Companies looking to adopt bring-your-own-device (“BYOD”) policies should be mindful of the liabilities and benefits of such policies before adopting them. It is also equally important for employees to ask questions and to understand their employer’s BYOD policy before agreeing to it. These policies allow employees to use their own smartphones, tablets, and laptops in the workplace instead of company provided devices. For many companies and its employees, this practice has been extremely beneficial with respect to convenience, cost benefits, flexibility, improving overall employee productivity and responsiveness, and increasing worker satisfaction. However, there are also some risks to consider as well, such as the loss or theft of devices, wage and hour issues, employee privacy, discrimination and harassment, and termination of employment.
This article examines some of these employment-specific legal issues as well as the benefits of BYOD policies and further outlines some best practices that companies and employees can incorporate when implementing BYOD practices at work.
1. Wage and Hour Issues. Before adopting a BYOD policy, employers should carefully consider the wage and hour implications of the policy. Under the Fair Labor Standards Act (“FLSA”), employers must pay at least minimum wage to nonexempt employees for all hours the employee is “suffered or permitted” to work by the employer. In addition, nonexempt employees must receive overtime pay when they work over 40 hours during a workweek. When employees have remote access, hours worked can include time spent (on or off the clock) drafting and responding to emails, taking conference calls, videoconferencing, and completing projects. Some employers may expect employees to check their emails around the clock, while others may not; but if such compensable time is not paid, it can expose a company to potential liability.
Best Practices: Employers can protect themselves from such wage and hour issues by incorporating into BYOD programs measures that: (i) require employees to record and report all time worked, (ii) set clear policies on working outside of normal scheduled hours, and (iii) ensure minimum wage compliance by reimbursing employees for device fees or paying an hourly rate that keeps employees at or above minimum wage after device expenses and fees. It is also equally important for employers to check their state’s wage and hour laws, as state laws may vary on this issue.
2. Discrimination and Harassment. If an employee uses his or her personal device to bully coworkers in cyberspace, send harassing e-mails or text messages, or transmit racially insensitive pictures and videos, whether during working hours or not, it could create liability for the employer.
Best Practices: In order to mitigate these risks, employers should remind employees to use good judgment when communicating with colleagues on their personal devices. The company’s BYOD policy should also include instructions on acceptable use, prohibit inappropriate use and remind employees that the company’s policies prohibiting harassment, discrimination and retaliation apply to the use of all devices under the BYOD policy.
3. Employee Negligence. Employee negligence can also put an organization at risk. When employees get a new mobile device, they often store the old one or give it away thus increasing the risk of data compromise. Employees may also inadvertently download malware or become the victim of a phishing scam by clicking on a malicious link. Company data can also be compromised if the employee loses the device, fails to password protect their device, or the device is stolen. Employees may also accidentally expose sensitive company information when communicating through unsecured or public Wi-Fi networks.
Best Practices: To lessen the likelihood of data loss and security breaches, employers should educate employees on the importance of maintaining strong passwords, changing passwords and encrypting data stored on the device. Employers may also want to consider adopting a BYOD policy that clearly states that the organization owns the company data on the device and require employees to back up company data and notify the employer in the event their personal device is lost, stolen or damaged. If data compromise is an ongoing concern, employers can establish protocols which permit retrieval and review of company data as well as the ability to remotely locate the device and automatically wipe the device of all data in certain instances (e.g., too many incorrect password attempts, devices are lost or stolen, or when a data breach is detected).
4. Privacy Issues. The employer should balance its duty to safeguard sensitive and proprietary information with employee privacy. For example, certain states have enacted laws that protect an employee’s right to social media privacy. These laws prohibit employers from trying to gain unauthorized access to an employee’s private social networking site – including prohibitions against requesting or requiring access to an employee’s social media accounts. Privacy protections may also apply to the healthcare information stored on the device as well as the employee’s privileged communications with his or her doctor, attorney or spouse.
Best Practices: The best way to negotiate this challenge is to set out both the employer’s and employee’s rights and responsibilities, including what exactly can be accessed on a personal device, and exactly what will happen if the device is lost or compromised, or if the employee leaves the business. Companies can also mitigate damages by making employees aware of the privacy trade-offs and the reasonable expectations of privacy related to their use of a personal device for work. Although a bright line rule between access and privacy is not possible, companies can, at a minimum, train their workers on what the policies say, inform employees of privacy-related issues and, if monitoring or an investigation becomes necessary, minimize the potential exposure of employees’ personal and private information.
5. Termination of Employment Issues. When an employee is let go, or leaves the company, segregating and retrieving company data can be challenging. Accordingly, BYOD policies should include a section detailing what actions must be taken, both by the company and employees, upon termination of employment.
Best Practices: These actions might include deleting data, revoking access to a network, deleting certain apps, and/or working with the employer’s IT staff (when appropriate) to complete the exit requirements and ensure proper removal of company trade secrets and proprietary and confidential information. Employers may also want to consider adopting a policy advising employees that not complying with the exit requirements will result in a full remote factory reset of their devices (which can be achieved by the Mobile Device Management toolsets commercially available). Moreover, they should sign a waiver consenting to such activities and holding the organization harmless for any such damage, loss or use or data loss.
Although there is no standard or one-size-fits-all BYOD policy, employers should develop and disseminate a comprehensive BYOD policy that takes into account the company’s existing infrastructure and risk tolerance. As with all information security risks, how the organization defines and treats risk plays a key role in choosing the type of security controls the organization should employ. It is also essential that employers and employees engage in training, revisit the BYOD policy on a regular basis and update it as needed. In all, conducting a cost-benefit analysis at an early stage in the BYOD planning process is important for a secure and successful rollout.