This article first appeared in an edited format in North Carolina Bar Association Labor & Employment Section Newsletter in December 2014.
When I started practicing law some time ago, we did not have “mobile devices” that connected us to work. We had a phone. If something urgent came up after hours, they called us. Otherwise, it waited until the next day. Those days are long gone. In today’s business world, we are constantly connected to work no matter where we are or what time it is.
Many years ago, the business world wholeheartedly adopted mobile devices as a way to improve communication and efficiency. After smart phones and tablets gained widespread popularity, employees started insisting that they be able to use their own preferred device (i.e., the latest and greatest gadget) rather than standard corporate-issued devices. The result is that employees are now constantly connected to work and the company’s data with various mobile devices, raising a host of concerns for the employment law practitioner.
An Introduction to the Terminology
First, we need to understand the terminology. When we speak of mobile devices, we most often think of smart phones like an iPhone or BlackBerry, but we are really talking about any device that uses telecommunications to access the network of the employer, including tablets, portable computers and—in the not-too-distant future—wearable technology like Google Glass and the Apple Watch.
Corporate liable means that the employer is responsible for paying all expenses (fees for monthly services, etc.) to maintain the device. Corporate owned means it is a device purchased and owned by the employer.
Corporate Owned Personally Enabled or COPE means the device is corporate owned and liable, but the software on the phone allows the employee to use it for personal reasons (for example, adding her personal email account or personal applications). Bring Your Own Device or BYOD is the opposite. Under BYOD, the employee buys a personal device and the employer, through software (often called mobile device management or MDM software), allows the employee’s device to access the employer’s network. Since you are probably hoping for more acronyms, CYOD or Choose Your Own Device is a subset of BYOD in which the employer provides a list of approved devices which the employee can purchase, and the employee will be allowed to access the employer’s network through MDM software. A final term, Corporate Liable Employee Owned or CLEO is where the company adopts BYOD but establishes a method for paying for most or all of the costs of maintaining the device. In this scenario, you will often see the employer add the device to its corporate account with a carrier after the employee purchases the device.
The range of risks when mobile devices are allowed access to the employer’s network is vast and disconcerting. I try to summarize some of the risks below and what an employment law practitioner could do to help address them.
There are two major wage and hour issues with mobile devices. The first and more common one involves non-exempt employees and off-the-clock work. The definition of work time is fairly liberal under the Fair Labor Standards Act such that basic use of a mobile device for work may result in off-the-clock work. For example, in Allen v. City of Chicago, 2013 WL 146389 (N.D. Ill. Jan. 14, 2013), a sergeant brought a class action alleging that he, along with similarly-situated police officers, was entitled to overtime pay because they were expected to “monitor and perform work on employer-issued BlackBerry devices while off-duty.” The City countered that any such work was de minimis and that it had a written policy and procedure allowing employees to submit a time due slip to their supervisor for such work time. The plaintiff argued that even though the time due slip was an explicit written policy of the employer, in reality the unwritten practice (perhaps encouraged by supervisors) was to use their BlackBerrys after hours without submitting such slips. Despite the court’s reservations about the commonality of the claims (whether everyone in the proposed class used their BlackBerrys in sufficiently similar ways to justify class treatment), the court allowed the class to be conditionally certified by acknowledging an unwritten policy or practice could trump a written policy and the de minimis argument was not for it to decide at the conditional class certification stage.
Failure to Reimburse Risks
The second wage and hour risk is more prevalent in states with advanced wage laws, such as California. The issue in BYOD situations is whether the employer has properly reimbursed the employee for all expenses arising out of the business use of the employee owned device. For example, in Cochran v. Schwan’s Home Services, Inc., No. B247160 (Cal. Ct. App. Aug. 12, 2014), the plaintiff brought a class action on behalf of customer service managers. The California Court of Appeals held that the labor code was violated if an employee “was required to use a personal cell phone to make work-related calls, and he or she was not reimbursed.” The ruling was particularly interesting because the court held it does not matter whether it actually cost the employee anything (e.g., if the employee had an unlimited minutes calling plan), which would more appropriately be a damages issue.
Either with corporate owned or employee owned devices, there will be issues of liability for charges associated with the mobile device. For a corporate owned device, it may involve overages or excessive use. For employee owned, there may be charges the employer did not anticipate being asked to reimburse the employee.
Corporate Data Security Risks
Mobile devices have impressive storage and access capabilities. Just think about how one email could contain an Excel spreadsheet of all employee personal information for benefits purposes, or an email containing the company’s strategic marketing plan for the upcoming year. The U.S. Department of Health and Human Services breach reporting site, nicknamed the “wall of shame,” lists over two dozen entities that have had personal health information breaches involving 500 or more individuals because of the loss or theft of a mobile device just this year. Many mobile devices can hold over a dozen gigabytes of information, and you can buy a laptop capable of storing terabytes. To give you an idea of the amount of data this could include, in January 2010, all of Wikipedia had approximately 5.87 terabytes of data. Most states have data breach notification laws. In North Carolina, the Identity Theft Prevention Act, N.C. Gen. Stat. §§ 75-60 to 66, requires a business to send notification to a consumer in the event there is a security breach involving unencrypted personal information. The Act also requires the business to notify the North Carolina Attorney General’s Office. Breach notifications may trigger investigations by federal and state regulators, as well as consumer class actions.
Some Suggested Solutions
So what is an employer to do? First, it should assess the business need for providing access through mobile devices in the first place. Does every employee need this access, particularly non-exempt employees? Does this need outweigh the risks discussed above? This is a decision that must be made on a company by company, sometimes department by department or employee by employee basis. Essentially, the question is whether the business needs outweigh the risks.
Second, the employer should assess whether there are technology controls (perhaps through MDM software) to reduce or eliminate some of these risks. When it comes to sensitive data, robust MDM software and encryption are important pieces of the puzzle. A data incident may not trigger many state data breach notification laws if the data was effectively encrypted. The ability to remotely wipe devices of data if they are lost or the employee departs is another critical component. One difficult challenge that technology may be the answer for is restricting sensitive data such that it cannot be sent to a mobile device or personal email account; at a minimum, consider whether the network should immediately alert someone of such activity. Remote wiping technology is only effective if the data is restricted to the mobile device and employer networks, as opposed to a flash drive or personal email account. For non-exempt employees, consider whether the enterprise could restrict access and/or communication to certain times using technology. The employer should also take the time to understand what its MDM software is doing. For example, is it passively or actively collecting data about the employee (such as location, movements, photographs)? It is incumbent upon an employer to understand what this software may be capable of doing, and how it may be intruding on the lives of employees, before it installs it on the employees’ devices. It is important that the employer know the limits and capacity of such technology controls, and take steps to prevent abuse or circumvention.
Third, the employer needs to consider what policies, procedures and employee training should be implemented to minimize risk. For wage and hour concerns, the employer also needs to think about the training and enforcement necessary to make sure that both employees and supervisors strictly adhere to these policies and practices, and quash any “unwritten” practice of allowing off-the-clock work without a method for receiving pay that is actually utilized. Keep in mind that every time that a non-exempt employee sends an email to a supervisor off-the-clock, or vice versa, that could be notice to the employer of a potential wage and hour issue. Also, policies should address the costs and liability associated with the mobile device. The policy should address when the employer may seek reimbursement or wage deductions (and whether a deduction authorization is needed) in the case of corporate liable, and what will be reimbursed in the case of employee liable. Finally, with regard to data security, the employer needs to warn the employee of the possible loss of personal information if it becomes necessary for the employer to wipe the device as a result of loss, theft, or the employee’s departure.