SI Review: July/August 2014

Print

Benefit of Counsel: Getting Personal at Work

Is a bring-your-own-device program right for you?

By Diane J. Geller, Esq.

An increasing number of companies are adopting bring- your-own-device (BYOD) programs, which require or allow employees to use their personal electronic devices to connect to their employer’s computer network for work reasons. Companies adopting BYOD programs believe these programs increase productivity and lower operational costs by not having to invest in equipment for staff. However, these present both operational and legal challenges to employers.

The IT challenge. BYOD programs enable employees to use various types and brands of devices, which can pose serious issues for a company’s IT department such as inability to run company-required software, configuration issues, incompatible software, etc. Further, employee-owned devices open the company’s network to the possibility of intrusion from outsiders including hacking and malware. Policies that in the past were able to be enforced when the employer provided the device, like password protection, auto lock and non- sharing of devices are more difficult if not impossible to enforce in a BYOD environment.

What makes a good policy. Recent surveys have estimated that the number of personal devices in the workforce is expected to grow exponentially. Adoption of policies, procedures and proto- cols become essential as employees access, view, download, edit and transmit work materials (some of which are confidential) using mobile devices not within their employer’s control.

A BYOD policy must be in writing and tailored to the needs of the specific company and its environment— a one- size-fits-all policy does not work for a successful BYOD program. An effective policy should include the company’s expectations, including those relating to the use of their device, procedures regarding passwords/encryptions, loaning of devices, reporting of lost/stolen devices, disposal of devices, upgrading the device and the transfer of the device to another person (i.e. a family member). It must also address confidentiality, security, retention and protection of the company’s data that may reside on the device.

The policy must speak to protection of the employee’s private data, ensuring reasonable efforts to protect such data while providing the company with access to the device for legitimate business purposes, such as retrieval of work-related emails or documents for e-discovery, business purposes and upon departure from employment. The company must expressly retain the ability to utilize a program for access of data for litigation, remote wiping, deletion of its data in the event of a lost device, transfer of device and termination of employment in the policy, and disclaim the risk of loss of personal data while doing so.

Security and the ability to wipe the device and shut it down remotely becomes even more critical if your company permits its employees to use their personal device to access personal information of candidates and employees on their personal device. This is especially true because the company must concern itself with a data breach related to sensitive personal information (such as Social Security numbers) if the device is lost or stolen.

Employment-related concerns. Other employment-related considerations are expense reimbursement, and even more important, which employees you intend to allow to participate in the program. The use by all employees without restriction raises significant wage and hour issues if the employee is non-exempt. The Fair Labor Standards Act and its hourly pay and overtime regulations must be considered when allowing hourly employees to access their work email or engage in work-related activities without restriction. The FLSA requires an employer to pay hourly employees for all of their work, whether or not specifically authorized, and there- fore, necessitates a method of record- keeping related to hourly employees’ use of devices while on what would other- wise be considered personal time.

Conclusion

Employers need to assess the risks of a BYOD program to determine if it is right for their business. Companies that decide to adopt such a program must adopt a clear policy and a strategy for implementation and maintenance.

This article is intended for informational purposes only. Nothing herein should be construed as offering legal advice or creating an attorney- client relationship. Always consult with competent local counsel on any legal issues.

Diane Geller is an attorney at Fox Rothschild. She can be reached at dgeller@foxrothschild.com