Employers Navigate Challenges Posed by the BYOD Culture
Left to Their Own Devices
Whether or not a company explicitly allows it, employees in all fields are increasingly using their own laptops, tablets, and smartphones as part of their jobs. This practice, known as ‘bring your own device,’ or BYOD, certainly has its benefits, from flexibility to employee satisfaction to decreased IT costs. But it also brings risks — data security is a major one — and potentially thorny legal questions concerning company information being stored on private equipment. There may be no one right answer for all businesses, but well-written, clearly communicated policies are a good start.
Jeffrey Trapani understands the appeal of personal devices like laptops, tablets, and smartphones.
“Everyone’s grown accustomed to having these devices; it’s sort of an expectation,” said the partner with the the Springfield-based law firm Robinson Donovan, while pointing to his own phone. “I find myself sometimes looking at that instead of the giant screen next to me.”
In fact, in an ever-more mobile society, the lines defining the workspace are blurring, and more Americans find themselves using their personal devices, rather than — or in addition to — company-owned equipment, so they can access their work no matter where they are.
All good, right? Well, yes and no.
Certainly, the bring-your-own-device (BYOD) movement offers real benefits, from increased employee satisfaction — they can work more flexibly and tend to be more comfortable and productive on their own devices — to cost savings for employers, who don’t have to spend as much money on hardware, software, and maintenance.
“There are two competing schools of thought whether this would be a good practice,” said Amy Royal, founding partner of employment-law firm Royal, P.C. “Proponents point to the ease and comfort of using your own personal device. And I understand the convenience. If I have employees who are comfortable with their own device, smartphone, laptop, or tablet, they’re more productive, it’s easier for them to navigate their device, and it creates more employee satisfaction.
“Plus, it’s kind of annoying if I have duplicative devices — a work phone and a personal phone — and there’s cost savings to the company if they’re not responsible for furnishing those devices. Those are good things,” she went on.
However, the concerns the BYOD trend raises for employers are serious ones, she told BusinessWest. “You want to delve into the different considerations. Opponents would say it creates potential legal and security risks, and confidentiality and security issues.”
The key issue is not necessarily employees using their personal devices at work, said John Gannon, an associate attorney with employment-law firm Skoler, Abbott and Presser — it’s allowing employees to access the company’s secure network and sensitive data with those devices.
“It’s a broad area of concern,” he noted. “If employees want to do it, an employer will want to have specific policies geared toward people’s personal devices and accessing the employer’s network from those personal device, whether it’s a mobile phone, tablet, or laptop.”
The reason the BYOD question is so pervasive, said those who spoke with BusinessWest, is that even companies that forbid the use of personal devices for work purposes often find employees are doing it anyway. By establishing and clearly communicating policies surrounding personal devices, employers have a better chance of avoiding disputes, legal trouble, and security issues down the line.
Safe and Secure
It wasn’t difficult for Royal to quickly tick off a number of pitfalls made possible by transferring workplace data to a laptop or tablet.
“It poses significant risks to confidentiality when we have somebody using a personal device to access work on the company network and store information — proprietary information — on that personal device,” she said. “What if there’s a data breach? Or the employee could lose it, and the device could end up in someone else’s hands. Or, they could share their device with family members, and that could be a problem.”
Furthermore, she suggested, what happens when an employee leaves the company, which doesn’t always happen on the happiest of terms? They’re obligated to leave company-owned equipment at work, but what is the terminated employee’s responsibility when it comes to client or customer data left on their own device?
Go HERE for a list of Law Firms in Western Mass.
One solution is crafting policies — agreed to as a term of employment — that either forbid the storage of proprietary information on a personal device, or allow the company access to the device to wipe it clean, Trapani said, courses of action that touch on sensitive issues of balancing data security and employee privacy.
“The concern with these personal devices is what kind of data winds up on these things, and are you enabling the employee, if they’re leaving, to take it with them,” Gannon added. “Another big concern is if they lose the device. So, if you’re going to allow employees access to the network through their personal devices, you should have some way to log into those devices and wipe them clean if they’re lost or not returned after employment.”
With all the concern around what employees can take off the company network, perhaps equally important is what they can put on it.
“If you have a personal device you’re connecting to the company network, there’s a risk with that. It might not be supported with updated malware protection,” Royal said, noting that businesses backed by a strong IT department typically don’t have to worry about that on company-owned equipment.
“It’s important to iron out these considerations before allowing people to use their devices in the course of the job,” she added. “You want to develop a clear policy. Maybe personal devices need to go to IT periodically. You can set some kind of timetable in that regard, as well as who can access the device.”
Gannon agreed. “The primary concern is data security, and personal computers that are in the office, that don’t go anywhere, typically have antivirus software that’s regularly updated by either internal IT people or IT management companies that come in and remotely monitor what’s going on the computers.
“If someone has their own device, they could be using it at home, where they may not have the same level of antivirus protection that networked computers have, and they may install something unknowingly, some virus or malware,” he went on. “Malware is a big one — something inadvertently downloaded to your computer that stays dormant, then, say, when you access a banking website, tries to steal your login credentials. It’s pretty dangerous stuff, and if you install that on your laptop, bring that to work, and connect to the network, there’s a chance of infecting the systems on the network.”
Where Does the Time Go?
Security issues are only one piece of the BYOD puzzle, however. Another piece involves wage-and-hour issues, particularly for non-exempt employees getting paid by the hour. Say an employer e-mails workers after hours, Trapani suggested, and an hourly employee responds to that e-mail at home, rather than opening it the following morning.
“Is there an expectation that’s something you have to compensate them for? You can lock yourself into a claim if you don’t.”
Gannon agreed, recalling a study claiming the average American checks their phone 150 times a day, and many of those checks come after work hours, but could involve work issues.
“If you do have non-exempt employees, you have to pay them for all their working time. And if they’re going home and accessing the network to check e-mails or take phone calls, technically that is working time,” he explained. “If that’s a couple e-mails a day over the course of a week, we’re talking about potentially a half-hour, 45 minutes of work. Over a year, that could cause problems. Employers find it difficult to track that time, so it’s a significant challenge for employers who want to give employees freedom to do things from home.”
Gannon said companies can address this challenge in one of several ways: Not allowing non-exempt employees to connect to the network remotely, or allowing only exempt employees to use their personal devices for work purposes, or allowing employees to work from home, but clearly delineating in the company handbook how to accurately report that time, or allowing overtime only with prior approval from a supervisor.
“It gives the employer some protection if the employee leaves, then claims to have worked all these hours, and you didn’t know about it. If you have a policy that requires them to seek approval beforehand, you may not have to pay for that time.”
Then there’s the question of reimbursing employees who use their own device — and, if companies choose to go this route, what legal ramifications it raises, Trapani said. For instance, is the business liable if an employee gets into a motor-vehicle accident while texting? Or, if a company is involved in a lawsuit, what is the employee’s obligation to surrender data on their phone or laptop in the discovery phase?
“Sometimes employers can get dragged into a lawsuit and want to see information on various devices,” Gannon noted. “You’ll want to have some kind of language in your bring-your-own-device policy that the information on that device could belong to the employer.”
In that circumstance, it would actually benefit an employer to reimburse the employee, or pay for a device that can be used for work and personal time, he went on. “If the employer pays for and provides these devices to the employee, it’s less of a privacy issue. If employees are using their own device, mostly for personal use, but for some work use, getting that information can be more challenging.”
Finally, Trapani said, there’s the age-old concern — updated for this high-tech era — of employees killing time while on the clock, and whether using their personal devices at work makes it easier. “There are performance issues. If you have a handheld device in front of you instead of a giant screen, are you looking at Facebook, or doing what you should be doing?”
In the end, Royal told BusinessWest, the BYOD trend has been a net positive at many companies, but there’s risk in allowing it — risk that nonetheless can be managed with well-constructed, clearly communicated guidelines.
“It’s a collaborative effort involving a number of people, like IT, HR, your legal team, and also accountants — are you reimbursing your employees a certain amount for using personal devices, and what are the tax implications of that? You want to have a team looking at this practice before you roll it out.”
Trapani agreed. “Communication is important, not only so employees know what’s expected of them, but also so the people in charge understand the implications of new technology.
That said, Gannon noted, it’s difficult to craft a general BYOD policy, as a lot of it depends on the industry. For example, medical businesses bound by HIPAA from disseminating health information need to be more vigilant than some other industries about which employees can access sensitive data, and on what devices. But there are some universal recommendations.
“Certainly, you want to have a policy that sets out authorized and unauthorized use. And sometimes, the policy lets employees use their own device only if the IT people install software updates and an antivirus program, and gives them remote access if they need to clean out the device.”
A strong BYOD policy, at the very least, puts all employees on the same page, knowing exactly how their devices can be used and what happens when they leave the firm.
“Even if you don’t want to replace company devices by allowing the use of personal devices, you still want to tackle these kinds of issues,” she said. “Employees are probably using their personal laptop or smartphone for some business. That’s the reality.”
Joseph Bednar can be reached at [email protected]