BusinessFinding a JobFrugal LivingIndustriesInsurancePersonal FinanceReal EstateScams & FraudSelf-EmploymentStarting a Business

5 Legal Issues Your Company’s BYOD Policy Must Address

Updated on March 20, 2017
RonElFran profile image

Ron is a retired engineer and manager for IBM and other high tech companies. He writes extensively and in depth about modern technology.

Source

Is your company participating in the BYOD revolution? Whether you realize it or not, the answer to that question is almost certainly “yes.”

BYOD, which stands for “Bring Your Own Device,” is now a fact of life for almost all businesses. Employees not only desire to use their own personal smartphones, tablets and laptops on the job, but are determined to do so.

A survey by Cisco reveals that more than 90 percent of employees already use their own smartphones for getting their work done. And that practice is becoming more deeply entrenched with every passing day, especially among younger workers. When security firm Fortinet polled employees aged 21-31, more than half of the 3,200 respondents said that even if their company banned use of personal devices on the job, they'd find a way to use them anyway.

BYOD Can Be Good For Both Workers and Businesses

Today’s employees love BYOD because it allows them to use devices on the job that they are already familiar with. In addition, because these mobile devices are with them wherever they are, workers also gain flexibility in when and where they can perform job related tasks. The result is higher morale and greater productivity among employees who participate in company BYOD programs.

BYOD also produces benefits for employers. Along with increases in worker productivity, companies can also profit from reduced equipment costs since they can often forego purchasing laptops, tablets, or other mobile devices for their employees to use.

Current State of BYOD

Issue
Percentage
IT decision makers who believe BYOD is good for their organization
69%
Employees who say they are more productive using their own devices
49%
Employees who say their organization did not make them aware of security risks with BYOD
77%
Businesses that currently have a BYOD policy in place
64%

Statistics reported by Ontech Systems

Why Your Company Needs a Good BYOD Policy Statement

BYOD can be a good deal for both employees and employers. And it’s not something businesses can avoid, since workers will find ways to use their own devices on the job no matter what their employers say about it. But companies should be aware that whenever their employees use their own devices for work-related tasks, the organization faces potential legal responsibilities and liabilities it may not be prepared for.

Does your company already have a comprehensive BYOD policy statement?

See results

All companies need to put well-thought-out BYOD policies in place to protect themselves from legal vulnerabilities. Here are some of the critical issues a company BYOD policy should address.

1. Fair Labor Standards Act (FLSA) Compliance

The Fair Labor Standards Act (FLSA) requires employers to pay non-exempt workers overtime for any time beyond 40 hours they spend on job-related tasks in a regular workweek. For example, if an employee decides to check emails at 11pm before going to bed, and their email inbox contains work-related items, that employee may be due overtime pay.

It doesn't matter that the company did not specifically ask employees to check emails on their own time, or that the worker chose that after-hours time purely for his or her own convenience. The law requires employers to keep accurate records of all non-exempt hours worked, whether on company premises or at home, and pay employees accordingly. Failure to do so can result in severe penalties. For example, according to Amanda Tomney, associate at the DLA Piper law firm, “in Mohammadi v. Nwabuisi, an employer was found liable for not compensating an employee for overtime work performed on an employee-owned device.”

Companies that allow non-exempt employees to use their own devices for work-related tasks should insure that off-hours time reporting policies and procedures are in place, and that workers are required to comply with them.

Source

2. Liability For Employee Actions While Using Their Personal Devices

According to a 2011 study by the Centers for Disease Control, nearly 70 percent of adults in the U.S. report talking on their cell phones while driving. When workers use those same devices on the job, that practice is unlikely to change unless employers take effective steps to restrict such behavior.

In 2012 Coca-Cola was tagged with a $21 million judgment after one of its truck drivers hit a Texas woman while the driver was talking on her cell phone. Although Coca-Cola had a policy in place requiring use of a hands-free device while driving, the plaintiff's lawyers convinced the jury that the policy was “vague and ambiguous.” Tia Chisholm of HUB International Coastal Insurance sums up the lesson companies need to draw from Coca-Cola's experience:

“This case emphasizes just how serious the risk is – and that all employers can be vicariously implicated if they fail to manage and monitor how employees are using mobile devices while driving. Employers who want to minimize liability as much as possible must institute risk management programs to actively or passively enforce cell phone use policies.”

Your employees are used to talking on their phones while driving.
Your employees are used to talking on their phones while driving. | Source

In order for a company to be potentially liable for misdeeds committed using a BYOD device, a plaintiff has only to show that the equipment itself was used at some point to perform work.

— Visage CEO Bzur Haun

Other areas where employers may find themselves unexpectedly liable for what employees do with their personal devices include cyberbullying and sexual harassment. For example, if a worker posts inappropriate racial or sexual remarks to a social media site using a device they also use for work, the employer may find itself being held liable. Says Visage CEO Bzur Haun, “in order for a company to be potentially liable for misdeeds committed using a BYOD device, a plaintiff has only to show that the equipment itself was used at some point to perform work.”

3. Data Breach Notifications

If an employer allows employees to download personally identifiable information to their devices, the company becomes liable for how that information is handled. For example, companies involved in finance, insurance, or healthcare have a regulatory duty, under state and federal privacy laws such as HIPAA, to insure the security of that data. Yet studies show that most users don't employ even minimal security procedures with their mobile devices. A 2012 survey revealed that 62 percent of respondents didn't even use a password with their smartphones.

Another frequent point of employer vulnerability arises from the fact that personal mobile devices are frequently lost or stolen. If employees have downloaded sensitive information to a device that is no longer in their possession, the company may have a legal responsibility to publicly disclose a potential data breach. Having to do so could not only be expensive, but also quite embarrassing.

The best practice is to not allow employees to download company information into their devices at all. Instead, they can be given access to the information online through a browser or company-defined portal. If it's necessary that the information reside on the mobile device, it should be encrypted.

4. Legal Discovery

If your company or an employee engaged in BYOD should become involved in litigation, the information held on personal devices may be subject to discovery. If it's the employee who is involved in legal action, company data residing on their device may be vulnerable to being made public. If it's the company that becomes a participant in some court action, the personal data of employees may be inadvertently exposed, potentially violating that individual's privacy rights.

An area where an employer must be especially vigilant when litigation may reasonably be expected is in making sure employees don't remove any potentially discoverable information from their personal devices. In Small v. Univ. Med. Center of S. Nevada, an employer was sanctioned because they failed to issue litigation holds regarding the personal devices employees used in their work.

Again, the best policy is to not allow employees to download sensitive company information to their devices.

5. Privacy Issues

The privacy aspects of BYOD are a still-evolving subject area. For example, when a BYOD employee quits or is let go, to whom does the information on their personal devices belong? Who is responsible for complying with state or federal laws requiring that personal information held on a device no longer used for business purposes be destroyed or made indecipherable?

One approach that's gaining favor with many employers is the use of MDM (Mobile Device Management) software installed on the device. MDM allows the company to manage the information stored on a worker's phone, and remotely destroy it if necessary. However, in some instances employees' personal information, such as photos, text message, and emails, have also been removed from the device. And since MDM allows the device to be remotely wiped clean without the intervention or even notification of the employee, the potential privacy minefield a company might find itself in is obvious.

If MDM is used with BYOD devices, the employer should insure that workers are informed up front of the possibility of their personal information being compromised, either inadvertently or deliberately, if the company exercises its right to remotely delete information from that individual's device.

Companies Need to Address BYOD Legal Issues Now!

BYOD is here to stay, and so are the legal issues it raises. Every company needs to put in place an official, comprehensive BYOD policy to insure that those potential vulnerabilities are addressed. And that policy should be fully communicated to employees in a way that makes it clear that adherence to the company’s BYOD standards is a job requirement.

If your business hasn’t yet done that, you need to act quickly. Otherwise, you may find that for your company, BYOD is a lawsuit waiting to happen.

© 2017 Ronald E. Franklin

Comments

    0 of 8192 characters used
    Post Comment

    • FitnezzJim profile image

      FitnezzJim 5 days ago from Fredericksburg, Virginia

      I've heard some organizations fire people who use their own personal devices for work.

      Does that simple policy address all the organizations concerns?

    • RonElFran profile image
      Author

      Ronald E. Franklin 5 days ago from Mechanicsburg, PA

      FitnezzJim, I've written a number of BYOD articles for various clients, and so have done a lot of research. I haven't run across any accounts of companies that fire workers for using their own devices on the job. I would suppose (I'm not a lawyer) that if a company had such a policy and rigorously enforced it, that would be an effective defense against liability claims.

    • heidithorne profile image

      Heidi Thorne 4 days ago from Chicago Area

      So important, Ron! The FLSA issues have often turned employees into 24/7 employees. Plus, the BYOS (Bring Your Own Social Media) issues have also created a legal minefield. Great review of this developing issue. Have a great week!

    • RonElFran profile image
      Author

      Ronald E. Franklin 4 days ago from Mechanicsburg, PA

      Thanks, Heidi. The whole BYOx phenomenon will only grow. With wearables technology gaining momentum, pretty soon companies will have to deal with Bring Your Own Shirt!

    • MsDora profile image

      Dora Isaac Weithers 4 days ago from The Caribbean

      Great that employees can be free to use their own device which is familiar to them; they might get more work done faster. However both employers and employees may take advantage of this BYOD situation to the detriment of each other, and of course, there will be higher risks of lawsuits. Just one more reason for on-the-job stress, also one more reason to practice caution. Thanks for bring this issue to our awareness.

    • justthemessenger profile image

      James C Moore 3 days ago from The Great Midwest

      Wow, this B.Y.O.D. policy opens up a Pandora's box of potential legal issues. I use my own device (smartphone) as a rideshare driver, which is currently my main source of income. I am an independent contractor as opposed to an employee, but I see how the issues mentioned could land the Ubers and Lyfts of the world in court. I also recall previous full time employment experiences whereby agreeing to the employer's computer/ telephone use statement with regard to use of their property was mandatory to work for them. Oh by the way, I didn't send this comment from my phone.

    • RonElFran profile image
      Author

      Ronald E. Franklin 3 days ago from Mechanicsburg, PA

      MsDora, the whole BYOD area is still evolving. Now there are some companies that actually require employees to use their own devices. This is uncharted territory, and we'll see where it goes. Thanks for sharing.

    • RonElFran profile image
      Author

      Ronald E. Franklin 3 days ago from Mechanicsburg, PA

      justthemessenger, I'm not sure anybody's thought a whole lot about how BYOD might apply to someone in your situation. I know there's pressure in some jurisdictions to have Uber and Lyft treat their drivers as employees. So, there's a lot still up in the air. Thanks for sharing.

    Click to Rate This Article