5 Legal Issues Your Company’s BYOD Policy Must Address

Updated on June 9, 2020
RonElFran profile image

Ron is a retired engineer and manager for IBM and other high tech companies. He writes extensively and in depth about modern technology.


"Bring Your Own Device" Legal Issues

Is your company participating in the BYOD revolution? Whether you realize it or not, the answer to that question is almost certainly “yes.”

BYOD, which stands for “bring your own device,” is now a fact of life for almost all businesses. Employees not only desire to use their own personal smartphones, tablets, and laptops on the job, but are determined to do so.

A survey by Cisco reveals that more than 90 percent of employees already use their own smartphones for getting their work done. And that practice is becoming more deeply entrenched with every passing day, especially among younger workers. When security firm Fortinet polled employees aged 21-31, more than half of the 3,200 respondents said that even if their company banned use of personal devices on the job, they'd find a way to use them anyway.

BYOD Can Be Good for Both Workers and Businesses

Today’s employees love BYOD because it allows them to use devices on the job that they are already familiar with. In addition, because these mobile devices are with them wherever they are, workers also gain flexibility in when and where they can perform job related tasks. The result is higher morale and greater productivity among employees who participate in company BYOD programs.

BYOD also produces benefits for employers. Along with increases in worker productivity, companies can also profit from reduced equipment costs since they can often forego purchasing laptops, tablets, or other mobile devices for their employees to use.

Current State of BYOD

IT decision makers who believe BYOD is good for their organization
Employees who say they are more productive using their own devices
Employees who say their organization did not make them aware of security risks with BYOD
Businesses that currently have a BYOD policy in place

Statistics reported by Ontech Systems

Why Your Company Needs a Good BYOD Policy Statement

BYOD can be a good deal for both employees and employers. And it’s not something businesses can avoid, since workers will find ways to use their own devices on the job no matter what their employers say about it. But companies should be aware that whenever their employees use their own devices for work-related tasks, the organization faces potential legal responsibilities and liabilities it may not be prepared for.


5 Things to Consider for Your Company's BYOD Policy

All companies need to put well-thought-out BYOD policies in place to protect themselves from legal vulnerabilities. Here are some of the critical issues a company BYOD policy should address.

1. Fair Labor Standards Act (FLSA) Compliance

The Fair Labor Standards Act (FLSA) requires employers to pay non-exempt workers overtime for any time beyond 40 hours they spend on job-related tasks in a regular workweek. For example, if an employee decides to check emails at 11pm before going to bed, and their email inbox contains work-related items, that employee may be due overtime pay.

It doesn't matter that the company did not specifically ask employees to check emails on their own time, or that the worker chose that after-hours time purely for his or her own convenience. The law requires employers to keep accurate records of all non-exempt hours worked, whether on company premises or at home, and pay employees accordingly. Failure to do so can result in severe penalties. For example, according to Amanda Tomney, associate at the DLA Piper law firm, “in Mohammadi v. Nwabuisi, an employer was found liable for not compensating an employee for overtime work performed on an employee-owned device.”

Companies that allow non-exempt employees to use their own devices for work-related tasks should insure that off-hours time reporting policies and procedures are in place, and that workers are required to comply with them.

2. Liability for Employee Actions While Using Their Personal Devices

According to a 2011 study by the Centers for Disease Control, nearly 70 percent of adults in the U.S. report talking on their cell phones while driving. When workers use those same devices on the job, that practice is unlikely to change unless employers take effective steps to restrict such behavior.

In 2012 Coca-Cola was tagged with a $21 million judgment after one of its truck drivers hit a Texas woman while the driver was talking on her cell phone. Although Coca-Cola had a policy in place requiring use of a hands-free device while driving, the plaintiff's lawyers convinced the jury that the policy was “vague and ambiguous.” Tia Chisholm of HUB International Coastal Insurance sums up the lesson companies need to draw from Coca-Cola's experience:

“This case emphasizes just how serious the risk is – and that all employers can be vicariously implicated if they fail to manage and monitor how employees are using mobile devices while driving. Employers who want to minimize liability as much as possible must institute risk management programs to actively or passively enforce cell phone use policies.”

Your employees are used to talking on their phones while driving.
Your employees are used to talking on their phones while driving. | Source

Other areas where employers may find themselves unexpectedly liable for what employees do with their personal devices include cyberbullying and sexual harassment. For example, if a worker posts inappropriate racial or sexual remarks to a social media site using a device they also use for work, the employer may find itself being held liable. Says Visage CEO Bzur Haun, “in order for a company to be potentially liable for misdeeds committed using a BYOD device, a plaintiff has only to show that the equipment itself was used at some point to perform work.”

In order for a company to be potentially liable for misdeeds committed using a BYOD device, a plaintiff has only to show that the equipment itself was used at some point to perform work.

— Visage CEO Bzur Haun

3. Data Breach Notifications

If an employer allows employees to download personally identifiable information to their devices, the company becomes liable for how that information is handled. For example, companies involved in finance, insurance, or healthcare have a regulatory duty, under state and federal privacy laws such as HIPAA, to insure the security of that data. Yet studies show that most users don't employ even minimal security procedures with their mobile devices. A 2012 survey revealed that 62 percent of respondents didn't even use a password with their smartphones.

Another frequent point of employer vulnerability arises from the fact that personal mobile devices are frequently lost or stolen. If employees have downloaded sensitive information to a device that is no longer in their possession, the company may have a legal responsibility to publicly disclose a potential data breach. Having to do so could not only be expensive, but also quite embarrassing.

The best practice is to not allow employees to download company information into their devices at all. Instead, they can be given access to the information online through a browser or company-defined portal. If it's necessary that the information reside on the mobile device, it should be encrypted.

4. Legal Discovery

If your company or an employee engaged in BYOD should become involved in litigation, the information held on personal devices may be subject to discovery. If it's the employee who is involved in legal action, company data residing on their device may be vulnerable to being made public. If it's the company that becomes a participant in some court action, the personal data of employees may be inadvertently exposed, potentially violating that individual's privacy rights.

An area where an employer must be especially vigilant when litigation may reasonably be expected is in making sure employees don't remove any potentially discoverable information from their personal devices. In Small v. Univ. Med. Center of S. Nevada, an employer was sanctioned because they failed to issue litigation holds regarding the personal devices employees used in their work.

Again, the best policy is to not allow employees to download sensitive company information to their devices.

5. Privacy Issues

The privacy aspects of BYOD are a still-evolving subject area. For example, when a BYOD employee quits or is let go, to whom does the information on their personal devices belong? Who is responsible for complying with state or federal laws requiring that personal information held on a device no longer used for business purposes be destroyed or made indecipherable?

One approach that's gaining favor with many employers is the use of MDM (Mobile Device Management) software installed on the device. MDM allows the company to manage the information stored on a worker's phone, and remotely destroy it if necessary. However, in some instances employees' personal information, such as photos, text messages, and emails, have also been removed from the device. And since MDM allows the device to be remotely wiped clean without the intervention or even notification of the employee, the potential privacy minefield a company might find itself in is obvious.

If MDM is used with BYOD devices, the employer should insure that workers are informed up front of the possibility of their personal information being compromised, either inadvertently or deliberately, if the company exercises its right to remotely delete information from that individual's device.

Companies Need to Address BYOD Legal Issues Now!

BYOD is here to stay, and so are the legal issues it raises. Every company needs to put in place an official, comprehensive BYOD policy to insure that those potential vulnerabilities are addressed. And that policy should be fully communicated to employees in a way that makes it clear that adherence to the company’s BYOD standards is a job requirement.

If your business hasn’t yet done that, you need to act quickly. Otherwise, you may find that for your company, BYOD is a lawsuit waiting to happen.

Does your company already have a comprehensive BYOD policy statement?

See results

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2017 Ronald E Franklin


    0 of 8192 characters used
    Post Comment
    • profile image

      Scalefusion MDM 

      13 months ago

      Thanks for sharing these good insights, Ronald. Managing and securing BYOD devices in the enterprise network is essential and crucial. BYOD is a trending device policy gaining significant importance due to the huge benefits it provides but has challenges which are essential to mitigate. BYOD device management with an MDM allows easy device management, securing and complying to corporate guidelines legal policies.

    • profile image


      14 months ago

      anyone know if the company have right to force your sign the BYOD policy, although you are not using your own device at work ?

      any law in NY state protects this ?

      My company sent out new policy to all employee that we are mandatory to sign the BYOD policy , although some of us are not using any personal devices for work at all. by signing this, are we permitting the company to access and erase our person info from our phones when we leave the company? though we told them that we are not using our own devices for work at all ?

    • RonElFran profile imageAUTHOR

      Ronald E Franklin 

      3 years ago from Mechanicsburg, PA

      Thanks, Lanecia. Glad to hear your company has a good BYOD policy in place. As you know, that's often not the case. And I would guess that for most workers in the BYOD generation, using their own mobile devices on the job is so natural they don't even think about whether there's a policy about it or not.

    • lsmith131 profile image

      Lanecia Smith 

      3 years ago from United States

      Great article! Yes, BOYD policies are important for the safety and security of the company and it's employees. There are a lot of young employees that use technology in the workplace, including myself, it is the generation we are in. I work for a company that has a good standard policy in place, and it helps a lot with the legal issues you just mentioned. Thank for the information.

    • RonElFran profile imageAUTHOR

      Ronald E Franklin 

      3 years ago from Mechanicsburg, PA

      justthemessenger, I'm not sure anybody's thought a whole lot about how BYOD might apply to someone in your situation. I know there's pressure in some jurisdictions to have Uber and Lyft treat their drivers as employees. So, there's a lot still up in the air. Thanks for sharing.

    • RonElFran profile imageAUTHOR

      Ronald E Franklin 

      3 years ago from Mechanicsburg, PA

      MsDora, the whole BYOD area is still evolving. Now there are some companies that actually require employees to use their own devices. This is uncharted territory, and we'll see where it goes. Thanks for sharing.

    • justthemessenger profile image

      James C Moore 

      3 years ago from The Great Midwest

      Wow, this B.Y.O.D. policy opens up a Pandora's box of potential legal issues. I use my own device (smartphone) as a rideshare driver, which is currently my main source of income. I am an independent contractor as opposed to an employee, but I see how the issues mentioned could land the Ubers and Lyfts of the world in court. I also recall previous full time employment experiences whereby agreeing to the employer's computer/ telephone use statement with regard to use of their property was mandatory to work for them. Oh by the way, I didn't send this comment from my phone.

    • MsDora profile image

      Dora Weithers 

      3 years ago from The Caribbean

      Great that employees can be free to use their own device which is familiar to them; they might get more work done faster. However both employers and employees may take advantage of this BYOD situation to the detriment of each other, and of course, there will be higher risks of lawsuits. Just one more reason for on-the-job stress, also one more reason to practice caution. Thanks for bring this issue to our awareness.

    • RonElFran profile imageAUTHOR

      Ronald E Franklin 

      3 years ago from Mechanicsburg, PA

      Thanks, Heidi. The whole BYOx phenomenon will only grow. With wearables technology gaining momentum, pretty soon companies will have to deal with Bring Your Own Shirt!

    • heidithorne profile image

      Heidi Thorne 

      3 years ago from Chicago Area

      So important, Ron! The FLSA issues have often turned employees into 24/7 employees. Plus, the BYOS (Bring Your Own Social Media) issues have also created a legal minefield. Great review of this developing issue. Have a great week!

    • RonElFran profile imageAUTHOR

      Ronald E Franklin 

      3 years ago from Mechanicsburg, PA

      FitnezzJim, I've written a number of BYOD articles for various clients, and so have done a lot of research. I haven't run across any accounts of companies that fire workers for using their own devices on the job. I would suppose (I'm not a lawyer) that if a company had such a policy and rigorously enforced it, that would be an effective defense against liability claims.

    • FitnezzJim profile image


      3 years ago from Fredericksburg, Virginia

      I've heard some organizations fire people who use their own personal devices for work.

      Does that simple policy address all the organizations concerns?


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, toughnickel.com uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at: https://maven.io/company/pages/privacy

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the googleapis.com or gstatic.com domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
    ClickscoThis is a data management platform studying reader behavior (Privacy Policy)