Bring Your Own Device, Don't Bring Your Own Drama
From the Experts
The Bring Your Own Device (BYOD) movement is in full swing. A Cisco survey revealed that 71 million BYOD devices are in use today in the United States, and that number is expected to grow to 108 million by 2016. These numbers are not surprising given the reduced costs a BYOD program can offer employers. Cisco has estimated that, if done correctly and comprehensively, U.S. companies can save as much as $3,150 per employee per year with a BYOD program.
In the face of these numbers, a company is putting itself at risk, not to mention at an economic disadvantage, by moving forward without a clearly defined BYOD policy. Below are some key issues to consider as a starting point when crafting a BYOD policy.
Confidential Business Information and Trade Secrets
A crucial concern associated with BYOD programs is the protection of an employer’s confidential information and trade secrets. The use of personal devices in the workplace opens up a myriad of different avenues through which company information might be accidentally leaked to the public. And accidental disclosures of company information may result in the loss of a company’s trade secrets.
An employer could certainly choose to eliminate or prohibit all personal devices in the workplace. Many employers, however, choose to allow employees to use their personal devices for work. Rather than turning a blind eye to the realities and demands of today’s workforce, an employer should take a proactive approach in preserving its confidential business information and trade secrets. Indeed, an employer that has failed to take any measures to protect the secrecy of its data is in serious danger of losing it. A BYOD policy can be a game-changer.
A written BYOD policy is one of the first steps an employer can take to help demonstrate to a court that the company has made reasonable efforts to protect the secrecy of its confidential information. Not only must a BYOD policy meet the company’s individual goals and facilitate smooth day-to-day business practices, it also must be easily understood and followed by the company’s employees. If the employees cannot understand it, a court may not view the policy as an adequate protective measure.
Implementing a well-written policy should not be the end of the road. An employer should be able to show a court that the company provides sufficient instruction and training—not only at initial hiring, but also on a regular basis. And in light of the increasing capabilities of employees’ personal devices, employers must also periodically review their policies to ensure that these stay current, and must manage any new security risks created by technological advances. (When updates to the policy are necessary, additional employee training should be conducted.)
During any employee BYOD training, an employer needs to address the security risks associated with employees’ using their personal devices. Many employees are simply unaware of the various ways in which company information might be vulnerable to disclosure. Some common examples include employees:
- Losing personal devices or having them stolen.
- Sharing personal devices with family and friends.
- Connecting personal devices to unsecured wireless networks.
- Upgrading their personal devices.
- Resigning or being fired from their jobs, and taking the data on their devices with them.
By considering and addressing the various ways in which confidential business information might leak—both in the policy itself and in training—employers and employees can manage security risks at the outset.
The considerations identified above are just a starting point. Employers should consult with their IT departments to identify and implement measures to secure company data on employees’ personal devices.
Employees’ Right to Privacy
The need to protect a company’s confidential information and trade secrets can often conflict with the need to respect an employee’s right to privacy. Indeed, violating employee privacy rights is another risk that employers face in implementing BYOD programs.
A well-thought-out policy, however, can help minimize the risk of potential criminal and civil liability under state and federal laws that protect employees’ privacy rights. First and foremost, a BYOD policy should state that employees choosing to participate in the company BYOD program have no expectation of privacy with respect to any communications made with the device in connection with their employment.
As for the personal information on employees’ devices, the employer’s BYOD policy should set forth clear disclosures explaining that employees are forfeiting some of their privacy rights should they choose to participate in the BYOD program. Employees must understand, and consent to, their responsibilities under the company’s policy and the specific privacy rights they are surrendering. Accordingly, the employer should also require all employees participating in its BYOD program to sign a written acknowledgment consenting to the policy.
Competing with the need to respect employee privacy rights is the employer’s duty to comply with litigation and discovery obligations. A transparent policy and employee consent are vital to protecting the employer. Thus, an employer’s BYOD policy should notify employees that they must treat any business-related documents and information stored on their personal devices in accordance with the company’s document retention policy. The BYOD policy should further notify employees that their personal data may be reviewed if the information becomes subject to discovery in litigation or in the course of an investigative proceeding, including internal investigations by the company.
Employers with BYOD programs must also ensure that any litigation holds identify employees’ personal devices for preservation of data.
Another electronic discovery risk associated with BYOD programs is increased litigation costs for employers. For instance, if a company has to respond to a discovery request for electronically stored information, BYOD programs could markedly increase the number of additional devices subject to review. Indeed, a single employee could easily utilize three different personal devices for work—such as a smartphone, an iPad and a personal laptop.
One avenue of mitigating potential future litigation costs is the use of technology that creates two different workspaces within an employee’s personal device. Such technology can separate employees’ corporate and personal workspaces, preventing employees’ personal applications from accessing work information and preventing work information from being copied and pasted into personal applications or personal email messages. Use of this type of technology will not only enable a company to collect corporate data in a more efficient manner, should the need arise, but will also act as an additional safeguard against inadvertent disclosure of company information.
The risk of off-the-clock work also is noteworthy. BYOD programs essentially allow employees to work 24 hours a day. On one hand, around-the-clock work may present an attractive benefit for employers. On the other hand, this type of work can pose a significant risk of liability under the Fair Labor Standards Act (FLSA) and state wage and hour laws.
The easiest and safest way to avoid the risk of wage and hour litigation is to make a BYOD program available only to exempt employees not covered by the FLSA overtime provision. For some employers, however, that is not a practical business solution. Consequently, those employers must ensure that their BYOD policies clearly outline the obligations of nonexempt employees. For instance, a company could implement a policy that prohibits nonexempt employees from utilizing their personal devices for work purposes when they are off the clock. The policy should define what constitutes “working” on their personal devices, such as checking company emails or answering company calls. Employees should also be made aware that any violations of the policy will subject them to disciplinary measures. Employers may wish to consult their IT departments regarding the use of software programs that block after-hours use of company emails and calls.
Even where nonexempt employees are prohibited from working on their personal devices after hours, however, a company still must ensure that its employees are aware that nonexempt employees will be paid for all time worked, that nonexempt employees must report all time worked and that employees should feel safe to report any pressure or encouragement to work off the clock. These policy statements should be set forth in an employer’s BYOD policy, as well as in its specific FLSA policies. Regular employee training and signed acknowledgments are also key in mitigating the risk of off-the-clock work.
The Bottom Line
Employers will not likely be able to completely ignore employee demand for BYOD programs. Accordingly, employers should confront the BYOD movement head-on by crafting and implementing a clearly defined BYOD policy that considers, balances and manages all of the competing interests and issues.
Allegra J. Lawrence-Hardy is a partner at the law firm Sutherland Asbill & Brennan, where she co-heads both the business and commercial litigation team and the labor and employment team. Lisa M. Haldar is a staff attorney at the firm. She advises her clients on labor and employment matters, primarily concentrating on wage and hour matters arising under the Fair Labor Standards Act.