Employment and privacy law issues
What employment issues must companies consider in deciding whether to switch to the bring your own device (BYOD) model?
The relevant employment issues relate principally to wage and hour concerns. First, if non-exempt employees are permitted to participate in a BYOD programme, the employer should address in its BYOD policy the possibility that non-exempt employees will respond to emails or phone calls while off the clock.
Second, several states require that employers reimburse employees for the costs associated with the business use of personal tools. These laws likely apply to the business use of a personal mobile device. In fact, the California Court of Appeal recently ruled on this issue in favour of employees seeking reimbursement from their employer of phone-related expenses (Cochran v. Schwan's Home Service, Inc. (2014)).
Unionised employers should also note that the terms of a BYOD policy could potentially be a mandatory subject of collective bargaining if bargained-for employees will be permitted to participate in the BYOD programme.
Are there any specific issues that organisations with a global presence, or those in highly regulated sectors, should bear in mind?
Employers considering rolling out their BYOD programme on a global basis should engage counsel on the ground to vet the application of local legal requirements to the programme. In some countries, employers cannot lawfully ask employees to use personal tools for work. In others, employees may be unable to provide valid consent either to participation in the BYOD programme or to the employer’s access to information stored on the personal device. In others still, the categories of employees who are exempt from overtime are very narrow, substantially increasing the risk of off-the-clock claims.
Privacy and confidentiality
How do privacy laws, employment laws and protecting a company's confidential information overlap or intersect on this issue – and how can they be reconciled, given their disparate aims?
Employers that roll out a BYOD programme need to implement certain steps, both at the outset of the programme and throughout the employee’s participation in the programme, to facilitate access to corporate and other information stored on the employee’s personal mobile device. These steps include:
- installing certain security software and settings on the employee’s personal device;
- accessing information stored on the device when conducting internal investigations;
- imaging the device to preserve evidence in conjunction with a litigation hold; and
- remotely wiping the device in various circumstances, such as when it is lost or stolen or when the employment relationship terminates.
In light of federal and state computer trespass laws and the employee’s common law privacy interests, the employer cannot engage in any of these activities without the employee’s consent. The employer can reconcile these interests by:
- providing employees with robust notice of the implications of participation in the BYOD programme through a comprehensive BYOD policy; and
- obtaining employees’ prior express authorisation to engage in these activities before allowing them to access the employer’s information systems using a personal mobile device.
For those that make the switch to BYOD, how can the confidentiality of both employer and employee be preserved?
The employer can preserve the confidentiality and security of corporate information by requiring that employees permit the installation of certain security measures as a condition of participation in the BYOD programme. Such measures include device encryption, a passcode that is not trivially guessable, automatic lock after a short period of inactivity, automatic lock-out (or erasure of the device) after a small number of unsuccessful unlock attempts, and remote wipe capability. On current mobile platforms the encryption keys for stored data are derived from the device passcode, so the encryption requirement is only as strong as the passcode requirement that accompanies it.
Employers can also install a ‘sandbox’ (often called a container or work profile) on the employee’s personal mobile device. The sandbox is typically encrypted and password protected, holds only corporate applications and data, and can be removed from the employee’s device without deleting any of the employee’s personal information. However, the sandbox may not be a panacea because employees may intentionally or accidentally save corporate data outside it, for example by forwarding a message to a personal email account, copying text into a personal notes application or allowing the device to back up corporate data to a personal cloud account, minimising the effectiveness of its removal from the device as a means of protecting corporate data.
The employer can reduce the potential for infringement of employees’ own confidential information by:
- limiting the circumstances in which it requests access to employees’ personal devices;
- carefully limiting the scope of such requests to its legitimate business needs; and
- conducting any search in a way that avoids accessing information outside the defined scope of the search.
Separation and ownership of data
How can companies separate out what information sent or received on the device is official and business related? Who owns this information – the employer or the employee? And how can employer access to information be assured?
The employer always owns corporate information. The BYOD policy should be clear on this point. The fact that the employer permits the employee to store corporate data on the employee’s personal device should not affect the employer’s ownership of the data. However, as a practical matter, the employee’s ownership of the device could impede the employer’s access to corporate data stored on the device. The employer can preserve its right of access by requiring the employee to consent to such access as a condition of participating in the BYOD programme. Even when employees agree in writing to the employer’s access to corporate data stored on their devices, the employer’s access is not assured. Disgruntled employees and employees whose relationship with the employer has terminated will often refuse access.
As a practical matter, the employer’s best protection in those circumstances is the ability to remotely wipe the device, including the employer’s own data stored on the device – albeit the remote wipe will result in the loss of any unique corporate data stored on the employee’s personal device. However, employers should not remotely wipe a current or former employee’s personal device unless the employee has consented in writing to the deletion of all data – both personal and corporate – stored on the device.
Finally, an organisation can best separate its own data from employees’ own information either by:
- implementing a sandbox solution; or
- restricting employees’ use of a personal device for work to certain corporate applications – such as email, contacts and calendar – and requiring that employees store all corporate data only within those applications.
Breach events and departing employees
Handling a breach
What happens in the event of a security breach? Is the employee protected from liability?
The BYOD policy should instruct employees to report immediately to the employer the actual or suspected compromise of any information stored on the personal device. The policy should designate the person or group to whom such reports should be made and provide contact information. The recipient of the report should be trained on how to respond to such reports.
The most common cause of a security breach involving a mobile device is the loss or theft of the device. The employer can typically mitigate the risk of a security breach in those circumstances by confirming that the device is encrypted and passcode protected, and by remotely wiping the device promptly after receiving the report of the device’s loss or theft. A remote wipe command only executes when the device next connects to the management server, so in parallel the employer should revoke the credentials and sessions associated with the device (for example, the mailbox password and any access tokens issued to it) rather than rely on the wipe alone. Because the employer is the data owner for purposes of security breach notification laws, it retains ultimate responsibility for responding to the incident if it in fact constitutes a security breach as defined by applicable law.
Because the employer will almost always have the deeper pockets and the employee acts as the employer’s agent, the likelihood of the employee’s direct liability is low. However, the employer may theoretically have a claim for indemnification against the employee to recover breach-related costs. Most employers likely would not seek indemnification as a practical matter.
What steps can a company take to prevent an employee leaving the company from taking company confidential information via his personal device? And how can the employee's own personal information be safeguarded in the process?
Employers that implement a BYOD programme should modify their exit interview process to address corporate data stored on the employee’s personal mobile device. The person conducting the exit interview should coordinate the removal of corporate data with the employee and the employer’s IT department. Where the employee cooperates, he or she can back up personal files to an external storage medium, so that they can be reloaded to the personal mobile device after the device has been wiped.
If the employee leaves the organisation without participating in an exit interview, the IT department should promptly issue a remote wipe command to delete all corporate data on the personal device. As noted previously, the remote wipe command generally should not be issued unless the employee has previously agreed in writing to allow the employer to remotely wipe the device. If the employee does not cooperate, the employer will typically have no choice but to remotely wipe all data on the employee’s device, even where the employer has adopted a sandbox solution, because it generally will have no other way to assure itself that all corporate data has been removed from the employee’s personal device.