by Practical Law Company, Guest Contributor
Rising use of smartphones, tablets and other mobile technology means that more and more employees are performing work from their own electronic devices. This is true regardless of whether employers approve of the use. Use of personal devices may benefit employees through increased flexibility and job satisfaction, and employers by increasing productivity and reducing technology costs. However, it may also raise concerns for employers regarding, for example:
- Wage and hour law.
- Employee privacy.
- Data security and confidentiality.
- Health and safety laws.
- Employer liability for employee misconduct, such as discrimination or harassment.
Employers can balance these interests and protect themselves by crafting a Bring Your Own Device to Work (BYOD) policy. Employers should customize their policy to address their primary concern. Below are Drafting Note excerpts from Practical Law’s Standard Document, Bring Your Device to Work (BYOD) Policy (accessible with a free trial) that provide tips on drafting key provisions of a BYOD policy.
Employees may not have a right to privacy in their electronic communications when using employer-provided devices, but they do have that right when using their own devices. The federal Computer Fraud and Abuse Act and state computer trespass laws criminalize some unauthorized access to another’s computer, and the federal Stored Communications Act protects the privacy of wire and electronic communications while in electronic storage (such as e-mails stored on a server).
Employers may also face liability for viewing protected personal information stored on an employee’s own device, such as an employee’s privileged communications with his attorney, or protected health information under the Genetic Information Nondiscrimination Act of 2008 or the Americans with Disabilities Act of 1990 . For more information on potential privacy violations in the workplace, see Practice Notes, Electronic Workplace Monitoring and Surveillance and Privacy in the Employment Relationship .
The employer’s BYOD policy should be crafted to avoid disclaiming an expectation of privacy in content that is related to an employer’s business but is not created or used on the employer’s behalf. Employers may modify the suggested language, but employers that are subject to the National Labor Relations Act (NLRA) (essentially all private employers) should not use language that might chill an employee’s exercise of his NLRA rights. For example, a policy that disclaims an expectation of privacy in content “related to” the employer’s business could include an employee’s personal use of the device to complain about working conditions, which may expose the employer to an unfair labor practice (ULP) charge. For more information on this topic, see Practice Note, Disciplining Employees for Social Media Posts in View of the NLRA and Disciplining Employees for Social Media Posts Checklist.
Securing Confidential, Protected and Restricted Information
Once an employee loads company data onto his personal device, it is largely out of the employer’s control and may become a security or liability risk if:
- The device is lost, stolen, hacked or exposed to malware.
- The employee’s family, friends or acquaintances gain access to the device.
- The information on the device is backed up to an employee’s local or cloud-based storage.
- The employee takes the device overseas, where it may be subject to espionage. Although this risk is fairly small, there have been reports of foreign governments remotely accessing data stored in electronic devices in their jurisdiction.
Employers with significant security risks may consider providing devices to those employees who need them, rather than adopting a BYOD policy, to retain more ownership and control over the devices and their contents.
Employers may also consider using a mobile device management, or MDM, solution to help secure, monitor, manage and support mobile devices used under a BYOD policy. In this case, this section of the policy should be revised accordingly (see Standard Document, Bring Your Own Device to Work (BYOD) Policy: Drafting Note: Security Requirements: Drafting Consideration).
Although the potential loss of business information is a concern for all employers, those with significant trade secrets or confidential information face particular security risks when permitting BYOD usage. Trade secret law is largely regulated at the state level, and in most states employers must make reasonable efforts to protect the secrecy of their information for trade secret protection to attach, making security measures for BYOD devices that much more important. For more information, see Practice Note, Protection of Employers’ Trade Secrets and Confidential Information and Trade Secret Laws: State Q&A Tool.
In addition to trade secret and confidentiality risks, employers should be aware of the following risks:
- State and federal law impose obligations on businesses to safeguard certain information, such as protected health information, and may require businesses to notify affected individuals if certain personal information has been acquired by unauthorized persons.
- Litigation holds and discovery requests requiring employers to retain and disclose information in their control may raise the question of whether an employee’s personal device is in the employer’s control, and employers may be subject to confidentiality or non-disclosure agreements requiring them to destroy information that could be on an employee’s personal device.
To get a model Bring Your Own Device to Work Policy that you can download to Word, click here (free, no obligation trial to Practical Law’s online legal know-how service required).