BYOD Policies and Employee Rights
The use of personal devices to conduct nonpersonal business has become increasingly common. In addition, corporations are issuing mobile devices that employees may use for personal activities. Therefore, organizations should understand their needs, rights, and obligations, and the rights and expectations of employees, when evaluating and implementing “bring your own device” policies and programs or issuing devices that can be used for both business and personal matters.
“An effective BYOD policy enables mobile workforce productivity while securing company conﬁdential and proprietary information,” said Randy Diamond, director of library and technology resources and legal research professor at the University of Missouri School of Law.
“The policy should support the client’s business objectives and comply with the regulatory environment in which the company operates. Trouble arises when policies do not establish clear rules and boundaries governing employee use of their own or company-enabled devices for business use.”
Understanding Privacy Rights
A company’s ability to access data on an employee’s device will be affected not only by the technologies adopted but also by employee and third-party privacy rights in data and ﬁles stored on the device. Federal and state laws, such as the Health Insurance Portability and Accountability Act, as well as common law privacy principles, require the protection of health, ﬁnancial, and other personal, conﬁdential information. In addition, international privacy and discovery and litigation laws may come into play, depending on the country in which a company is operating or the location of the device.
“Crabtree v. Angie’s List is a civil litigation example of cellphone privacy concerns the U.S. Supreme Court articulated in Riley v. California,” Diamond said. “In Crabtree, the court denied defendant’s request for a forensic examination of employee personal cellphones to obtain GPS and location services data, finding the request was disproportionate to the needs of the case and outweighed by the employees’ significant privacy and confidentiality interests.”
In addition to U.S. and international common and statutory law, employers in the public sector may also be limited in their access to mobile devices because of the application of federal and state constitutional provisions. Further, statutory and constitutional protections may apply not only to the employee in possession of the mobile device but also to third parties whose information may be stored on it. Employers should keep these limitations on access in mind when crafting BYOD programs and policies.
Balancing Corporate Needs with Privacy
When considering the implementation of BYOD programs and policies, employers should first understand relevant security issues for their company and business sector. Risks to consider include data leaks or breaches leading to the release of sensitive company information or third-party personal information and the introduction of malware or spyware to the mobile device or the company network.6 They should also be familiar with the implications of being unable to access business information on employee-owned devices with respect to litigation (discovery) and regulatory compliance, and should prepare program requirements and policies taking these concerns into account. Requirements and policies should be clearly communicated, and employees trained on program requirements.
Employers should also consider the types of litigation and discovery challenges that may arise in the context of BYOD programs. Most courts weighing in on the issue have found that data on BYOD is subject to the same preservation obligations as other electronically stored information.
“Major discovery challenges can [arise] from lapses in sound BYOD practices,” Diamond said.
“Litigation holds must account for employee mobile devices. In re Pradaxa9 is a classic illustration of the loss of relevant text messages resulting from the company’s failure to properly implement its litigation hold to prevent automatic deletion of employee text messages. Clear communication with employees about company discovery obligations, including timely preservation of ESI on mobile devices, is critical when a duty to preserve arises.”
Several factors influence whether information on an employee-owned device is discoverable and subject to a litigation hold. These factors include, but are not limited to, whether the information is within the employer’s possession, custody, or control; whether company information is segregated from private information and the way information is stored; whether the information is unique; and whether the discovery of the information is proportional to the needs of the case.
Finally, employers should address situations in which the company is not a party to the litigation but must protect company information on the employee’s device from discovery in litigation not involving the employer.
Using Device Management Systems
Employers should use available technology to proactively manage employee-owned devices. Mobile device management, also known as MDM, and enterprise mobility management, or EMM, are two ways to manage and secure employee mobile devices. While the terms are still used somewhat interchangeably, MDM generally refers to the ability of companies to manage an employee’s device at a global level. For example, if an employee reported losing a cellphone containing sensitive corporate information, an MDM solution would often consist of wiping the device of all data, while an EMM solution would remove only company-specific information.
Specific solutions include separating business information from personal information. “By ‘containerizing’ business and personal data, the company will reduce or head off common discovery headaches involving company possession, custody, and control issues of current and former employee business data,” Diamond said.
Policy Provisions to Consider
When considering or implementing a BYOD program or policy, initial consideration should be given to the types of data, and associated risks, that will be made accessible to mobile devices. Other aspects of a successful BYOD program include, among other things:
- Documenting the process for granting BYOD access
- Detailing acceptable use provisions
- Detailing requirements for software updates
- Requiring reporting device loss or theft
- Proactively informing employees of the possibility of data wiping (and requiring acknowledgment in writing)
- Requiring passcodes for access to company data (4-digit pins are insufficient)
- Detailing encryption and other security issues, such as whether it is permissible to use public Wi-Fi
- Putting in place controls to properly backup ﬁrm data
In addition to crafting careful policies and employing appropriate technologies for active employees, employers must plan for situations in which employees leave a position, whether voluntarily or involuntarily. If a company has not implemented processes for containerizing company data away from employee data, this may include wiping the leaving employee’s entire device.
“Careful observance of employee exit procedures and protocols should include termination of BYOD privileges and the company’s right to extract or recover business data and business devices when employment terminates,” Diamond said. “Employee education and ongoing training and policy reminders are essential for successful policy implementation and observance.”
Policies Should Evolve with Technology
While employers should consider all the above when crafting BYOD programs and policies, they should also remember that technology changes almost daily.
Asked about future developments in the area of BYOD and other “bring your own” areas, Pete Haskel, of counsel at Bojorquez Law Firm and a member of The Sedona Conference Working Group on Electronic Document Retention & Production, said, “I sense a growing consensus that any current BYOD policy likely soon will be overtaken by two accelerating trends: the weakening of distinctions between personal and business communications, and technology advances that multiply the types of available communications and storage devices."
“For example,” he said, “how will any BYOD policy address employees using embedded chips that they wear instead of carrying a smartphone? Barring some startling technology advances in security measures, I think employee training and discipline will become ever more effective compared to technology measures as the most important component of BYOD policies.”
Careful thought regarding legal requirements, in addition to collaboration between legal and IT departments, is necessary for any successful BYOD policy. Thoughtful planning will ensure that employees understand the do’s and don’ts of company BYOD policies, will ensure that the company has processes and people in place for monitoring technological and personnel changes, and will ensure that best efforts have been made to protect sensitive and conﬁdential information through security protocols. Lastly, companies should understand that creating and implementing a BYOD policy or program is not a static process but rather is an ongoing endeavor that changes as technologies change.
This whitepaper is not intended to provide any legal advice.