León Cosgrove

Bring Your Own Device to Work: Balancing Data Protection, Employee Privacy, and Litigation Risks

By: John D. Bosco


According to a recent article in Fast Company magazine, 60 percent of respondents said their companies already have a “Bring Your Own Device” (BYOD) policy, and another 14 percent said their employers are developing one.  Fast Company also published a Gartner prediction that half of all employers would require staff to use their own devices for work by 2017.

The BYOD phenomenon started more than a decade ago with young recruits wanting to use their personal tablets, then smartphones, in the workplace, and employers acquiescing in order to compete for young talent.  Today, tech-savvy employees are also pushing their companies to implement online training and benefits enrollment that are accessible on workers’ personal devices.

Proprietary & Privacy Issues in Data Ownership

Once personal technology entered the workplace, it didn’t take long for legal challenges to emerge from the inevitable use of personal devices for a mix of business and personal purposes. “Data spillage” of information out of the company’s secured network, along with new, unsecured pathways for unauthorized access into that network, became major new risks.  Deliberate theft, with proprietary data like customer lists and sales leads walking out the door with departing employees, became another challenge.  Employers have legitimate unfair competition concerns in such a scenario, especially when the departing employee goes to work for a competitor. In still another scenario, companies risk having their data lost or exposed when an employee misplaces a mixed-use tablet or smartphone.

From the employee side of the equation, data privacy is the issue when employers want to monitor or remove data on the worker’s own personal device. Clearly, employees own the data on a device they have paid for, along with its wireless or Internet plan, when that device is used solely for private, non-work purposes. However, exclusively personal use is rare in an environment where employee tablets and smartphones are brought to the office and/or used to work from home. Once the employee brings a personal device into the workplace, uses the employer’s wireless Internet connection, and starts doing work on that device instead of on the employer’s equipment, data ownership becomes legally complex.

The BYOD Policy: Top Legal Issues

Privacy: Monitoring privately-owned devices presents significant dilemmas for structuring a BYOD policy. If the company monitors too often or collects too much data, it can be seen as invading employee privacy and, in some jurisdictions, as breaking the law. Yet if the company does not exercise enough control, it places its data at significant risk. Balancing these two seemingly opposing interests is the single greatest challenge to successfully implementing a BYOD program, and it is the role of legal counsel and the in-house legal department to make sure implementation is carried out within the law, transparently, and without exposing the company to unnecessary legal risk.

Off-The-Clock Work: Allowing a non-exempt employee to use a mobile device on which she can check work-related email or exchange text messages with supervisors invites a wage and hour enforcement action, because many employees will perform these tasks away from the workplace and after their regular working hours. To avoid liability, employers must instruct non-exempt employees not to check or respond to messages outside their regular work hours, and must enforce that instruction consistently.

Security/Data Protection: Companies are concerned about security: keeping confidential data from falling into a competitor’s hands, and preventing customers’ account numbers and their personal and financial information from being stolen by hackers. Businesses that fall under compliance mandates such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), or the Gramm-Leach-Bliley Act (GLBA) have specific requirements for information security and for safeguarding particular categories of data. Those mandates follow the data wherever it resides, including company-owned data on an employee’s personal laptop or phone.

Litigation/Legal Holds: If a company becomes the subject of a lawsuit, work-related items on employee-owned devices will have to be preserved for discovery purposes. Failure to do so can bring stiff spoliation sanctions. One example of this came in January 2014, when the U.S. District Court for the Southern District of Illinois imposed a sanction of more than $900,000 on pharmaceutical manufacturer Boehringer Ingelheim, in part because the company did not tell its employees to preserve work-related text messages on their personal phones.

Consent: A BYOD policy should explicitly obtain the employee’s consent to review the content on the employee’s personal device.  Failure to obtain an employee’s consent can result in liability under privacy tort law, federal and state computer trespass statutes, and state wiretap statutes. Furthermore, notification and consent, especially for any new or different employer monitoring that the employee might not otherwise be able to detect, also give the company room to update and, if necessary, expand its controls to counter new technology-based threats, for example from hackers.  Employer transparency on the details of monitoring, including any new software to be installed on personal devices, protects the employer-employee relationship, avoids any impression of deception or secrecy on the part of the employer, and reduces the risk of privacy-related litigation.

Specific Elements of the BYOD Policy

The only way an employer can assert a legal right to monitor activity on an employee’s personal device that is used for mixed purposes is to develop a BYOD workplace policy and have employees execute it.  BYOD policies should include a definition of acceptable use, describing: the purposes for which the device may be used to collect, communicate, and store company data; any restrictions on network access or software applications; the security measures the company will use to protect business data on the device; when any company monitoring of the device can occur and how the company will access the employee’s device; informed employee consent allowing the employer to access, back up, audit, and monitor the device and the various types of data on it; device-loss and data-loss procedures, including the employee’s related obligations; ownership of the device and its service contract; and finally, management of the device, including the data and business software on it, upon termination of employment.

To safeguard the company network and protect customer and proprietary data, IT departments may want the power to “enter” and wipe data on employee devices at any time. However, extrapolating from the court’s reasoning in City of Ontario, California v. Quon, a case that involved employer-issued pagers and in which the Supreme Court assumed, without deciding, that the employee had a reasonable expectation of privacy in his text messages, employees have at least as strong a claim to a reasonable expectation of privacy in devices they personally own. In the BYOD arena, this means that employees must be informed of, and consent to, all employer “passive” or “background” security access to their devices. Where the technology permits, confining remote wipe to the company’s data (for example, a managed work container) rather than the entire device limits the destruction of the employee’s personal data and the resulting exposure.

Workers must be told exactly what user activity is being tracked and how that information will be used and stored by the company. Any planned location tracking of the device must also be revealed, including who will have access to that data and why. Transparency and consent should be the employer’s rules of thumb. If any new software is to be installed changing the breadth, scope, or frequency of employee device monitoring, the company should provide specific notice and revise its BYOD policy accordingly. The change should be explained in detail, and employees should be asked to acknowledge that they understand the change and that they give their specific consent.


Conclusion: BYOD at Your Own Risk

An employee’s use of a personal device for work purposes, while convenient, comes with many risks and obligations for both employers and employees. As the legal landscape continues to evolve, prudent employers should ensure that they have a sound BYOD policy to address privacy concerns, wage and hour liability, and security risks.


John D. Bosco is a partner in the Dallas, Texas, office of León Cosgrove LLC, who focuses his practice on the defense and trial of complex labor & employment and accessibility matters in state and federal courts across the country.

The author gratefully acknowledges the assistance of León Cosgrove Miami associate Tiffany L. Anderson in preparing this article.