Bring Your Own Device- Part II- Employee’s Rights

By Debby Winters

In the BYOD movement, we’ve discussed the employer’s right to maintain its confidential business information and trade secrets from being exposed. This time we will discuss the employee’s right to privacy, in regards to this movement.

Employees’ Right to Privacy Does this right cease to exist?

The right to privacy that the employee has in the personal device may indeed cease to exist once the device is used for business purposes. The need to protect a company’s confidential information and trade secrets can often conflict with the need to respect an employee’s right to privacy.  Indeed, violating employee privacy rights is another risk that employers face in properly implementing BYOD programs.  A well thought-out policy, however, can help minimize the risk of potential criminal and civil liability under state and federal laws that protect employees’ privacy rights.

A BYOD policy should state that employees choosing to participate in the company BYOD program have no expectation of privacy with respect to any communications made with the device in connection with their employment.  As far as the personal information on employees’ devices, the employer’s BYOD policy should set forth clear disclosures explaining that employees are forfeiting some of their privacy rights, should they choose to participate in the BYOD program.  Employees must understand, and consent to, their responsibilities under the company’s policy and the specific privacy rights they are surrendering.  Accordingly, the employer should also require all employees participating in its BYOD program to sign a written acknowledgment consenting to the policy.

What if the Company gets sued? Does Electronic Discovery include employee’s personal information?

The simple answer to this question is that it can include the employee’s personal information.  Competing with the need to respect employee privacy rights is the employer’s duty to comply with litigation and discovery obligations.  A transparent policy and employee consent are vital to protecting the employer.  Thus, an employer’s BYOD policy should notify employees that they must treat any business-related documents and information stored on their personal devices in accordance with the company’s document retention policy.  The BYOD policy should further notify employees that their personal data may be reviewed if the information becomes subject to discovery in litigation or in the course of an investigative proceeding, including internal investigations by the company.

Employers with BYOD programs must also ensure that any litigation identifies employees’ personal devices for preservation of data. Another electronic discovery risk associated with BYOD programs is increased litigation costs for employers. For instance, if a company has to respond to a discovery request for electronically stored information, BYOD programs could markedly increase the number of additional devices subject to review.  Indeed, a single employee could easily use three different personal devices for work, such as a smartphone, an iPad, and a personal laptop.

One avenue of mitigating potential future litigation costs is the use of technology that creates two different workspaces within an employee’s personal device. Such technology can separate employees’ corporate and personal workspaces, preventing employees’ personal applications from accessing work information and preventing work information from being copied and pasted into personal applications or personal email messages. Use of this type of technology will not only enable a company to collect corporate data in a more efficient manner, should the need arise, but will also act as an additional safeguard against inadvertent disclosure of company information.

What about work done off the clock?

The risk of off-the-clock work also is noteworthy. BYOD programs essentially allow employees to work 24 hours a day. On one hand, around-the-clock work may present an attractive benefit for employers. On the other hand, this type of work can pose a significant risk of liability under the Fair Labor Standards Act (FLSA) and state wage and hour laws.

The easiest and safest way to avoid the risk of wage and hour litigation is to make a BYOD program available only to exempt employees not covered by the FLSA overtime provision. For some employers, however, that is not a practical business solution. Consequently, those employers must ensure that their BYOD policies clearly outline the obligations of nonexempt employees. For instance, a company could implement a policy that prohibits nonexempt employees from utilizing their personal devices for work purposes when they are off the clock.  The policy should define what constitutes “working” on their personal devices, such as checking company emails or answering company calls.  Employees should also be made aware that any violations of the policy will subject them to disciplinary measures. Employers may wish to consult their IT departments regarding the use of software programs that block after-hours use of company emails and calls.

Even where nonexempt employees are prohibited from working on their personal devices after hours, however, a company still must ensure that its employees are aware that nonexempt employees will be paid for all time worked, that nonexempt employees must report all time worked and that employees should feel safe to report any pressure or encouragement to work off the clock.  These policy statements should be set forth in an employer’s BYOD policy, as well as in its specific FLSA policies. Regular employee training and signed acknowledgments are also key in mitigating the risk of off-the-clock work.

What’s the Bottom Line?

Employers will not likely be able to completely ignore employee demand for BYOD programs. Accordingly, employers should confront the BYOD movement head-on by drafting and implementing a clearly defined BYOD policy that not only considers, but balances and manages all of the competing interests and issues.  If you need help, consult your attorney.

You’ve heard of BYOB, but have you heard of BYOD? Bring Your Own Device?

By Debby Winters

Many companies have moved to a “Bring Your Own Device “(BYOD) movement allowing workers to use their personal devices for work-related functions. This movement is in ful
l swing and has proven to save companies a substantial amount of money. As people own their own smart phones, tablets and laptops this will become more and more of a reality in the workplace.  However, a company is putting itself at risk, not to mention an economic disadvantage, by moving forward in this movement without a clearly defined BYOD policy. Let’s consider some key issues for putting just such a BYOD policy in place.

Confidential Business Information and Trade Secrets

Employers should take a proactive approach in preserving confidential business information and trade secrets as the use of personal devices in the workplace opens up a myriad of different avenues through which company information might be accidentally leaked to the public. And accidental disclosures of company information may result in the loss of a company’s confidential business information as well as company trade secrets. A written BYOD policy is a must. This is only one of the first steps an employer can take to show a court that the company has made reasonable efforts to protect the secrecy of its confidential information. Not only must a BYOD policy meet the company’s individual goals and facilitate smooth day-to-day business practices, it also must be easily understood and followed by the company’s employees. If the employees cannot understand it, a court may not view the policy as an adequate protective measure. Adequate training is often necessary in implementing a policy. This training should not be limited to initial hiring, but should be on a regular basis. And in light of the increasing capabilities of employees’ personal devices, employers must also periodically review their policies to ensure that these stay current, and must manage any new security risks created by technological advances. When updates to the policy are necessary, additional employee training should be conducted. This is an ongoing process of redrafting the policy and retraining the employees to ensure understanding and compliance.

During any employee BYOD training, an employer needs to address the security risks associated with employees’ using their personal devices. Many employees are simply unaware of the various ways in which company information might be vulnerable to disclosure. Some common examples include employees:

  • Losing personal devices or having them stolen.
  • Sharing personal devices with family and friends.
  • Connecting personal devices to unsecured wireless networks; upgrading their personal devices.
  • Resigning or being fired from their jobs, and taking the data on their devices with them.

By considering and addressing the various ways in which confidential business information might leak, both in the policy itself and in training, employers and employees can manage security risks at the outset.

In the next installment of BYOD we will explore whether Employees have any right (or expectation to a right) to privacy.