In the BYOD movement, we’ve discussed the employer’s right to maintain its confidential business information and trade secrets from being exposed. This time we will discuss the employee’s right to privacy, in regards to this movement.
Employees’ Right to Privacy Does this right cease to exist?
The right to privacy that the employee has in the personal device may indeed cease to exist once the device is used for business purposes. The need to protect a company’s confidential information and trade secrets can often conflict with the need to respect an employee’s right to privacy. Indeed, violating employee privacy rights is another risk that employers face in properly implementing BYOD programs. A well thought-out policy, however, can help minimize the risk of potential criminal and civil liability under state and federal laws that protect employees’ privacy rights.
A BYOD policy should state that employees choosing to participate in the company BYOD program have no expectation of privacy with respect to any communications made with the device in connection with their employment. As far as the personal information on employees’ devices, the employer’s BYOD policy should set forth clear disclosures explaining that employees are forfeiting some of their privacy rights, should they choose to participate in the BYOD program. Employees must understand, and consent to, their responsibilities under the company’s policy and the specific privacy rights they are surrendering. Accordingly, the employer should also require all employees participating in its BYOD program to sign a written acknowledgment consenting to the policy.
What if the Company gets sued? Does Electronic Discovery include employee’s personal information?
The simple answer to this question is that it can include the employee’s personal information. Competing with the need to respect employee privacy rights is the employer’s duty to comply with litigation and discovery obligations. A transparent policy and employee consent are vital to protecting the employer. Thus, an employer’s BYOD policy should notify employees that they must treat any business-related documents and information stored on their personal devices in accordance with the company’s document retention policy. The BYOD policy should further notify employees that their personal data may be reviewed if the information becomes subject to discovery in litigation or in the course of an investigative proceeding, including internal investigations by the company.
Employers with BYOD programs must also ensure that any litigation identifies employees’ personal devices for preservation of data. Another electronic discovery risk associated with BYOD programs is increased litigation costs for employers. For instance, if a company has to respond to a discovery request for electronically stored information, BYOD programs could markedly increase the number of additional devices subject to review. Indeed, a single employee could easily use three different personal devices for work, such as a smartphone, an iPad, and a personal laptop.
One avenue of mitigating potential future litigation costs is the use of technology that creates two different workspaces within an employee’s personal device. Such technology can separate employees’ corporate and personal workspaces, preventing employees’ personal applications from accessing work information and preventing work information from being copied and pasted into personal applications or personal email messages. Use of this type of technology will not only enable a company to collect corporate data in a more efficient manner, should the need arise, but will also act as an additional safeguard against inadvertent disclosure of company information.
What about work done off the clock?
The risk of off-the-clock work also is noteworthy. BYOD programs essentially allow employees to work 24 hours a day. On one hand, around-the-clock work may present an attractive benefit for employers. On the other hand, this type of work can pose a significant risk of liability under the Fair Labor Standards Act (FLSA) and state wage and hour laws.
The easiest and safest way to avoid the risk of wage and hour litigation is to make a BYOD program available only to exempt employees not covered by the FLSA overtime provision. For some employers, however, that is not a practical business solution. Consequently, those employers must ensure that their BYOD policies clearly outline the obligations of nonexempt employees. For instance, a company could implement a policy that prohibits nonexempt employees from utilizing their personal devices for work purposes when they are off the clock. The policy should define what constitutes “working” on their personal devices, such as checking company emails or answering company calls. Employees should also be made aware that any violations of the policy will subject them to disciplinary measures. Employers may wish to consult their IT departments regarding the use of software programs that block after-hours use of company emails and calls.
Even where nonexempt employees are prohibited from working on their personal devices after hours, however, a company still must ensure that its employees are aware that nonexempt employees will be paid for all time worked, that nonexempt employees must report all time worked and that employees should feel safe to report any pressure or encouragement to work off the clock. These policy statements should be set forth in an employer’s BYOD policy, as well as in its specific FLSA policies. Regular employee training and signed acknowledgments are also key in mitigating the risk of off-the-clock work.
What’s the Bottom Line?
Employers will not likely be able to completely ignore employee demand for BYOD programs. Accordingly, employers should confront the BYOD movement head-on by drafting and implementing a clearly defined BYOD policy that not only considers, but balances and manages all of the competing interests and issues. If you need help, consult your attorney.