The Impact of Employees Left to Their Own Devices: Top Ten BYOD Considerations

By Nicky Jatana, Shareholder, Co-Leader Privacy, e-Communication and Data Security Practice Group, Marlo Johnson Roebuck, Shareholder, Jackson Lewis P.C.

While heralded for their convenience and functionality, mobile phones, tablets, iPads, laptops and other emerging technological devices continue to raise challenges for employers and employees alike. In a recent survey by International Data Group, 41% surveyed stated they use their private smartphones for business, 37% use their tablets for business, and 47% of the respondents of the survey who did not currently have a tablet said that they plan to purchase one in the next year. Indeed, a global survey of Chief Information Officers (CIOs) conducted by Gartner Inc. predicts that 38% of companies will stop providing devices to workers by 2016. And, by 2017, half of employers will require employees to provide their own devices. These trends alone require employers to keep up with technology, privacy and data security issues, to name a few. Employers grappling with "Bring Your Own Device" (BYOD) issues should consider the following:

1. Benefit to employees.

A key driver of BYOD use in the workplace is the notable benefits to the employee. Allowing employees to select and use their own personal devices for work provides employees with flexibility not only with using familiar devices of their own choosing but also allows them to complete work tasks outside of the traditional office. Because employees prefer using their own devices when and where they want to, this offers employees mobility, higher productivity, and possibly more work/life balance. All of the foregoing result in happier employees.

2. Cost savings and other benefits to employers.

Employers who embrace BYOD also experience benefits. For one, employers may realize hardware and software costs savings from employees purchasing and using their own personal devices for work. Most states do not require employers to reimburse employees for purchase and use of personal devices for business use.Employers also have greater access to employees who use personal devices for business which can increase productivity and efficiency. Employers also benefit by staying up-to-date with technological advances as most users remain current with new technologies and devices for personal use whereas company-wide changes to technology and devices tend to be slower.

3. Employer support of devices.

In contrast to the benefits BYOD provides to employees and employers, it also comes with costs (actual and potential). Indeed, employers must consider if they can support appropriate upgrades or other maintenance to employees' personal devices. IT support is critical to maintain not only productivity, but security of data. Employers must consider the various devices and support its IT department can maintain as needed. Notably, any initial cost savings in the employee's purchase of hardware and software can be diminished by the need to support these various devices and software.

4. Malware attacks.

It is common for users to connect via unsecured wireless networks which can facilitate such attacks. Also, employees are more likely to download apps or access unknown websites when surfing the web for their personal use, which can also facilitate malware attacks. The mixing of personal and corporate data necessitates employers having a plan for how employers will address malicious software attacks that can corrupt company information and systems.

5. Protection of confidential information.

Employers must also consider data stored on mobile/personal devices with respect to protection of corporate information, trade secrets and personal information of employees and/or its customers.A stolen or loss tablet can lead to the inadvertent disclosure of confidential information. Any confidential/trade secret agreement or policy should be implemented in conjunction with any BYOD policy or plan, particularly with respect to protection and enforcement.

6. Compliance.

Notwithstanding personal device use, employers must also consider BYOD impact on their compliance obligations. Employers must continue to comply with encryption mandates, client demands, e-Discovery obligations, and litigation hold issues, among others. Depending on the industry and nature of personal information maintained, legal obligations under Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA) as well as state laws on data security, for example, remain.

7. Breach/Data Loss.

Data loss can be devastating to any employer between the loss of the data itself, negative publicity and associated financial loss to name a few. Employers should have a breach plan or protocol in place which also includes how to manage or address breach of company or personal information on mobile personal devices used by employees.

8. Employee Privacy.

Due to the mixing of both personal and company information, employers should manage their employees' expectations of privacy. Rather than an overbroad statement that employees have no expectation of privacy in use of their personal devices for business use, an employer may want to consider a measured approach which lowers the expectation of privacy similar to that of use of company systems. This is likely to be more palatable to employees and still serves to provide the company access, as necessary, for legitimate business purposes.

9. Potential wage and hour issues.

While BYOD provides employees with flexibility to work outside of the traditional workplace, this practice also raises significant issues regarding compensating non-exempt employees for all hours worked. Employees may not capture all time worked when using their personal devices during non-shift or regularly scheduled work time. Employers should address how these issues will be handled to ensure employees are fully and appropriately compensated for time worked.

10. BYOD Program/Policy.

If you are an employer who permits use or is considering use of personal devices for business, implementing a BYOD program or policies critical and you should be mindful of the various stakeholders in the company. Implementation should include input from Human Resources, Finance, Employee Relations/Communications, Information Technology and Legal. Some key areas to address in any BYOD policy or program include: a) putting employees on notice about what to expect regarding privacy in their personal information, including company monitoring; b) a clear statement regarding company ownership of business information; c) company access to control company owned information; d) what devices, platforms and networks may be used, including any limitations to access on personal devices; e) company's ability to remove information from device upon employee's departure; f) a mobile device management system, e.g., remote wipe technology; g) device support limitations; h) reimbursement guidelines and limitations; i) process to address loss or theft of personal device to protect company information; and j) clear consequences for policy violations.

Conclusion

The foregoing considerations are not an exhaustive list, but are intended to highlight the multitude of issues raised by BYOD. Successful implementation depends upon an analysis of many factors as well as the inclusion of the key players within the organization. Employers should prudently consider the benefits and costs of BYOD as technology changes and employee use of devices changes along with it.