By Justin T. Curley and Laura J. Maechtlen
Earlier this week, we blogged about certain risks for employers created by “Bring Your Own Device” programs. We continue our blog series here by discussing some additional topics to consider when adopting a BYOD policy.
Employee Privacy Concerns
Any BYOD policy should clearly define employee privacy expectations. While employees have a reasonable expectation of privacy in their own information on their mobile device, employees must be notified that employer information on their device is the property of the employer, and that the employer must retain access to and control of the employer’s information. Employees should also be notified that, due to some functionality in certain personal devices, their privacy could be diminished. For employees who choose to maintain a “dual device” that is used for both personal and work use, employers should:
• Notify employees that, where allowed by law, the employer may need to retain their device to access and collect employer information on their device for discovery requests in litigation, internal or regulatory investigations, and record retention obligations.
• Notify employees than in such instances, personal employee data may be accessed because it may not be feasible to separate personal information from employer data. Employees should also be warned that, when an employer accesses certain information on a personal device, an employer could be privy to additional information beyond what might be expected (e.g., some phones have GPS features, while others have apps that save certain types of data).
• Require employees to acknowledge and agree in writing that they have no rights in their employer’s data, that their employer has the right to access data on their mobile device for legitimate business needs, and that the employer may temporarily retain possession of their device to access and collect employer information from the device. Employees should be warned that their refusal to comply with employer requests to access the device to obtain employment related information could subject the employee to discipline up to and including termination.
• Obtain a written signed authorization form from each employee covered by the BYOD policy regarding the foregoing. Such an authorization is critical in proving consent that will allow the employer the necessary access to the device and its contents, without running afoul of the federal Computer Fraud and Abuse Act, the Stored Communications Act, and other federal, state, or local privacy laws.
• To the extent an employee refuses to comply with these mandates, employers should consider requiring the employee to opt out of the BYOD program, and carry two separate devices, to maintain privacy.
Employers should also stay aware of additional concerns that might arise when implementing a BYOD program. For example:
• A policy requiring use of a mobile device can create a risk of work-related injuries and illnesses that are governed by the OSHA and state workers’ compensation laws.
• Use of a mobile device can interfere with other job functions, such as driving. Employers should consider policies preventing employee use of a mobile device while operating other company issued equipment or any automobile while on company business, as we discussed here and here.
• All employers, irrespective of whether they are unionized, should be aware of potential liability under the National Labor Relations Act when implementing a BYOD policy. Employers should consult all applicable collective bargaining agreements, and ensure they do not implement a policy that covers a mandatory subject of bargaining. In addition, employers should remember that – whether they have unionized employees or not – employees are protected by Section 7 of the NLRA and have a right to engage in concerted activity.
By keeping these important considerations in mind when implementing a BYOD policy, an employer can realize the advantages of a successful BYOD program while minimizing the risks. For more on this or other employment law issues, please contact the authors, a member of Seyfarth’s Social Media & Privacy team, or your Seyfarth attorney.