B.Y.O.D. (Bring Your Own Device Policies)
Article byPosted Featured AuthorNovember 2013
Companies, big and small, spend a large amount of resources on IT infrastructure, IT logistics, and IT support. A quality workforce could become disorganized and swiftly crumble if employees cannot communicate quickly and effectively. This IT burden is a significant and often costly one, to which many companies dedicate a vast amount of human and financial resources. In an effort to alleviate some of this burden and stay competitive in the marketplace, companies, especially many small businesses, have started to develop and implement bring-your-own-device (“BYOD”) policies.
What Are We Talking About?
A BYOD policy is fairly straight forward. Rather than providing company owned electronic devices (e.g., a smart phone, tablet, and laptop) to employees, an employee is simply allowed to use (i.e., brings to work) his or her personal electronic devices. A BYOD policy eliminates the proverbial company-provided device. In a BYOD workplace, the company provides the hardware and storage for the information, and the employees provide the devices through which that information is accessed.
Why Would a Company Have a BYOD Policy?
It gives employees freedom to choose. A BYOD policy allows employees to choose the type of device they want. It is difficult for companies to be flexible in their technology offerings. Most hardware only becomes affordable when bought in relatively large quantities. And no matter what the option is, no single option will ever please everyone. Just ask the next person you see with an iPhone if he or she would mind switching to Android, or Nokia, or anything besides the iPhone. With a BYOD policy, employees are free to choose their own device—relieving the company of that decision.
It is also less expensive for the employer. A BYOD policy can significantly reduce day-to-day IT costs, as well as upfront costs for smaller or emerging companies. For example, think of all that comes with just one smart phone: the phone, a charger, multiple cables, an equal number of adapters, replacement parts, stands/cases/covers, and the nearly constant managing of firmware and software updates. A BYOD policy can significantly, if not entirely, reduce these hassles and costs.
What Concerns/Issues are There with BYOD Policies?
BYOD policies are a recent invention, so unfortunately there isn’t yet a well-established body of law. In fact there aren’t any publicized disputes or litigation in which a BYOD policy took center stage. But the scenarios that could trigger such disputes are not difficult to imagine:
Who owns the phone number? On their personal devices, sales employees make hundreds of calls a day to current and prospective clients. An employee leaves the company, but clients continue to call the former employee on what they believe is a company phone number. Can the company obtain the rights to the former employee’s phone number? Did the former employee relinquish the rights to his personal phone number by using it at work?
Does checking e-mail count as overtime? This is already a hot topic in employment law. Over 200 police officers recently filed a lawsuit in Chicago claiming that they are owed millions of dollars in unpaid overtime for checking e-mails and taking calls on city-issued BlackBerrys, outside of normal working hours. BYOD policies grant hourly employees tremendous freedom to check e-mails outside of normal working hours. But both employees and their employers must remain vigilant to ensure company policies and wage and hour laws are followed. As with any workplace issue, employees should be encouraged to ask, and employers should be prepared to answer, questions about how to handle work e-mails and telephone calls outside of normal working hours.
E-discovery. The ever-expanding realm of e-discovery would certainly include most personal devices used as part of a BYOD policy, for example, parties may be responsible for the preservation and collection of the information stored on the personal devices. That preservation and collection of information on a personal device comes with its own questions, concerns, and analysis that must be carefully considered.
What to Look for in a BYOD Policy?
There are many ‘standard’ workplace policies: policies forbidding harassment and discrimination, vacation and sick leave policies, and discipline policies. BYOD policies, however, are typically company and situation specific. That said, a good BYOD policy should have some form of the following:
- A brief explanation of what the policy is and how/when it will be implemented by the employer.
- A financial disclaimer and/or explanation. The BYOD policy will usually make clear that the employer will not purchase for the employee devices or replacement devices. Some employers, however, may choose to reimburse employees for certain items, e.g., $30/month for a data plan or a one-time, $100 reimbursement for the purchase of a smartphone with the ability to perform certain functions.
- A reference to the employer’s electronic use policy, and an explanation that the electronic use policy applies equally to electronic device(s) used as part of the BYOD policy.
- A password requirement. A BYOD policy will often require all devices used as part of the BYOD policy to be password protected, as well as settings such that a password prompt appears after 1 minute of inactivity, when the device is powered on, or when the device is ‘woken up’.
- A privacy disclaimer. A BYOD policy will usually make clear that employees have no right to privacy in the device(s) used as part of the BYOD policy. Under any BYOD policy, employees will likely relinquish some privacy rights in the device(s) used as part of the BYOD policy.
- A liability disclaimer. A well-drafted BYOD policy will disclaim any liability or responsibility on behalf of the employer for damage to, or the loss/corruption of data stored on, a device used as part of the BYOD policy.
- A search/access agreement. Depending on the circumstances, a BYOD policy may grant the employer the right to physically and remotely access any device(s) used as part of the BYOD policy.
- A limitation on access/use. A BYOD policy may prohibit third-parties from using and/or accessing any device used as part of the BYOD policy. (In general, I am a fan of this type of provision in a BYOD policy. After all, we don’t want a young child accidently e-mailing all contacts with something like: “aad;flkjafja;ls_sdfjads.”)
- A reporting requirement. A BYOD policy will often require employees to immediately report to a specifically identified individual a lost or stolen device.
- A written acknowledgment/verification. As with all workplace policies, employees using the BYOD policy will need to verify in writing that they received the policy, understand the policy, and agree to be bound by it. The written acknowledgement/verification will usually also include a description (make, model, color) of the employee’s personal device that he or she will use as part of the BYOD policy.
Lastly, there are applications/software available that create internal ‘firewalls’ on personal devices. These firewalls prevent the combining of company and personal data. The applications/software can also provide other security benefits, such as the remote locking or remote wiping of devices. Whether an employer makes use of these types of applications/software will depend on an employer’s specific needs and technological capabilities.
The body of law surrounding these issues will develop as litigation surrounding BYOD policies becomes more and more common. No doubt garden-variety tort claims will focus on the privacy interests of the employee, with other tort claims based on theories of trespass, conversion, and emotional distress (just imagine the emotional distress stemming from the mysterious deletion of vacation photos or a Facebook account from a device used as part of a BYOD policy). A number of federal laws could also be implicated, likely including: the Wiretap Act (18 U.S.C. §§ 2510–2522); the Stored Communications Act (18 U.S.C. §§ 2701–2712); and Section 1030 of the Computer Fraud and Abuse Act (18 U.S.C. § 1030). Notably, Section 1030 is a two-way street; employers have successfully brought counterclaims against employees for alleged violations of Section 1030. The extent to which attorneys will have success using Section 1030, or any cause of action, as it relates to a BYOD policy remains to be seen. But one thing is clear, technology in the workplace is here to stay. So we should not have to wait long to get our answers.
Zachary Busey is a member of the Labor & Employment Department at Baker Donelson Bearman Caldwell & Berkowitz PC in Jackson. Zachary can be reached at firstname.lastname@example.org.