Employees seem permanently attached to their smart phones today, but allowing employees to use their personal devices to make work calls, and send and receive work emails can carry substantial risks. Before allowing employees to use their personal cell phones or other devices for work purposes, make sure you have strong electronic communications and Bring Your Own Device policies in place that cover not only the use of your company email and phone systems, but also the use of personal cell phones, tablets and laptops for work. Among the issues to be addressed:
- Recording Time Worked. For non-exempt employees, time spent writing or receiving work-related emails, taking work-related phone calls, and sending or receiving work related text messages generally is compensable time worked, whether the work was performed in the office or not. Your electronic communications policy should, at a minimum, require employees to record and timely submit all time worked, whether in or out of the office, reading or writing emails or text messages or making work-related calls. Depending on business needs, employers may choose to prohibit after-hours calls and emails for non-exempt employees without prior management approval.
- Eliminate Any Employee Expectation of Privacy. If you allow employees to use personal cell phones for work, your electronic communications systems and BYOD policies should require employees to acknowledge that they have no expectation of privacy in the work-related content on their personal devices, and that such information may be reviewed, intercepted, copied, deleted, and disclosed without any notice to the employee, in the employer’s sole discretion. If the employer is reserving the right to monitor personal data on an employee’s cell phone, the policy should make clear that the employee has no expectation of privacy in such information as well.
- Other Policies Apply. If you allow employees to use their personal devices at work, make clear that the company’s other policies governing employee conduct still apply. For example, employees should understand that harassment, discrimination and threats of violence are prohibited regardless of the means or method used, including personal cell phones. Consider updating your policies to specifically encompass conduct engaged in using the employee’s own devices.
- Reserve the Right to Monitor. If an employee uses his or her personal phone for work, the employer will inevitably have reason to monitor such use. Monitoring may be required, for example, when there is an internal investigation, during the discovery phase of litigation, or in the case of a data breach. Allowing an employee to use his or her phone for work-related purposes should be conditioned on the employee explicitly authorizing the employer to review and monitor work-related information and data on the employee’s phone.Employers may wish to utilize mobile device management (“MDM”) solutions to monitor cell phone use efficiently. (In the tech world, MDM refers to security software and applications used to monitor and manage employee’s mobile devices.) In addition to allowing the employer to manage and control employee devices, MDM software can reduce risk by keeping personal and business data separate.
- Protect Your Data. Establish security protocols. The protocols needed will vary based on the nature of your industry and your jurisdiction. Ensure that company confidentiality policies apply to the data stored on the employee’s own devices, both during and after employment.
Some employers will need substantial additional protections, such as those working with Protected Health Information in the health care sector. Conventional data protection may not be enough when it comes to such information. Employers who allow employees to use their personal devices for work where Protected Health Information is involved should require employees to register their cell phones, tablets and laptops, and report to the company if they are lost or stolen. Employers should also prohibit employees from allowing anyone else to access such information on their personal devices, and from storing, downloading or transmitting company data without company approval. To help enforce these requirements, employers should implement secure data management procedures, including use of passwords for mobile devices, encryption of company data stored on a mobile device, and wiping technology in the event a device is lost or stolen.
In addition, some states have stringent laws requiring protection of personal data. For example, as we have previously noted employers in Illinois with biometric information of Illinois residents are required to receive written consent from employees and have a retention policy in place that establishes reasonable security measures to protect that data from unauthorized access, use, modification, or disclosure. The Illinois Biometric Information Privacy Act applies to biometric identifiers, defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
6. Address Reimbursement. If you allow employers to use their phones for work, your policy should address how employees will be reimbursed for use of their cell phones. Under federal law, employers may not require an employee to pay for the employer’s business expenses if doing so would reduce the employee’s earnings to below the required minimum wage or overtime rate.
Some state laws may impose stricter requirements. In California, for example, when an employee is required to use his/her personal cell phone for work-related purposes, the employer must always reimburse the employee for such cell phone use, even if the employee does not incur any extra expense as a result of the cell phone use.
7. Labor Issues. Be mindful of employee rights under the National Labor Relations Act (NRLA). Regardless of any restrictions imposed by your policies, employees maintain the right to engage in protected concerted activity under the NLRA, such as discussing their wages, voicing concerns about the workplace, joining labor unions, and otherwise.
Earlier this year, the NLRB advice division issued several memoranda, one of which discussed an employer policy banning personal use of its email system, even on non-working time. As we have previously noted, under current Board law, employers that provide employees with access to email as part of their work must allow employees personal use of the email system during non-working time such as meal or break periods and before and after work, unless they can show “special circumstances” necessary to maintain production and discipline. While the employer’s policy did permit “incidental personal use,” the memorandum stated that this did not save the policy since it specifically forbids such use for messages that “are not considered in support of the [Employer] objective,” which could be interpreted as a reference to union or protected concerted activity.
Where employers do not supply company-issued phones, and require or allow employees to use their own devices for work, comprehensive policies are essential.