About Us  |  About Cheetah®  |  Contact Us

Littler Mendelson attorney warns of pitfalls of “BYOD”

July 29th, 2012  |  Lisa Milam-Perez

We’ve come a long way from the humble cell phone of yore. It wasn’t all that long ago when the mere addition of cameras to our mobile devices evoked fears of trade secret theft, privacy breaches, and virulent new strains of employee tomfoolery. The latest generation of smart phones and other personal devices that employees bring to the office, however, carry an astonishing array of potential liability and other risks, particularly when the same device is used for both business and personal matters. Michael J. McGuire, a member of the eDiscovery Practice Group at management firm Littler Mendelson, outlined a host of concerns of which employers must be wary when employees “BYOD” (bring your own device) — be it an I-phone, Blackberry, Android, or tablet — to work.

Cost savings overstated. Many organizations encourage employees to adopt dual-use devices, convinced that the practice offers significant cost benefits to the company. But recent research suggests that the “total cost of ownership” tells a different story, McGuire said. He noted that IBM has 80,000 employees using personal devices for work-related activity, and its CIO recently acknowledged that the practice hasn’t saved the company any money. “BYOD programs have hidden costs that actually cause companies to spend more money than they realize and make the programs more expensive to operate than the traditional model.”

Employment law risks. Without even considering the substantial data security issues at stake, a cost-benefit analysis of BYOD looks less favorable when factoring in possible employment-related liability alone. McGuire offered just a sampling of the potential ramifications of BYOD in the employment context:

Performance management: With BYOD, the lines between work and personal time are increasingly blurred, creating performance management challenges when trying to regulate on-the-job conduct without infringing on employees’ freedoms outside the office. When employees are off the clock, “they’ll be doing a whole bunch of things you don’t want them to be doing,” McGuire noted. “And when they have a problem with the device and they turn it over to the IT person, IT is going to encounter some things you may not want to see.”

Discrimination: It’s “not just porn” that will make employers want to avert their eyes, McGuire added. “It’s a diabetes management app, or information that implicates Genetic Information Nondiscrimination Act (GINA)-related concerns.” To avoid potential liability for disability discrimination, this is information employers don’t want to have.

Harassment: Employers that pay for and own such devices can more readily exert control over how employees use them. But with BYOD, employers face a greater danger that employees’ prejudices will make their way unabated into the workplace, where employers have an obligation to maintain an environment free from discrimination and harassment.

Overtime liability: The use of dual-purpose devices inevitably results in off-the-clock work and potential overtime liability for nonexempt workers. “When you have a work phone and a personal phone, you put the work device away once you leave work,” McGuire said. “But if you’ve blended phones into one device, you’re going to check your email and get wrapped up into work.” Unrecorded overtime work.

Minimum wage problems: Under the FLSA’s minimum wage provisions, employers may be required to reimburse employees for the personal costs of their own devices, such as their monthly phone bill, if they can be construed as employer business expenses and the cost, factored into their wage rate, brings their pay below the statutory minimum wage.

Privacy concerns: When employees own their devices, there are limits to the employer’s ability to lawfully access (or delete, if need be) company data when stored there. Federal laws, including the Computer Fraud and Abuse Act and Stored Communications Act, restrict unauthorized access to computers and email.

Workplace safety: Employers who would not have been liable for injuries suffered or caused by employees texting while driving on their own personal devices may find themselves paying workers’ comp costs or defending against significant third-party claims when the device is also used for business purposes.

Best practices. McGuire offered the following pointers for managing the myriad risks, both employment and data-security related:

• Plan out your BYOD program. Which devices will you allow? What technical controls and policies will you put in place?

• Modify or create employee agreements on BYOD use. “Spell out clearly what the consequences are of having the convenience of carrying one device and that, if they want it, employees must agree to balance some of the interests,” McGuire urged. Make clear your expectations on proper use and operating procedures.

• Require employees to consent, in writing, to allow the company’s access to its data on their devices.

• If you have a unionized workforce, consult with the terms of the bargaining agreement for potential restrictions. Any new BYOD policy would be subject to collective bargaining.

• Restrict BYOD usage by company executives, legal, HR, and other members of your organization who are privy to highly confidential company information. “Think of those pockets of very sensitive or regulated information,” McGuire advised. “Preserve those pockets of control.”

• Evaluate which other employees you will permit to BYOD. As noted above, BYOD by nonexempt workers creates its own set of problems. Consider also that when your sales reps use dual devices, their phone number is the number your customers have when they leave the company, McGuire cautioned.

• Install MDM (mobile device management) software. The server-based software “is a way of giving you very granular control over the use of these devices,” McGuire explained. The technology allows employers, for example, to issue remote-wipe commands or to prevent employees from using certain apps on these devices.

• Restrict employees from using cloud-based apps, cloud-based backup, or synchronizing with home PCs for work-related data. “This is one of the most difficult policies to enforce,” McGuire noted.

• No use by friends and family members! “I got the most guff for this one,” McGuire told attendees, “and I imagine you probably will too. I know your kid likes to play Angry Birds, and I know you bought it with your own money,” but it’s an essential control, he insisted.

• Rethink your exit interview process. “How will you preserve data on devices that you aren’t paying for? When text messages become an issue in litigation and an employee balks, you’ll have another aggravation to contend with. Once you’ve told someone they’re leaving, they’ll be far less likely to work with you to resolve the issues. With BYOD, you’ve just made the exit process a lot messier.”

McGuire made his comments during his presentation, “The Data Security, Privacy, and eDiscovery Challenges Posed by Bring Your Own Device (BYOD) Policies,” at the Minnesota CLE’s 2012 Upper Midwest Employment Law Institute, held May 21-22 in St. Paul, Minnesota.