As employees have widely adopted personal mobile devices such as smartphones and tablets, there has been a parallel trend of employers allowing (or requiring) their employees to use their own personal mobile devices at work. This “Bring Your Own Device,” or “BYOD” movement, can provide benefits to employees and employers such as convenience, greater flexibility and productivity, as well as cost savings. However, BYOD programs can also create risks for employers. In two separate blog posts, we hope to cover some topics to consider when adopting a BYOD policy. We also provide some recommendations to help mitigate these risks.
This post focuses on wage and hour issues and data security issues. In our next post, we will cover privacy concerns and other topics.
Wage and Hour Issues
Allowing non-exempt employees to have access to a mobile device for work purposes creates potential “off-the-clock” liability issues if the employees do not track their time spent before or after their normal work hours responding to e-mails or telephone calls. Employers should:
• Instruct all non-exempt employees to record all time worked, and prohibit all off-the-clock work.
• Develop a policy and procedure for non-exempt employees to easily capture and report such time so that these employees will be paid for all hours worked. Consider including a statement in the policy stating that time spent by non-exempt employees responding to e-mails and answering telephone calls while out of the office should be considered “hours worked.”
• Consider prohibiting non-exempt employees from responding to e-mails or telephone calls after work hours. Consider requiring prior written authorization to work remotely or via mobile device.
• Train managers to minimize sending e-mails to or calling non-exempt employees before or after regular work hours to mitigate the risk of off-the-clock work. Any before or after hours e-mails should also indicate whether an immediate response is required or whether it can wait until regular business hours.
• Ensure leave of absence policies state that employees should not perform work during a leave of absence, including responding to calls and e-mails received during a leave of absence.
Reimbursement of Employee Expenses
Employee expense reimbursement issues implicate both the cost of the device and the actual data usage of the device. With regard to the cost of the device, employers may:
• Require employees to use their own device—this is the simplest and most common type of BYOD policy, and this type of policy makes clear that the employee owns the device, and thus the employee may take it with them at the termination of their employment, or
• Provide employees with a stipend to purchase a mobile device as an employment benefit. However, if the stipend does not cover the full cost of the device, employers must beware that the employee will have at least a partial ownership claim to the device upon termination of employment.
The other expense reimbursement issue arises from the costs incurred in using the device for business purposes. Employers should keep in mind:
• For business usage within an employee’s plan, employers may provide a stipend to reimburse the employee for the time spent on the device for business use.
• If an employee incurs expenses due to business use outside their normal plan, the employer must reimburse the employee for the actual expenses incurred, as employers are required to comply with state laws requiring reimbursement for all reasonable and necessary business expenses.
• In all cases, an employer’s BYOD policy should clearly state which parties are responsible for which costs related to the use of personal mobile devices in the workplace.
• Employers should remember that an obligation to reimburse employees might differ based on job duties. For example, some employees may utilize social media as part of their job responsibilities; thus, an employer may be required to reimburse those employees for additional expenses related to use of various personal devices, when other employees may not incur similar expenses.
Data Security Issues
The loss, theft or hacking of an employee’s personal mobile device can lead to the loss of an employer’s trade secrets, other confidential and proprietary information, and/or private third-party information. This may compromise the employer’s competitive advantage and expose the employer to potential liability under state and federal privacy laws. Employers should:
• Require employees to (1) password-protect their device, (2) install encryption software provided by the employer, and agree to not modify the software, (3) install any security updates provided by the device-maker or the employer, (4) notify the employer immediately if their device is lost or stolen, and (5) permit a remote-wipe feature applicable to the employer-related data, so that sensitive employer data can be erased if the device is lost or stolen.
• Employers should also consider policies or other security features to block employer data or information from other users of a personal device. It is common that family or friends of employees might use an employee’s personal device. This could include password protection for the employer-related data, apps or programs. As a related matter, employers should consider the scope of any policy that prohibits third-party access to employer related information and data on a personal device. To the extent an employee’s small child or other family member accidentally attempts to access employer data while using a personal device, the employer may want to build in an exception to any policy that prohibits unauthorized access.
A Part II on this topic will be posted next week. For those who are interested in further information about BYOD policies, please register for our webinar taking place on June 19th.