Welcome back to Law Tips as we continue to draw on the expertise of Tony Rose and Jessica Ballard-Barnett in the rapidly changing area of Internet Law. If you haven’t read parts one and two of this series, you may gather their important insights into net neutrality and cloud services below. This week’s topic delves into another issue that requires vigilance: Bring Your Own Device (BYOD) policies:
It has become commonplace for employees to use their personal mobile devices to access employer-related apps and email. There are steps employers can take to minimize the legal risks:1
- Mobile Device Management
- Secure connection for employees to access work networks using app installed on employee’s mobile device;
- Keeps work apps separate from personal information.
- Document the permissible uses of personal devices for work purposes, including procedure for transferring confidential or sensitive information (be cautious of NLRA Section 7 rights).
- Document required security controls for personal devices used to access employer-related apps and sites, such of screen passwords, device time out, or encryption.
- Frequently train employees regarding policies and permitted uses of personal devices. Make the consequences of unauthorized use or access clear. Consider training or policies for vendors and contractors.
- Review HR policies regarding employee privacy rights, social media policies, and policies for removing applicable data from the personal devices of terminated or exiting employees.
Things to Consider When Creating a BYOD Policy2
- Build an interdisciplinary team to create the policy. Include employees from IT, HR, legal, compliance, and affected employees with BYOD. Different perspectives will help “lead to a policy that fits your organization’s needs and is capable of being followed.”
- Develop goals for the policy. Security is a goal, but productivity should also be a goal. Cost savings might also be a consideration. The goals may be in tension at times. Consider a BYOD policy that “ensures the only way enterprise data flows into or out from a device is through enterprise systems.”
- Determine which employees are covered by the policy and how they are covered. There could be different policies based on job function or exempt versus non-exempt employees.
- Decide which devices/uses are permitted and how the policy applies to each. The policy team should conduct “app reviews” to determine if certain apps are permissible for business use. Remember the policy for laptops should be different than that for handheld devices, as they are different forms of technology.
- Train employees on the policy.
Recent Case Law Regarding BYOD Workplaces3
– Rajaee v. Design Tech Homes4
Employer wiped employee’s iPhone after he resigned, deleting business and personal information. The ex-employee brought suit under the ECPA (Electronic Communications Privacy Act of 1986) and the CFAA (Computer Fraud and Abuse Act). The court rejected both claims, finding the electronic information stored on a cell phone is not “electronic storage” under the ECPA and the ex-employee’s loss of personal photos, videos, contacts, and passwords did not qualify as a “loss” under the CFAA.
Takeaway: employers should review their BYOD policies to make sure employees know the circumstances under which a device may be wiped and consider implementing ways to partition work from personal content on devices.
– Mohammadi v. Nwabuisi5
Allowing non-exempt employees to use their devices to conduct work business after hours could result in the requirement that the company pay overtime to those employees.
Takeaway: consider limiting BYOD use to exempt employees or limit employee use of work-related content on BYOD devices to work hours only.
– Cochran v. Schwan’s Home Services, Inc.6
California labor law requires employers to reimburse employees who are required to use their personal cell phones for work-related purposes for a reasonable percentage of their cell phone bill, even if the employees do not incur any additional expense by using their device at work.
Takeaway: while this is not law in all states, it can be argued the absence of reimbursement is an impermissible wage deduction.
– Small v. Univ. Med. Center of S. Nevada7
Because the company did not have a policy addressing the proprietary nature of the information stored on BYOD devices, two years of information relevant to litigation was lost.
Takeaway: Make it clear in your BYOD policy the ownership of work-related material, and what work-related material is as it pertains to BYOD.
- “‘Bring Your Own Device’ To Work Programs: Regulatory and Legal Risks and How to Minimize Them.”
- “BYOD: Five Things to Consider When Creating Your Policy.”
- “What Recent Case Law Can Teach About BYOD Workplaces.”
- Order: Rajaee v. Design Tech Homes
- Order: Mohammadi v. Nwabuisi
- Order: Cochran v. Schwan’s Home Services, Inc
- Small v. Univ. Med. Ctr. of S. Nev., No. 2:13-cv-00298-APG-PAL, 2014 U.S. Dist. LEXIS 114406 (D. Nev. Aug. 18, 2014).
This concludes this Internet Law series featuring timely advice from Jessica Ballard-Barnett and Tony Rose. I appreciate them sharing their knowledge here at Law Tips. If you’re looking for the opportunity to attend our 37th Annual Indiana Law Update, which includes the comprehensive presentation from these faculty members, we’re bringing it to your locale. Choose your site for a video replay, from Bloomington to Nappanee to Salem…and more! Click Here to find a location near you.
About our Law Tips faculty participants:
Jessica L. Ballard-Barnett, Judicial Law Clerk, Hon Melissa S. May, Judge, Indiana Court of Appeals, Indianapolis, IN. Ms. Ballard-Barnett earned her JD in 2010 from McKinney School of Law – Indianapolis. In addition to her position with the Court of Appeals, she is an adjunct instructor at Harrison College, Columbus Campus and Online. She is also a deputy on the operations team for GenCon and a columnist for HistoricIndianapolis.com.
Anthony J. Rose, Meitus Gelbert Rose LLP, Indianapolis, IN. Tony Rose has over twenty five years experience practicing law in both the private and public sectors. He joined Geitus Gelbert Rose in 2005, where he advises clients on copyright, trademark, technology, entertainment, and Internet issues. He has taught Internet Law at IU School of Law since 2006. Tony served as Vice President and General Counsel to an Indianapolis-based technology services firm, helping to grow the company from 60 to over 400 employees and to nearly $100 million in annual revenue.
About our Law Tips blogger:
Nancy Hurley has long-standing connections with Indiana lawyers. She was formerly a member of the ISBA and IBF staffs for over 30 years. Nancy’s latest lifestyle venture is with ICLEF. We are utilizing her exceptional writing and interviewing skills while exploring how her Indiana-lawyer background fits with ICLEF’s needs. When she isn’t ferreting out new topics for Law Tips, her work can be found in our Speaker Spotlight blogs, postings on the ICLEF Facebook and Twitter pages, and other places her legal experience lends itself.
Thank you for reading Law Tips. You may subscribe to this weekly blog through the RSS link at the top of this page. Also, you are encouraged to comment below or email Nancy. She welcomes your input as she continues to sift through the treasure trove of knowledge of our CLE faculty to share with you.