Newsflash: employees today are increasingly tech-savvy. They typically own an assortment of laptops, smartphones, tablets and PCs that are often more advanced than what your information technology departments can offer. Most employers allow employees to bring these devices to work, and some permit the devices to be used for work. (Here’s a list of the “10 coolest tech devices to bring to work”.)
This trend, also referred to as “bring your own device” or BYOD, describes a practice where employees use personal technology to access corporate networks, applications and data. The advantages are obvious. The employer does not have to pay for these devices. Meanwhile, employees can work from virtually anywhere. Employee satisfaction and business productivity are increased at little-to-no (apparent) cost. But BYOD practices come with potential for serious problems if not managed properly.
Information Security Risks
Clearly, BYOD programs expose a company to greater risk of unauthorized access to sensitive business information. When company-owned devices are issued, security can be enhanced by installing software and encrypting the device. With personal devices, organizations can lose the ability to undertake appropriate security measures. Too often, these devices are lost or stolen. Worse yet, departing employees leave with this information stored on their laptops and smartphones. Without proper encryption, the information can easily be breached, potentially exposing confidential information and trade secrets to the public.
In Massachusetts, security breaches can also lead to liability under state data security laws. Massachusetts Data Privacy Regulations (201 CMR 17) require that employers who receive, store, or otherwise access personal information about a Massachusetts resident have a data security plan in place. The law also has strict notification requirements in the event of a breach. These are triggered when the employer knows or has reason to know that a breach has occurred or that an unauthorized person has acquired or used the data for an unauthorized purpose. Unlike the security breach laws of many states, it does not matter under Massachusetts law whether or not there is a likelihood of harm as a result of the breach. The mere occurrence of a breach triggers the law’s notice requirements. In addition to those affected, notice must be provided to the state attorney general and the director of consumer affairs and business regulation.
A few years ago, the United States Supreme Court issued a decision which made it clear that employers have the right to access information on company-issued devices. This decision does not apply to personal devices. Depending on the circumstances, employers typically will not have the right to access employee personal devices, even if they are used for work.
Wage and Hour Issues
Non-exempt employees who are permitted to use mobile devices for work can cause additional challenges. Whether they are checking their work email or answering a work-related call, they are not “off-the-clock” and must be paid for this working time. With personal devices, employers typically cannot monitor this use the way they could with company-issued devices. This can lead to significant liability for unpaid wages and overtime. Remember, in Massachusetts unpaid wage and overtime liability results in mandatory triple damages.
Obviously, permitting employees to bring personal electronic devices to work can cause workplace distractions. These problems can be managed by effective oversight from managers and supervisors. However, when employees are also using the devices for work, the lines between working time and “play time” are blurred. Can you really determine whether an employee is checking his iPhone to review an important work-related email or update his Facebook status? This is an added challenge when employers institute BYOD programs.
Employers who are thinking about implementing a BYOD program should do so with caution. Carefully crafted policies and guidelines need to be in place to ensure information security and other risks are managed properly. Contact the attorneys at Skoler Abbott if you need assistance drafting an effective BYOD policy.