Bring your own device has become the norm in the workplace. While many employers now allow BYOD in one form or another, comparatively few have implemented measures to mitigate against the real security, productivity and liability-related concerns inherent in employees’ use of a personal devices for work purposes. Such measures are essential for a successful BYOD program, and effective risk management.
Security risks are front and center when it comes to BYOD. Without proper protections in place, employees’ mobile devices can provide easy access to employers’ confidential and sensitive information, including client files and/or trade secrets. Found in the wrong hands, such information may be compromised — and with it, so can the company’s entire business — within a matter of seconds.
Fortunately, effective BYOD programs are able to protect against major security concerns by requiring employees who wish to use their own device to present their phones at the front-end for the installation of mobile device management, or MDM, software. This kind of software typically ensures that the employer’s sensitive business information and files are stored in a secured location, and allows for the device to be remotely monitored and immediately wiped if it is lost or stolen. Installation of such software and express authorization for remote monitoring and wiping of the phone should be made a prerequisite of a BYOD program.
With work and personal functions merged on a single device, it can be difficult to know if an employee tapping away on a phone is working or texting with friends. Thus it is no surprise that BYOD may pose a productivity challenge, particularly for certain kinds of employers.
While likely to be present at least to some extent for all employers that allow BYOD, the productivity concern is going to vary in intensity depending on the nature of workplace. For example, a production employee in a manufacturing plant probably should not bring their own device; at a minimum, a legitimate business reason for BYOD in such a context is not readily apparent. A marketing or professional services employee on the go, however, may be able to add substantial value to the employer through a BYOD capability. The first step in deciding whether to BYOD or not to BYOD should be to weigh the potential productivity concerns against the potential productivity benefits and determine which one comes out on top.
Assuming the benefits outweigh the risks, a good BYOD policy should clearly define parameters for appropriate use. Consider stating that employees should keep use of personal devices to a minimum while they are at work and have access to the employers’ systems through desktops and work phones.
You should also make sure your business’ mandatory time tracking procedures are clarified to extend to BYOD. This is particularly applicable to employees who are not exempt from overtime under the Fair Labor Standards Act, as BYOD can lead to some thorny questions about compensable time in the case of log-ins or emails sent outside of normal scheduled working hours. As use of BYOD continues to become more widespread, the exposure in this area can be substantial and create an attractive target for plaintiffs’ lawyers. Employers should think twice before allowing non-exempt employees to bring their own device and clearly define the parameters and requirements for time-management in cases of such use.
Legal exposure is another top concern that can lead many employers to pause implementation of a BYOD program or to say no altogether. In addition to time tracking and management issues that can raise exposure under the FLSA, BYOD can exacerbate other legal risks, including claims alleging harassment, discrimination and various other employment torts.
And here, the culprit is the technology itself. Combine the capacity for our communications to become increasingly easier and, at the same time, more impersonal through technological advancements, with the ongoing advancement of forensic specialists, and it is not difficult to see how BYOD may give cause for concern to an employer.
All that said, it is important to recognize that technological advancements bring with them, at least initially, some increased exposure. And to some extent, both are inevitable. Given this, employers should accept the reality of BYOD and be sure to implement smart, working strategies to mitigate its risks.
A good BYOD policy will not only allot for monitoring capabilities in cases of concern, but will also expressly remind employees that the company’s other policies — including policies prohibiting discrimination, harassment, and confidentiality obligations — apply with full force to BYOD use. In addition, a good BYOD policy will expressly remind employees about the safe use of personal devices, to minimize exposure for any driving or other safety violations or accidents involving the use of an employee’s personal phone.
BYOD comes with real risks that require proactive, smart planning on the part of employers. Fortunately, there are proven ways to mitigate the negative aspects, while capitalizing on the attractive aspects, including increased flexibility and productivity for many kinds of employees. Consider whether BYOD makes sense for the nature and unique needs of your workplace. If yes, think through and implement smart strategies to make your program a successful one.
Sonya Rosenberg is a partner at Chicago-based law firm Neal, Gerber & Eisenberg. Comment below or email firstname.lastname@example.org