Employment law · Legal

Should employees work exclusively on company-owned computers?

Charles Best Experienced Software Engineer, Researcher

July 14th, 2016

Should all company employees and interns be provided with company-owned computers to work on exclusivley? Or is it OK to have them work on a computer that they own? Are there issues with IP for development performed on an employee's or intern's private computer. What is the general way to handle this issue?

Richard Giraud Lead Developer at BubbleUP

July 14th, 2016

Dancing around the issue a bit, an employer-provided computer is a good idea.  You get to choose what software is on it, whether it uses full-disk encryption, how it's used, etc.  Valuable IP will be less likely to leak through infected personal computers and you don't have to worry so much about a leaving employee accidentally having your IP on their computer.  It also avoids the question of what to do when an employee's computer breaks down.

Davidson Young Leadership Coach and Development Consultant

July 15th, 2016

The IP issue has already been pointed out by others but I want to share an example of how it can go wrong...I worked with a start-up that had employees use their own laptops. An employee decided to leave the company and we suspected that he was downloading company material and not uploading his work to our drives. Legally we couldn't force him to show us the content of his laptop because it was his own property. 

I recommend just making is simple and provide the equipment.

Gabor Nagy Founder / Chief architect at Skyline Robotics

July 14th, 2016

For sensitive IP, company-owned computers are usually be better (depending on the system, the competency level of the IT staff etc.).
For son-sensitive stuff, allowing employees to use their own system may be better.
To get the best of both worlds, you can provide a system that they can take home...

Joanan Hernandez CEO & Founder at Mollejuo

July 21st, 2016

Hello Dave,

The problem I see with your suggestion is: How do you know or control that the employee didn't download the company's files to their computers and stored them on a USB pen drive? Which means, if they left, they kept that info. Regardless if you have it in the cloud or not.

It's true, that the employee can also do the previous with a company own equipment, but at least, the company will be legally more protected than if the employee used their own computer. Unless you do Lorne's suggestion.

From an startup point of view, having employees use their own equipment is a huge money saver, I'm guilty as charged. But that benefit, obviously comes with some important risks.

Cheers!

Marcia Allen Founder and COO BioTech Solutions Enterprise Group, Ltd, LLC

July 15th, 2016

I have had 2 situations of theft of the customer list - one with a company computer and one without.  I think it's really important to have the technology in place to safeguard or be able to track whose taking what.  With the company owned computer, they did a download from an external device before they wiped everything and we were able to recover forensically what was on the computer (a business plan to start a competing company) and the theft of our customer list.  In the non-owned computer they had administrative privilege and did an export of the customer list.  We could clearly see the export.  How do you totally safeguard either way?  You have to give people access.  As a former sales rep I have left companies because they didn't give good reports to work from. The best company I ever worked for gave me all the data in every format on paper.   If you can't view all the data in various report formats, it's difficult to sell and know where your opportunities are.  Those paper reports can always be copied.  But people are lazy and stupid or they just feel entitled to own the results of their efforts.  In my opinion most important is strong legal contracts that spell out exactly what IP a person brings into the company (most people leave it blank).  You can't leave it blank and then years later say you brought in all the relationships.  Second is to have technology that records everything that is possible.  Third.  Only trust your dog, because life is always changing and people change.  The only relationship that won't change is how your dog feels about you.

Charles Best Experienced Software Engineer, Researcher

July 14th, 2016

Thanks, these are some great answers covering mostly security/convenience caveats involved with this issue. I'm more interested in this issue from the legal standpoint. There are scenarios where this may bring up ip/ownership issues, with university personnel on university equipment, for instance. Of course an attorney is the best source for this, but does anybody have experience on the legal side of this in private companies?

Adam Bell Connecting China, ASEAN and the world

July 16th, 2016

There's quite a few issues to consider. Legal.. Does the company own emails generated by employees regardless of how it was generated? Same with data files, vs their content.  Where are the files stored?  Can they be transferred and if so is there a log?  Does the password have to be strong?  How trustworthy are the employees.  Providing the occasional can be beneficial in my experience for emphasis but the key is on legally tuning the policy,  employee contract and software to manage your data for those risks which apply. 

Dave Wolpert Content Marketing Leader | Sales Engine Media

July 20th, 2016

I'm not an attorney, but I would suggest that, at least in the U.S., who owns the physical device is less important than who owns and controls the organization's work product. I give my employees the choice of whether to use a company-supplied laptop or their own, and most choose their own. But we use Google Mail and Google Apps for most of our work and everything is stored in the cloud under an account controlled by our IT admin. In the event of a termination or other tricky situation, there's no issue of "turning over all of your files" or getting a subpoena to access an employee's personal computer--we already have full, legal access to our employees' work product. It doesn't matter if they create that work on a work computer, a home computer, or a mobile device.

Joseph Wang Chief Science Officer at Bitquant Research Laboratories

July 18th, 2016

In banking and finance, you often do not have a choice in the matter.  Essentially the regulators want full access to the work product of employees, and you cannot make the regulators happy unless you require that employees work *only* on company provided hardware or through a remote solution in which the employee machine works only as a terminal and everything is a login to the banks computers. 

Essentially, if the SEC wants someone's machine and it's the companies machine, the company can and will give it to them.  If it's an employee's personal machine, they may need to get a warrant, and having to do this will make the SEC very, very annoyed at the bank.

Even in the absence of regulation, this is a good idea for audit and control.  I really would feel better knowing that my checking account can only be accessed by hardware that is issued by the bank, rather than knowing that it might be accessed by someone whose machine could be hacked.

Adam Bell Connecting China, ASEAN and the world

July 21st, 2016

Good point Joanan... Products such as, Kaspersky endpoint can disable USB (I'm not recommending Kaspersky specifically just illustrating a point)   but as Dave also says risk management,  multi layered,  proportional to the consequences  if those risks come into play is the way to go... There are some good firms out there who can help businesses of all sizes deal with this if inhouse knowledge insufficient..