Please ensure Javascript is enabled for purposes of website accessibility

Employers face risk if rules on work use of personal devices aren’t clear

Kimberly Atkins//August 8, 2012//

Employers face risk if rules on work use of personal devices aren’t clear

Kimberly Atkins//August 8, 2012//

Listen to this article

Employers are increasingly allowing their employees to use their own laptops, tablets, smartphones and other mobile devices for work purposes – and that is creating a plethora of potential legal issues.

defense lawyers say that every business should have a clear, written policy covering all aspects of the use of personal electronic devices, regardless of whether the company allows such use. Failing to do so could have serious consequences, from loss of sensitive proprietary information to discovery-related litigation nightmares to potential liability for privacy or wage-and-hour violations.

“The issue is coming up regularly,” said Philip L. Gordon, a Denver lawyer who chairs his firm’s Privacy and Data Protection Practice Group. “I have advised between a dozen and two dozen clients on ‘Bring Your Own Device’ issues in the last 18 months.”

The increasing use of employees’ personal gadgets for work-related purposes is driven in part by a desire on the part of businesses, particularly smaller companies, to save money on the computer and mobile equipment used by workers.

But what is also fueling the trend is the sharp decline in the use of BlackBerry devices – once a company-provided office staple – as employees increasingly acquire touch-screen phones and tablet computers.

“It’s really the rise of what I call the iPhone-ization of the American workforce,” said Cleveland lawyer Jonathan T. Hyman.

Employees, from executives down to part-time or freelance workers, want to get the benefit of their iPhones and other gadgets at the office, he said.

“In many cases the genie is already out the bottle and employees are already using their devices for work purposes,” said David Navetta, a partner in the Denver office of InfoLawGroup, a law firm concentrating on privacy, data security, consumer protection, information and intellectual property issues.

In a recent survey conducted by software company MokaFive, 88 percent of respondents reported that their companies had some form of Bring Your Own Device practice, whether sanctioned or not. But one-third of those surveyed said their companies had no formal policy, and 10 percent didn’t know if a policy existed.

Keeping data under company’s control

The most immediate problem created by the use of personal devices for work is the potential breach of the company’s data security system.

In many cases people that have their personal devices probably don’t have the security in place that would be present in devices that were issued internally,” Navetta said.

Not only do disparate security protections open the company’s internal data services up to potential breach, but also they could fail to protect business data that is stored on individual devices.

Written BYOD agreements should specifically address these issues by explicitly requiring security software on all devices used for work purposes. Policies should also require that employees allow the company to have access to any company data saved on their devices, and even give the company’s IT department the ability to wipe the hard drives of lost or stolen devices.

These provisions may not go over well with workers, but they can save the company money and headaches later, particularly in the event of litigation and accompanying discovery requests.

“Companies must take steps to make sure that company data isn’t walking out the door when the employee does,” said Daniel A. Schwartz, a lawyer in Hartford, Conn.

A good policy will provide that the company will use its best efforts to preserve personal data on devices while recovering company-owned information.

For example, “you can say the Words with Friends apps are going to be protected,” Schwartz said.

But regardless of the specific provisions of the agreement, it should “make clear to employees that the use of their personal device for work is a privilege and not a right,” Gordon said. “If they want to take advantage of the privilege … they need to give the employer access.”

Privacy, wage-and-hour claims

The mixing of company and personal data on a mobile device could lead to privacy claims from employees.
The law is unclear on this issue. The question of whether employees have an actionable privacy claim when employers seek information from mobile phones was left open by the U.S. Supreme Court in its 2010 decision in City of Ontario v. Quon.

Although that case involved mobile devices issued by an employer, the reasoning could be extended to employee-owned devices, Navetta said.

“In that case the court assumed that there was an expectation of privacy on the employee’s part, but it didn’t explicitly hold that there was,” he said. Instead, the court focused on the reasonableness of the employer’s search.

Company BYOD policies should do the same.

“Just because [a policy] may say that employees have no expectation of privacy in the information on these devices, you should try to really narrow down the scope of any investigation and try to avoid sweeping in personal information,” Navetta said.

Personal use of private devices can also give rise to wage-and-hour claims. Workers who receive work-related emails, texts and other communications on their devices even when outside of the workplace may seek to be paid for the time spent on that correspondence.

The issue “has been a concern for a number of years now,” due to the previously widespread use of company-issued BlackBerry devices, Schwartz said.

BYOD policies should expressly address when employees are expected to respond to such correspondence, and specify that any additional wage or overtime claims must be preapproved.

Verdicts & Settlements

See All Verdicts & Settlements

Opinion Digests

See All Digests