Ron is a retired engineer and manager for IBM and other high-tech companies. He writes extensively and in depth about modern technology.
"Bring Your Own Device" Legal Issues
Is your company participating in the BYOD revolution? Whether you realize it or not, the answer to that question is almost certainly “yes.”
BYOD, which stands for “bring your own device,” is now a fact of life for almost all businesses. Employees not only desire to use their own personal smartphones, tablets, and laptops on the job but are determined to do so.
A survey by Cisco reveals that more than 90 percent of employees already use their own smartphones to get their work done. And that practice is becoming more deeply entrenched with every passing day, especially among younger workers. When security firm Fortinet polled employees aged 21 to 31, more than half of the 3,200 respondents said that even if their company banned the use of personal devices on the job, they'd find a way to use them anyway.
BYOD Can Be Good for Both Workers and Businesses
Today’s employees love BYOD because it allows them to use devices on the job that they are already familiar with. In addition, because these mobile devices are with them wherever they are, workers also gain flexibility in when and where they can perform job-related tasks. The result is higher morale and greater productivity among employees who participate in company BYOD programs.
BYOD also produces benefits for employers. Along with increases in worker productivity, companies can also profit from reduced equipment costs since they can often forego purchasing laptops, tablets, or other mobile devices for their employees to use.
Current State of BYOD
IT decision-makers who believe BYOD is good for their organization
Employees who say they are more productive using their own devices
Employees who say their organization did not make them aware of security risks with BYOD
Businesses that currently have a BYOD policy in place
Statistics reported by Ontech Systems
Why Your Company Needs a Good BYOD Policy Statement
BYOD can be a good deal for both employees and employers. And it’s not something businesses can avoid since workers will find ways to use their own devices on the job no matter what their employers say about it. But companies should be aware that whenever their employees use their own devices for work-related tasks, the organization faces potential legal responsibilities and liabilities it may not be prepared for.
5 Things to Consider for Your Company's BYOD Policy
All companies need to put well-thought-out BYOD policies in place to protect themselves from legal vulnerabilities. Here are some of the critical issues a company BYOD policy should address.
1. Fair Labor Standards Act (FLSA) Compliance
The Fair Labor Standards Act (FLSA) requires employers to pay non-exempt workers overtime for any time beyond 40 hours they spend on job-related tasks in a regular workweek. For example, if an employee decides to check emails at 11 pm before going to bed, and their email inbox contains work-related items, that employee may be due overtime pay.
It doesn't matter that the company did not specifically ask employees to check emails on their own time or that the worker chose that after-hours time purely for his or her own convenience. The law requires employers to keep accurate records of all non-exempt hours worked, whether on company premises or at home, and to pay employees accordingly. Failure to do so can result in severe penalties. For example, according to Amanda Tomney, an associate at the DLA Piper law firm, “in Mohammadi v. Nwabuisi, an employer was found liable for not compensating an employee for overtime work performed on an employee-owned device.”
Companies that allow non-exempt employees to use their own devices for work-related tasks should ensure that off-hours time reporting policies and procedures are in place and that workers are required to comply with them.
2. Liability for Employee Actions While Using Their Personal Devices
According to a 2011 study by the Centers for Disease Control, nearly 70 percent of adults in the U.S. report talking on their cell phones while driving. When workers use those same devices on the job, that practice is unlikely to change unless employers take effective steps to restrict such behavior.
In 2012 Coca-Cola was tagged with a $21 million judgment after one of its truck drivers hit a Texas woman while the driver was talking on her cell phone. Although Coca-Cola had a policy in place requiring the use of a hands-free device while driving, the plaintiff's lawyers convinced the jury that the policy was “vague and ambiguous.” Tia Chisholm of HUB International Coastal Insurance sums up the lesson companies need to draw from Coca-Cola's experience:
“This case emphasizes just how serious the risk is—and that all employers can be vicariously implicated if they fail to manage and monitor how employees are using mobile devices while driving. Employers who want to minimize liability as much as possible must institute risk management programs to actively or passively enforce cell phone use policies.”
Other areas where employers may find themselves unexpectedly liable for what employees do with their personal devices include cyberbullying and sexual harassment. For example, if a worker posts inappropriate racial or sexual remarks to a social media site using a device they also use for work, the employer may find itself being held liable. Says Visage CEO Bzur Haun, “in order for a company to be potentially liable for misdeeds committed using a BYOD device, a plaintiff has only to show that the equipment itself was used at some point to perform work.”
3. Data Breach Notifications
If an employer allows employees to download personally identifiable information to their devices, the company becomes liable for how that information is handled. For example, companies involved in finance, insurance, or healthcare have a regulatory duty, under state and federal privacy laws such as HIPAA, to ensure the security of that data. Yet studies show that most users don't even employ minimal security procedures with their mobile devices. A 2012 survey revealed that 62 percent of respondents didn't even use a password with their smartphones.
Another frequent point of employer vulnerability arises from the fact that personal mobile devices are frequently lost or stolen. If employees have downloaded sensitive information to a device that is no longer in their possession, the company may have a legal responsibility to publicly disclose a potential data breach. Having to do so could not only be expensive, but also quite embarrassing.
The best practice is to not allow employees to download company information into their devices at all. Instead, they can be given access to the information online through a browser or company-defined portal. If it's necessary that the information resides on the mobile device, it should be encrypted.
4. Legal Discovery
If your company or an employee engaged in BYOD should become involved in litigation, the information held on personal devices may be subject to discovery. If it's the employee who is involved in legal action, company data residing on their device may be vulnerable to being made public. If it's the company that becomes a participant in some court action, the personal data of employees may be inadvertently exposed, potentially violating that individual's privacy rights.
An area where an employer must be especially vigilant when litigation may reasonably be expected is in making sure employees don't remove any potentially discoverable information from their personal devices. In Small v. Univ. Med. Center of S. Nevada, an employer was sanctioned because they failed to issue litigation holds regarding the personal devices employees used in their work.
Again, the best policy is to not allow employees to download sensitive company information to their devices.
5. Privacy Issues
The privacy aspects of BYOD are a still-evolving subject area. For example, when a BYOD employee quits or is let go, to whom does the information on their personal devices belong? Who is responsible for complying with state or federal laws requiring that personal information held on a device no longer used for business purposes be destroyed or made indecipherable?
One approach that's gaining favor with many employers is the use of MDM (Mobile Device Management) software installed on the device. MDM allows the company to manage the information stored on a worker's phone and remotely destroy it if necessary. However, in some instances, employees' personal information, such as photos, text messages, and emails, has also been removed from the device. And since MDM allows the device to be remotely wiped clean without the intervention or even notification of the employee, the potential privacy minefield a company might find itself in is obvious.
If MDM is used with BYOD devices, the employer should ensure that workers are informed upfront of the possibility of their personal information being compromised, either inadvertently or deliberately, if the company exercises its right to remotely delete information from that individual's device.
Companies Need to Address BYOD Legal Issues Now!
BYOD is here to stay, and so are the legal issues it raises. Every company needs to put in place an official, comprehensive BYOD policy to ensure that those potential vulnerabilities are addressed. And that policy should be fully communicated to employees in a way that makes it clear that adherence to the company’s BYOD standards is a job requirement.
If your business hasn’t yet done that, you need to act quickly. Otherwise, you may find that for your company, BYOD is a lawsuit waiting to happen.
© 2017 Ronald E Franklin
Scalefusion MDM on May 16, 2019:
Thanks for sharing these good insights, Ronald. Managing and securing BYOD devices in the enterprise network is essential and crucial. BYOD is a trending device policy gaining significant importance due to the huge benefits it provides, but it has challenges which are essential to mitigate. BYOD device management with an MDM allows easy device management, securing, and complying with corporate guidelines and legal policies.
getsuko on May 02, 2019:
Anyone know if the company has the right to force you to sign the BYOD policy, although you are not using your own device at work?
Any law in NY state that protects this?
My company sent out a new policy to all employees saying that it is mandatory for us to sign the BYOD policy, although some of us are not using any personal devices for work at all. By signing this, are we permitting the company to access and erase our personal info from our phones when we leave the company, though we told them that we are not using our own devices for work at all?
Ronald E Franklin (author) from Mechanicsburg, PA on May 22, 2017:
Thanks, Lanecia. Glad to hear your company has a good BYOD policy in place. As you know, that's often not the case. And I would guess that for most workers in the BYOD generation, using their own mobile devices on the job is so natural they don't even think about whether there's a policy about it or not.
LS from United States on May 22, 2017:
Great article! Yes, BYOD policies are important for the safety and security of the company and its employees. There are a lot of young employees that use technology in the workplace, including myself; it is the generation we are in. I work for a company that has a good standard policy in place, and it helps a lot with the legal issues you just mentioned. Thanks for the information.
Ronald E Franklin (author) from Mechanicsburg, PA on March 21, 2017:
justthemessenger, I'm not sure anybody's thought a whole lot about how BYOD might apply to someone in your situation. I know there's pressure in some jurisdictions to have Uber and Lyft treat their drivers as employees. So, there's a lot still up in the air. Thanks for sharing.
Ronald E Franklin (author) from Mechanicsburg, PA on March 21, 2017:
MsDora, the whole BYOD area is still evolving. Now there are some companies that actually require employees to use their own devices. This is uncharted territory, and we'll see where it goes. Thanks for sharing.
James C Moore from Joliet, IL on March 21, 2017:
Wow, this B.Y.O.D. policy opens up a Pandora's box of potential legal issues. I use my own device (smartphone) as a rideshare driver, which is currently my main source of income. I am an independent contractor as opposed to an employee, but I see how the issues mentioned could land the Ubers and Lyfts of the world in court. I also recall previous full time employment experiences whereby agreeing to the employer's computer/ telephone use statement with regard to use of their property was mandatory to work for them. Oh by the way, I didn't send this comment from my phone.
Dora Weithers from The Caribbean on March 20, 2017:
Great that employees can be free to use their own device which is familiar to them; they might get more work done faster. However, both employers and employees may take advantage of this BYOD situation to the detriment of each other, and of course, there will be higher risks of lawsuits. Just one more reason for on-the-job stress, also one more reason to practice caution. Thanks for bringing this issue to our awareness.
Ronald E Franklin (author) from Mechanicsburg, PA on March 20, 2017:
Thanks, Heidi. The whole BYOx phenomenon will only grow. With wearables technology gaining momentum, pretty soon companies will have to deal with Bring Your Own Shirt!
Heidi Thorne from Chicago Area on March 20, 2017:
So important, Ron! The FLSA issues have often turned employees into 24/7 employees. Plus, the BYOS (Bring Your Own Social Media) issues have also created a legal minefield. Great review of this developing issue. Have a great week!
Ronald E Franklin (author) from Mechanicsburg, PA on March 19, 2017:
FitnezzJim, I've written a number of BYOD articles for various clients, and so have done a lot of research. I haven't run across any accounts of companies that fire workers for using their own devices on the job. I would suppose (I'm not a lawyer) that if a company had such a policy and rigorously enforced it, that would be an effective defense against liability claims.
FitnezzJim from Fredericksburg, Virginia on March 19, 2017:
I've heard some organizations fire people who use their own personal devices for work.
Does that simple policy address all the organization's concerns?