Where are you reading this? And upon what device are you reading it? More importantly, what about your employees? Who owns the technology they use during the course of any given workday?
You might think people are making more out of BYOD (the trend for employees to bring their own laptops, smartphones, tablets, and other electronic devices to work) than it deserves, that this is a relatively benign issue. Alas, as evidenced by the words of caution below, you’d be wrong. We recently asked JD Supra contributors:
In your experience, what is the single most important item to include in a workplace ‘Bring Your Own Device’ policy?
Here’s what we heard back (spoiler alert, it's time to start being smart about your employee’s smartphones):
1. Clarification Over Who Owns Any Business Communications, No Matter What Device They’re On
Employers should include language in their policy explaining that business communications remain the employer’s property...
From Alison Alpert, Labor & Employment practice group leader at Best Best & Krieger LLP: “One of the major issues facing employers whose employees use their own phones or other electronic devices for business is when there is a complaint of misconduct against an employee. The employer may not have the right to access the employee’s device, like they would if it were the employer’s device. Employers should include language in their policy explaining that business communications remain the employer’s property and that employees using their own phones or other electronic devices are required to provide access to the employer of all business communications. This access will still be more limited than employers would be entitled to if employees used employer-provided devices.”
2. Rules Regarding Work on Personal Devices After Normal Working Hours
Over the past three years, the number of wage and hour lawsuits seeking damages for work performed ‘off the clock’ has increased by more than 300%
Grant D. Petersen, shareholder with Ogletree Deakins: “The single most important item to include in a workplace BYOD policy is language prohibiting hourly paid employees from performing work with their BYODs outside of normal working hours unless they obtain prior approval from management and accurately record any approved time worked. Over the past three years, the number of wage and hour lawsuits seeking damages for work performed ‘off the clock’ has increased by more than 300%. Under the federal Fair Labor Standards Act (FLSA) and several state wage and hour laws, employers are required to pay non-exempt, hourly paid employees at least the minimum wage for all time worked and to pay these employees overtime pay for hours worked in excess of 40 hours per week. Under these laws work time includes time spent on smartphones, tablets, and laptops responding to emails, calling customers, and completing projects and reports whether the work is performed at home or during off hours. Unless employers restrict the amount of work performed outside of normal working hours and require a strict accounting of any such approved work, they will be liable for paying for the time spent by unsupervised employees working on their BYODs at home or outside of normal working hours, often at overtime pay rates.”
3. Security Protocols to Protect Confidential Information
...the policy should require that the device has a password, data encryption capabilities, and that it locks after a certain period of inactivity.
Gordon Berger, a partner in FordHarrison’s Atlanta office: “When the employer does not own the device, trying to protect confidential or proprietary information, such as customer lists, pricing data, plans, formulas, and other similar information belonging to the company, can be problematic. If the device is left unsecure, the company data can be lost or compromised. For example, the employee could lose the device (such as a cell phone), or could back it up to a third party cloud or other back up source that may not be secure. So, the ‘best practice’ is to create a company BYOD policy that requires safeguards to reduce the risk of a security breach. For instance, the policy should require that the device has a password, data encryption capabilities, and that it locks after a certain period of inactivity. It should also require the data to be backed up to an approved location or source and should prohibit use of the device over Wi-Fi (by providing that only secure connections be used for browsing, for example).”
4. Clear Expectations Around Employee Privacy (Or Lack Thereof)
A successful BYOD program must protect proprietary and/or trade secret information both during employment and after employment ends...
Cynthia Fair Moir, attorney at Buchalter Nemer: “A successful BYOD program must carefully balance an employer’s legitimate need to protect proprietary and trade secret information against employee privacy interests. The most effective way to accomplish this is to limit employee expectations of privacy by obtaining a written acknowledgement from employees that the employer may monitor, access, and, if necessary, remotely wipe the device if there is a security risk (such as a lost or stolen device, a breach in policy, etc.). Correspondingly, employees should be advised to routinely back up personal information on the device.
In addition to policies allowing the employer to monitor, access, and remotely wipe the device in the event of a security risk, employers should obtain a written acknowledgement from employees that they will provide the employer with access to the device upon termination or in the event of anticipated or actual litigation for the purpose of imaging company data and/or removing the data from the device."
5. Written Acknowledgement of Your BYOD Policy
Tracey Diamond, attorney at Pepper Hamilton: “BYOD poses many challenges for employers, from protecting confidential data to ensuring that employees do not text and drive. The single most important component to a workplace BYOD policy is a written acknowledgement from employees indicating that they understand the policy and consent to employer monitoring of the device for work purposes. In the absence of such employee consent, employers risk violating the Stored Communications Act and many recent state statutes when they monitor employee devices to ensure compliance.”