BYOD: Where tech, employment law meet

Bring Your Own Device programs offer an array of benefits in the modern workplace, but also raise some daunting concerns, both legal and practical.
BYOD is the growing practice of allowing employees to use their personal devices – smartphones and tablets – to access and use corporate content.
Implemented properly, effective BYOD policies can improve employee morale and convenience, reduce business costs and boost productivity and revenue. A formal BYOD program can offer an organization significant cost savings through eliminating the burden of selecting a data provider, administering a plan and purchasing mobile devices.
However, in blurring the line between our professional and personal lives, implementing a BYOD program may also create a conundrum around the security of confidential information, data retention, employee privacy, wage-and-hour issues and beyond.
From the employee perspective, BYOD programs are popular. They provide the convenience of having only one device; increase job satisfaction by allowing employees to select their personal device and service provider; and, ultimately, create the potential for a more-efficient workflow during travel or even at home. BYOD programs can also be helpful in talent recruitment, as tech-savvy employees appreciate the ability to use their preferred device. In fact, close to half of college students and young professionals say they would accept lower pay in exchange for flexibility on device choice, mobility and social media.
Organizations eager to reap the benefits of BYOD programs are wise to create and adhere to a carefully crafted BYOD policy aimed at protecting corporate data and respecting employee privacy.
On the corporate side, the most obvious risk is loss or theft. If you are a bank, for instance, lost data could result in a reportable security breach. Even if you are not in a regulated industry, lost data may trigger a duty to inform customers, if their personal information is no longer secure, or business partners, if confidential information is released. In addition, many employees working at home share their devices with family or other household members. Almost three-quarters of Americans report that they have no malware protection on their mobile devices.
If an employer does not require employees to install and maintain an adequate level of information security, cyberthreats to company data may increase dramatically.
Employee privacy is also at the forefront of BYOD considerations. When an employee owns the device he or she is using to perform work functions, privacy expectations and rights diverge quite a bit from when they use company-owned equipment.
Most devices track their location at all times and can record a broad range of their owners' activities, including the items and services they buy, the photos they take, the financial institutions they use, the Internet sites they frequent, the games they play, the books they read and the calls and texts they make and send.
As a lawyer, I consider it of paramount importance that a company be able to access and retrieve company data stored locally on these devices in the event the organization gets sued or the employee leaves the company.
Organizations adopting BYOD should provide the utmost in transmission security. More specifically, those in highly regulated industries such as finance and health care must address compliance requirements including encryption, authentication, password management and access controls.
A range of technology options are available, from device-level security, to mobile-device management solutions, to virtual-desktop infrastructure. As a practical matter, a company policy should require participating employees to use a strong password, enable file encryption for data stored on the device, require installation of GPS-type software, and permit the employer to remotely lock the device and erase its contents if it is lost or stolen. The policy should expressly notify employees that personal data may be remotely wiped immediately upon discovery that the device cannot be located.
More generally, a company should establish protocols to protect against exposure to software viruses and consider backup requirements to safeguard against loss or corruption of corporate data.
The employer should outline how it will monitor communications to and from the employee-owned device and whether work-related and private information will be segregated to avoid unnecessary invasion into the employee’s privacy. It must also require diligent preservation of locally stored documents prior to modification or deletion in the event a threat of litigation arises.
Other considerations vary by industry. For example, health care professionals must comply with HIPAA, which mandates stricter measures. Public companies must comply with the Sarbanes-Oxley anti-fraud law, and anyone processing credit card payments has to follow the Payment Card Industry Data Security Standard.
The reality is that employees will likely continue to use their personal devices for work regardless of whether your organization has a formal BYOD policy. Like it or not, it may be time to implement a policy of your own, to ensure employees are using devices in a way that will not damage your company.


A partner at the law firm of Duffy & Sweeney, Rachelle Green regularly counsels clients on employment issues. She can be reached at rgreen@duffysweeney.com.