According to a recent press release by Gartner, Inc., a global technology research and advisory company, half of all employers are expected to require their employees to supply their own devices for work by 2017. A well-implemented and maintained mobile initiative, like a bring-your-own-device (BYOD) workplace, has its benefits, such as driving innovation, creating new mobile workforce opportunities, increasing employee job satisfaction, and reducing, or completely eliminating, the expense of constantly replacing outdated devices. Many employers, however, will not fully explore the breadth of security and legal risks that are associated with maintaining a BYOD workplace. While the following is not an exhaustive list of precautions an employer may take to address these concerns, it is a step in the right direction.
Security should be a primary concern for employers. Many companies invest heavily in the development of their trade secrets and rely on those trade secrets to give them a competitive advantage over other businesses. In general, the law affords certain protections to those trade secrets that prevent them from falling into a competitor’s hands. In order to obtain such protection, however, the company must demonstrate that the trade secret is in fact “secret.” One way to determine whether information is “secret” is by looking at the measures the company has taken to ensure secrecy of the information and restrict physical access to the information.
In addition to requiring confidentiality and non-disclosure agreements from all employees, companies should adopt and enforce policies and procedures that address the fact that their trade secrets will end up on an employee’s personal device and that the employee may ultimately leave the company with that device. A policy alerting employees that, if they elect to use their own device, their internal email and voicemail may be searched and monitored is encouraged and could also protect the company from employee complaints.
Employers should also consider requiring employees to password-protect their devices and implement procedures for employees to report a lost or stolen device so the company has the opportunity to remotely wipe its information from the device. Further, employers are encouraged to prohibit employees from using public WiFi networks to conduct business on their devices since it is easy to intercept traffic on those networks. In confidentiality agreements, employers should require employees, upon termination of their employment, to return, not delete, all company documents and information and temporarily relinquish to the company any devices that may have been connected to the company’s systems. Measures should then be taken to permanently remove and preserve the company’s information and disconnect access to the company’s systems and email servers from the device.
Another risk that many employers often overlook until it is too late is the negligent destruction of evidence that exists solely on an employee’s device, which is also known as spoliation. In general, spoliation occurs when a party to a lawsuit has notice that certain evidence is relevant, fails to take adequate steps to preserve that evidence, and the other party’s case is harmed by the destruction of evidence. A court that determines spoliation has occurred may impose sanctions on the spoliator or, even worse, instruct a jury that it is to presume that the destroyed evidence would have been unfavorable to the spoliator. Employers should implement policies and procedures for preserving company information that resides on an employee’s personal device and educate employees about their duties to preserve those records. At the very least, employers should have procedures in place for preserving company information when they first receive notice that a lawsuit is looming, including the distribution of a litigation hold memorandum.