The world is different than it once was. It used to be that you needed a 30-foot phone cord to take the phone into another room just so you could have a little privacy, and that when you left work, you really left work, since there wasn’t any way to login remotely.
Nowadays, technological advances have made us truly mobile by enabling us to stay connected 24/7/365. While the workplace impact of 24/7 connectivity has meant that employee productivity has been on the rise, along with it comes challenges that couldn’t have been imagined even 15 years ago.
For instance, a 2011 survey by Plaxo revealed that roughly 20% of cell phone users have dropped their devices into the toilet. At the risk of editorializing — really?!? Has there ever been a text message or phone conversation so critical that it couldn’t wait for a few minutes while nature’s call was attended to? If the recipients of these all-important communications knew the location of their origination, wouldn’t the “ick” factor of that knowledge eclipse the content of the message?
Complaining aside, there is no doubt that we’ve become a wired culture. The workplace is no exception. With the speed that technology advances, it can be difficult for corporate IT budgets to keep up. It’s also true that employees become very attached to their particular mobile device platforms and can resent it when an employer forces them into a specific device.
For these and other reasons, there has been a huge upswing in the number of organizations employing bring-your-own-device (BYOD) policies.
BYOD policies generally grant employees permission to use their own personal electronic devices (PEDs), such as smart phones, tablets and laptops, for work purposes. While doing so can have numerous advantages, too many employers, unfortunately, don’t properly manage the usage and security risks that surround such devices.
As with any organizational practice, adopting an effective BYOD policy requires strategic planning, thorough risk analysis and comprehensive policy creation and implementation (including a strong employee educational component).
This process should always begin by asking what you want to accomplish by adopting such a policy:
Once you know where you want to go, it becomes much easier to identify potential risk exposures and to craft policy provisions that are more likely to help you achieve your goals.
On the risk side of the equation, there are a multitude of potential exposures that can be associated with BYOD practices, some of which may seem obvious (such as security and data breaches), while others may not (such as potential wage and hour issues).
Together, we’ll focus on four of the less obvious risk exposures.
For exempt (salaried) employees, BYOD practices won’t bring any increased wage and hour exposures. The same can’t be said for nonexempt (hourly) employees. Nonexempt employees must be paid for all hours worked, even if they are “off the clock.”
Consider a nonexempt employee who checks work-related e-mails, voicemails or texts during a half-hour unpaid lunch. The employer would have to count the entire meal period as hours worked and paid. Similarly, a nonexempt employee who does any of those things from home at night or over the weekend would have to be paid for the time spent doing so, all of which could very quickly lead to unanticipated overtime obligations.
As a result, serious thought should be given as to whether it makes sense to permit nonexempt employees to use PEDs to perform work remotely at all. If it does make sense, employers should decide how much they want to impose limits or restrictions on the ability of nonexempt employees to use their PEDs for work purposes during non-working times.
In many cases, the employees who are most likely to be using their PEDs for work purposes are in positions of relative prominence and responsibility within their organizations. As a result, much of the data they may be accessing, downloading and sending is likely to be confidential, proprietary or highly sensitive. When used properly, and with the appropriate security measures in place, this isn’t a problem.
However, what happens when employment ends? Not having a protocol in place for reclaiming this data and/or wiping it from the personal device can be devastating. Employees will already be very uncomfortable giving you access to any electronic devices that they also use for personal purposes (especially when they have purchased the devices themselves), and this level of discomfort only increases once they’ve been terminated.
To make matters worse, in many cases employees will have comingled your data with their personal data, such as in their contact lists, which may contain client contact information side-by-side with their friends and family members.
To manage these concerns, many employers are imposing a requirement that employees permit the installation of software on their PEDs that enables the employer to erase or “wipe” sensitive company information if the device is lost or employment is terminated. However, depending on the software, these wipes can also eliminate personal data.
Alternatively, employers may want to install mobile device management (MDM) software on the PED, in which organizational data, networks and systems can be stored separately from the employee’s personal information. Access to this segregated data area should be password protected for added security. Erasing or wiping of organizational data in a segregated area can be easily conducted without concerns of compromising the personal data.
Employers could also consider limiting access to their information, networks and systems to a Citrix-type remote access that gives employees access to a remote desktop, but doesn’t allow them to download actual documents or data onto their PEDs.
For many employees, their PEDs are constant companions that they use to supplement almost every aspect of their lives. When they are allowed to begin using them for work purposes as well, some boundary blurring may occur since habits can be hard to break.
Consider the following issues:
Employers should look to their existing policies regarding phone/cell phone use, safety, confidentiality and driving for work purposes to determine how many of the restrictions in those policies should also apply to employees who have been given permission to use their personal devices for work purposes.
Because of the many personal uses to which employees will use their PEDs and the many places in which they may physically use them (bars, vacation spots, high theft areas, etc.), employers need a comprehensive approach to ensuring the security and integrity of company data and the access points thereto. This becomes even more important if the employee will have access to data that is required to be kept confidential by state or federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
Malware, spyware, viruses, and any number of other malignant programs are much more likely to afflict PEDs that are used across multiple social platforms, many of which (such as personal e-mail accounts) may have compromised security systems. Requiring the installation of anti-virus software may be critically important, and the same rigorous security measures taken with company-provided mobile devices (such as cell phones or laptops) should be considered for PEDs.
Employers should consider working with an IT professional to evaluate their security exposures and the best ways to minimize them.
Before incorporating a BYOD program, make sure you understand all of the risks that can accompany the benefits. Once the program has been established, it must be supported by a thorough policy, as well as specific protocols that must be followed for anyone who participates in the program. Participating employees must be educated as to the expectations and limitations that will be imposed upon their usage of PEDs for work purposes.
For more information, contact us.
James provides guidance to employers on a variety of topics with a focus on employment, risk management and liability issues. In addition to working directly with employers, he regularly conducts in-depth training through webinars, at client sites, and through the University of Minnesota’s Continuin
James provides guidance to employers on a variety of topics with a focus on employment, risk management and liability issues. In addition to working directly with employers, he regularly conducts in-depth training through webinars, at client sites, and through the University of Minnesota’s Continuing Ed program. He previously was a plaintiff’s attorney and brings that perspective into his advice to employers. James received his law degree from the University of Minnesota and his BA from Washington University in St. Louis.
During the White House’s Summit on Working Families on June 24, 2014, President Obama indicated he was signing a presidential memorandum requiring every federal agency to address flexible work schedules and give employees the right to request such schedules. Absent what could be a dramatic increase in workplace flexibility for federal employees, it is undeniable that the demand for flexibility and work-life balance is on the rise.
With massive data breaches at organizations such as Target, Dairy Queen, and JPMorgan, businesses are becoming more aware of the threat of hackers and external threats to their data. And while it’s important to protect yourself from such exposures, history has shown that the real enemy lies within our own companies. Don’t believe it?
Send a Message
Find a Location