With all the to-do about former U.S. Secretary of State Hillary Rodham Clinton's work-related use of her personal email account and server when in office, little has been said about what such use means for private employers, including nonprofit organizations. Politics aside, the controversy underscores a challenge that nonprofits face when they allow employees to use personal devices for work purposes because they must allow those employees access to the nonprofit's systems and internal information. Therein lies the challenge.
Prudent nonprofits develop a written Bring Your Own Device (BYOD) policy that lays out the permissible and impermissible uses of devices such as laptops and mobile phones. A comprehensive BYOD policy can set a reasonable expectation of privacy limitations while protecting against potential liabilities and losses that can come from allowing greater access to the organization's internal systems and information.
The Clinton story highlights one thorny area especially worthy of the attention of private employers, nonprofit and otherwise: BYOD policies and practices must anticipate the risks that use of certain personal devices may pose to the organization's trade secrets and proprietary information.
The mutual benefits of BYOD policies are becoming well known. They spare employees from having to juggle multiple devices, allow them to use a device of their choosing, and sometimes employers reimburse certain costs associated with a personal device. Nonprofits may enjoy an increase in employee responsiveness with a decrease in spending on technology.
But those benefits come with a different kind of cost: reduced protection of employer information. A prudent nonprofit must consider how any current or contemplated BYOD policy affects its ability to protect trade secrets and other proprietary information.
The Uniform Trade Secrets Act, which 40 states and the District of Columbia have enacted in one form or another, generally defines a trade secret as:
information (such as a formula, pattern, compilation, program, device, method, technique, or process);
that derives independent economic value from not being generally known to or readily ascertainable through appropriate means by other persons; and
that is the subject of reasonable efforts to maintain its secrecy.
Being able to categorize information as a "trade secret" under these state laws is important, as it provides a significant added layer of protectability to the information. But is "information" that is available to employees through a BYOD policy "not…readily ascertainable"? Is such information "the subject of reasonable efforts to maintain its secrecy"?
Protecting trade secrets and proprietary information accessed by employees on employer (i.e., not personal) equipment is hard enough. In addition to normal IT protections integrated into its devices, employers derive some protection by requiring employees to sign non-disclosure agreements. As a practical matter, nonprofits with BYOD policies cede some degree of control over the devices storing the organization's data. Employee personal devices are more likely to be lost, stolen, hacked, or otherwise compromised. When this happens, trade secrets are more likely to be misappropriated.
Intentional employee misconduct further complicates an employer's difficulty in securing trade secrets and other proprietary information under a BYOD policy. Such employees may be tempted to store sensitive information of the organization because the employee has less fear of routine monitoring by their employer. Such an employee who fears s/he is about to be caught can more easily destroy or scrub a personal device than a piece of their employer's equipment.
Nonprofits that adopt BYOD policies must draft them knowing they will have to answer the following question in litigation: Does this policy reflect "reasonable efforts" to maintain the secrecy of the trade secrets and proprietary information that employees are accessing on their personal devices? What constitutes "reasonable efforts" likely will vary by organization, industry, work setting, and the nature of the information sought to be protected. Appropriate protections might include prohibiting apps on a smartphone that might jeopardize the security of data on the phone; limiting the information an employee can access on a personal device; allowing the organization to remotely wipe the device upon termination of employment or other situation of concern; and electronically monitoring the personal devices.
Whether you are thinking about adopting a BYOD policy, or are reviewing an existing BYOD policy, it is essential to remember: Like their for-profit counterparts, nonprofits have trade secrets and proprietary information. They may be lists of actual or potential donors, members, sponsors, advertisers, grantors, exhibitors, or program partners; strategic plans; marketing strategies; proposed budgets or financial projections; or communications among the nonprofit's leadership, to name a few. Protecting the organization's pursuit of its mission requires protecting such information, with or without a BYOD policy.
The difficulty in protecting electronically stored trade secrets did not begin with BYOD, and it is not eliminated by forbidding the use of personal devices. Whether BYOD makes sense for your organization is a case-by-case determination. If it does make sense, there is no one-size-fits-all BYOD policy. In the end, with or without BYOD, nonprofits must remain aware of and be sensitive to the challenges of protecting trade secrets and proprietary information – politics aside.