A non-exempt employee spends an hour responding to work emails on her day off. A sales associate leaves the company and takes with him the contact information of existing and potential customers. During a family dinner out, your six-year-old plays with your iPad and emails confidential company information to your personal contacts.
While any company can face the risks posed by these scenarios, they are especially prevalent for companies with BYOD (bring-your-own-device) programs. Companies with BYOD programs allow employees to use their own devices, such as mobile phones and tablets, for work rather than providing company-issued devices. The issue is that when personal and work devices are one and the same, the non-exempt employee is more likely to see work-related emails on her down time and respond; the sales associate is more likely to walk away from the job with proprietary information in hand (and there’s less the company can do to stop it); and a child is more likely to have access to — and inadvertently disclose — confidential information.
These and other risks for companies allowing or requiring BYOD are significant, and it’s important that companies take appropriate steps to protect both themselves and their employees in connection with BYOD programs. The first of those steps is to honestly assess whether a BYOD program is in the company’s best interests.
BYOD programs have become popular due to employees’ near-universal preference to carry only one mobile device, and the sometimes unfounded belief among employers that BYOD programs offer cost savings.
Even so, companies — guided by their legal departments — should balance the benefits of a BYOD program against the risks it raises. This is an individualized analysis, as the risks presented by BYOD will be much different for a physician’s practice group, for instance, than an auto parts distributor. There are four primary threats, however, common to virtually all employers:
BYOD blurs the line between work and personal lives. In particular, BYOD raises the risk that non-exempt (overtime-eligible) employees will work off the clock. When an employee uses one device for work and personal purposes, she’ll likely have it with her, and respond to work emails during off-hours (and her supervisor will likely expect her to); employers must track and compensate these hours or risk violating federal and state law. On the flip side, if employees receive both work and personal emails on the same device, they’re more likely to spend work time handling personal matters.
The company’s right to access the device is likely limited. Paying for service (often the case with BYOD programs) or giving employees access to company systems on personal devices doesn’t give the employer carte blanche to access those devices or the information on them. Even if the company’s reason to access a personal device is legitimate, it must have the employee’s authorization (in advance or on the spot) to do so, or it risks liability under various laws, including the federal Computer Fraud and Abuse Act and Stored Communications Act.
It’s more difficult to maintain confidentiality of information on personal devices. When an employee uses a personal device — rather than a company-owned one — there are more opportunities for people unaffiliated with the company to access it. Whether it’s the child using an iPad, an app that sends information to a third party, or an employee who takes her phone to Apple’s Genius Bar, people who shouldn’t have access to your information are getting access to it.
BYOD raises the question of who owns certain information on the device when the employee departs. Separating personal from business information on a device when an employee leaves can get messy. Assuming the company regularly backs up the device, a complete wipe of the phone may be in its best interests; doing so, however, requires the employee’s cooperation, which will be unlikely if the employee feels that her property or privacy is being violated. Similarly, even when a policy stipulates that the company can keep the phone number of a device, that mandate may be difficult to enforce if the employee refuses to cooperate.
Even if an employer determines that the benefits of BYOD outweigh the costs, the process isn’t over. Employers need to establish clear policies surrounding BYOD and train employees on them. The BYOD policy should be a separate document that employees must sign to participate in the program.
There are several key provisions to include:
- Make it clear that while the employee owns the device, company information on the device remains company property, and the company reserves the right to access and wipe that information.
- Include a provision authorizing third parties — such as service providers — to respond to requests from the company for information regarding the device, including usage history and any information stored on or relating to the device (such as text messages).
- Remind employees that all company policies — including confidentiality, harassment and discrimination — apply while they’re using the device.
- Clearly outline security measures — passwords, firewalls, lost-device reporting requirements, and limitations on use — that must be implemented on the device.
- Explain what employees should do if they need technical support, including who is authorized to provide assistance.
- Clarify whether and how costs relating to the device (the device itself, service, apps, etc.) will be reimbursed, and any limitations on off-the-clock work. Note that some states require reimbursement.
- Define what happens to the device and its contents when employment ends, including who keeps the number, the company’s right to wipe the phone (and procedures for doing so), how incoming calls will be handled, and any other requirements to ensure that confidential information stays confidential and that those trying to contact the company actually reach the company.
BYOD programs create a number of risks, but the reality is that they’re here to stay. What’s important is that companies mitigate these risks with a focused, deliberate BYOD policy that sets the framework for the partnership between the company and the employee that BYOD requires.