Employers face risk if rules on work use of personal devices aren’t clear

WASHINGTON — Employers are increasingly allowing their employees to use their own laptops, tablets, smart phones and other mobile devices for work purposes — and that is creating a plethora of potential legal issues.

Employment defense lawyers say that every business should have a clear, written policy covering all aspects of the use of personal electronic devices, regardless of whether the company allows such use. Failing to do so could have serious consequences, from loss of sensitive proprietary information to discovery-related litigation nightmares to potential liability for privacy or wage-and-hour violations.

“In my experience everyone handles it differently,” said Charles R. Bacharach, with Gordon Feinblatt LLC’s employment, litigation and health care practice groups in Baltimore. “Some places have no policy and chaos is in effect; while others ban them outright or try to find a reasonable middle ground. But, my bet is that most places don’t have a policy of any kind and that can be a problem.”

“The issue is coming up regularly,” Bacharach said. “I have advised between a dozen and two dozen clients on ‘Bring Your Own Device’ issues in the last 18 months.”

The increasing use of employees’ personal gadgets for work-related purposes is driven in part by a desire on the part of businesses, particularly smaller companies, to save money on the computer and mobile equipment used by workers.

But what is also fueling the “Bring Your Own Device,” trend is the sharp decline in the use of BlackBerry devices — once a company-provided office staple — as employees increasingly acquire touch-screen phones and tablet computers.

“It’s really the rise of what I call the iPhone-ization of the American workforce,” said Jonathan T. Hyman, a partner in the Cleveland office of Kohrman Jackson & Krantz.

Employees, from executives down to part-time or freelance workers, want to get the benefit of their iPhones and other gadgets at the office, he said.

“In many cases the genie is already out the bottle and employees are already using their devices for work purposes,” said David Navetta, a partner in the Denver office of InfoLawGroup, a law firm concentrating on privacy, data security, consumer protection, information technology and intellectual property issues.

In a recent survey conducted by software company MokaFive, 88 percent of respondents reported that their companies had some form of Bring Your Own Device practice, whether sanctioned or not. But one-third of those surveyed said their companies had no formal policy, and 10 percent didn’t know if a policy existed.

Keeping data under company’s control

The most immediate problem created by the use of personal devices for work is the potential breach of the company’s data security system.

“In many cases people that have their personal devices probably don’t have the security in place that would be present in devices that were issued internally,” Navetta said.

Not only do disparate security protections open the company’s internal data services up to potential breach, but also they could fail to protect business data that is stored on individual devices.

Written BYOD agreements should specifically address these issues by explicitly requiring security software on all devices used for work purposes. Policies should also require that employees allow the company to have access to any company data saved on their devices, and even give the company’s IT department the ability to wipe the hard drives of lost or stolen devices.

These provisions may not go over well with workers, but they can save the company money and headaches later, particularly in the event of litigation and accompanying discovery requests.

“Companies must take steps to make sure that company data isn’t walking out the door when the employee does,” said Daniel A. Schwartz, a member of the firm Pullman & Comley in Hartford, Conn.

A good policy will provide that the company will use its best efforts to preserve personal data on devices while recovering company-owned information.

For example, “you can say the Words with Friends apps are going to be protected,” Schwartz said.

But regardless of the specific provisions of the agreement, it should “make clear to employees that the use of their personal device for work is a privilege and not a right,” said Philip L. Gordon, a shareholder in the Denver office of Littler Mendelson, where he chairs the firm’s Privacy and Data Protection Practice Group. “If they want to take advantage of the privilege … they need to give the employer access.”

Bacharach, the Gordon Feinblatt attorney, said another issue employers should keep in mind comes when the employee decides to get rid of the device and what access should be given to make sure no sensitive or potential e-discovery material finds its way into the hands of the wrong person.

“The tit-for-tat for allowing employees access to the servers or the network is that their employer can scrub the devices after employment ends or when they get rid of it,” he said. “If you think about the possibilities of confidentiality issues, like HIPAA, or potential issues of trade secrets being passed along, it makes sense to have a policy in place.”

Privacy, wage-and-hour claims

The mixing of company and personal data on a mobile device could lead to privacy claims from employees.

The law is unclear on this issue. The question of whether employees have an actionable privacy claim when employers seek information from mobile phones was left open by the U.S. Supreme Court in its 2010 decision in City of Ontario v. Quon.

Although that case involved mobile devices issued by an employer, the reasoning could be extended to employee-owned devices, Navetta said.

“In that case the court assumed that there was an expectation of privacy on the employee’s part, but it didn’t explicitly hold that there was,” he said. Instead, the Court focused on the reasonableness of the employer’s search.

Company BYOD policies should do the same.

“Just because [a policy] may say that employees have no expectation of privacy in the information on these devices, you should try to really narrow down the scope of any investigation and try to avoid sweeping in personal information,” Navetta said.

Personal use of private devices can also give rise to wage-and-hour claims. Workers who receive work-related emails, texts and other communications on their devices even when outside of the workplace may seek to be paid for the time spent on that correspondence.

The issue “has been a concern for a number of years now,” due to the previously widespread use of company-issued BlackBerry devices, Schwartz said.

BYOD policies should expressly address when employees are expected to respond to such correspondence, and specify that any additional wage or overtime claims must be preapproved.

The Daily Record’s Legal Affairs Writer Ben Mook contributed to this article.