We have all become attached to our cell phones, integrating them into our daily lives in ways our parents could not have fathomed. However, with the ability to do more at the touch of a button comes the expectation of immediate, constant communication. In order to meet this demand, lawyers and their employees are using mobile devices and other technology every day, all day, both in and out of the office – and the devices they uses are usually their personal ones. While allowing this use of personal devices for work purposes has distinct advantages – employees appreciate the convenience, efficiency, and flexibility brought about with personal device usage, and employers appreciate the ability to save on the expense of purchasing and updating devices – permitting the use of personal devices for work purposes raises a host of unique issues.
Bring Your Own Device (BYOD) policies, governing the use of personal devices for work purposes, offer advantages for both employees and employers. However, BYOD policies also present a plethora of unique challenges to an employer, including data security, privacy, and wage and hour issues. An effective BYOD policy addresses your employees’ desire for flexibility and balances them with the legal and cultural needs of your office. Below are the predominant risks of BYOD policies, along with a few suggested ways to address these issues through effective policy implementation.
DATA SECURITY
Confidential and proprietary information is secured on company devices for a reason. If employees are allowed to access and hold corporate data on their personal devices, the data can be (intentionally or unintentionally) compromised if the employer does not have clear security measures and requirements in its BYOD policy. For example, software, intellectual property, confidential and/or proprietary information could be lost or stolen through employee negligence when the employee fails to take proper precautions, thus resulting in lost and/or stolen devices. In addition, losses can occur as the result of malware software, or if the employee becomes the victim of a phishing scam by clicking a malicious link. Other threats to data security include the use of unsecured or public Wi-Fi networks and an employee’s (or former employee’s) use of protected information for improper purposes.
Employers also have legal obligations related to their clients’ intellectual property, and personal medical and other confidential or propriety information an employee may be required to store on their own device. Ultimately, the liability for the protection of such client information falls on the company. According to Mary Akhimien in “An Employment Law Primer on BYOD Policies,” the best way to lessen the likelihood of data loss and security breaches is by educating employees on the importance of sustaining strong passwords, varying passwords, and encrypting data stored on the device. A BYOD policy should clearly state the company’s ownership rights to any data on the device pertaining to the company, and require employees to back up company data and notify the employer as soon as possible in the event their personal device is lost, stolen, or damaged.
PRIVACY
An employer must carefully balance its duty to safeguard its corporate data with employee privacy rights. Some companies have turned to Mobile Device Management (MDM) software, which can remotely manage the information stored on an employee’s device, and remotely destroy the data if necessary. Employee privacy is still an issue being explored in the courts; however, according to the National Conference of State Legislatures, 26 states plus District of Columbia and Guam have protections of social media in their state statute that applies to employers. Other privacy protections may also apply to an employee’s data on the device, such as healthcare information or privileged communications between his or her doctor, attorney or spouse. The best practice for mitigating these privacy concerns in a BYOD policy is to clearly state in your policy the employer’s and employee’s rights and responsibilities, including what information can be accessed by the company, and what will happen if the device is lost or compromised, or if the employee leaves the company. Employers should also educate employees on the privacy tradeoffs associated with BYOD policies and set up clear and reasonable expectations of privacy in their policy.
WAGE AND HOUR ISSUES
The Fair Labor Standards Act mandates that employers must pay non-exempt employees at least minimum wage for all hours the employee is “suffered or permitted” to work by the employer. If an employee decides to respond to their work emails from their mobile device at 11 p.m., this valid work for compensation and possible overtime. In Mohammadi v. Nwabuisi, the court found that if employers do not want non-exempt employees working from their phones at night, the duty falls on the employer “to exercise its control and see that the work is not performed if it does not want it to be performed…. The mere promulgation of a rule against such work is not enough.” Mohammadi v. Nwabuisi, SA:12- CV-00042-DAE, 2013 WL 1966746, at *5 (W.D. Tex. May 10, 2013), aff’d in part, rev’d in art and remanded, 605 Fed. App’x 329 (5th Cir. 2015) (quoting 29 C.F.R. § 785.13).
Thus when implementing a BYOD policy, employers should protect themselves from wage and hour issues by incorporating measures that: (a) require employees to keep record and report all time worked, (b) set clear guidelines for working outside regularly scheduled hours, and (c) guarantee minimum wage compliance by compensating employees for device fees or paying an hourly rate that keeps employees at or above minimum wage after device expenses and fees.
While the popularity of BYOD policies is growing, no standard policy works for every employer. Nevertheless, an effective BYOD policy should always include a record of consent on behalf of the employee, definition(s) of permissible use, other IT policies and training, exit procedures, reimbursement, and technical support. While many companies may feel as though they are not ready to allow employees to utilize their own tablets or computers for work purposes, employers should recognize many of their employees likely already use their own cell phones and tablets to check their work emails. How much work are they doing on there? Maybe it’s time to ask. Tiffanie Clausewitz