BYOD could mean “liability on steroids”

November 22nd, 2013  |  David Stephanides

By David Stephanides, J.D.

BYOD? “It’s liability on steroids!,” remarked Adam Forman of the law firm Miller Canfield during an enlightening, or perhaps alarming, program entitled “eWorkplace: Privacy, Access & Security in the Era of ‘The Cloud,’ Social Media and BYOD” at the National Employment Law Institute’s 2013 Employment Law Conference held November 14-15 in Chicago. BYOD, or “Bring Your Own Device,” policies are rapidly being adopted across the United States, with over 50 percent of employers permitting employees to access work-related material via their own mobile devices. With the adoption of these policies, however, comes a variety of risks generally overlooked in an employer’s drive to remain competitive among its peers. You may have even asked yourself what happens to the device and information when employment ends? Does an employer have the ability to remotely “wipe” the device? And does an employee have a duty to notify the employer if the device is lost or stolen?

Forman advised that these risks can generally be divided into two categories: control of employer data; and compliance with employment and labor laws.

Control of employer data. Though the risks associated with permitting employees to access employer information via a mobile device are not a new concern, BYOD brings those risks to new heights. For instance, BYOD can facilitate the theft of employer information by employees themselves, seamlessly allowing employees access to employer information and personal information on the same device. In addition to raising information security concerns for an employer or civil/criminal liability for an employee, it also raises misappropriation concerns for employers who hire a competitor’s employees.

BYOD can also expose an employer’s information to more people, even if the device is not lost or stolen. Consider, said Forman, the ease with which an employee may provide access to his or her mobile device to a friend, often after having satisfied security measures intended to keep nonemployees out.

Because personal mobile devices cannot be totally controlled by the employer, BYOD increases the risk that the mobile device will be “hacked” or exposed to viruses or malware. A 2011 study from the Ponemon Institute illustrates this risk, finding that 23 percent of all information losses resulted from hacking, 21 percent from web-based application or file sharing sites, and 13 percent from unsecured mobile devices. By accessing websites, file sharing programs, or downloading applications for their own personal use, employees may unknowingly and unintentionally expose the employer’s information to third parties.

Information security breaches can result in significant legal liability. Forman noted that several state and federal laws require companies to take affirmative steps to protect an individual’s personal information — like health information and social security and credit card numbers — and impose penalties upon companies for failing to maintain the security of information regarding their customers, clients, and/or employees. Other laws mandate that companies notify individuals when their personal information has been compromised.

The litigation hold problem. BYOD also implicates an employer’s recordkeeping and discovery obligations under numerous federal and state court rules. As to the former, several state and federal laws require employers to either preserve or destroy certain electronic records. As to the latter, employers are obligated to both preserve and produce electronic documents, and failing to do so can lead to court-imposed sanctions. Forman noted that though no court has addressed either of these two issues head on, it is likely that one will do so in light of the explosion of BYOD.

Compliance with labor and employment laws. Though no court has expressly addressed the issue of the relationship between BYOD and an employer’s obligations to prevent hostile work environments, it is possible that allowing employees to use their personal devices at work could facilitate such claims, advised Forman. In short, employees may see the use of personal devices as separate from work, and thus use the device to send or post messages that constitute sexual or racial harassment. Whether or not an employer is ultimately liable under a hostile work environment theory depends upon several factors — including the identity of the alleged harasser and the steps the employer took to remedy the harassment — but it is likely that as technology blurs the line between personal and professional lives, employers will see an uptick in such claims.

For unionized employers, BYOD can expose an employer to significant obligations or liability under state and federal labor laws. First, depending upon an employer’s collective bargaining agreement, it is likely that implementing a BYOD policy is a mandatory subject of bargaining. An employer may also need to bargain over the effects of using mobile devices as it relates to how employees perform their job duties. It is also possible that BYOD implicates surveillance/monitoring issues.

Perhaps the gravest area of concern centers on compliance with wage and hour laws. The primary risk is that BYOD fosters an environment in which nonexempt employees might work during nonworking time. Unfortunately, Forman noted, there is scant guidance from the courts or the Department of Labor as to whether the time spent by nonexempt employees accessing work information on their personal device, such as reading or responding to email sent to their company email address on a mobile device, constitutes hours worked for the purposes of the FLSA. Forman emphasized that there are, however, three compelling reasons why an employer should treat such time as compensable work time.

First, time spent doing work not requested by the employer, but still allowed, is generally hours worked, where the employer knows or has reason to believe that the employees are continuing to work and the employer is benefiting from the work being done. Second, it is likely that by accessing an employer’s network, nonexempt employees could engage in activity that is “integral and indispensable” to their everyday on-the-clock “principal activities” which would thus be compensable as “preliminary” or “postliminary” activities. Lastly, though a minute here or there checking email might be considered de minimis and not compensable, spending a substantial amount of time on after-hours emails, in excess of a few minutes, may be considered compensable.

Though risky, Forman advised that if employers do allow nonexempt employees to BYOD, they should develop a policy with some of the following considerations:

  • Limit the nonexempt classifications that are provided access, thus limiting potential exposure to liability.
  • Prohibit nonexempt employees from accessing the employer’s network during non-work hours without prior permission (e.g., they are just allowed to check email during work hours but away from their computer).
  • Require employees to record all time spent accessing the employer’s network during non-work hours.
  • If possible, turn off access to the employer’s network during non-work hours. For example, Volkswagen recently implemented a system that kept its servers from routing messages to Blackberries starting 30 minutes after each shift and ending 30 minutes before the start of the next shift.
  • Train supervisors to not expect or demand that nonexempt employees access the network or check email during non-work hours.
  • Enforce the policy by monitoring usage or employing technological solutions to rule out such usage.
  • Impose consequences for violations of the policy, while compensating the employee for actual time worked (paying overtime where required).

In sum, BYOD raises a variety of concerns for employers, most of which have not yet been directly addressed by the courts. Accordingly, Forman emphasized that employers should tread cautiously as they institute such policies.