A guest posting by
HKM Employment Attorneys LLP
The bring your own device (BYOD) business trend has become increasingly popular, with employers and employees at all levels using their personal devices (think laptops, tablets, or smartphones) for work or to access company resources via the cloud.
Millennials, mostly in white-collar positions, have primarily driven the BYOD trend because they have come to rely on personal technology for work and play.
Almost all professionals send and receive work emails on either a company-owned or personal mobile device away from the office or when working remotely. An increasing number are also accessing company data, documents, and other resources using personal mobile devices.
Why Embrace BYOD Policies?
BYOD can significantly increase efficiency because it allows businesses to provide flexibility and 24/7 access to company resources. It can also lower operating costs and improve effectiveness and employee morale. However, it raises security, compliance, and legal concerns. Fortunately, a well-crafted BYOD policy can address most of these concerns.
IT and legal experts advise companies against the outright prohibition of the use of employee-owned devices for work. Employees have been shown to circumvent IT restrictions and ignore such policies to access company resources when they want.
Therefore, adopting a BYOD policy may be the better option for businesses since it allows them to define the access parameters, ensure the security of their information and resources by using appropriate technical infrastructure, and comply with existing industry regulations and legal requirements. That is why businesses need to consult IT experts and legal counsel, such as employment lawyers.
Legal Issues to Consider for Your Company’s BYOD Policy
Your company’s BYOD policy should address the following critical issues:
1. FLSA Compliance
The Fair Labor Standards Act, or FLSA, requires employers to pay any non-exempt worker overtime for their time on job-related tasks beyond 40 hours per regular workweek. For example, if your employee decides to check their work emails at home before they go to sleep, you may owe them overtime pay whether or not you specifically asked them to do it.
The law requires you (the employer) to keep accurate records of the hours your non-exempt employees work and pay them accordingly. Therefore, you need to ensure that you have put in place off-hours time reporting policies and procedures and that your workers comply with them.
2. Data Breach Notifications
If you as the employer allow your employees to download personally identifiable information to personal devices, your business becomes liable for its handling or use. For instance, companies operating in insurance, finance, or healthcare industries have a regulatory duty under federal, state, or even industry privacy laws to ensure the security of that information.
Unfortunately, most people fail to employ even minimal security procedures when using personal devices. These devices also get lost and stolen, which is a potential data breach risk.
The best practice is to disallow employees from downloading company information using personal devices. You can also set up a company-defined portal or browser through which your employees access information, and ensure it’s encrypted.
3. Company Liability for Employee Actions while Using Personal Devices
As an employer, your employees’ actions can vicariously implicate you if you fail to monitor and manage how they use personal mobile devices – for example, checking work emails while driving. To minimize your liability, you need to institute risk management programs to passively and actively enforce proper mobile device use policies.
What’s more, there are several areas, other than driving while using personal devices for work purposes, where employers may find themselves liable for their employees’ actions. These include sexual harassment and cyberbullying.
4. Privacy Issues
Your BYOD policy must clearly define and implement a privacy-related policy for security and legal purposes. For example, you should determine:
- How to handle the information on a recently-fired or resigned employee’s device
- To whom the information contained in a personal device belongs
- Who is responsible for complying with federal and state laws on protecting personally identifiable information, and on how to destroy it or make it indecipherable
Today, a popular approach uses Mobile Device Management (MDM) software that allows the employer to manage or destroy work data stored on an employee’s personal device.
5. Legal Discovery
If your company or one of your employees is involved in litigation and you have a BYOD policy in place, the information contained on any personal devices could be subject to discovery. This means that, depending on the party to the litigation, either company data could be vulnerable or personal data could be inadvertently exposed.
However, one area where you should remain vigilant as an employer is ensuring that employees never remove any potentially discoverable data from their devices.
BYOD Policy Provisions to Consider
One of the significant issues that arise when adopting and enforcing a BYOD policy is protecting the employer’s assets. Security provisions are critical in any BYOD policy because they protect your company’s confidential information from data breaches, misuse, or exposure to the public. They include:
- Requiring the registration of all BYOD devices with the company and having them configured and loaded with security and monitoring software
- Requiring all BYOD devices to have password protection
- Requiring devices to contain software that allows the company to lock, locate, or wipe them remotely
- Prohibiting the download or upload of company data to and from personal devices
- Banning the use of public hotspots and networks
- Requiring employees to delete company information upon their employment termination
- Requiring employees to waive or disclaim any privacy expectations concerning BYOD devices
Other policy provisions to consider are the limits of using BYOD devices, balancing security with company culture, and enforcing a BYOD policy.
The Bottom Line
All companies should address BYOD legal issues immediately and in depth to protect themselves if any legal problem arises. They should address potential vulnerabilities comprehensively and communicate BYOD policies in detail to ensure adherence. It’s also wise to consult employment lawyers to cover all their bases.