On the fourth day of Christmas my true love gave to me four calling birds and a potential data breach from that small hand-held device he called me from. The technological connectivity we each experience in our daily lives is often driven by a small hand-held device that holds more data than one ever would have expected ten years ago. The device is not just for “calling” anymore. Instead, now we have one device that can track location, hold contacts, direct its user to the best meal in town, wake everyone up, talk back, and provide applications that measure how fast one runs and how many calories are burnt. While these advantages are great, these mobile devices can also serve as the gate to a data breach where the security of private confidential data is put at risk. Even without regard to confidential data, those mobile devices could be creating a potential wage and hour issue or be used as a vehicle to harass your employees. Accordingly, as we roll closer to the new year, it is an important time to reassess your Electronic Use Policy, specifically your BYOD Policy, or, if you’re currently operating without an electronic use policy, to implement one.
The following subsections should be included in any well-developed bring your own device (“BYOD”) policy:
- No Expectation of Privacy- If the phone has company data stored on it or the employee is able to access company email, make sure that you retain the right to monitor, copy, erase, or remotely wipe the entire device (which may include personal content). If the relationship sours, you want to make sure that when the employee quits or is terminated your company retains a way to delete and destroy any company data that is housed on the device.
- Security Requirements- Make sure that you require employees to take all precautions necessary to secure the data that is housed on their device, including not altering security settings, keeping the device password protected, and not using the device as a personal hotspot without consent.
- Appropriate Use- Make sure employees will not be using the device to harass co-workers or to participate in other illegal or inappropriate activities.
- Work Hours- If you have non-exempt employees who have access to company e-mail on their mobile devices, the best practice is to limit those individuals’ access to the data to work hours only. If your company does not have that ability, recognize that you should be paying employees for time spent outside of regular business hours reviewing and responding to work e-mails.
- Technological Support- Make sure you include language discussing whether your company will be providing any support for the personal devices of employees.
- Cost and Reimbursement- If you choose to reimburse employees for their mobile devices, make sure you specify how much and the process to obtain the reimbursement.
- General Provision- To guard against an NLRB claim, make sure to include language stating that the policy is not intended to restrict communications that are protected by state or federal law.
- Acknowledgment of Receipt and Review- Make sure that your employees sign and date the policy stating they are familiar with the provisions of the policy and their responsibilities under the policy.