Bring Your Own Devices (BYOD) Policies and Practical Considerations

As more and more employees are using their own mobile, electronic devices for work, employers must recognize and address the many issues that arise from this practice. Today employees typically own three separate electronic devices (smart phones, tablets and laptops), which all potentially can be used for work. In the very near future, e-mails and other work-related information may be viewed and exchanged through Google glasses, smartwatches, smart cars and even smart homes. One estimate indicates that by next year, there will be over fifteen billion electronic devices in existence.

What happens if one of these devices that contain an employer’s important business information is lost or stolen? What happens if an employee is terminated and refuses to remove company data from their device? Who owns the phone number or LinkedIn site that an employee has used to amass significant contacts with the employer’s customers and clients? Does checking e-mails at home constitute work for which an employee must be paid? Are employee-owned devices subject to discovery in the event that litigation occurs? All of these are important questions that an employer must address in a comprehensive BYOD policy.

WHY ARE COMPANIES ALLOWING EMPLOYEES TO BYOD?

The simple answer to this question is that employees are asking to BYOD. Employees enjoy the convenience of using their own personal devices, which eliminates the need for an employee to carry multiple devices. BYOD also improves employee efficiency. Employees are readily available, are always reachable, and can work anywhere at any time.

Some claim that a BYOD policy also reduces employer costs. Employees provide all of their own devices and all of the accessories that go with those devices, while the company provides only IT support. However, employers must monitor the cost associated with the BYOD policy. Who pays for the employee’s data plan? Is there an increase in IT and help desk support costs associated with employees bringing their personal devices to IT for repairs or updates?

EMPLOYEE CONCERNS

BYOD policies must address the two primary issues that concern employees. The first involves the loss of any expectation of privacy when an employee uses personal devices for work. These devices need to be accessed by employers, and such access can reveal personal, financial, or even health information about the employees.

Another area of employee concern is the potential for loss of information. Employers must have the ability to secure confidential and proprietary information that may be contained on employees’ personal devices. In this process, access and the ability to remotely delete such information may cause damage or the deletion of personal information belonging to the employee.

EMPLOYER CONCERNS

The employer’s concerns with regard to a BYOD policy are many and change as fast as new technology changes the way in which these devices work.

Employers must address the security risks associated with protecting trade secrets and confidential business data. Protections may include internal firewalls that prevent the combination of company data with personal employee information; password protections; and the ability to remotely lock or wipe this information from employee devices.

Employer policies on harassment and/or hostile work environment must also address the use of these personal devices.

Employers must take into account the possibility that the company data on employee personal devices will need to be preserved and accessed in the event of litigation. Electronic discovery is potentially an enormous cost, which only increases with the number of devices that contain this information.

Finally, the ability of a BYOD policy to allow an employee to work any time at any place must be specifically addressed for non-exempt employees. These employees get paid for all of the time that they work. BYOD policy must address the issue of potential “off the clock” claims and must clearly set forth the company’s policy that prohibits employees from using their devices to answer e-mails or to do other related work after their normal working hours.

POLICY CONSIDERATIONS

A well-crafted BYOD policy requires the coordination of a variety of company resources. Human Resources must ensure that the policies are coordinated with company handbooks, other personnel policies, and in the company’s termination process. The company’s finance group must monitor the policies to make sure that the cost of a BYOD policy is truly worth the benefit. The company’s legal advisors must ensure that the policy specifically addresses privacy, harassment, wage and hour, and other legal concerns. And finally, the company’s IT group must be actively involved in making sure that company proprietary information is always being protected.

While there is “no one policy fits all” template for an employer to use in adopting a BYOD policy, the following considerations should be addressed in every BYOD policy.

1. The IT department must be actively involved to insure company confidential information is secured. Appropriate software should be installed on all devices, and an employee should be trained on password protection and other security-related practices and obligations.
2. An employer’s anti-harassment and social media policies should be updated to reflect the terms of the BYOD policy, and all relevant policies need to be cross-referenced.
3. The employer’s right to access information on an employee’s personal device must be clearly set forth in the BYOD policy. In this regard, the company may wish to reserve the right to request copies of an employee’s cell phone bills and to monitor appropriate use of an employee’s device.
4. Non-exempt employees must be advised that they may not use their devices for work outside of their normal working hours. This policy also needs to be monitored on a regular basis to insure compliance.
5. There should be no employee expectation of privacy, and this must be clearly and unambiguously set forth in a policy. The employer should reserve to right to review and access information without any sort of notification to the employee and without any prior authorization.
6. The cost associated with the BYOD policy should be addressed. If the employee bears the burden of paying for their own devices this should be stated in the policy. If some sort of cost sharing is made available by the employer, it should be clearly set forth in the policy as well.
7. The employer’s practice with regard to devices that are lost, hacked or damaged must also be addressed. The ability of the employer to remotely lock or wipe a device must be clearly set forth. If employees are responsible for repair costs for damaged or lost devices, this also should be addressed.
8. The process of dealing with personal devices and the information contained on them at the termination of an employee must also be addressed and followed in an employer’s termination procedure.

The BYOD movement is not only here to stay but is increasing every day. Employers must stay ahead of the constantly changing issues associated with BYOD practices by adopting appropriate work policies, by monitoring these practices on a frequent basis, and by keeping apprised of the changes in technology as they occur, so that their policies and practices can be updated accordingly.

This information should not be construed as legal advice, and readers should not act upon it without professional counsel.  It was originally written by Patrick T. Collins of Norris McLaughlin & Marcus, P.A and is reused here with Mr. Collin’s permission.  If you have any questions regarding the information in this alert or any other labor & employment matters, please feel free to contact him.