BYOD Policy (Bring Your Own Device)
BRING YOUR OWN DEVICE (BYOD) POLICY
Company: [Company Name]
Effective Date: [Effective Date]
IT Contact: [IT Contact]
1. PURPOSE AND SCOPE
[Company Name] (the "Company") permits eligible employees to use personally owned mobile devices, tablets, and laptops ("Personal Devices") to access Company systems, email, and data, subject to the requirements of this Bring Your Own Device (BYOD) Policy (the "Policy").
This Policy applies to all employees who enroll in the BYOD program and governs the use of Personal Devices to access Company information. Participation in the BYOD program is voluntary.
2. ELIGIBILITY AND PERMITTED DEVICES
2.1 Eligible Employees. The following employees are eligible to participate in the BYOD program: [Eligible Employees].
2.2 Permitted Devices. The following types of Personal Devices are permitted for BYOD enrollment: [Permitted Devices].
2.3 Enrollment. Eligible employees who wish to participate must submit their device for enrollment through the IT Department and install the required MDM software: [MDM Software]. Enrollment constitutes acceptance of this Policy.
3. SECURITY REQUIREMENTS
All enrolled Personal Devices must maintain the following security settings at all times:
[Security Requirements]
3.1 Reporting Lost or Stolen Devices. Employees must report a lost or stolen enrolled device to the IT Department immediately. The Company will remotely wipe Company data from the device as described below.
3.2 Remote Wipe. In the event of a lost or stolen device, or upon separation of employment: [Wipe Policy]. Employee acknowledges and consents to this remote wipe as a condition of BYOD participation.
4. ACCEPTABLE USE
4.1 Permitted Uses. Employees may use enrolled Personal Devices for the following work purposes: [Acceptable Use]
4.2 Prohibited Activities. The following activities are strictly prohibited on enrolled Personal Devices:
[Prohibited Activities]
5. EMPLOYEE PRIVACY
[Privacy Statement]
6. EXPENSE REIMBURSEMENT
[Reimbursement Policy]
7. VIOLATIONS AND CONSEQUENCES
[Consequences]
8. GENERAL PROVISIONS
8.1 Policy Changes. The Company reserves the right to amend or terminate this Policy at any time with reasonable notice to enrolled employees.
8.2 No Expectation of Privacy in Company Data. Employees have no expectation of privacy in Company data, email, or applications accessed or stored on Personal Devices.
8.3 Separation from Employment. Upon separation from employment, the employee must return all Company data, uninstall the MDM profile, and cooperate with any remote wipe of Company data.
EMPLOYEE ACKNOWLEDGMENT
By signing below, I acknowledge that I have read, understand, and agree to comply with this BYOD Policy. I consent to the installation of MDM software on my enrolled Personal Device(s) and understand and consent to the Company's remote wipe capabilities described in Section 3.2.
Employee Signature: _______________________________ Date: _______________
Printed Name: ___________________________________
Department: _____________________________________
Enrolled Device(s): _________________________________ OS Version: __________
What Is a BYOD Policy (Bring Your Own Device)?
A BYOD Policy in the United States sets out the conditions under which employees may use personally owned devices for work, and the security, privacy, and data-handling obligations that attach to that use for both the employer and the employee.
The legal obligation to have a BYOD policy derives from the patchwork of US federal and state data security laws that impose requirements on organizations handling sensitive data — regardless of the device on which that data resides. The Health Insurance Portability and Accountability Act Security Rule (45 C.F.R. Part 164, Subpart C) requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic protected health information (ePHI) on any device that stores, transmits, or processes that data — including personal devices enrolled in BYOD programs. The Office for Civil Rights (OCR) of the US Department of Health and Human Services has issued guidance stating that HIPAA-covered organizations must address BYOD risks through written policies, workforce training, and technical controls such as encryption and remote wipe capability.
The Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. §§ 6801–6809) and the FTC's Safeguards Rule (16 C.F.R. Part 314), as amended in 2021 with a June 2023 compliance deadline, require financial institutions to implement an information security program with administrative, technical, and physical safeguards, including encryption of customer information in transit and at rest and multi-factor authentication for anyone accessing it; those safeguards reach personal devices used to access customer financial data. The Payment Card Industry Data Security Standard (PCI DSS), while not a federal statute, is contractually required of entities that store, process, or transmit payment card data for the major card brands (Visa, Mastercard, American Express, Discover, JCB) and requires documented acceptable-use policies for end-user technologies, including employee-owned devices (Requirement 12.3 in PCI DSS v3.2.1; Requirement 12.2 in v4.0).
Data breach notification laws in all 50 states impose notice obligations on organizations that experience breaches of personal information, including breaches that originate from personal devices that accessed corporate data without adequate security controls. California's CCPA (Civil Code §§ 1798.100 et seq.), as amended by the CPRA, creates additional obligations for businesses handling California consumers' personal information, including a private right of action for breaches caused by a failure to maintain reasonable security, wherever the data resides. New York's SHIELD Act (General Business Law § 899-bb) requires reasonable administrative, technical, and physical safeguards for private information; for a BYOD program that means documented device security requirements and management controls for the personal devices that access it.
The National Institute of Standards and Technology (NIST) Special Publication 800-124 (Guidelines for Managing the Security of Mobile Devices in the Enterprise) and NIST SP 800-46 (Guide to Enterprise Telework, Remote Access, and Bring Your Own Device Security) provide the technical framework that informs BYOD security requirements, including Mobile Device Management (MDM), Enterprise Mobility Management (EMM), and Mobile Application Management (MAM) solutions offered by vendors such as Microsoft Intune, VMware Workspace ONE, and IBM MaaS360.
When Do You Need a BYOD Policy (Bring Your Own Device)?
A BYOD Policy is needed in the United States whenever a company allows or expects employees to use personal devices for any work-related purpose — including accessing company email, using collaboration tools such as Microsoft Teams or Slack, storing work files, or connecting to the corporate network through a VPN.
Small and medium businesses that cannot afford to provide company-owned devices to all employees frequently rely on employees' personal smartphones and laptops for day-to-day operations. Without a BYOD policy, these businesses have no contractual basis for requiring security configurations on employees' personal devices, no clear right to remove corporate data when an employee leaves, and no documentation that they implemented reasonable security measures if a data breach occurs.
Healthcare organizations — including hospitals, medical practices, dental offices, and mental health providers subject to HIPAA — must have a BYOD policy as part of their required HIPAA Security Rule compliance program. The OCR has investigated and settled HIPAA enforcement actions against healthcare organizations that allowed employees to access PHI on personal devices without adequate security policies, controls, and workforce training.
Financial services firms regulated by the SEC, FINRA, or state banking regulators must implement BYOD controls as part of their information security programs under the Gramm-Leach-Bliley Act Safeguards Rule and the SEC's Regulation S-P (17 C.F.R. Part 248). SEC and FINRA examinations increasingly scrutinize firms' BYOD and remote communication policies.
Law firms and other professional service firms that handle client confidential information — subject to attorney-client privilege and professional conduct rules including ABA Model Rule 1.6 (confidentiality) — need BYOD policies to meet their professional obligations to safeguard client information.
Companies with remote or hybrid workforces, a work model that has been widespread in the United States since 2020, need BYOD policies to manage the security of work performed on personal devices outside the office perimeter. The move to cloud-based work platforms (Microsoft 365, Google Workspace, Salesforce) has made BYOD security both more important and more technically manageable: cloud access security brokers (CASBs) and conditional access policies can deny a sign-in from a device that is not enrolled, not encrypted, or otherwise out of compliance, rather than relying on the employee to configure the device correctly.
What to Include in Your BYOD Policy (Bring Your Own Device)
A complete BYOD Policy for a US employer must contain several essential provisions to comply with applicable data security laws, protect company and employee interests, and set clear expectations for all participants.
Scope and eligible devices defines which employees may participate in the BYOD program, which device types are covered (smartphones, laptops, tablets, wearables), and which operating systems and minimum OS versions are supported. Some employers limit BYOD to smartphones and tablets for email access, while providing company-owned laptops for more sensitive work.
Security requirements are the technical core of the policy. The policy must specify: minimum device passcode or biometric authentication requirements (e.g., 6-digit PIN or Face ID/Touch ID, auto-lock after 5 minutes of inactivity); required OS version and patch currency (e.g., iOS 16+ or Android 13+); prohibition on jailbreaking or rooting; required enrollment in the company's Mobile Device Management (MDM) solution; required device encryption (enabled by default on modern iOS and Android devices but should be verified, and on iOS the data protection keys are derived from the passcode, so the passcode requirement is what makes the encryption meaningful); and required installation of company-approved security applications, including VPN software for remote corporate network access. Each requirement should be stated so that the MDM can check it automatically and deny access when a device falls out of compliance, rather than relying on self-attestation.
MDM enrollment and capabilities disclosure is a legally important element in states with employee privacy protections. The policy must disclose which MDM platform is deployed (Microsoft Intune, Jamf, VMware Workspace ONE, etc.), what capabilities the company has through the MDM (view apps installed, enforce security policies, remotely lock or wipe the device), and the distinction between full wipe (which erases personal data) and selective/corporate wipe (which removes only company apps and data). Employee written consent to MDM enrollment should be obtained before installation.
Permitted and prohibited uses define which company systems and data employees may access on personal devices, and what personal uses are prohibited on enrolled devices. Accessing company email, approved collaboration tools, and company cloud storage is typically permitted. Prohibited uses typically include: storing unencrypted company data in personal cloud storage; using personal devices to access highly sensitive data (trade secrets, HR records, payment card data) without additional security controls; using the personal device as a hotspot for other personal devices to access the corporate network; and installing software that could compromise device security.
Data ownership and separation provisions confirm that company data remains company property regardless of where it is stored, and require employees to keep company data in MDM-managed containers rather than in personal apps (e.g., company email in the managed Outlook app rather than in the personal Mail app).
Termination and departure procedures require that employees return all company data and access credentials and submit their device for selective corporate wipe upon separation from employment — with a specific timeframe (e.g., within 24 hours of separation).
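As an added illustration of how the security baseline, the selective/full wipe distinction, and the separation procedure above translate into an enforceable check (example code written for this page, not part of the Forms Legal template or any MDM vendor's product), the following Python evaluates constructed device-inventory records against the baseline and decides the action the policy calls for. The record fields, thresholds, and action names are assumptions; real MDM platforms expose equivalent attributes under their own names.

```python
"""Added example: evaluate BYOD device records against the policy baseline.

Field names, thresholds, and action labels are assumptions made for this
illustration, not any MDM vendor's schema.  Thresholds follow the examples
in the text: iOS 16+ / Android 13+, 6-digit passcode, 5-minute auto-lock.
"""
from dataclasses import dataclass

MIN_OS = {"ios": (16, 0), "android": (13, 0)}   # minimum supported OS per platform
MIN_PASSCODE_LENGTH = 6                         # digits; 0 means no passcode set
MAX_AUTOLOCK_MINUTES = 5                        # auto-lock must fire within 5 minutes


def parse_version(text):
    """'17.4.1' -> (17, 4, 1); non-numeric suffixes such as '14-beta' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual, minimum):
    """Compare version tuples of different lengths: (16,) must satisfy (16, 0)."""
    width = max(len(actual), len(minimum))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(actual) >= pad(minimum)


@dataclass
class Device:
    device_id: str
    platform: str          # "iOS" or "Android"
    os_version: str
    passcode_length: int   # 0 = no passcode
    autolock_minutes: int  # 0 = auto-lock disabled (assumed encoding)
    encrypted: bool
    jailbroken: bool       # rooted, on Android
    mdm_enrolled: bool
    employee_status: str   # "active", "separated", or "lost" (lost/stolen report filed)


def compliance_findings(dev):
    """Return the baseline violations for a device; an empty list means compliant."""
    findings = []
    plat = dev.platform.lower()
    if plat not in MIN_OS:
        findings.append(f"unsupported platform {dev.platform}")
    elif not version_at_least(parse_version(dev.os_version), MIN_OS[plat]):
        wanted = ".".join(str(n) for n in MIN_OS[plat])
        findings.append(f"OS {dev.os_version} below minimum {wanted}")
    if dev.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append("passcode absent or shorter than 6 digits")
    if dev.autolock_minutes <= 0 or dev.autolock_minutes > MAX_AUTOLOCK_MINUTES:
        findings.append("auto-lock disabled or longer than 5 minutes")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if dev.jailbroken:
        findings.append("device is jailbroken or rooted")
    if not dev.mdm_enrolled:
        findings.append("not enrolled in MDM")
    return findings


def decide_action(dev, full_wipe_on_loss=False):
    """Map device state to the action the policy calls for.

    A selective wipe removes only the corporate container (Sections 3.2 and 8.3);
    a full wipe erases personal data too and is used for a lost device only
    where the policy's [Wipe Policy] field, consented to at enrollment, says so.
    """
    if dev.employee_status == "lost":
        return "full_wipe" if full_wipe_on_loss else "selective_wipe"
    if dev.employee_status == "separated":
        return "selective_wipe"            # due within the policy's separation window
    if dev.jailbroken:
        return "block_and_selective_wipe"  # compromised OS: treat corporate data as exposed
    if compliance_findings(dev):
        return "block_until_remediated"    # conditional-access style: deny until fixed
    return "allow"


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    Device("ios-001", "iOS", "17.2", 6, 2, True, False, True, "active"),
    Device("and-002", "Android", "12", 6, 5, True, False, True, "active"),   # OS too old
    Device("ios-003", "iOS", "16.0", 4, 5, True, False, True, "active"),     # 4-digit PIN
    Device("and-004", "Android", "14", 8, 1, True, True, True, "active"),    # rooted
    Device("ios-005", "iOS", "17.4.1", 6, 5, True, False, True, "separated"),
    Device("ios-006", "iOS", "17.0", 6, 5, True, False, True, "lost"),
]


def evaluate_inventory(devices=SAMPLE_INVENTORY, full_wipe_on_loss=False):
    """Return {device_id: action} for every device in the inventory."""
    return {d.device_id: decide_action(d, full_wipe_on_loss) for d in devices}


if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(dev.device_id, decide_action(dev), compliance_findings(dev))
```

In practice this decision lives in the MDM's compliance policy and the identity provider's conditional access rules rather than in a script, but the shape is the same: the written policy fixes the thresholds and the wipe type the employee consented to, and the tooling denies access until the device meets them. Note that a rooted or jailbroken device is treated as a data exposure, not merely a configuration gap, because the MDM's own checks can no longer be trusted on it.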
Reimbursement provisions address whether the company provides a monthly stipend for BYOD participation and the process for claiming reimbursable work-related expenses, addressing California Labor Code § 2802 and equivalent state reimbursement requirements.
Consequences for policy violations, ranging from loss of BYOD privileges to termination of employment for serious breaches, and the employee's acknowledgment and signature complete the policy.
Sources & Citations
Statutory citations link to official government sources.
- 15 U.S.C. § 6801 (Gramm-Leach-Bliley Act, protection of nonpublic personal information) – Cornell LII (US)
- Health Insurance Portability and Accountability Act (HIPAA) – Cornell LII (US)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). BYOD Policy (Bring Your Own Device) (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/policies/byod-policy
"BYOD Policy (Bring Your Own Device) (United States)." Forms Legal, 2026, https://forms-legal.com/usa/business/policies/byod-policy.
@misc{formslegal-byod-policy,
author = {{Forms Legal}},
title = {BYOD Policy (Bring Your Own Device) (United States)},
year = {2026},
howpublished = {\url{https://forms-legal.com/usa/business/policies/byod-policy}},
note = {Free legal document template.}
}
Frequently Asked Questions
A BYOD (Bring Your Own Device) policy is a written policy that governs how employees may use personal smartphones, tablets, and laptops for work, addressing security, privacy, and acceptable use. A written policy communicates the organization's rules consistently, supports compliance with applicable laws and regulations, gives a basis for uniform enforcement, and documents the organization's standards if a dispute or a breach investigation arises. It should be clearly written, communicated to everyone it covers, applied consistently, and reviewed as laws and circumstances change; because it guides behavior and supports compliance, it should reflect the organization's actual practices and legal requirements rather than be copied generically.
A BYOD policy should address security requirements, acceptable use, the handling of company data on personal devices, privacy, and what happens to the device and data when employment ends. Security provisions commonly require passcodes or biometric locks, encryption, up-to-date software, and the ability to remotely wipe company data if the device is lost or the employee leaves, often through mobile device management software. The policy should define acceptable use, specify which company systems and data may be accessed, and require employees to protect confidential information. It should address privacy by clarifying what the employer can and cannot access on the personal device and how a remote wipe affects personal data, since employees use the same device for personal purposes. Provisions on reimbursement of costs, support, and the return or removal of company data at separation are also important. Because mixing personal and company use raises security and privacy concerns, the BYOD policy should balance protecting company data with respecting employee privacy, and employees should understand the rules before using their personal devices for work.
The security risks of BYOD arise because personal devices used for work can expose company data to threats that are harder to control than on company-owned equipment. Risks include the loss or theft of a device containing company information, malware or unsecured apps on the personal device, the use of unsecured networks, weak or absent device security such as no passcode or encryption, and the difficulty of ensuring the device stays updated and protected. When an employee leaves, company data on a personal device may remain unless properly removed. These risks can lead to data breaches, exposure of confidential or regulated information, and compliance violations. A BYOD policy and mobile device management tools help mitigate these risks by requiring security measures, enabling remote wipe of company data, and limiting how company information is stored and accessed. Because personal devices are outside the employer's full control, the security risks are significant, which is why a BYOD policy should impose safeguards. Employees should follow the policy's security requirements to protect company data on their personal devices and reduce the risk of a breach.
An employer can typically wipe company data from a personal device under a BYOD policy, and the policy should clearly explain the circumstances and the effect on personal data so employees understand it before participating. To protect company information, BYOD programs often use mobile device management software that allows the employer to remotely remove company data, and sometimes to perform a full device wipe, if the device is lost or stolen or when the employee leaves the company. A selective wipe removes only company data and applications, leaving personal content intact, while a full wipe erases everything, including the employee's personal photos and files. Because a wipe can affect personal data, the policy should specify what type of wipe may occur and advise employees to back up personal data. Employees generally consent to these terms when they agree to the BYOD policy. Because the ability to wipe protects company data but can impact the employee's personal information, the policy should be transparent about it, and employees should understand the remote wipe terms before using their personal device for work.
Who pays for devices and data under a BYOD policy depends on the policy and, in some states, on expense reimbursement laws. By definition, BYOD means employees use their own devices, so the employee typically owns the device, but the policy should address whether the employer reimburses any portion of the costs, such as a stipend for the device or a share of the data plan used for work. Some states, such as California, have laws requiring employers to reimburse employees for necessary business expenses, which can include a reasonable portion of personal phone or data costs when used for work, so employers in those states may be required to reimburse. The policy should clarify reimbursement, technical support, and who is responsible if the device is damaged. Because employees bear the device cost but use it for the employer's benefit, and some jurisdictions mandate expense reimbursement, the BYOD policy should address cost-sharing clearly. Employees should understand what the employer will reimburse, and employers should ensure their approach complies with applicable expense reimbursement laws for work-related use of personal devices.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.