"Don't Fear BYOD. Here's How to Cope," InsideCounsel
The proliferation of Internet-enabled devices in recent years has caused a major shift in corporate enterprise support. Ten years ago, company-issued laptops and desktops were the major focus of IT policies for most businesses. For senior executives and mobile workforce functions, including sales teams, there also might have been support of a device such as a Blackberry. But, in all cases, the company owned and exclusively configured the device, controlled network access inside and outside the office, and had stringent policies about use, privacy and ownership of work product created on or transmitted via company devices.
The world has changed since the first true smartphone hit the market in June 2007. Today, employees at all levels expect remote access to your company's system via their phones, tablets, laptops, PCs and other mobile devices. This “bring your own device” (BYOD) model creates new technological challenges – access, security and bandwidth, to name a few – and also presents operational challenges relating to employee relations, litigation management and intellectual property.
This article outlines some of the issues you should consider with respect to BYOD practices and suggests ways in which to navigate them.
There are myriad questions attached to BYOD. In addition to having a policy covering support matters, it is well worth the time and effort required to develop one for the legal/risk issues. Many of the questions and issues outlined in this article can be planned for and mitigated via an appropriately-drafted policy. It is not always necessary to draft a new, separate policy to cover employee devices and connections; adding a few paragraphs or pages to existing employee handbooks or enterprise IT policies may be sufficient.
Establish Standard Procedures
If you allow BYOD, one goal of your written policy is to clearly communicate the degree to which the company will support (configure, pay for, maintain, troubleshoot, etc.) those devices.
For example, you should state whether you will require the installation of enterprise mobility management (EMM) programs, which can provide physical security on employee devices through the use of device passwords, workspace passwords, hardware-level encryption and centralized password management. Also, notify employees if you install mobile device management solutions (MDMs) on their devices. MDMs will give you the ability to lock and wipe devices that have access to the network, as well as allow you to back up data, monitor traffic and manage applications stored on devices.
If you think your workforce would resist such safety measures, consider mandating that employee use PINs or other authentication on their devices, in order to protect valuable confidential if the employee loses control of the device.
For the same reason, it is wise to require that “find my device” functions be enabled, along with remote “wiping” capabilities, and that employees be required to notify you of a lost or stolen device, thereby activating your right to “wipe” or find it.
Likewise, if the employee leaves you (voluntarily or not), your policy should give you the right to inspect the device and remove or disable any proprietary connections such as mail accounts. Making clear that these policies apply to all user devices can help minimize anxiety about corporate access, as well as demonstrate (in the case of litigation) how your records management and IT policies work in the normal course of business.
Because of the vast amounts of (personal) information on mobile devices, employees may be nervous about turning their devices over to an employer. But, it is important for employees to understand that anything transmitted through company systems, including Wi-Fi, is subject to review and inspection by the company (or litigants) at any time.
Moreover, to the extent you have installed EMM or MDM programs on employee devices, privacy warnings may be mandated by the FTC or under other laws. While most companies are unlikely to want access to family photos, text messages from boyfriends and children, and so forth, you will have access to much of that information just by supporting an employee device.
Therefore, consider asking employees to use separate accounts or apps for work and personal
communications. Warn them, however, that in case of litigation, the device itself, and therefore all accounts on it, may be subject to inspection.
Finally, the possibility of lost data in the event of having to “wipe” a device means that a reminder to back up sensitive personal data regularly may be a useful part of a BYOD policy.
If you allow BYOD, your policy should account for the commingled nature of private and corporate data on the employee device to address the foregoing privacy issues. In addition, litigation holds present a special case for the company and employee devices in the data area. You should check with litigation counsel about what would be sufficient as a “hold” for discovery purposes, but you may need, for example, to consider imaging the employee’s device upon notice of a claim, or having the right to repeated access to it if data during the course of litigation is likely to be at issue. This is particularly true for mobile device-only applications, such as text messaging, which are not otherwise backed up in your servers. Your policy also may need to contain a blanket statement to the effect that all employees must observe any general litigation hold notices that are likely to implicate their information, even if their specific device(s) has not been requested.
Wage and hour issues: You should carefully consider which class of employees will be allowed to access company systems remotely. Remember that under the Fair Labor Standards Act, employers are required to compensate non-exempt employees minimum wage for all hours worked and overtime for all hours worked above 40 in a given week. Time spent reading and sending emails and texts related to work, regardless of how short, has been declared compensable time and served as the basis for collective (class) actions. Therefore, to the extent you are permitting a non-exempt employee to BYOD, ensure that your policies clearly set forth whether after-hours access is permitted and if so, how the employee is to report such worked time. Also consider making managers subject to discipline to the extent they are aware that their subordinates are working off-the-clock by emailing or texting after hours.
Other HR considerations: BYOD policies should incorporate language reminding employees that all company-related communications are subject to all company policies, including its anti-discrimination and anti-harassment policies, as well as those related to driving safety,
workplace violence and solicitation. And while it should also remind employees of their duties to protect confidential information, it cannot be so restrictive as to violate your employees’ National Labor Relations Act (NLRA) Section 7 rights, regardless of whether you have a unionized company.
Ownership of Work Product
If you have policies in place already governing your ownership of intellectual property (IP) created by employees during the course of their employment, you may want to review them to be sure that they also cover material created outside the office, after hours, and otherwise not as part of a normal, supervised working environment.
Signing such a policy, together with an assignment of rights, might become part of your standard on-boarding procedure if you routinely support employee devices.
Do you have international operations, or employees who travel internationally? Some foreign jurisdictions have data privacy laws that are vastly different than those in the U.S.
For example, the European Union has rejected the attorney-client privilege for in-house counsel, so your in-house lawyers’ devices enjoy no more protection than any other person’s. Further, some international jurisdictions have omnibus data protection laws with restrictions on cross-border transfers of personal data.
As a result, your organization may need to consider whether it has any compliance issues regarding data transfer caused by supported devices.
Finally, consider whether U.S. operations personnel need to have access to foreign operations data on their supported devices; such access may subject the data to U.S. courts’ jurisdiction in litigation.
A smart and active plan for managing employee devices can help forestall not only technological issues, but also thorny legal and risk questions that arise when the lines are blurred between employee property and sovereignty, on the one hand, and employer interests on the other. Your in-house or outside counsel should be able to help draft or adapt policies as needed to protect your interests while accounting for the gray areas.
Reprinted with permission from the April 20, 2016, edition of InsideCounsel © 2016 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877.257.3382 or firstname.lastname@example.org.