5 Legal Issues Your Company’s BYOD Policy Must Address
Is your company participating in the BYOD revolution? Whether you realize it or not, the answer to that question is almost certainly “yes.”
BYOD, which stands for “Bring Your Own Device,” is now a fact of life for almost all businesses. Employees not only desire to use their own personal smartphones, tablets and laptops on the job, but are determined to do so.
A survey by Cisco reveals that more than 90 percent of employees already use their own smartphones for getting their work done. And that practice is becoming more deeply entrenched with every passing day, especially among younger workers. When security firm Fortinet polled employees aged 21-31, more than half of the 3,200 respondents said that even if their company banned use of personal devices on the job, they'd find a way to use them anyway.
BYOD Can Be Good For Both Workers and Businesses
Today’s employees love BYOD because it allows them to use devices on the job that they are already familiar with. In addition, because these mobile devices are with them wherever they are, workers also gain flexibility in when and where they can perform job related tasks. The result is higher morale and greater productivity among employees who participate in company BYOD programs.
BYOD also produces benefits for employers. Along with increases in worker productivity, companies can also profit from reduced equipment costs since they can often forego purchasing laptops, tablets, or other mobile devices for their employees to use.
Current State of BYOD
IT decision makers who believe BYOD is good for their organization
Employees who say they are more productive using their own devices
Employees who say their organization did not make them aware of security risks with BYOD
Businesses that currently have a BYOD policy in place
Statistics reported by Ontech Systems
Why Your Company Needs a Good BYOD Policy Statement
BYOD can be a good deal for both employees and employers. And it’s not something businesses can avoid, since workers will find ways to use their own devices on the job no matter what their employers say about it. But companies should be aware that whenever their employees use their own devices for work-related tasks, the organization faces potential legal responsibilities and liabilities it may not be prepared for.
Does your company already have a comprehensive BYOD policy statement?
All companies need to put well-thought-out BYOD policies in place to protect themselves from legal vulnerabilities. Here are some of the critical issues a company BYOD policy should address.
1. Fair Labor Standards Act (FLSA) Compliance
The Fair Labor Standards Act (FLSA) requires employers to pay non-exempt workers overtime for any time beyond 40 hours they spend on job-related tasks in a regular workweek. For example, if an employee decides to check emails at 11pm before going to bed, and their email inbox contains work-related items, that employee may be due overtime pay.
It doesn't matter that the company did not specifically ask employees to check emails on their own time, or that the worker chose that after-hours time purely for his or her own convenience. The law requires employers to keep accurate records of all non-exempt hours worked, whether on company premises or at home, and pay employees accordingly. Failure to do so can result in severe penalties. For example, according to Amanda Tomney, associate at the DLA Piper law firm, “in Mohammadi v. Nwabuisi, an employer was found liable for not compensating an employee for overtime work performed on an employee-owned device.”
Companies that allow non-exempt employees to use their own devices for work-related tasks should insure that off-hours time reporting policies and procedures are in place, and that workers are required to comply with them.
2. Liability For Employee Actions While Using Their Personal Devices
According to a 2011 study by the Centers for Disease Control, nearly 70 percent of adults in the U.S. report talking on their cell phones while driving. When workers use those same devices on the job, that practice is unlikely to change unless employers take effective steps to restrict such behavior.
In 2012 Coca-Cola was tagged with a $21 million judgment after one of its truck drivers hit a Texas woman while the driver was talking on her cell phone. Although Coca-Cola had a policy in place requiring use of a hands-free device while driving, the plaintiff's lawyers convinced the jury that the policy was “vague and ambiguous.” Tia Chisholm of HUB International Coastal Insurance sums up the lesson companies need to draw from Coca-Cola's experience:
“This case emphasizes just how serious the risk is – and that all employers can be vicariously implicated if they fail to manage and monitor how employees are using mobile devices while driving. Employers who want to minimize liability as much as possible must institute risk management programs to actively or passively enforce cell phone use policies.”
In order for a company to be potentially liable for misdeeds committed using a BYOD device, a plaintiff has only to show that the equipment itself was used at some point to perform work.— Visage CEO Bzur Haun
Other areas where employers may find themselves unexpectedly liable for what employees do with their personal devices include cyberbullying and sexual harassment. For example, if a worker posts inappropriate racial or sexual remarks to a social media site using a device they also use for work, the employer may find itself being held liable. Says Visage CEO Bzur Haun, “in order for a company to be potentially liable for misdeeds committed using a BYOD device, a plaintiff has only to show that the equipment itself was used at some point to perform work.”
3. Data Breach Notifications
If an employer allows employees to download personally identifiable information to their devices, the company becomes liable for how that information is handled. For example, companies involved in finance, insurance, or healthcare have a regulatory duty, under state and federal privacy laws such as HIPAA, to insure the security of that data. Yet studies show that most users don't employ even minimal security procedures with their mobile devices. A 2012 survey revealed that 62 percent of respondents didn't even use a password with their smartphones.
Another frequent point of employer vulnerability arises from the fact that personal mobile devices are frequently lost or stolen. If employees have downloaded sensitive information to a device that is no longer in their possession, the company may have a legal responsibility to publicly disclose a potential data breach. Having to do so could not only be expensive, but also quite embarrassing.
The best practice is to not allow employees to download company information into their devices at all. Instead, they can be given access to the information online through a browser or company-defined portal. If it's necessary that the information reside on the mobile device, it should be encrypted.
4. Legal Discovery
If your company or an employee engaged in BYOD should become involved in litigation, the information held on personal devices may be subject to discovery. If it's the employee who is involved in legal action, company data residing on their device may be vulnerable to being made public. If it's the company that becomes a participant in some court action, the personal data of employees may be inadvertently exposed, potentially violating that individual's privacy rights.
An area where an employer must be especially vigilant when litigation may reasonably be expected is in making sure employees don't remove any potentially discoverable information from their personal devices. In Small v. Univ. Med. Center of S. Nevada, an employer was sanctioned because they failed to issue litigation holds regarding the personal devices employees used in their work.
Again, the best policy is to not allow employees to download sensitive company information to their devices.
5. Privacy Issues
The privacy aspects of BYOD are a still-evolving subject area. For example, when a BYOD employee quits or is let go, to whom does the information on their personal devices belong? Who is responsible for complying with state or federal laws requiring that personal information held on a device no longer used for business purposes be destroyed or made indecipherable?
One approach that's gaining favor with many employers is the use of MDM (Mobile Device Management) software installed on the device. MDM allows the company to manage the information stored on a worker's phone, and remotely destroy it if necessary. However, in some instances employees' personal information, such as photos, text messages, and emails, have also been removed from the device. And since MDM allows the device to be remotely wiped clean without the intervention or even notification of the employee, the potential privacy minefield a company might find itself in is obvious.
If MDM is used with BYOD devices, the employer should insure that workers are informed up front of the possibility of their personal information being compromised, either inadvertently or deliberately, if the company exercises its right to remotely delete information from that individual's device.
Companies Need to Address BYOD Legal Issues Now!
BYOD is here to stay, and so are the legal issues it raises. Every company needs to put in place an official, comprehensive BYOD policy to insure that those potential vulnerabilities are addressed. And that policy should be fully communicated to employees in a way that makes it clear that adherence to the company’s BYOD standards is a job requirement.
If your business hasn’t yet done that, you need to act quickly. Otherwise, you may find that for your company, BYOD is a lawsuit waiting to happen.
Questions & Answers
© 2017 Ronald E Franklin