Corporate Counsel
ALM Properties, Inc.


Legal Challenges Arise to 'Bring Your Own Device' Policies

New York Law Journal

07-16-2012


The rapid adoption of mobile devices by employees -- iPhones, iPads, Android smartphones, and other devices -- creates new challenges for employers. Many companies have adopted formal policies that permit employees to use their personal mobile devices to create, store, and transmit work-related data. These new policies may turn an employee's personal device into a "dual use" device used for both personal and company data and activities. This trend is generally referred to as "Bring Your Own Device," or BYOD.

While these policies may reduce expenses, aid in recruiting new employees, and allow employers to more quickly take advantage of new technologies, having corporate data transferred and stored on employee-owned personal devices creates significant legal challenges.

For example, maintaining and storing data is a highly regulated area. Many states have enacted laws that impose information security obligations on businesses that collect or store Social Security numbers, drivers' license numbers, credit and debit card numbers, and financial account numbers. Other states impose a general statutory duty on businesses to safeguard personal information.[FOOTNOTE 1]

Security breach notification laws may have application to employee devices. If an employee's dual use device is lost, stolen, hacked, or otherwise subject to unauthorized access, the employer will, at a minimum, be required to evaluate whether notification is necessary unless all personal information stored on the compromised dual use device is encrypted.

Some regulations expressly require encryption of portable storage media containing personal information.[FOOTNOTE 2] The HIPAA Security Rule, moreover, requires that covered entities at least consider whether encryption of electronic protected health information is feasible and, if not, document the basis for that conclusion.[FOOTNOTE 3]

Many states require the secure destruction of certain types of sensitive information, and regulations promulgated under the Fair Credit Reporting Act require the secure destruction of consumer report information.[FOOTNOTE 4]

Most confidentiality or non-disclosure agreements and court protective orders obligate parties to securely destroy confidential information obtained from the counterparty. If the records are stored on employee devices or with cloud providers beyond the company's control, compliance with these obligations can be challenging.

LITIGATION HOLDS AND INVESTIGATIONS

A BYOD environment implicates a host of e-discovery challenges. A threshold e-discovery obligation, once the duty to preserve is triggered, is to identify and preserve relevant sources of data.[FOOTNOTE 5] Under a BYOD model, the employer may have little information about where all of its data is stored. The employer may be left with very little, if any, ability to preserve information from these sources, and may be completely at the mercy of its employees for this information.

An employer's IT department may not have the expertise to defensibly collect data from the variety of devices used by its employees for purposes of litigation. A corporation may have the internal qualifications and resources to forensically copy hard drives formatted with a Microsoft Windows operating system, but may have difficulty making copies of an iPhone or iPad.[FOOTNOTE 6] The ability and method for collecting data from dual use devices may vary greatly depending upon the operating system (e.g., Apple iOS, Windows Mobile, Android, or Palm).

Fed. R. Civ. P. 34 requires a party to produce responsive documents and electronically stored information in its possession, custody or control. The rule applies equally to preservation.[FOOTNOTE 7] Under Rule 34, the term "control" does not require that a party have legal ownership or actual physical possession of the information at issue.[FOOTNOTE 8] In Hagerman v. Accenture,[FOOTNOTE 9] the U.S. District Court in Minnesota held data that employees stored on a remote server was under the employer's control if the employees were able to access the information during the normal course of their duties.

In Hatfill v. New York Times,[FOOTNOTE 10] plaintiff filed a motion to compel interview notes stored on a non-party reporter's personal flash drive. The U.S. District Court in the Eastern District of Virginia held that the Times formally ceded to its reporter employees any right to possess or control dissemination of notes and unpublished materials. The policy was reflected in a bargaining agreement, and was found to not have been created for the purpose of avoiding discovery requests. Accordingly, the Times did not have the legal right, over the reporter's objection, to obtain the flash drive.

When the employer is put on notice of its preservation obligation, notice may be imputed to its employees.[FOOTNOTE 11] Under general agency law, an employer may be deemed responsible for the spoliation of relevant evidence done by its employees.[FOOTNOTE 12] In contrast, in Nucor Corp. v. Bell,[FOOTNOTE 13] the U.S. District Court in South Carolina found that an employee destroyed confidential information on a thumb drive in order to protect his own interests (as opposed to those of his employer). The employee did not consult with his employer prior to his deletion, indicating that he was acting for his own benefit, and not within the scope of his employment.

TRADE SECRET INFORMATION

Prior to BYOD programs, many employers would have disciplined or terminated an employee who brought their own storage devices into the workplace, or who copied company data onto their personal devices. Now, however, these actions may be the intended result of a company BYOD program.

Companies adopting BYOD policies should update confidentiality agreements, take practical steps to safeguard confidential information and trade secrets, and, when employees depart, preserve company information if necessary and then delete it from the departing employees' devices.

BYOD policies may make it more challenging for an employer to prove misappropriation, because the employee was permitted to store the company's trade secrets on the employee's dual use device.[FOOTNOTE 14]

Companies also need to focus on the risks of employees who join their organization and bring with them confidential or trade secret data from their prior employment. This problem is especially acute in the case of contingent workers. The new employer needs to ensure that the contingent worker's former employer's confidential or trade secret information does not find its way into the new company's systems through the worker's dual use device or other storage media.

New attention also needs to be paid to contracts with agencies providing contingent workers. Many of these contracts are form agreements that may ignore these issues.

RISK OF WAGE AND HOUR CLAIMS

Allowing non-exempt employees to use their own mobile devices to conduct work-related business involves the risk that those employees will raise wage and hour claims for "off-the-clock" work. Even if a non-exempt employee uses his or her personal device voluntarily and without directive from the employer, the employee may need to be compensated for the time spent making work-related calls or reading and writing emails.

Employers should have a policy in place requiring employees to record all time worked, including time worked out of the office and outside regular office hours.[FOOTNOTE 15] This policy can be expanded and clarified to expressly require employees to record time spent responding to emails and answering phone calls while out of the office.

An employer may also institute a policy requiring prior written authorization to work remotely via mobile device. The policy could also address the timing for responding to after-hours emails and instruct employees that, unless they are directed to provide an immediate response, all emails should be responded to only during work hours.

Managers should be trained to comply with the policy and recognize when they are putting non-exempt employees in jeopardy of working outside of working hours (e.g., sending an email to a non-exempt employee after hours).

Leave-of-absence policies should remind employees that they are not to be performing work during a leave of absence, and emphasize that this prohibition includes avoiding and not responding to all calls and emails received during this period, including any on their personal device. The most complete solution is to deactivate the employee's connection to the company's data and systems or reconfigure the system so calls and emails are redirected to another employee.

CONCLUSION

BYOD policies may be on their way to becoming the new normal, but they carry with them significant risks. To take advantage of the promise offered by these policies while avoiding potential liability on many fronts, companies need to educate themselves and their employees, and establish appropriate policies and practices governing the use of dual use devices and the respective rights and responsibilities of employers and employees concerning them.[FOOTNOTE 16]

FOOTNOTES

FN1 See, e.g., Cal. Civ. Code §§1798.80 et seq.

FN2 See, e.g., Mass. Regs. Code tit. 201, §17.04(5).

FN3 See 45 C.F.R. pt. 164.312(a)(2),(e)(2).

FN4 See 16 C.F.R. pt. 682.

FN5 Zubulake v. UBS Warburg, 229 F.R.D. 422, 439 (S.D.N.Y. 2004).

FN6 See, e.g., Triple-I v. Hudson Assoc. Consulting, 2009 U.S. Dist. LEXIS 37447, *10, n. 8 (D. Kan. May 1, 2009) (noting that both parties should confer to resolve production problems that could be as simple as a bad disk or the difference in the parties' respective computer formats (Mac vs. PC)).

FN7 See, e.g., Columbia Pictures Indus. v. Fung, 2007 U.S. Dist. LEXIS 97676, *3 (C.D. Cal. 2007) (holding defendants must preserve data within their possession, custody or control).

FN8 See, e.g., In re NTL Securities Litigation, 2007 U.S. Dist. LEXIS 6198 (S.D.N.Y. 2007).

FN9 2011 U.S. Dist. LEXIS 121511 (D. Minn. Oct. 19, 2011).

FN10 242 F.R.D. 353, 354-355 (E.D. Va. 2006).

FN11 Nat'l Ass'n of Radiation Survivors v. Turnage, 115 F.R.D. 543, 557 (N.D. Cal. 1987) (imputed knowledge prevents "an agency, corporate officer, or legal department [from shielding] itself from discovery obligations by keeping its employees ignorant"); cf. New Times v. Arpaio, 217 Ariz. 533, 541, 177 P.3d 275, 283 (App. 2008).

FN12 E.I. Du Pont de Nemours & Co. v. Kolon Indus., 803 F.Supp.2d 469, 499 (E.D. Va. 2011); Victor Stanley v. Creative Pipe, 269 F.R.D. 497, 516 n.23 (D. Md. 2010).

FN13 251 F.R.D. 191 (D.S.C. 2008).

FN14 Cf. USI Ins. Servs. v. Miner, 801 F.Supp.2d 175, 196, n. 21 (S.D.N.Y. 2011) (evidence of misappropriation where employee uses work email address to email file to personal email account).

FN15 Employers must keep accurate records of all time worked by non-exempt employees. See 29 C.F.R. §516.2.

FN16 For a more comprehensive review of the issues addressed in this article, see Littler Mendelson's Report on the "Bring Your Own Device" to Work Movement, http://www.littler.com/publication-press/publication/bring-your-own-device-work-movement.

This article originally appeared in the New York Law Journal.