In today’s workplace, employees commonly use their own electronic devices for work-related tasks, such as responding to work-related emails, accessing company servers and data, reviewing and editing company documents, and performing work remotely. While employers may benefit from this “Bring Your Own Device” or “BYOD” trend because it reduces costs and increases productivity, employers should be aware that BYOD is not without risk. Allowing employees to use their own devices for work-related activities may lead to increased data security risks, privacy concerns, and other legal issues. Employers should give careful consideration to the benefits of BYOD in their business. Before allowing the use of personal devices in the workplace, employers should address these risks through a sound BYOD policy. A company should consider the following when drafting its BYOD policy:
- Address data security risks: Employers must implement reasonable data security measures if they are going to allow personal devices to access and store sensitive company data. The loss of and irresponsible use of an employee’s mobile device are common sources of data security breaches, which can result in the loss of trade secrets, exposure of confidential commercial information, and/or liability under state and federal data security laws. Before employees are allowed to use personal devices at work, employers should require their employees to:
  - use password protection on all personal devices;
  - install and update software regularly to patch known vulnerabilities;
  - encrypt data on all personal devices;
  - enable tracking and remote wipe features (allowing data to be erased remotely if the device is lost);
  - notify their employer as soon as a device is lost; and
  - properly destroy/erase data before discarding or reselling their devices.

  Employers should also prohibit employees from:
  - jail-breaking their devices;
  - installing applications from unapproved sources;
  - connecting to unknown wireless networks; and
  - sharing their device with another individual (e.g. spouse or child), or perhaps more realistically, require their employees to prevent others from accessing sensitive information on their devices.
- Clearly define employee privacy expectations: Your employees must understand that company information is company property, even if stored on a personal device. The company must retain access to its information. There may be instances where employers need prolonged access to the data stored on personal devices and to the devices themselves. For example, if an employer is involved in litigation, company data contained on personal devices may be subject to discovery requests and/or litigation holds. Similarly, in the event that a data security breach occurs, forensic investigators may need to take an image of an employee’s entire device to investigate the cause of the breach. In each instance, personal employee information may be accessed because separating relevant company data from personal information is often impossible. The employee may also be denied use of the personal device for a period of time while the data is copied and reviewed. Employees’ expectations of privacy should be set accordingly. Employers should have their employees acknowledge and agree in writing that they have no rights in company data, and that the employer has the right to access the data on their personal devices, monitor the use of those devices, and retain possession of those devices as needed.
- Address what happens when the employee stops working for your company: As noted above, employers have a duty to safeguard sensitive company data. Therefore, when an employee terminates his or her relationship with the employer, the employer must ensure that all of its data is permanently erased from the employee’s personal devices. Yet, it is often impossible to separate relevant company data from personal employee information when “wiping” a device. Therefore, employers should require that their employees acknowledge and agree that all of the data on their devices will be erased when the employee stops working for the company.
- Address potential FLSA wage claim issues: Under the Fair Labor Standards Act (“FLSA”), employers are required to compensate non-exempt (or “hourly” wage) employees for all time worked, whether the work was performed on-site or remotely. Because employees normally have their personal devices with them outside of the workplace, they may read and respond to work emails and phone calls during non-working hours. This may constitute “working time” and be compensable. This can be a trap for the unwary. Employers should have a policy to properly record and compensate employees for this time. Alternatively, employers may want to consider restricting the use of personal devices (for company business) to exempt employees.
- Address who is responsible for fees and related expenses: An employer’s BYOD policy should clearly state which parties are responsible for costs related to the use of personal devices in the workplace. Typically, in a BYOD environment, the employee purchases his or her own device(s). Nevertheless, there are other associated costs that should be considered, such as:
  - Who pays for repair costs?
  - Who pays for voice and data plans?
  - Who pays for roaming and/or international data plans when an employee travels?
  - Who pays for technical support?
  - Who pays for device accessories used for work-related purposes?
  - Who pays for applications used for work-related purposes?

  Clearly defining each party’s responsibilities for these costs in a BYOD policy will lessen the chance of a dispute in the future.
- Finally, make sure your company follows its own BYOD policy: Employers that create a written BYOD policy must be sure that they comply with the requirements and obligations of their own policy. Simply put, failure to follow policy creates risk.
You can refer to our Dawn Harmon and Joseph Talbot webpages at www.perkinsthompson.com for more information about us. We would be happy to assist you on your employment and cyber-security matters.