Mory, when we last spoke, you discussed your recent transition from private practice to an in-house position. Now that you have become entrenched in the daily grind of corporate America, I wanted to follow up and get your thoughts on an issue impacting many organizations in which employees work remotely in some capacity (i.e., via smart phone, tablet, or laptop). With the proliferation of mobile devices in all aspects of our lives, including workplace communications and information storage, more employers are considering the implementation of “Bring Your Own Device” (“BYOD”) policies that allow employees to connect their own personal devices to the employer’s network to complete job tasks remotely. As an in-house attorney, what are your primary concerns regarding BYOD policies and how do they impact the daily operations of the business from the employer’s perspective?
There is no question that the use of personal technology has permanently invaded the corporate world. Adding to the technology explosion is the fact that many employees are using more than one personal device for corporate purposes; it is not uncommon to see executives, lawyers, and other employees carrying smart phones and an iPad or laptop while on business travel or even if just stepping away from the office for a few hours. Certainly these devices have significant benefits to the employee by increasing productivity and responsiveness, and allowing employees more flexibility in when, where, and how they work. As a result, no longer are employees wondering if they may use personal devices for work purposes; they expect it. With this rise in use of personal devices for work purposes comes a whole new mountain of concerns for the employer. Indeed, from the employer’s side, the concerns are widespread and touch on everything from HR to litigation to compliance issues:
- Identification of device ownership and information located on the device – Ownership of the device sounds like a black-and-white issue when, in fact, there is a vast gray area here that requires advance consideration and resolution by the employer. Relatedly, while personal devices are inevitably full of the employee’s personal information, applications, and documents, drawing the line between those personal effects and the potentially-confidential and proprietary corporate information and documents that co-exist on the device, without invading the employee’s virtual personal space, is a new challenge for employers.
- Security of corporate information on the device – Although employers are accustomed to securing the documents, servers, and computers located within their office confines, personal devices get lost, stolen, and even hacked with sufficient regularity that the security of corporate information stored within those devices is a new and growing concern.
- Application of records management to corporate information on the device – Employers are generally aware of the type of records management and storage policies required for compliance purposes. When these policies fail to address the retention of corporate information and documents inevitably saved within employees’ personal devices, however, these policies are inadequate to realistically and wholly address records management.
- Discovery requests in litigation – Requests for production of documents in litigation are no longer confined to the documents on company servers or in company hard files. Appropriate responses to these requests would necessarily include corporate documents and e-mails, which is an added layer of concern both for outside attorneys representing the company as well as the in-house counsel assisting in compiling documents responsive to the requests.
- Labor law concerns – Controlling the hours worked by non-exempt employees and compliance with the Fair Labor Standards Act was a much simpler task before the rise of the personal device. Now, employers must be careful not to violate labor laws if they require, encourage, or even condone the answering of work-related e-mails by non-exempt employees outside of explicit work hours.
Given the breadth of this list, for any corporation, no matter how large or how small, the question is not, should we implement a BYOD policy, but rather, what should our BYOD policy cover?
Mory, these are all valid concerns for any employer: privacy issues, data management, and potential litigation. Identifying the risks associated with employees’ use of personal devices is certainly the first step to addressing them through a carefully-drafted BYOD policy. So, to answer your question, all these topics can and, indeed, should be addressed in a BYOD policy. Not only does a thorough policy help establish the parameters for the employees and define the employer’s role, but drafting a written policy may serve useful in litigation — but more on that in a moment.
As with most employer policies, a BYOD policy should be written and can be given to employees when they receive their handbook and other pre-employment materials. At that time, the employee can acknowledge his or her receipt and understanding of the policy. By drafting the policy as a stand-alone document, the employer can highlight the importance of the policy and potentially avoid having to produce the entire employment handbook if the policy is later requested by an administrative agency, an opposing party, or the court. Given the NLRB’s recent crusade against employee handbooks – including overly-restrictive or “chilling” social media policies – employers would be better suited to provide a requesting party with only a few pages of a BYOD policy, as opposed to opening Pandora’s Box and providing the entire handbook for examination.
To your specific concerns, a robust BYOD policy can cover the primary labor law issues by implementing proper restrictions on employees’ work activities and off-the-clock work. Of course, a policy cannot prevent an employee from electing to disregard that policy and work off the clock, but a valid policy could limit an employee’s recovery on an FLSA claim or frustrate the certification of a collective action by requiring the plaintiff to establish that the entire class similarly violated the BYOD policy. See, e.g., Wood v. Mid-America Mgmt. Corp., 2006 WL 2188706, 192 F. App’x 378, 381 (6th Cir. 2006) (“[T]he employee bears some responsibility for the proper implementation of the FLSA’s overtime provisions. An employer cannot satisfy an obligation that it has no reason to think exists.”); Anderson v. Cagle’s Inc., 448 F.3d 945, 953 (11th Cir. 2007) (requiring the court to review the record for “legally significant differences” between the members of the proposed class to determine whether decertification of a collective action is appropriate).
Likewise, an effective policy can identify who “owns” or possesses certain data accessed by employees on their devices, including the employee’s personal information – private email correspondence, text messages, and voicemails. By identifying who possesses the data, an employer can better regulate the data and potentially limit its discovery burden, based on application of Fed. R. Civ. P. 34, which requires litigants to produce documents – including ESI – in their “possession, custody, or control.” If the employer divests itself of ownership or control of certain data, during discovery, the employer will have a stronger argument for not preserving, collecting, or producing that data, based on the employee’s ownership of the data and the employer’s inability to access the data.
The remaining privacy and data management concerns you mentioned can also be addressed in a policy through language detailing the employer’s ability to access the corporate data contained on an employee’s personal device, requiring all employees to password-protect or encrypt their devices, and expressly stating that the employer reserves the right to remotely wipe any or all data from the device, in the event the device is lost or compromised. These concerns, of course, are dependent upon the sensitivity of the data on the device; however, by placing more information in a BYOD policy with respect to the rules and controls in place over the employee’s use of the device, the more an employer can assert that the employee has consented to those rules, if the employer is forced to implement them.
Employers should also consider whether the devices or the software contained therein allow employees to bifurcate personal and corporate data to prevent any comingling. This would allow the employer to maintain greater search and control capabilities of its data, without interfering with the personal data of the employee – thus mitigating employee privacy concerns. Additional employer considerations include which employees or departments are eligible to participate in BYOD, how to define eligible employees in a non-discriminatory manner, reimbursement issues (including tax compliance) associated with the devices and data plans, what types of devices are supported, and consistent enforcement of the policy, including violations of the policy (i.e., inconsistent application of discipline for violating the BYOD policy would provide a fertile area for discrimination and retaliation lawsuits, depending on the circumstances of the employees involved and the reasons for the discipline).
With all the issues and considerations we have discussed, what do you think are the biggest practical or logistical challenges to implementing and consistently applying a BYOD policy in the workplace?
Practically speaking, aside from the inevitable technical issues that will arise when attempting to sync up a myriad of available personal devices to the employer’s system (and the cost, in both time and money, to do so), the employer must also be cognizant of ensuring its BYOD policy remains consistent with its other corporate policies. This can be a tricky task that ultimately requires an editing of a myriad of other policies, including acceptable use of computer resources (including email and Internet use), compliance and ethics, security policies, document retention policies, social media, harassment and discrimination, litigation holds, and employee privacy policies. When you marry that dance with the challenge of addressing the overall security of information and protecting information from outside risks (i.e., lost or stolen devices; viruses and malware, which increasingly infiltrate devices through the downloading of innocent-looking personal applications), keeping compliance with BYOD policy reasonable for employees, and including within the policy enough “teeth” to make it enforceable, the most daunting challenge is the drafting of the policy itself. Numerous templates for BYOD policies are available online, but these should be used only as a reference, and care taken to narrowly, but thoroughly, tailor the policy to each employer’s individual needs.
Mory, thanks for taking the time to discuss these important issues. The breadth of this discussion underscores the significant role BYOD policies can play for employers and the need for narrowly tailored policies that address an individual organization’s unique workplace dynamic and existing data structure. A “one size fits all” policy is likely too imprecise for most organizations, and counsel, whether in-house or external, should take the time to cater the policy to the organization’s specific needs. Now, if you’ll excuse me, they just released a new level of Angry Birds, so I must run.