In today's connected world, employees often ask their employers to permit use of their personal smartphones, tablets, laptops or even their home desktops for work. Workplaces differ, and there is no "one size fits all" bring your own devices (BYOD) to work policy for employers.
Before allowing employees to use their personal devices for work without any limitations, employers should carefully analyze the risks. After that analysis, employers should adopt a BYOD policy tailored to their workplaces and businesses.
This article reviews some of the risks of employees using personal devices for work matters that employers should consider before adopting a BYOD policy.
1. Wage-and-hour risks
A potential risk of BYOD practices is that nonexempt employees will file wage-and-hour claims based on their use of personal devices outside of normal working hours. Time spent using such devices counts as "hours worked" under applicable wage-and-hour laws. If employees are not compensated for such time, it could lead to claims for unpaid minimum wages or overtime by individual employees or even a class of employees.
Another wage-and-hour risk is that if exempt employees use their devices during a week in which they are off work, the employer may be obligated to pay the employees' full salary for the week in which the work on the device is performed (unless it is an initial or terminal week).
Other than having to pay unpaid wages or salaries for these violations, employers may be faced with attorneys' fees for their own counsel, as well as attorneys' fees and costs for prevailing employees and liquidated damages
2. Risk of losing confidential information and trade secrets
By authorizing employees to use their own devices for work, employers are allowing confidential information and/or trade secrets to reside on devices that the employer does not own or control. Departing employees can then take the confidential information and use it for their own purposes.
For example, if an employee resigns and accepts employment with a competing business, he could easily download the information from his device to the competitor's computer system. This loss of confidential information and trade secrets could be devastating to the employer's business.
Even if a departing employee does not intentionally download the information, it could be inadvertently downloaded when he synced his device to the competitor's system. By allowing these kinds of inadvertent breaches and not taking reasonable action to protect the information, the employer may find it more difficult to enforce confidentiality and nondisclosure agreements or its rights under other laws.
3. Risk of third-party data breach
As with breaches of confidentiality and the dilution of trade secret protections, the risks of third-party data breaches can be catastrophic for an employer with a BYOD practice. Businesses whose employees handle protected health information, customer financial information and similarly-sensitive customer information can unwittingly create exposures through their BYOD practices.
This could allow such information to leave a secure, protected corporate information technology infrastructure. It could also result in the transfer of sensitive, third-party information to companies and persons who are not authorized to possess it.
The costs for such breaches can include claims filed by third parties whose sensitive information has been lost or disclosed, penalties and compliance violations under federal and state regulatory authorities, and data breach notice and notification costs.
4. Risks of employee claims of invasion of privacy
Employers face risks when their BYOD practices are not coordinated with workplace policies that permit employers to search personal devices used by employees for work.
Employers can create unintended exposure for privacy violations if they review employee emails found on cellphones that were transferred through personal, password-protected email accounts. Also problematic would be ordering an employee to turn over a password, which would allow the employer to access an employee's social media account on an employee-owned device.
For these reasons, it is important that employers review their BYOD policy to make sure it is consistent with the other policies that should authorize employers to access, monitor and review electronically stored information residing on the employer's computers and electronic communications systems.
5. Risks of increased electronic discovery and litigation hold burdens
An underappreciated risk associated with BYOD policies is the added burden such policies can create in electronic discovery.
Where employees have electronically stored information that is relevant to litigation on their own devices, employers have been required to preserve such information. Plus, where employers also have policies that require employees to return company property, documents, records and files, employers may have the legal obligation to preserve, recover and produce such documents in litigation, even when they reside on an employee's personal device.
Recent cases have found employers responsible for preserving and producing in litigation information on employee-owned devices. Moreover, failure to preserve such information may result in adverse inferences against the employer and monetary sanctions.
6. Risk of additional monetary costs
BYOD practices appear to save employers money by avoiding costs to the employer of purchasing devices for employees and shifting these costs to the workers. Employers may also save on the cost of cell or data plans by having employees use their personal data plans for work.
However, in a recent class action in California, one court held that employers must reimburse employees who used their personal cellphones for work. While this case is limited to employers in California, it may be the beginning of a trend that would shift the costs of BYOD practices to employers.
Conclusion
Employers should understand all of the risks and proceed with caution when allowing employees to use their own devices for work.
