Crafting Bring Your Own Device ("BYOD") Policies to Protect Your Company Data and Ensure Compliance with the Law
It is hard to believe that just over a decade ago, the modern touchscreen smartphone was first introduced. Amid the “oohs” and “aahs” of the crowd, Steve Jobs unveiled the revolutionary Apple iPhone in January 2007, and it went on sale on June 29, 2007. The iPhone, shortly followed by other smartphones running Google’s Android operating system, revolutionized not only the way the public interacts with mobile devices, but also the way employers and employees interact in the workplace. This new era opened the door to a range of applications and possibilities for employer-employee collaboration, allowing users to communicate more effectively, access the Internet, store documents, and manage work calendars, all within the palm of their hands.
Fast forward just one decade to today. 2018 data suggests that seventy-seven percent (77%) of United States adults own smartphones, up from just thirty-five percent (35%) in 2011.1 Additionally, some seventy-three percent (73%) of American adults own a desktop or laptop computer at home, while some fifty-three percent (53%) own a tablet such as the iPad (up from three percent (3%) in 2010).2 While text messaging is the most widely used smartphone feature (97%), e-mail is not far behind, with some eighty-eight percent (88%) of smartphone users reporting that they use email on their mobile devices.3 Plain and simple, mobile devices and smartphones have become an indispensable part of our work and personal lives and, as a result, have drastically changed the way employees interact with their work environments. Advances in mobile device technology have made it easier than ever for employees to bring their work home.
The ease, and at times necessity, of allowing employees to receive and send work-related emails, files, and communications from their own devices poses challenges for employers and has led to the rise of “Bring Your Own Device” or “BYOD” policies, which are quickly becoming the norm. BYOD policies are internal policies that define the contours and rules by which employees may use their mobile devices (smartphones, laptops, tablets) and home computers to access workplace email servers, files, and programs. Many employers embrace the benefits of allowing employees to access work from their own devices, as this can create a work environment that is more efficient and relaxed in a way that benefits both employer and employee. By 2015, seventy-four percent (74%) of employers reported allowing or planning to allow employees to bring their personal devices to work.4 By now, that number is certainly higher.
Of course, BYOD policies also carry inherent risks, not the least of which is that employee devices store a wealth of personal information. The United States Supreme Court has noted that mobile devices carry “a ‘wealth of detail about [a person's] familial, political, professional, religious, and sexual associations.’”5 Indeed, sixty-two percent (62%) of smartphone users report using their phones to look up information about a health condition, and fifty-seven percent (57%) use their mobile devices for online banking.6 Because mobile devices carry so much personal information, courts have recently grappled with various legal issues that stem from BYOD policies, such as employee privacy rights, company liability in the event of a lost or stolen device, litigation discovery requirements, and employment law implications.
But, as with other technological advances, the courts lag far behind. Because the relationship between employee privacy and the law is still developing,7 there is a significant dearth of case law, and even of federal and state legislation, covering these issues. That being so, it is crucial that employers create a comprehensive BYOD policy that specifically delineates what control or access the employer will have, and that employees expressly consent to those practices. These policies matter because, in many cases, courts will look to the terms of the BYOD policy to determine the bounds of permissible employer conduct.
A. Privacy and Data Loss
Legally, the most problematic issue with implementation of a BYOD policy may be determining to what extent an employer can monitor and have access to an employee’s personal device. As the American Bar Association has stated:
If your client monitors too much, it can be seen as invading employee privacy, and in some parts of the world, may even be breaking the law. If it does not monitor and control enough, it places the company’s data at a huge risk. Balancing these two seemingly opposing interests is the single greatest challenge to successfully implementing a BYOD program, and it is the role of legal counsel and in-house lawyers to make sure this implementation is done within the law, transparently, and without exposing the company to unnecessary legal risk.8
It should first be recognized that employees enjoy a heightened expectation of privacy in information stored on their personal devices (as compared to employer-provided devices). At the federal level, several statutes give employees a potential cause of action against an employer for breach of privacy. These laws either prohibit unauthorized access to another’s computer (the Computer Fraud and Abuse Act, “CFAA”)9 or protect the privacy of electronic communications held in electronic storage (the Stored Communications Act, “SCA”).10 Importantly, the CFAA and SCA are not limited to criminal enforcement: both statutes provide a private right of action to persons harmed by a violation of either act.11 Some states have also passed laws requiring employers to notify employees when they monitor employees’ electronic communications or computer use,12 although Arizona is not (yet) one of those states.
Arizona law also provides common-law remedies that an employee could conceivably use to sue an employer for excessive monitoring: (a) intrusion upon seclusion,13 (b) public disclosure of private facts, (c) false light, and (d) appropriation of one’s name or likeness. Although these causes of action require an element of intent or egregious conduct by the employer,14 companies should not monitor personal information on employee devices outside of the narrow, permissible bounds outlined in the company’s BYOD policy.
1. Data Leakage Concerns
Of course, on the other side of the spectrum, data leakage is the primary concern for employers. According to reports, 5.2 million smartphones were lost or stolen in 2014,15 which makes businesses understandably fearful about employees reaching internal networks from those devices. With the rise of smartphone theft, employers need a way to ensure that company data is not exposed when the unexpected occurs. Companies should, and upon proper consent legally can, monitor and control employee devices enough to contain a possible data breach, whether through the company’s own IT staff or through a third-party Mobile Device Management (“MDM”) service provider.
Recently, courts have dismissed the complaints of employees whose devices were wiped clean. In Rajaee v. Design Tech Homes, Ltd., a company remotely deleted all of the files, work and personal alike, on an employee’s mobile device after he gave notice of his resignation.16 The device was connected to the employer’s Microsoft Exchange server, allowing the employee to access email and calendar remotely. The employee claimed damages under the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA), but the court rejected both claims, reasoning that the personal data lost was not in “electronic storage” as defined under the ECPA and that the loss was not a cognizable “loss” under the CFAA.
Similarly, in Advanstar Commc'ns Inc. v. Pollard, a company remotely deleted an employee’s files the same day he gave notice of his resignation.17 The employee claimed that he had permanently lost business contacts, emails, photographs, and other effects, and sought damages under the Stored Communications Act (“SCA”). The court dismissed the employee’s claim, holding that the employee’s cellphone was not a “facility through which an electronic communication service is provided” under the SCA, and that the text messages and photos stored on the phone were not in “electronic storage” as the SCA defines that term.
Where no BYOD policy was in place and the employer remotely accessed confidential emails after termination, at least one court has allowed an employee plaintiff to proceed past the summary judgment phase of litigation. In Brooks v. AM Resorts, an employer allegedly accessed privileged emails between an employee and his attorney after the employee was terminated.18 The employee alleged that the employer had used mobile device management software to remotely access his personal email account, and sued under the SCA and the CFAA. On the employer’s motion for summary judgment on the SCA claim, the court held that there was a “genuine dispute of material fact” as to whether the employer improperly accessed the employee’s personal emails and allowed that cause of action to proceed.
2. Practical Tips
All in all, here are some practical tips that employers should follow when crafting and implementing a BYOD policy:
Register every personal device that will access workplace servers, and require that registered devices run current operating-system updates, anti-malware protection, a screen lock with authentication, and full-device encryption.
Create a comprehensive BYOD policy that is detailed enough that employees know exactly what is being tracked and how the information obtained is used and stored.
Mandate strong passwords (and, where the platform supports it, multi-factor authentication) for access to employer servers.
Security procedures must be spelled out in writing.
Employees must be told, in that writing, exactly what is being tracked and how the information is used and stored.
Ask for specific consent to each monitoring activity.
Mobile Device Management (MDM) should be considered if your company needs to protect especially sensitive information (such as medical records).
Create a training program that educates employees about the capabilities of the MDM software.
Obtain CONSENT from employees before the software is installed on the device.
MDM software and the IT department should have the capability to wipe a device if it is lost or stolen.
The BYOD policy should expressly state what will occur when a device is lost or misplaced. If the entire device is to be wiped once it is reported lost or stolen, the policy should clearly say so.
If wiping an entire device makes an employer uncomfortable, MDM and mail-server products offer a selective (or “account-only”) wipe that removes only corporate accounts, applications and data and leaves personal content in place. But again, informed consent from the employee to all monitoring activities is advisable.
The BYOD policy should institute procedures for reporting lost or stolen devices, ideally within 24 hours of the loss; a remote wipe only takes effect when the device next connects, so delay in reporting is delay in protection.
If the entire device is to be wiped, consider giving employees guidance on how to back up and secure any personal data that may be affected.
The BYOD policy should expressly state whether any “passive” or “background” security checks (for example, operating-system version, encryption status, or jailbreak/root detection) will run on the device.
MDM software typically includes location tracking, used to locate a lost or stolen device before it is locked or wiped. If so, the employee should be notified of that capability and assured that it will be used only for that purpose.
Employers should consider whether to institute a reimbursement policy for data plans or other costs associated with work use of the personal device.
The BYOD policy should include a notification of the employer’s policies against harassment, discrimination, and retaliation.
The BYOD policy should expressly state whether location data will be collected and, if so, under what circumstances.
Again, CONSENT is key.
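The full wipe at issue in Rajaee and the selective wipe mentioned in the tips above map to two concrete operations on the Exchange server that the Rajaee device was paired with. The following PowerShell is an added example, not code from the original article or from any vendor; it assumes the ExchangeOnlineManagement module, an Exchange Online tenant (the account-only option is not available in on-premises Exchange), and placeholder mailbox, notification address and device identifier values that you would replace with your own.

```powershell
# Added example (not from the original article): scope an Exchange remote wipe
# to what the BYOD policy and the employee's signed consent actually permit.
# Assumptions: ExchangeOnlineManagement module installed; the operator holds an
# Exchange role that allows Clear-MobileDevice; addresses and IDs are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'exchange-admin@example.com'

$Mailbox  = 'jdoe@example.com'        # employee who reported the device lost
$DeviceId = 'ABC123DEF456'            # placeholder: taken from the loss report / listing below
$Notify   = 'security@example.com'    # receives the wipe confirmation once the device acts on it
$FullWipeConsented = $false           # $true only if the signed BYOD consent covers a full wipe

# 1. List every device paired with the mailbox and when it last synced, so the
#    wipe goes to the right handset and not to a laptop or an old, retired phone.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceId, DeviceType, DeviceModel, LastSuccessSync, DeviceAccessState |
    Format-Table -AutoSize

$Device = Get-MobileDevice -Mailbox $Mailbox | Where-Object { $_.DeviceId -eq $DeviceId }
if (-not $Device) { throw "No device with DeviceId '$DeviceId' is paired with $Mailbox" }

# 2. Choose the wipe scope from the policy and the consent record, never from convenience.
if ($FullWipeConsented) {
    # Full remote wipe: the device is reset to factory state and all personal
    # data goes with it. This is the Rajaee scenario; send it only when the
    # BYOD policy says so and the employee's written consent is on file.
    Clear-MobileDevice -Identity $Device.Identity `
        -NotificationEmailAddresses $Notify -Confirm:$false
} else {
    # Account-only wipe (Exchange Online only): removes the Exchange account
    # and the mail, calendar and contacts it synced, and leaves photos, texts
    # and other personal content untouched.
    Clear-MobileDevice -Identity $Device.Identity -AccountOnly `
        -NotificationEmailAddresses $Notify -Confirm:$false
}

# 3. Either command is queued server-side; the device only acts on it the next
#    time it connects, which is why the policy's 24-hour reporting window matters.
#    The confirmation e-mail sent to $Notify is the audit record that it happened.
Disconnect-ExchangeOnline -Confirm:$false
```

Full MDM suites expose the same two scopes under names such as “retire” or “selective wipe” versus “wipe” or “factory reset”; whichever product is used, the consent record should name the scope the employee agreed to, and the operator should select that scope rather than defaulting to the broader one.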
B. Litigation Discovery
Invariably, companies will become involved in litigation at some point. When this occurs, it is important to note that mobile devices also present unique litigation challenges; in particular, data on employee devices may be discoverable through discovery requests and subpoenas. Some of an employee’s personal information will remain legally protected (health information covered by HIPAA, for example), but other personal data may be discoverable. A couple of recent cases highlight the necessity of having a clear plan in place before a litigation hold is triggered.
In H.J. Heinz Co. v. Starr Surplus Lines Ins. Co., Heinz sued its insurer over coverage for contaminated food products.19 During discovery, the insurer sought to compel the production of electronically stored information (“ESI”) from “key” company witnesses, including instant messages, text messages, and voicemails. Ultimately, the Special Master assigned to the case found that the key employees did not possess company-related communications on their devices and denied the motion to compel. The case nonetheless shows that preparing for a potential litigation hold is something that should be done at the outset: clearly identify the “key” custodians of the information, send timely hold notices, and follow up with employees.
Recently, the District of Nevada in Small v. Univ. Med. Ctr. of S. Nev. recommended “case dispositive sanctions” against an employer in a wage-and-hour suit for failing to preserve electronically stored information.20 The court found that the employer had failed to preserve data on employee mobile devices, which contributed to a “widespread failure to preserve, collect and produce [electronically stored information].” This case highlights the consequences employers can face if they do not have litigation hold procedures in place.
1. Practical Tips
Here are some practical tips employers should abide by when planning for a litigation hold:
Planning for a potential litigation hold is something that should be done at the outset, before a company becomes embroiled in litigation.
It is important to clearly identify the “key” owners of the discoverable information.
Create timely legal hold notices that are directed at all of the employees who possess potentially discoverable information.
The legal notice should be clear and straightforward, and written by the legal department or the company attorney. Require that the recipient acknowledge receipt of the notice and include with the notice a written commitment to comply with the notice. Carefully document all receipts of notice and written commitments.
Follow-up with employees to make sure they receive and understand the litigation hold notice.
C. Employment Law Issues
Employers should also be aware of employment law implications when crafting BYOD policies. For one, a BYOD policy cannot interfere with employees’ rights under the National Labor Relations Act (“NLRA”) to unionize or to discuss or complain about working conditions. Employers should state this expressly in their BYOD policies.
Second, employers should be wary of employee rights under the Fair Labor Standards Act (“FLSA”) and the compensation obligations that flow from it. For example, non-exempt employees who use their BYOD devices for work outside the office may accrue overtime. Courts have found employers liable for compensation owed to an employee who worked overtime on his personal device outside the office.21
Third, companies should develop policies for recording any time worked while an employee uses his or her device, or require that the employee obtain a supervisor’s permission before performing any work from the device. Courts have denied an employee overtime compensation where that employee failed to follow the employer’s procedures for overtime work on a mobile device.22
1. Practical Tips
Here are some practical tips employers should consider when crafting and implementing their BYOD policies, to ensure compliance with employment law:
Include an express provision in your BYOD policy stating that the policy will not be applied to interfere with employees’ rights under the National Labor Relations Act (“NLRA”) to unionize or to discuss or complain about working conditions.
Prohibit off-the-clock access to work email or work on employee mobile devices unless authorized by a supervisor in advance.
1 Mobile Fact Sheet, Pew Research Ctr. (January 10, 2019) http://www.pewinternet.org/fact-sheet/mobile/.
3 Aaron Smith, U.S. Smartphone Use in 2015, Pew Research Ctr. (Apr. 1, 2015), http://www.pewinternet.org/2015/04/01/us-smartphone-use-in-2015/.
5 United States v. Jones, 565 U.S. 400, 132 S. Ct. 945, 955, 181 L. Ed. 2d 911 (2012) (SOTOMAYOR, J., concurring).
7 Mendez v. Piper, Nos. H041122, H041681, 2017 Cal. App. Unpub. LEXIS 2497, at *33 (Ct. App. Apr. 12, 2017) (“the law defining an employee's rights of ownership of and privacy in personal information stored on an employer's computer system is evolving.”)
8 Pedro Pavon, Risky Business: “Bring-Your-Own-Device” and Your Company, American Bar Association, Business Law Today (Sept. 2013).
9 18 U.S.C. § 1030.
10 18 U.S.C. § 2701 et seq.
11 18 U.S.C. § 1030(g); 18 U.S.C. § 2707(a).
12 Del. Code., Tit. 19, § 705; Conn. Gen. Stat. § 31-48d.
13 Hart v. Seven Resorts, 190 Ariz. 272, 279, 947 P.2d 846, 853 (App. 1997).
14 Godbehere v. Phx. Newspapers, 162 Ariz. 335, 340, 783 P.2d 781, 786 (1989).
15 Deitrick, Calia. Smartphone Thefts Drop as Kill Switch Usage Grows: But Android Users are Still Waiting for the Technology (June 11, 2015). https://www.consumerreports.org/cro/news/2015/06/smartphone-thefts-on-the-decline/index.htm.
16 Rajaee v. Design Tech Homes, Ltd., No. H-13-2517, 2014 U.S. Dist. LEXIS 159180, at *1 (S.D. Tex. Nov. 11, 2014).
17 Advanstar Commc'ns Inc. v. Pollard, 2014 NY Slip Op 32398(U) (Sup. Ct.).
18 Brooks v. AM Resorts, LLC, 954 F. Supp. 2d 331, 337 (E.D. Pa. 2013).
19 H.J. Heinz Co. v. Starr Surplus Lines Ins. Co., Civil Action No. 2:15-cv-00631-AJS, 2015 U.S. Dist. LEXIS 184222, at *13 (W.D. Pa. July 28, 2015).
20 Small v. Univ. Med. Ctr. of S. Nev., No. 2:13-cv-00298-APG-PAL, 2014 U.S. Dist. LEXIS 114406, at *11 (D. Nev. Aug. 18, 2014).
21 See Rajaee v. Design Tech Homes, Ltd., No. H-13-2517, 2014 U.S. Dist. LEXIS 159180, at *4 (S.D. Tex. Nov. 11, 2014).
22 See Gaines v. K-Five Construction Corp., 2014 WL 28601, at *13 (7th Cir. 2014).