
FYI on BYOD

Published Tuesday Jun 25, 2013

Author JAMES P. REIDY AND JAMES P. HARRIS

With studies showing that 91 percent of Americans over age 18 own and regularly use cell phones and related devices, and 67 percent of U.S. workers use their cell phones at least once a day at work, employers are left wondering how to handle personal technology in the workplace. Human resources professionals would argue those numbers are much higher, presenting legal issues related to managing and monitoring employee uses of these devices for work.

Workplace policies are still playing catch-up with technology. Just when employers got a handle on email and personal computer use, instant messaging, texting, and social media came along. But while employers can easily monitor employer-owned telephone and computer systems, more employees are using their own devices to access their employer's systems, and the question is how to legally monitor and perhaps control these communications without running afoul of privacy protections.

That's why employers should adopt a Bring Your Own Device (BYOD) policy. BYOD policies manage employee expectations about privacy when using these devices for work and define when the employer can claw back or delete its confidential business information from the device. Below are key things to keep in mind for BYOD policies.

No Expectation of Privacy

Yes, you read that right. By now, most employers inform employees they should have no expectation of privacy in any data that is sent from, received by, or transmitted through any employer computer. That policy should be extended to the employee's personal device when it uses or accesses company resources, or contains company data. Employees should be reminded that emails sent from a smartphone via a company email address are routed through the company's servers and can be examined at any time. Employers should reserve the right to request an employee's device to inspect it. Employers with unionized employees may need to revisit the employee privacy issues in a collective bargaining agreement.

Security and Privacy

Companies should limit remote access via personal devices in order to secure trade secrets, confidential business information, and customers' private information. The BYOD policy should also address approved (and prohibited) data storage techniques, particularly third-party cloud storage apps. Employers should be familiar with the security protocols of these apps. If employers are not satisfied with their security protocols, those apps should be prohibited.

Safeguarding Devices

BYOD policies should require employees to protect their devices against damage and theft. Prompt notice will allow the company to take steps to lock or wipe clean the device remotely, if appropriate. Employees should be prohibited from sharing their device with family or friends. The policy should also require employees to coordinate with IT staff when a device is going to be replaced so data can be transferred and wiped clean. BYOD policies should mandate that all devices be password protected and that employees use distinct passwords.

Supported Apps and Devices

Define what apps and devices will be supported by the company. It may be useful to describe approved devices by operating system (Android or Apple iOS, for example) as models change frequently.

To ease the burden of supporting multiple device platforms, some employers opt for mandating particular apps for email, calendar, contact management and other business functions. The policy should identify any prohibited apps.

Keeping Devices up to Date

BYOD policies should require employees to download and install all updates and patches when they become available. This will keep the employees' devices current and address any security vulnerabilities. Doing so will also limit the number of platforms the company's IT department will need to support as technologies advance.

Management Applications

Employers should consider investing in mobile device management or mobile application enterprise software that allows them to monitor employee usage and adherence to company policy.

Commingled Data

The BYOD policy should instruct employees to segregate company data stored on a device from employee personal data. This will avoid disputes when it comes time to collect data from employee-owned devices.

Compliance

Employees should be required to comply with state and federal laws regarding use of smartphones and tablets, including any state traffic laws prohibiting their use while driving.

Reserve Termination Rights

Employees should be made aware that access to company data through a personal device is a privilege that can be taken away. The BYOD policy should state that compliance is a prerequisite for continued access.

Policy Limits

Because BYOD allows employees to work remotely any time of day, employers face increased liability with non-exempt employees who work after hours. Employers can be subject to wage and unfair labor claims if employees are not paid for work done outside the office. This might mean non-exempt employees can't use the BYOD program.

Cessation of Employment

A company's exit interview process must include procedures for ensuring that company data does not reside on an employee's smartphone after the employment relationship terminates.

Litigation Hold Procedures

Employers should revisit their litigation hold procedures (the procedures used to preserve relevant information in anticipation of litigation) to ensure they include the preservation and collection of data contained on employees' personal devices that might be relevant to a dispute.

Who Pays

The BYOD plan should specify the company's (and conversely, the employee's) financial responsibility for the purchase of any device and for voice and data access charges.

Sign the Deal

Employees should be required to sign an acknowledgement that they received and reviewed the BYOD policy. It should include the employees' certification that they understand and will abide by its terms. It should also include the employees' acknowledgement that they may be disciplined for failing to follow the policy terms. Employers should keep a copy of this form.

BYOD plans offer some promising benefits to employers, but they also create unique legal challenges that should be addressed in writing. No two employers' BYOD plans will be identical, so consult with a lawyer when crafting a BYOD plan for your workplace.

Jim Reidy and JP Harris are shareholders at Sheehan Phinney Bass + Green in Manchester. Reidy is chair of the firm's labor and employment group, and Harris practices in the areas of commercial and employment litigation. For more information, visit www.sheehan.com.
