Business or Pleasure: The Challenges of Bring Your Own Device Policies in the Workplace. Presented by: Gavin Appleby, Littler, Atlanta; Dionysia Johnson-Massie, Littler, Atlanta
What Is BYOD? In the past: company-purchased devices are linked directly to the employer's computer system; employees used separate personal and work phones. Current trend: dual-use devices used for both business and personal activities.
Why Does It Matter? Ownership of the device used to store the data affects the employer's ability to control the device and the data. Bring your own disaster?
Who Is Doing It? Some of the largest corporations, including IBM, Kraft, Cisco & Lockheed, are implementing BYOD policies. BYOD is appealing to small and mid-sized employers as well. Recent survey found that 75% of companies allow employees to use their own personal devices for business (Aberdeen).
Why? Reducing expenses for employers; improving employee engagement; aiding in the recruitment of new employees; solving the "two pocket" problem; innovation to reduce costs and promote collaboration.
Also Creates Risks and Challenges for Employers. Data-Related Risks: security of company data; privacy of employee data; records management; contractual obligations; eDiscovery; trade secret protection; contingent workers.
Also Creates Risks and Challenges for Employers. Behavior-Related Risks: performance management; EEO; wage & hour; workplace safety; labor; international.
Recent BYOD Developments. Fatal flaws: a flaw in the latest update to the iPhone operating system software (version 6.1) causes BYOD chaos; many employers are recommending against the update for BYOD devices. Root of the problem: users can unlock administrative features on devices by "rooting" or "jailbreaking," which causes a BYOD headache for employers, who may lose security control.
Your Experiences with BYOD
Your Experiences with BYOD. What approach has your company taken to the BYOD issue? Restricts to company-owned devices? Allows some employees to connect personal devices, but the process is ad hoc? Has a BYOD policy? Has a Bring Your Own Computer (BYOC) policy?
HR and Employment Law Issues
The Data Issues
Data Is Heavily Regulated. Security laws and regulations; encryption; breach notification; secure data destruction; record retention; employee privacy rights; contractual obligations. Indirectly regulated: trade secret protection; eDiscovery obligations.
Security for Company Data. Loss or theft of devices: lost and stolen equipment accounted for 31% of breaches. Malware: increased use of malware targeting the Android platform. Friends and family: legal risks associated with third-party access to confidential information through BYOD.
Security for Company Data. Gateway to the cloud: applications such as Dropbox and Google Drive provide free and convenient access to the cloud, with legal risk. Employee ownership of the account with the service provider will limit company access to its data.
Privacy of Employee Data. Wiping employee device without consent: Computer Fraud and Abuse Act; state computer trespass laws. Accessing data stored with online service providers: Stored Communications Act; inability to access data without lawful consent of account holder; apps may store access credentials. Data you may not want to see: employee's privileged communications.
Record Retention and Destruction. Automatic deletion procedures? Data hoarding issues.
Trade Secret Protection. "60 percent of American workers who left their employers [in 2008] took some data with them." (Economist) Misappropriation may be harder to prove. Use or disclosure will be the focus. Access to the devices will be a challenge.
eDiscovery Challenges. Locating the data; access to the device; collection challenges.
Obligations Follow the Data
A Few BYOD Scenarios
What Are the Legal Risks? Scenario #1: Employees at your company are excited to learn about the new BYOD policy. John, a non-exempt administrative assistant, asks to have his Android phone connected to receive work emails so he can stay connected outside of work hours. Any problems? a) Yes, this could create an "off the clock" problem under the Fair Labor Standards Act (FLSA). b) No, John should be encouraged to read and respond to emails promptly. c) No, responding to emails does not qualify as work time under the FLSA.
What Are the Legal Risks? Scenario #2: A company plans to terminate an employee for poor performance. This employee routinely accesses the company's confidential and proprietary documents. The IT department would like to remotely wipe (i.e., erase) the employee's BYOD iPhone following the termination. Any problems with that approach? a) No problem, wipe away! b) Cannot wipe personal device under any circumstances. c) Depends - what does the employer's policy say?
What Are the Legal Risks? Scenario #3: An employee asks whether she can install the mobile game Angry Birds, Star Wars Edition on her BYOD device. What is your response? a) Go for it - the employee owns the device. b) Stop! Angry Birds could make the employee less productive. c) Depends on whether the employee's job duties involve launching birds as projectiles.
What Are the Legal Risks? Scenario #4: An employee, Jane, claims that she is receiving explicit and harassing text messages from her co-worker, Frank. Both employees have BYOD devices but do not typically use text messages for work communications. You are conducting an investigation of Jane's allegations - should you ask the IT department to remotely download text messages from Jane's and/or Frank's phones? a) Yes, employers have a right to download texts from BYOD devices. b) No, the texts are private, non-work communications. c) No, the better approach would be to ask Jane to show you the offending texts.
Recommendations
Recommendations. Plan the program; technical controls; policies; operating procedures and capabilities; educate and train.
Recommendation: Decide whether all employees should be permitted to participate in a BYOD program or whether certain groups should be excluded.
Recommendation: Limit use of the cloud if the employee has access to confidential/proprietary information or documents.
Recommendation: Install Mobile Device Management software on dual-use devices.
Recommendation: Require employees to consent to the company's access to their data on the device.
Recommendation: Modify or create Employee Agreements.
Recommendation: Restrict employees from using cloud-based apps, cloud-based backup, or synchronizing with home PCs for work-related data.
Recommendation: No use by friends and family members.
Recommendation: Revise exit interview processes.
Questions?
Thank You! Gavin Appleby, Littler Mendelson, P.C., Atlanta Office, 404.760.3935, gappleby@littler.com; Dionysia Johnson-Massie, Littler Mendelson, P.C., Atlanta Office, 404.760.3901, djmassie@littler.com