As a result of rapidly changing technology, many employees are shedding corporate-issued cell phones and computers in favor of using their own smartphones and tablets for both work and personal purposes.
This new phenomenon — commonly referred to as bring your own device (BYOD) — does have its benefits, yet it also creates a number of legal challenges. For employees, it may result in greater efficiency, fewer devices to manage and the ability to use the most up-to-date technology. For employers, it presents an opportunity to reap substantial benefits from lower costs in software, hardware and IT support. But for in-house counsel, it raises a host of legal and practical issues, and an ounce of prevention is certainly worth far more than a pound of cure.
Smartphones, tablets and other personal electronics often contain huge amounts of personal data. When those devices go from personal property to tools of the trade, employers and employees must understand where the privacy lines fall between personal and work-related information.
Employers must balance their needs to monitor employee usage, employees’ privacy concerns, and the risk of legal liability or economic loss. Prior to implementation of any BYOD policy, the legal department should educate employees that they may have a limited or even nonexistent expectation of privacy related to information sent to or stored on personal devices used for work.
An important BYOD privacy concern frequently arises during an investigation of a workplace matter that reveals the need to inspect the contents of a device an employee owns but uses, in part, for work. For example, a forensic examiner who evaluates a dual-purpose device’s storage medium may capture and view the owner’s personal and private information.
While companies may aspire only to evaluate work-related data, sometimes it’s not immediately apparent what information is business-related and what is personal. Employers may face severe litigation sanctions if a court finds that they or their employees negligently withheld, altered, corrupted or destroyed important evidence.
Practical problems abound. It can be difficult to recover a device and its data when the company loses custody and/or control of it, the device’s owner no longer works for the company, or the owner simply refuses to provide it for inspection. If a company permits employees to use personal devices for work, it usually will shoulder significant legal responsibility for the consequences of employee misuse.
Another area of enormous concern involves the consequences of electronic security breaches. Depending upon the sensitivity of information stored in or sent from personal devices, an employer may need to wipe data remotely from lost or stolen BYOD devices. Employers must notify employees about such contingencies in the event of security breaches and secure their consent. Such data deletion may include the possibility that employees will lose personal emails, pictures and other stored information. The wise in-house counsel usually will require employees to sign waivers consenting to hold the employer harmless from personal data losses under well-conceived BYOD policies.
The Federal Trade Commission requires companies to provide reasonable security for technology infrastructure. As the BYOD trend spreads, in-house counsel face challenges as their companies relinquish control of such devices but remain accountable for use and misuse.
With employee-owned devices, employers may lose the ability to routinely encrypt company data, install security-related software, or monitor for malware and hacking attacks. If an employee refuses to install security controls or to update security software and related protocols, the company may be vulnerable to loss or corruption of highly valuable and proprietary information.
The legal department should scrutinize company policies; what was appropriate before employees started using their own devices may not be sufficient now. For example, a company policy may state that all company-owned devices must meet a minimum standard of care for data integrity and protection. But if an employee’s personal device is the source of a leak, the company could be accused of negligence for failure to include employee-owned devices in the policy.
Because technology changes constantly, scrutiny of BYOD policies should be ongoing. In-house counsel should consider policies to address security and viruses, passwords, encryption, acceptable use, wireless access, remote working and privacy.
Now is the time to establish security and privacy policies governing employees’ use of their personal devices for work functions. Attorneys must counsel their clients about the importance of educating, informing and training employees about privacy, security and evidence-recovery implications associated with use of personal devices for work. All is not yet clear about the boundaries of a BYOD workplace, but those parameters likely will be hashed out at the courthouse.