Compliance Issues Inherent in Bring-Your-Own-Device Programs
The increased use of personal devices in the workplace has brought with it a host of legal issues. Devices containing corporate or personal data can be lost or stolen. Viruses can infect corporate systems. Employees can use their devices to violate policies or company contracts.
A formal bring-your-own-device (BYOD) program can establish ground rules and work to prevent these technological tragedies. While the law continues to develop in this relatively new area, this article will provide some basic considerations and management strategies.
The biggest risk to companies from BYOD is a potential security breach. When a device is lost or hacked, the breach may result in compromise not only of the company’s own information, but also that of third parties to whom the company owes a duty of confidentiality.
Many employers use mobile device management (MDM) tools to manage risk, including mandatory registration of devices, password protection, encryption software for data sent through the corporate network, and remote wiping in the event a device is lost. Depending on its sophistication, an IT department may also limit the number of supported devices, and employees should be made aware of such limits before purchasing any device.
An effective BYOD policy should contain clear instructions on what activities are permitted on devices that have access to corporate information systems. Tools such as Siri retain information in the cloud for up to two years even if employees are not intentionally backing up.
In addition, employees may be required to give their passwords to an Apple store technician or leave their devices overnight. Employers, therefore, may want to take precautions to prevent sensitive information—especially information protected by HIPAA, financial regulations, or other state or federal law—from being downloaded into a device in the first place, or at least ensure that it is walled off from other information.
Employers may also set rules restricting access to certain websites, backups to cloud-based services, letting friends use work devices, and connecting to work through unsecured wireless networks.
Consent is a key component to any BYOD program. Employees should understand that employers have the right to access, review, and delete data on their personal devices and that they have no expectation of privacy if they choose to use their devices for work purposes.
At the same time, there are limits to what employers can monitor. Federal and state laws prohibit unauthorized access to certain electronically stored information, including Social Security or driver’s license numbers, and other personally identifiable information.
Employers must also obtain consent before installing any software on an employee’s personal device. All notices and requests for consent should be clearly written and should cover all potential needs an employer might have to access data on the device.
Litigation and Discovery
Employers may need to gain access to personal devices to comply with court orders or discovery requests. Organizations cannot object to producing information stored on personal devices on the basis that it has become commingled with an employee’s personal information.
To the extent possible, employers should adopt procedures to separate work and personal data at the outset, ensuring that work data (and only work data) is periodically backed up.
Other Legal Compliance Issues
This article will not address each and every challenge that might arise from devices in the workplace. Nonetheless, beyond the right-of-access issues described above, any BYOD policy should include provisions to address the following issues:
Make sure employees are aware of the tax consequences of reimbursements for devices.
Consider who will be responsible for lost or stolen devices and who will be responsible for malware or virus attacks. Relatedly, consider what kind of IT support the company will provide to personal devices in the event of malfunction.
Make clear that harassment and discrimination policies apply equally to conduct over mobile devices.
Prohibit nonexempt employees from performing work “off the clock.” Any work conducted on a personal device counts as “hours worked” for purposes of the Fair Labor Standards Act.
Review the scope of software licenses before permitting employees to access the software from personal devices. Some licenses limit access to company-owned devices. By the same token, ensure that employees are not inappropriately using third-party software they download on their own for business use if only noncommercial use is permitted.
Prepare for an employee’s departure from the company. If an employee’s device contains sensitive information, obtain advance consent to wipe this information before discharge. Of course, if the employee’s device is subject to a legal hold as part of ongoing litigation, first preserve any necessary information.
BYOD programs create significant risks for companies and require investment in technology to mitigate those risks. Failure to create clear policies regarding use of personal devices, however, can lead to even bigger risks. Work with IT, HR, and your legal counsel to create a successful and efficient program.
Josh Schwartz is a partner in the employment law group with Barley Snyder and leads the law firm’s workers’ compensation practice. You can learn more about Josh’s practice and Barley Snyder at www.barley.com/joshua-schwartz.