These days, most employers can’t keep pace with technology as nimbly as their workforce can. That’s why many forward-thinking companies are now adopting bring-your-own-device (BYOD) policies that allow employees to work on their personal laptops, tablets and smartphones instead of on company-issued equipment. The BYOD trend has been driven in part by Millennials in white-collar positions who have come to rely on using their own technology for both work and play.
While asking people to bring their own devices can lower costs and improve efficiency, effectiveness and morale, it also raises a host of security and legal compliance concerns. Fortunately, most of these concerns can be addressed through a well-crafted policy backed by the technical controls needed to enforce it.
From the employee perspective, the biggest concern is that BYOD practices could lead to a loss of employee privacy. Workers may worry that their company will have inappropriate access to their financial and health data, as well as to their personal photographs, videos, contacts and other information, and that they could lose all of that information if the company removes or “wipes” business information from the device. A wipe typically happens when a person’s employment ends, but it may also be triggered when a device is reported lost or stolen.
On the employer side, the primary concern is security. For example, personal devices may not be configured with a lock-screen passcode or an inactivity timeout, and many people do not use passwords at all to protect their laptops, tablets and smartphones. Equally troubling are worries that employees may connect their devices to unsecured Wi-Fi hotspots, share them with others or simply lose them. All of these possibilities raise the risk of unauthorized disclosure or destruction of business data.
But other legal problems could crop up as well. For instance, allowing people to use their personal devices for work may make it easier for them to defame the company, their co-workers, customers, vendors, competitors and others or to unlawfully harass their co-workers or subordinates—whether via social media, texting or good, old-fashioned phone calls. Employees using their personal devices may feel more at ease to engage in such inappropriate activity than they would on company-provided equipment.
Moreover, if nonexempt employees are asked to use personal devices for work, the employer exposes itself to liability under the federal Fair Labor Standards Act and state overtime and wage payment laws. Since nonexempt workers will have ready access to the technology, they will be in a position to respond to e-mails and text messages or to otherwise engage in compensable work activities outside their scheduled work hours.
Expense reimbursement is another headache. Is a company obliged to pay for the costs incurred in connection with the use of a personal device for work? It depends on state law. For example, California Labor Code Section 2802 imposes broad obligations on employers to cover their employees’ business expenses, which could include at least part of the costs of a wireless voice and data plan if the employee is permitted or required to use a personal device for work.
Employers also face challenges in ensuring that business records stored on an employee’s personal device are retained long enough to satisfy electronic discovery requests during litigation. Failing to retrieve information stored on a worker’s personal device that should have been produced may lead to severe adverse consequences for the employer in the underlying litigation.
Key Policy Features
To address these challenges, employers should develop and disseminate a comprehensive BYOD policy. A good policy will take into account the concerns of both the company and its employees.
There is no one-size-fits-all approach. What works best for a particular employer will depend on the employer’s business, the available IT support and the type of data that needs protecting. However, there are some key features to consider when crafting your policy:
- Use mobile device management technology (often referred to as MDM) to create a separate, managed work container or profile on each device that keeps work data apart from personal data. This lets the employer enforce security measures on the work container, selectively wipe it without touching personal files, and limits employer access to work data only.
- Determine which devices will be permitted and supported and which types of company data people will be able to access from them.
- Decide which classes of employees will be permitted to use their own devices and why, and require employees to agree to acceptable-use terms before they first connect to the employer’s computer network. Will any nonexempt employees be eligible for BYOD practices? If so, develop specific guidelines for when they may work off the clock (for example, when they may send or respond to work-related e-mails and text messages). Consider using mobile device management technology that limits the ability of nonexempt employees to use their devices for business purposes outside normal work hours.
- Clearly state the employer’s right to access, monitor and delete information from employee-owned devices. If the company is allowed to access personal information, state the circumstances under which it might do so. Consider keeping a registry of all personal devices being used for business purposes.
- Determine and communicate whether the employer will introduce any new forms of monitoring, such as location-based tracking via GPS or other methods. If so, specify when the monitoring will be used by the employer and for what purpose.
- Explain how the company will protect an employee’s personal information, with any limitations of that protection expressly stated. Identify the personal information that can be saved by the employer through routine backups and maintenance.
- Provide reasonable notice to employees as to when employer data will be “wiped” from personal devices. The company should determine whether all data (personal and work) will be deleted or just work information. How will the company make the distinction between work and personal information? Will employees be afforded the opportunity to review the data being removed or to preserve personal files? In which instances will employees be asked to surrender their personal devices for inspection and removal of employer records (for example, e-discovery, investigations, IT servicing or termination of employment)? The use of mobile device management technology can facilitate these considerations.
- Put data protection practices in place, including requiring strong passwords and automatic locking after periods of inactivity, requiring device encryption so that a lost or stolen device does not expose business data, establishing protocols for promptly reporting lost or stolen devices so they can be remotely wiped, mandating certain antivirus and protective software, and requiring or strongly encouraging regular backups.
- Designate who is responsible for authorizing work-related software and other downloads, as well as a main point of contact for questions about the policy. It may also be a good idea to post a resource page or frequently-asked-questions page on your company’s intranet.
- Develop your BYOD policy in partnership with IT, risk management, operations personnel, and inside or outside legal counsel.
- Revise current policies and protocols that may be affected by BYOD practices. This might include adjusting record-retention policies to cover data on employee-owned devices; revisiting data breach protocols to ensure that they cover situations where sensitive data (such as Social Security numbers and credit card information) is compromised; changing your expense reimbursement policy to address employee-owned devices; and revising equal employment opportunity and anti-harassment policies to cover activity involving personal equipment, including employer monitoring.
While BYOD policies raise some thorny issues, they can work well when employers balance security, compliance and privacy concerns. The key is being thoughtful and collaborative in your approach.
Paul G. Lannon is an attorney at Holland & Knight in Boston. Phillip M. Schreiber is an attorney at Holland & Knight in Chicago.