Human Resource

 

Respond to the following in a minimum of 250 words: 

• Review the article, “Personal Electronic Devices in the Workplace” Balancing Interests in a BYOD World.” Discuss the reasons why companies should or should not consider a BYOD program. Consider issues of security and privacy in your discussion. How does Covid 19 and the reality of working at home impact BYOD especially if you are using your home computer as your work computer? Should your employer place blockers on you home computers to make sure that you are working and not zooming with friends or helping your children with their on-line classes?

https://web.b.ebscohost.com/ehost/detail/detail?vid=0&sid=0f3fbe48-12d3-4e11-8183-a6a52f624586%40pdc-v-sessmgr06&bdata=JkF1dGhUeXBlPXNoaWImc2l0ZT1laG9zdC1saXZlJnNjb3BlPXNpdGU%3d#AN=102486280&db=bth

Loading…

Accessibility

Information and Tips

Revised Date: 0

7

/

2

0

1

5

Back

1 article(s) will be saved.

The link information below provides a persistent link to the article you’ve requested.

Persistent link to this record: Following the link below will bring you to the start of the article or citation.
Cut and Paste: To place article links in an external web document, simply copy and paste the HTML below, starting with “

To continue, in Internet Explorer, select
FILE
then
SAVE AS
from your browser’s toolbar above.
Be sure to save as a plain text file (.txt) or a ‘Web Page, HTML only’ file (.html).
In FireFox, select
FILE
then
SAVE FILE AS
from your browser’s toolbar above.
In Chrome, select right click (with your mouse) on this page and select
SAVE AS

Record: 1 Title:
Personal Electronic Devices in the Workplace: Balancing Interests in a BYOD World.
Authors:
Totten, Julie A.1
Hammock, Melissa C.2
Source:
ABA Journal of Labor & Employment Law. Fall

20

14

, Vol.

3

0 Issue 1, p

27

–

45

. 1

9

p.
Document Type:
Article
Subject Terms:
*Bring your own device policies
*Information technology security
*Inevitable disclosure (Trade secrets)
*Confidential business information laws
*Intellectual property
*Security systems
Leaks (Disclosure of information)
NAICS/Industry Codes:
5

6

16

21

Security Systems Services (except Locksmiths)
Abstract:
The article offers information on the significance of adoption and implementation of the bring your own device (BYOD) policy by employers in the U.S. It examines the impact of the use of employee-owned devices such as smartphones, tablets, and laptops upon information security issues. It informs that the most common risks associated with a BYOD program to enterprises and consumers includes data breach, loss of intellectual property and trade secrets and loss of personal information.
Author Affiliations:
1Northern California offices of Orrick, Herrington & Sutcliffe, LLP
2Employment law career associate in Orrick’s D.C. office
Full Text Word Count:

76

8

7
ISSN:
2

15

6-

48

09
Accession Number:

10

24

86

28

0
Persistent link to this record (Permalink):

https://search.ebscohost.com/login.aspx?direct=true&AuthType=shib&db=bth&AN=10248

62

80

&site=ehost-live&scope=site&custid=uphoenix
Cut and Paste:
Personal Electronic Devices in the Workplace: Balancing Interests in a BYOD World.
Database:

Business Source Complete

Personal Electronic Devices in the Workplace: Balancing Interests in a BYOD World 

I. Introduction

The use of employee-owned devices — such as smartphones, tablets, and laptops, for both personal and professional use — has become increasingly common. While there may be some advantages for employers in having a “bring your own device” (BYOD) policy, such a policy will also raise a host of potentially thorny problems, such as issues related to data security, ownership, and preservation; e-discovery; privacy; safety; and wage and hour compliance. While employers want to protect their proprietary information, employees may view a BYOD policy as invasive of their privacy if the employer monitors their personal data or tracks their location via their own personal mobile devices. This Article addresses the tension created by the BYOD concept and discusses practical tips for implementing a BYOD policy. It includes, in Part II, a discussion of the reasons for adopting a BYOD program; in Part III, a description of some of the information security issues surrounding BYOD programs; in Part IV, a discussion of the legal issues that may arise with BYOD programs; and, in Part V, a summary of provisions that should be addressed in any BYOD policy.

II. Why Adopt a BYOD Program?

In recent years, employers are more frequently allowing, often encouraging and subsidizing, employee use of their own digital communication devices for work purposes. Employers are adopting BYOD programs for several reasons. First, some employees want the flexibility and freedom to choose devices and means of access to those devices.[
1] This employee benefit can also serve to help recruit new employees, particularly those in the millennial generation who are typically more willing to spend their own funds on the newest technology. In addition, as smartphones become ubiquitous, employees are less willing to carry two devices (e.g., carrying a work BlackBerry and a personal iPhone). Employees who want to avoid the “two pocket” syndrome prefer BYOD programs. Indeed, a recent survey found that eighty-four percent of employees use the same smartphone for work and pleasure.[
2]

Finally, BYOD programs are touted as a way for employers to reduce expenses, on both hardware and operations of systems and services, because employees largely bear the expense. However, the cost savings are not as great as would first appear. Employers that provide employees with employer-owned devices are typically able to negotiate group discounts on devices and cellular services. Depending on how the employer structures its expense reimbursement for the BYOD program, it could end up paying more because the potential employer savings from a bulk purchase are lost when employees purchase devices and services on their own. In addition, employers can experience an increase in IT-related support costs if employees are using different platforms on different devices.[
3]

For these reasons, before adopting a BYOD program, an employer must determine the driving force behind its decision. If it is making the decision because it believes it will reduce costs, the employer should research and evaluate the hidden costs associated with a BYOD program. In addition to evaluating the benefits of a BYOD program, employers must also consider the challenges and risks that arise when employees use personal devices for work-related purposes. The risks of BYOD policies fall into two broad categories: information security and legal.

III. Information Security Issues

The increased prevalence of BYOD programs raises several security challenges.

A. Loss of Device

The most obvious risk associated with a BYOD program is the loss or theft of the employee’s device. The Juniper Networks’ Third Annual Mobile Threats Report outlines several areas of risk:

A lost or stolen device, especially those without security settings like passwords, can present a significant risk to enterprises and consumers, including:

• Data breach: Like a laptop, a lost or stolen mobile device with customer or employee information can result in a data breach that may carry significant legal and reputational costs.

• Loss of intellectual property and trade secrets: Mobile devices often hold sensitive information about projects, as well as intellectual property, that when in the wrong hands, could have devastating effects on business.

• Loss of personal information: Mobile devices hold significant amounts of personal information, which if stolen could be used for a variety of malicious purposes, including fraud and identity theft.[
  4]

While employers can adopt procedures that enable them to remotely wipe employer-owned devices in the event of a loss or theft, employers may not have the ability to remotely wipe an employee-owned device for several reasons. First, the remote wiping of a device will delete all information on that device, which would necessarily include the employee’s own personal data. Accordingly, as discussed below, an employer’s wiping of data without an employee’s consent could lead to a claim under the Computer Fraud and Abuse Act,[
5] the Stored Communication Act,[
6] or relevant state statutes.[
7] Moreover, even if an employer has included protocols in its BYOD program regarding the remote wiping of data, the employer’s actual ability to implement those procedures will hinge on several factors outside of the employer’s control, such as the employee’s knowledge and understanding of the BYOD policy, prompt notification to the employer of the loss, and cooperation in allowing the remote wiping of data from the device. These problems were highlighted in a recent survey, which found that:

More than half of the respondents said their company did not have the ability to wipe data from a phone if it is lost, while 28 percent said they were unsure if the company was able to remotely wipe data. … A majority of workers said they were not sure who to contact if they lost their phone, while 15 percent said they would call their service provider. Twenty-nine percent of workers said they would call their company in the event of losing their device.[
8]

These statistics highlight the need for employers to have well-defined policies regarding what is expected of employees in the event a device is lost or stolen, including gaining written permission to track, locate, lock, and wipe devices remotely under clearly defined circumstances.

B. Malware/Virus Protections

Even if a device is not lost or stolen, malicious software (malware) that is downloaded to a device by the employee can compromise the employer’s data. The download is typically unintentional; employees think they are downloading harmless applications (apps) when in reality they have downloaded malware. Mobile malware is growing at a staggering pace. From March 20

12

through March 20

13

, mobile malware grew

61

4%, compared with a 1

55

% increase reported in 20

11

.[
9] The risk is greatest for employee-owned devices: “[t]hrough 2014, employee-owned devices will be compromised by malware at more than double the rate of employer-owned devices.”[
10]

C. Mobility and Accessibility

The mobility and accessibility of devices raise additional security concerns because data are stored and transmitted on devices and networks over which the employer has no control. In the past, employees could only access the employer’s data over employer-controlled networks. When using their personal devices, employees can access networks that may not be secure, thus increasing the risk of compromising the employer’s data. Unintended circumstances can cause compromised or lost data, compounding the risk. Indeed, “[s]ensitive information on the device may be stored alongside personal videos of junior league soccer and Angry Birds, which the employee’s four-year-old daughter plays daily. One mis-swipe, or wrong button hit, and the work data could be corrupted, lost or accidentally transmitted to the entire junior league.”[
11] In addition, programs such as Dropbox and Google Drive allow employees to move data from secure employer networks to the cloud.[
12] This can raise serious concerns for employers as employees may move information that contains sensitive information, such as personal customer data or employer trade secrets. Once in the cloud, an employer will have little control over what happens to the data.

D. Social Media

Social networking heightens the information security risks posed by a BYOD policy. Recent studies show that seventy-two percent of workers access social media on the job at least once per day,[
13] a majority access it multiple times,[
14] and twenty-eight percent spend an hour or more of each workday social networking.[
15] The prevalence of social media is one of the main reasons that the risk for a data breach on mobile devices is so great. Whether intentionally or unintentionally, employees can now distribute data to an untold number of people with a few swipes. In addition to the ease with which an employee can disclose the employer’s data to an employee’s entire social network, “active social networkers” (those who spend thirty percent or more of their workday on social networking sites) seem to be “more vulnerable” to problems such as being pressured to compromise employer standards and experiencing retaliation for reporting misconduct.[
16] A recent business ethics survey found that fifty-three percent of active social networkers “share information about work projects once a week or more, and more than one third of them share information about managers, coworkers and clients/customers.”[

17

] Most troubling is that the survey revealed, “by almost every measure, active social networkers face greater ethics risks than their less active or non-networking peers.”[

18

] Of active social networkers, fifty percent said they would keep a copy of confidential work documents and forty-six percent would take work software to use on their personal machine.[

19

] However, training can diminish the risks from social networking. Specifically, the study found that “workers who receive training about social networking policies have a better understanding of the risks of social networking and are more likely to respect employer policies.”[
20]

IV. Legal Issues

The legal contours of BYOD programs are anything but well-defined. There is very little guidance on these issues from courts or legislators. The law is attempting to keep up with a technology world that is moving at warp speed. Even so, there are potential areas of legal concern of which any employer adopting a BYOD program should be aware.

A. Privacy

The main legal issue underlying any BYOD program is privacy. Employees use their devices for both work and personal matters, which causes difficulty in determining privacy expectations. Generally, employees do not have a reasonable expectation of privacy in the communications and content on their employer-owned devices. The same may not be said when employees use their own devices. When employees own their devices, there are limits on an employer’s ability lawfully to access — or delete, if necessary — the employer’s data stored on the device. As often happens, technology is outpacing the law and the existing framework of privacy laws does not exactly fit the BYOD context because there are no laws drafted specifically for BYOD programs (nor were BYOD issues anticipated at the time these laws were enacted). Nevertheless, many laws are potentially implicated by BYOD privacy issues.

1.

Computer Fraud and Abuse Act and the Stored Communications Act

One statute that is particularly troubling for an employer that wants to monitor, access, or wipe an employee-owned device is the Computer Fraud and Abuse Act (CFAA).[
21] The CFAA makes it a crime to gain unauthorized access to a computer and permits the recovery of civil damages when the unauthorized access results in damages exceeding $5,000.[

22

] The CFAA (and its state counterparts) can be troublesome if the employer is taking action, such as wiping the device, without employee consent. Furthermore, the CFAA’s prohibition on unauthorized access includes accessing a device in a manner that exceeds authorization.[

23

] For example, employees may authorize their employer to track the location of a device in the event of a loss or theft, but a CFAA violation occurs if the employer instead uses that information to track an employee’s location on a periodic basis. All fifty states have adopted comparable computer trespass laws.[
24]

Similarly, the Stored Communications Act (SCA)[

25

] prohibits unauthorized access to email stored at an email service provider.[

26

] Like the CFAA, the SCA is a criminal statute with civil remedies. The CFAA and SCA may also come into play when an employer attempts to access, without authorization, information that an employee has saved to a cloud-based storage app, such as Dropbox or Google Drive.[
27]

2.

The Health Insurance Portability and Accountability Act and the Genetic Information Nondiscrimination Act

The Health Insurance Portability and Accountability Act (HIPAA)[
28] requires employers to develop and follow procedures that ensure the confidentiality and security of protected health information.[

29

] In that regard, HIPAA requires that employers at least consider encrypting personal health information.[

30

] In the BYOD context, employers have a much more difficult time complying with HIPAA when employees have access to personal health information on their devices. Some employers have had to learn the hard way. For example, one healthcare contractor spent $288,000 managing the fallout of a stolen laptop containing unencrypted patient information.[

31

] In an effort to avert future issues, the contractor destroyed all patient data on mobile devices and mandated the encryption of patient data.[

32

]

The Genetic Information Nondiscrimination Act (GINA)[

33

] prohibits employers from requesting, requiring, purchasing, or disclosing “genetic information” of the employee or the employee’s family members.[

34

] The following example illustrates the potential legal issues that could arise under GINA: Jane has diabetes and downloads an app that allows her to track her blood glucose levels. While placing some updates on Jane’s phone, her employer sees the data contained in the diabetes app. In this situation, the employer has potentially violated GINA. These types of situations will increase as web developers create more health and fitness apps.

3.

Fair Credit Reporting Act

The Fair Credit Reporting Act (FCRA)[

35

] requires secure disposal of certain consumer credit report information.[

36

] Many states have similar laws requiring the secure disposal of certain sensitive information.[

37

] When this type of confidential information is on an employee’s personal device, FCRA issues could arise for the employer in ensuring secure disposal. This problem is exacerbated if employees have moved data to the cloud or elsewhere.

4.

State Laws

In addition to federal law, employers must be mindful of the patchwork of state privacy laws. California, in particular, has been quite progressive in the development of privacy laws. For example, Californians have a constitutional right to privacy from both public and private entities,[

38

] and a state statute requires businesses to notify affected parties when a security breach occurs.[

39

] In addition to laws aimed at protecting traditional privacy concerns, seventeen states have recently enacted laws that prohibit employers from requiring employees or applicants to turn over passwords needed to access private websites, including those used for social media.[

40

] Employers should consult the specific laws of the states in which they have operations to ensure they are in compliance with any state-specific privacy laws.

5.

International Laws

Employers with cross-border operations and employees who travel internationally face unique challenges. For example, under the European Union Data Privacy Protection Directive, individuals must give explicit and fully informed consent for any organization to access and process their personal data.[

41

] If the employee does not give consent, or if the employee is not made fully aware of the implications (e.g., that the employer may wipe the employee’s personal data if the employee loses the device or enters the PIN incorrectly too many times), the employer is likely to be in breach of data privacy regulations and risks a lawsuit. Further, international travelers may be subject to search, and confidential information is not necessarily exempted from review.[

42

] Employers with cross-border operations should consult with counsel to ensure that they are complying with all international privacy regulations.

B. Confidentiality and Trade Secret Protection

While privacy is likely the number one concern for employees using their own devices for work purposes, protection of trade secrets and confidential information is the number one concern for employers. Over the years, it has become easier for departing employees to take employers’ confidential information (e.g., by downloading information to a flash drive). The trend toward use of BYOD programs has only increased the risk to employers that employees will misappropriate confidential information.

According to a fall 2012 survey, half of employees who left or lost their jobs in the preceding twelve months retained confidential corporate data, and forty percent planned to use it in their new jobs.[

43

] Furthermore, “[m]ost employees do not believe that transferring corporate data to their personal computers, tablets, smartphones, and cloud file-sharing apps is wrong.”[

44

] Indeed, over half of those surveyed did not believe that it was a crime to use competitive data taken from a prior employer.[
45] The survey underscores the belief held by many workers that ownership belongs to the person who created the intellectual property. The following example is illustrative:

When given the scenario of a software developer who re-uses source code that he or she created for another company, 42 percent do not believe it is wrong and that the a [sic] person should have [an] ownership stake in his or her work and inventions. They believe that the developer has the right to re-use the code even when that developer does not have permission from the company.[

46

]

The study’s findings are more troublesome when layered on a BYOD program because, in that scenario, the confidential information is stored on the employee’s own device.

Employers can bring statutory and common law claims to address employee misappropriation; however, it will be increasingly difficult and expensive for employers to pursue such actions in a BYOD environment. For example, the Uniform Trade Secrets Act (UTSA)[

47

] imposes liability for “misappropriation” of trade secrets.[
48] Under the UTSA, a trade secret includes any “information, including a formula, pattern, compilation, program, device, method, [or] technique,” the secrecy of which the employer has taken reasonable measures to protect.[

49

] A misappropriation requires the use or disclosure of the trade secret information or the acquisition by improper means of the trade secret.[

50

] It is significantly more challenging for an employer to prove misappropriation in a BYOD environment if it allowed the employee to store the employer’s trade secrets on the employee’s own device. Accordingly, in these situations, employers will focus more on the improper use or disclosure of the alleged trade secret.

In addition to the misappropriation of traditional data (e.g., customer lists, designs, etc.), employers must also consider how they will determine ownership of data such as social networking profiles and content created by employees but used for professional, as well as personal, purposes. For example, while employed by ABC Corp., a salesman creates a social networking account. He uses his ABC Corp. customer list to grow his list of followers. What happens to that profile when the employee moves to a different employer? Does the employer have an ownership interest in the account because it was created during the employee’s tenure and used for work purposes? Does the employee violate his non-solicitation agreement when he updates his profile and thereby notifies all of his followers that he has moved to a different employer? The answers to most of these questions remain uncertain. Indeed the ownership of these types of social networking profiles will likely turn on whether the employee and employer had a prior agreement about account ownership, whether the account was initially created for business or personal use, or the provider’s terms of service.

C. Wage and Hour

Attorneys’ BYOD advice to employers must also address a host of wage and hour issues, such as off-the-clock allegations and claims for expense reimbursements. In addition, employers must consider issues related to joint employers, independent contractors, contingent workers, and third-party vendors.

Pursuant to the Fair Labor Standards Act (FLSA)[

51

] and applicable state laws, employers must pay nonexempt employees for all time worked, including overtime.[

52

] The BYOD trend is particularly problematic when it comes to nonexempt employees who are now able to access work-related content during nonworking hours. In the past, employers did not issue devices, such as smartphones, to nonexempt employees. But with BYOD programs, nonexempt employees are using their own devices. This may lead to employees performing work on personal time (e.g., reviewing and responding to work emails or making telephone calls). These types of acts create a potential claim for off-the-clock work and may be asserted as a proposed collective action.[

53

] The U.S. Department of Labor has even developed a timesheet app that helps employees track hours worked and determine wages owed.[

54

]

In addition to off-the-clock claims, some states have day-of-rest rules and others require uninterrupted meal and rest periods.[
55] Employees can bring claims for violations of these laws (e.g., an employee who reads or responds to emails while eating lunch may have a claim). Employers can attempt to combat the connectivity problem by ensuring BYOD policies clearly state that employees should not be accessing work email outside of working hours. A blanket prohibition, however, can be problematic and difficult to enforce. As a result, employers should include in their BYOD policies a requirement that employees record and promptly report all after-hours work so that the employee can be properly compensated.

Reimbursement for expenses related to the use of an employee’s own device is another issue that employers must consider when adopting a BYOD program. In California, for example, employers are obligated to reimburse necessary business expenses.[

56

] The question becomes, if an employer has implemented a BYOD program, does it then have to pay for the employee’s personal device? The answer likely depends on how the employer implements the BYOD plan. For voluntary programs, in which employees may choose to use their own devices or an employer-provided device, the employer may have an argument that reimbursement is not necessary. On the other hand, employers who require employees to use their own devices will likely need to reimburse employees. Accordingly, the manner in which the employer adopts the plan is important. When reimbursement is required, the employer must then determine the amount of the reimbursement. While it would be easy for an employer to pay the full cost of the employee’s device and monthly bill, this would likely result in an overpayment to the employee. Because the device is used for work and pleasure, the employer is not obligated to reimburse 100% of the costs. There may also be tax implications for the employee (i.e., to be an excludable fringe benefit, the employer must provide the device primarily for noncompensatory business purposes).[

57

]

The actual expense method is the most accurate option, although it is usually not an option for reimbursement for smartphone or tablet usage. Under this method, an employer reimburses only the actual expense of using the employee’s device for work-related purposes. In the past, this method was easy to use because a cellular telephone bill showed every call made and it was easy to apportion the bill between work and personal usage. This method is increasingly less viable because employees have flat fee or unlimited data plans, making it impossible to calculate with any accuracy the amount of usage devoted to work.

Finally, the employer can use the existence of a BYOD program to establish that certain workers are not employees. Because the independent contractor test considers who supplies work equipment, worker-provided equipment makes it more likely for an individual to be deemed a contractor rather than an employee. However, an employer that allows contactors and temporary workers to use their own devices must be cognizant of issues such as security of data and ability to access the contractor’s devices when negotiating contractor and contingent worker agreements.

D. E-Discovery

During litigation, employers must produce all nonprivileged, relevant information responsive to discovery requests.[

58

] Generally, courts will hold employers responsible for recovering discoverable information, even if the material resides on employee-controlled devices.[

59

] This is problematic because it is not just the information on the device that is discoverable, but also the data that were accessed. For employers with BYOD programs, litigation holds become much more challenging. Indeed, it may even be impossible for the employer to gain access to the device even to assess whether there is discoverable information present (e.g., an employee refuses to give consent to the employer to access the device). Even where employers obtain consent, they may have to overcome technical hurdles to effectuate a hold. Often, the most significant challenge is that the work-related data on employee-owned devices may completely avoid synchronization or backup on employer-controlled servers, thereby limiting the employer’s independent ability to preserve and access this information. At a minimum, litigation hold notices should clearly list that the hold covers employee-owned devices and emphasize the importance of preserving relevant material on personal devices and in mixed-use cloud environments.

These discovery issues raise the question of whether an employer can argue that it does not have possession, custody, or control of information stored on an employee’s personal device.[

60

] The circuits are split on this issue, with some holding that a party must produce information that it has the legal right to obtain on demand,[
61] while others have held that a party must produce information that it has the legal right to demand, as well as the “right, authority or practical ability” to obtain from a nonparty.[
62] Based on these standards, discovery from employee devices may depend on the nature of the employer’s policy regarding access to work information on the personal device.

The issue of preserving information held by third parties or former employees is even trickier. Courts can find that employers have control of information even when the employer lacks actual possession of, or direct access to, the information. With third parties, a court’s finding of a direct relationship between the employer and the third-party provider (as established by the terms of the service agreement or payment arrangements, for example) often influences the determination that the employer controlled the information.[

63

] Likewise, courts vary on whether an employer must obtain its work-product from a former employee.[

64

] For example, if the employer issued a severance package to a former employee, and therefore is still paying the employee, that may be evidence sufficient for post-termination control over the employee to subject the former employee to the production demands of Rule

34.

[

65

] Even where an employer lacks the requisite control over a former employee, a court may still require the employer to ask the former employee to search for and produce relevant information before the employer can state that it does not control the information under Rule 34.[

66

]

E. Workplace Safety

Today’s technological age means people can work anywhere and anytime, but this convenience comes at a price for employers, including increased risk of workers’ compensation and Occupational Safety and Health Act[

67

] claims for work-related injuries, as well as tort and negligence claims for accidents caused by employees who are driving while texting or otherwise distracted by mobile devices.

Before the advent of cell phones, courts applying the common law typically held that an employee driving to and from work was not acting in the course and scope of employment.[

68

] As such, courts could not hold the employer liable for injuries to the employee under state workers’ compensation regimes, or liable to third parties under the doctrine of respondeat superior for accidents caused by the employee.[

69

] But the law is changing and the lines between work and nonwork time are becoming so blurred that courts, in some instances, may now hold employers liable for injuries that occur during nonworking hours.[

70

] For example, an employee is engaged in a conference call while driving to work and is involved in a car accident. The employee may file a workers’ compensation claim arguing the accident occurred in the course and scope of employment and the other driver may sue the employer under the doctrine of respondeat superior. The other driver may also sue the employer under a negligence theory, arguing the employer knew or should have known that the employee was using the device for work-related purposes while driving.

In addition to workers’ compensation and tort liability claims, employers may face an investigation from the Occupational Safety and Health Administration (OSHA).[

71

] For example, in response to the problems related to distracted driving, OSHA and the Department of Transportation partnered to combat distracted driving on the job.[

72

] As part of the initiative, OSHA will investigate and issue citations and penalties in cases in which it receives a credible complaint that an employer requires texting while driving or organizes work so that texting is a practical necessity.[

73

]

F. Antidiscrimination Policies

Under federal and state antidiscrimination laws, employees are protected from harassment, discrimination, and retaliation based on protected characteristics such as race, sex, or disability.[

74

] An employer’s equal employment opportunity and BYOD policies will typically intersect in two areas: hostile work environment and failure to accommodate claims. In the harassment context, an employee may not understand that policies relating to what is permissible conduct at work apply even if it occurs on a personal device. For example, employees who use their own devices to view sexually explicit photos or videos with others while at work can be creating a hostile work environment. Additionally, an employer might be held liable for harassing comments made on Internet message boards or blogs, even though the employer did not control the message boards. Employees with disabilities can also raise reasonable accommodation claims arguing that the employer is required to provide additional technology to enable them to perform the essential functions of their positions (e.g., a hearing-impaired employee may request special assistive software to use with a mobile device).

Finally, it is notable that active social network users (those who spend thirty percent or more of their workday on social networking sites)[

75

] are significantly more likely to witness misconduct at work than their less active counterparts: fifty-six percent of active social networkers reported experiencing retaliation (compared with eighteen percent of other workers); seventy-one percent reported harassment online (compared with twenty-two percent of other workers); and seventy-one percent reported a supervisor or someone else in management verbally abused them (compared with fifty-eight percent of other workers).[
76] It will be interesting to see how these statistics change as technology evolves in the coming years and more workers become connected more often.

G. National Labor Relations Act

Neither the National Labor Relations Board (NLRB) nor the courts have issued any ruling interpreting the National Labor Relations Act’s (NLRA)[

77

] application to BYOD programs. Nevertheless, regardless of whether the employer’s workforce is unionized, there is potential liability for all employers under the NLRA.[

78

] All employers — whether unionized or not — should take care when drafting their BYOD policy and be mindful of the fact that a dual-use device may be used as an organizing tool; any policy must be narrowly tailored. The NLRB’s recent crackdown on overly broad social media policies serves as a sobering lesson on how strictly the agency is construing employer policies.[

79

] For that reason, employers must carefully and thoughtfully word all BYOD policies so as not to run afoul of an employee’s section 7 rights.[
80]

Any employer that seeks to monitor employees’ usage must make sure that the monitoring does not infringe on employees’ rights under section 7 to engage in organizing activity or other protected concerted activity.[

81

] In addition, when there is a grievance or investigation, employers must remember that the union will typically have the right to view or obtain a copy of any data the employer has gathered. If the workforce is unionized, an employer should review the applicable collective bargaining agreement prior to adopting any policy to determine whether such a policy is a mandatory subject of bargaining.

V. BYOD Policies

Any employer that adopts a BYOD program should consider having a comprehensive, written BYOD policy. The specific terms of any BYOD policy will vary depending on the employer’s goals. At a minimum, any effective policy must define the scope of covered devices, appropriate use, cost, and support issues; implement security protocols; outline the consequences for violations; contain a mechanism for monitoring employee access and appropriate use; and require employee training. In that regard, when drafting a BYOD policy, an employer should consider the following:

Scope:

• Will the policy apply to the entire workforce or just a segment (e.g., only exempt employees or only on-call employees)?

• What devices does the policy cover (e.g., smartphones and tablets, or all electronic devices)?

• Are there restrictions on the brand or age of devices that employees may use?

• Define who owns what information (e.g., the employer owns the information that the employee is accessing from the employer’s servers).

Appropriate Use:

• What servers and applications will the employer make accessible?

• What restrictions does the policy place on access?

Cost and Support Issues

• Identify what expenses are reimbursable.

• Will the employer provide IT support to fix personal devices?

Implement Security Protocols

• Consider whether to implement a mobile device management platform to help with:

• encrypting all data stored on the device;

• remotely wiping data;

• requiring complex passwords, and forcing a wipe after a set number of unsuccessful password attempts;

• locating lost or stolen devices; and

• prohibiting apps with malware.

• Outline what an employee should do if there is a security breach (e.g., the device is lost or infected with malware). This should include information on whom the employee should contact in the event of a loss or theft.

• Outline the procedures an employee should follow upon separation from employment (e.g., allowing the employer to wipe data from the device).

• Outline the process for employer inspection of the device if necessary for an investigation or litigation.

Monitoring and Consequences for Violations

• Will the employer monitor to ensure appropriate access and use (e.g., are employees using approved software and passwords)?

• What are the consequences for violations of the policy?

Training

• Any policy must not only be distributed to employees, but it is advisable to include training on the policy so employees are fully aware of their obligations under the policy.

VI. Conclusion

Given the many technical and legal issues that BYOD programs implicate, any employer considering adopting a BYOD policy should take its time and proceed in a methodical fashion to address the numerous complexities that can arise. Employers must give careful consideration to confidentiality and security issues and the manner in which they intersect with privacy concerns. In addition to the legal and security issues, employers must also be cognizant of ensuring that their BYOD policy is consistent with other corporate policies. This can be a difficult task that ultimately requires the editing of a myriad of other policies, including acceptable use of computer resources, compliance and ethics, security policies, document retention policies, social media, harassment and discrimination, policies related to litigation holds, and employee privacy policies. Finally, once an employer is operating in a BYOD world, it will want to be sure it applies its policy consistently because failure to do so could give rise to claims of discrimination.

Footnotes

1. Symantec Co., BYOD or Bust: Are Your Mobile Policies Keeping Up with Your Mobile Employees? 1, 1 (2013),

http://www.symantec.com/content/en/us/enterprise/white%5Fpapers/b-byod-or-bust%5F2129120

8.

pdf

.

2. David Mielach, Smartphone Security Lacking for Employees, Research Finds, BUS. NEWS DAILY (Aug. 14, 2012, 3:54 AM),

http://www.businessnewsdaily.com/2998-byod-security-lapse.html?

.

3. Andrew Brown, TCO & Security of Enterprise Grade Mobility: Compliance, Control, Cost and Consumerisation: What Businesses Can Learn from the Public Sector About Best-Practice Mobile Enterprise Management, STRATEGY ANALYTICS 1, 38-39 (2012),

http://uk.blackberry.com/business/StrategyAnalyticsReport

.

4. Juniper Networks, Inc., Third, Annual Mobile Threats Report, JUNIPER NETWORK 1, 19 (2013),

http://www.juniper.net/us/en/local/pdf/additional-resources/jnpr-2012-mobile-threats-report

.

5. Pub. L. No. 99-474, 100 Stat. 1213 (1986) (codified as amended at 18 U.S.C. § 1030 (2012)).

6.

Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as amended at 18 U.S.C. §§ 2701-2712 (2012)).

7.

See, e.g., CAL. CIV. CODE § 1798.82 (West 2010) (notice is required for all individuals affected by data breaches).

8. Mielach, supra note 2.

9.

Juniper Networks, Inc., supra note 4, at 3.

10.

Gartner Reveals Top Predictions for IT Organizations and Users for 2013 and Beyond, GARTNER, INC. (Oct. 24, 2012),

http://www.gartner.com/newsroom/id/2211115

.

11.

Cynthia Larose & Narges Kakalia, Technology in the Workplace: Integrating Employees’ Smart Devices into the Workplace, 248 N.Y. L.J., no. 114, Dec. 13, 2012, at 5.

12.

Id.

13.

National Business Ethics Survey of Social Networkers: New Risks and Opportunities at Work, ETHICS RES. CTR. 1, 8 (2013),

http://www.ethics.org/downloads/SocialNetworkingFinal

.

14.

Id. at

20.

15.

Id. at 8.

16.

Id. at 27, 42-

43.

17.

Id. at

23.

18.

Id. at 27 (emphasis omitted).

19.

Id. at

28.

20. Id. at 35 (emphasis omitted).

21.

18 U.S.C. § 1030(c) (2012).

22.

Id.

23. Id.

24.

See Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1596 (2003).

25.

Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified at 18 U.S.C. §§ 2701-2712 (2012)).

26.

18 U.S.C. § 2701(a) (2012).

27.

See, e.g., 18 U.S.C. §§ 1030(a)(1), 2701(a) (2012).

28. Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified in scattered sections of 29 & 42 U.S.C.).

29.

See 45 C.F.R. § 1

64.

502 (2012) for general rules regarding uses and disclosure of protected health information.

30.

Id.

31.

Nicole Perlroth, Digital Data on Patients Raises Risk of Breaches, N.Y. TIMES (Dec. 18, 2011),

.

32.

Id.

33.

Pub. L. No. 110-233, 122 Stat. 881 (2008) (codified in scattered sections of 29 & 42 U.S.C.).

34. 42 U.S.C. § 2000ff-1 (2012).

35.

Pub. L. No. 91-508, 84 Stat. 1127 (1970) (codified at 15 U.S.C. § 1681-1681x (2012)).

36.

15 U.S.C. § 1681w (2012).

37.

See, e.g., CAL. CIV. CODE § 1798.81 (West 2009) (“A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business.”).

38.

CAL. CONST., art. 1, § 1.

39.

CAL. CIV. CODE § 1798.82 (West 2010).

40.

As of August 5, 2014, seventeen states — Arkansas, California, Colorado, Illinois, Louisiana, Maryland, Michigan, New Jersey, New Mexico, Nevada, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Washington, and Wisconsin — have enacted some type of password protection law. See H.R. 1901, 89th Gen. Assemb., Reg. Sess. (Ark. 2013); Cal. Leg. 25, 2013-24 Leg., Reg. Sess. (Cal. 2012); H.R. 13-1046, 2013 Gen. Assemb., Reg. Sess. (Colo. 2013); H.R. 1047, 98th Gen. Assemb., Reg. Sess. (Ill. 2013); H.R. 314, 2014 Leg., Reg. Sess. (La. 2014); H.R. 1332, 2013 Gen. Assemb., Reg. Sess. (Md. 2013); H.R. 5523, 96th Leg., Reg. Sess. (Mich. 2012); H.R. 2878, 215th Leg., Reg. Sess. (N.J. 2013); N.M. Leg. 371, 51st Leg., 1st Sess. (N.M. 2013); Nev. Leg. 181, 2013 Leg., Reg. Sess. (Nev. 2013); H.R. 2372, 2014 Leg., Reg. Sess. (Okla. 2014); H.R. 2654, 77th Legis. Assemb., Reg. Sess. (Or. 2013); H.R. 5255, 2013 Gen. Assemb., Jan. Sess. (R.I. 2013); H.R. 1852, 2014 Gen. Assemb., Reg. Sess. (Tenn. 2014); H.R. 100, 2013 Leg., 2013 Gen. Sess. (Utah 2013); Wash. Leg. 5211, 63d Leg., Reg. Sess. (Wash. 2013); H.R. 218, 2013 Gen. Assemb., Reg. Sess. (Wis. 2013).

41.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31.

42.

See generally U.S. CUSTOMS & BORDER PROT., DIRECTIVE NO. 3340-049 (2009) BORDER SEARCH OF ELECTRONIC DEVICES CONTAINING INFORMATION, available at

http://www.dhs.gov/xlibrary/assets/cbp%5Fdirective%5F3340-0

49.

pdf

.

43. What’s Yours Is Mine: How Employees Are Putting Your Intellectual Property at Risk, SYMANTEC CORP. & PONEMON INST. 1, 1 (2013), available at https://www4.symantec.com/mktginfo/whitepaper/WP%5FWhatsYoursisMine-HowEmployeesarePuttingYourintellectualPropertyatRisk%5Fdai211501%5Fcta691

67.

pdf.

44.

Id.

45.

Id. at 2.

46.

Id.

47.

UNIF. TRADE SECRETS ACT, 14 U.L.A. 539-40 (1985). Forty-eight states, the District of Columbia, and Puerto Rico have adopted a version of the Uniform Trade Secrets Act. See Legislative Fact Sheet — Trade Secrets Act, UNIFORM LAW COMM’N,

http://www.uniformlaws.org/LegislativeFactSheet.aspx?title=Trade%20Secrets%20Act

(last visited Oct. 3, 2014).

48.

See UNIF. TRADE SECRETS ACT §§ 1-2.

49. Id. § 1(4).

50.

Id. § 1(2). “Improper means” includes “theft, bribery, misrepresentation, breach or inducement of a breach of duty to maintain secrecy, or espionage through electronic or other means.” Id. § 1(1).

51.

Pub. L. No. 75-718, 52 Stat. 1060 (1938) (codified at 29 U.S.C. §§ 201-219 (2012)).

52.

Fair Labor Standards Act §§ 6 & 7, respectively (8 U.S.C. §§ 206 & 207); see also Compliance Assistance: Wage and Hour Division, U.S. DEP’T OF LABOR (Sept. 28, 2014, 10:01 PM),

http://www.dol.gov/whd/flsa/

.

53.

See 29 U.S.C. § 256 (2012) (FLSA collective actions).

54.

Press Release, U.S. Dep’t of Lab., Keeping Track of Wages: The US Labor Department Has an App for That! (May 9, 2011),

http://www.dol.gov/opa/media/press/whd/WHD20110686.htm

.

55.

See, e.g., CAL. LAB. CODE §§ 500-558 (West 2014) (mandating meal and rest breaks); Illinois One Day Rest in Seven Act, 820 ILL. COMP. STAT. 140/1 (2014); New York One Day Rest in Seven Act, N.Y. LAB. LAW § 161 (2007).

56.

CAL. LAB. CODE § 2802 (West 2014).

57.

IRS Issues Guidance on Tax Treatment of Cell Phones; Provides Small Business Recordkeeping Relief, INTERNAL REVENUE SERV. (Sept. 14, 2011),

http://www.irs.gov/uac/IRS-Issues-Guidance-on-Tax-Treatment-of-Cell-Phones;-Provides-Small-Business-Recordkeeping-Relief

.

58.

See, e.g., FED. R. CIV. P. 26(b); Exco Operating Co., LP v. Arnold, No. 10-1838, 2011 U.S. Dist. LEXIS 138974, at *9 (W.D. La. Dec. 2, 2011) (discussing Rule 26(b)).

59.

See Kiser v. Pride Commc’ns, Inc., No. 2:11-cv-00165-JCM-VCF, 2011 U.S. Dist. LEXIS 124124, at *10 (D. Nev. Oct. 26, 2011) (“a party may be ordered to produce a document in the possession of a non-party entity if that party has the legal right to obtain the document or has control over the entity who is in possession”); Flagg v. City of Detroit, 252 F.R.D. 346, 353 (E.D. Mich. 2008) (“a corporate party may be deemed to have control over documents in the possession of one of its officers or employees”).

60.

FED. R. CIV. P. 34(a)(1) (Rule 34 only requires production of documents and information in the possession, custody, or control of the responding party).

61.

The First, Third, Sixth, Seventh, Eighth, Ninth, Tenth, and D.C. Circuits have all ruled that a party must produce information that it has the legal right to obtain on demand. See Mercy Catholic Med. Ctr. v. Thompson, 380 F.3d 142, 160 (3d Cir. 2004); In re Citric Acid Litig., 191 F.3d 1090, 1107 (9th Cir. 1999); In re Bankers Trust Co., 61 F.3d 465, 469 (6th Cir. 1995); Chaveriat v. Williams Pipe Line Co., 11 F.3d 1420, 1426 (7th Cir. 1993); Washam v. Evans, 2011 U.S. Dist. LEXIS 70704, at *2 (E.D. Ark. 2011); D.L. v. Dist. of Columbia, 251 F.R.D. 38, 46 (D.D.C. 2008); Ice Corp. v. Hamilton Sunstrand Corp., 245 F.R.D. 513, 521 (D. Kan. 2007); Haseotes v. Abacab Int’l Computers, Inc., 120 F.R.D. 12, 15 (D. Mass. 1988).

62.

The Second, Fourth, Fifth, and Eleventh Circuits have ruled on the opposite side of the circuit split. See Shcherbakovskiy v. Da Capo Al Fine, Ltd., 490 F.3d 130, 138 (2d Cir. 2007); Wiwa v. Royal Dutch Petroleum Co., 392 F.3d 812, 821 (5th Cir. 2004); Morris v. Lowe’s Home Ctrs., Inc., No. 1:10CV388, 2012 U.S. Dist. LEXIS 44422, at *20 (M.D.N.C. Mar. 29, 2012); Exco Operating Co., 2011 U.S. Dist. LEXIS 138974, at *10 (“Rule 34’s definition of ‘possession, custody, or control,’ includes more than actual possession or control of the materials; it also contemplates a party’s ‘legal right or practical ability to obtain the materials from a nonparty to the action.'”).

63.

See Kiser, 2011 U.S. Dist. LEXIS 124124, at *11 (an employer’s business with a third party payroll processor obligated it to obtain records from that processor); Flagg, 252 F.R.D. at 354 (the employer had sufficient control over employee text messages, given the direct contractual relationship between the employer and service provider).

64. Compare Folding Carton Antitrust Litig., 75 F.R.D. 420, 423 (N.D. Ill. 1977) (employer had sufficient control over documents in possession of a former employee), with Miniace v. Pac. Mar. Ass’n, 2006 WL 335389, at *2 (N.D. Cal. Feb. 13, 2006) (denying motion to compel that sought production of documents in possession of a former company director). See generally 8B CHARLES ALLEN WRIGHT & ARTHUR R. MILLER ET AL., FEDERAL PRACTICE AND PROCEDURE § 2210 (3d ed. 1998) (“the application of [the control] concept is often highly fact-specific.”).

65.

Folding Carton, 75 F.R.D. at 423 (an employer may have sufficient control of a former employee if the individual is still receiving economic benefits from the employer).

66.

Export-Import Bank of the U.S. v. Asia Pulp & Paper Co., Ltd., 233 F.R.D. 338, 341-42 (S.D.N.Y. 2005) (a corporation must exhaust the practice means at its disposal to obtain documents in the possession of former employees).

67. Pub. L. No. 91-596, 84 Stat. 1590 (codified at 29 U.S.C. §§ 651-678 (2012)).

68.

Rhett B. Franklin, Pouring New Wine into an Old Bottle: A Recommendation for Determining Liability of an Employer Under Respondeat Superior, 39 S.D. L. REV. 570, 571, 587 (1994).

69.

Id. at 571, 588.

70.

See, e.g., Seabright Ins. Co. v. Lopez, 427 S.W.3d 442, 448 (Ct. App. Tex. 2014) (“[T]here is no bright line rule for determining if employee travel originates in the employer’s business as each situation is dependent on the facts.”).

71.

See Occupational Safety and Health Act § 8 (codified at 29 U.S.C. § 657 (2012)).

72.

See OSHA’s Distracted Driving Initiative, OCC. SAFETY & HEALTH ADMIN., https://

www.osha.gov/distracted-driving/initiative.html

(last visited Sept. 4, 2014).

73.

Id.

74.

See, e.g., Title VII of the Civil Rights Act of 1964, 42 U.S.C. §§ 2000e-2000e-17 (2012).

75.

ETHICS RES. CTR., supra note 13, at 8.

76.

Id. at 27-28.

77.

29 U.S.C. §§ 151-169 (2012).

78.

See Raphael Rajendra, Employee-Owned Devices, Social Media, and the NLRA, 30 A.B.A. J. LAB. & EMP. L. 47 (2014) (a comprehensive discussion of the application of the NLRA to BYOD policies).

79.

The NLRB and Social Media, NAT’L LAB. REL. BD.,

http://www.nlrb.gov/news-outreach/fact-sheets/nlrb-and-social-media

(last visited Oct. 8, 2014).

80.

NLRA § 7 (codified at 29 U.S.C. § 157 (2012)).

81.

Id.

~~~~~~~~

By Julie A. Totten, Ms. Totten is a partner in the Northern California offices of Orrick, Herrington & Sutcliffe, LLP. She has a national practice with extensive experience defending and advising employers in complex discrimination, harassment, wrongful discharge, privacy, and wage and hour matters. Ms. Totten is an active member of the Labor and Employment Law Section of the American Bar Association, where she currently serves as a council member. and Melissa C. Hammock, Ms. Hammock is an employment law career associate in Orrick’s D.C. office. She is an experienced litigator who has defended management in a broad range ofclaims, including discrimination, harassment, wrongful discharge, wage and hour violations, and other employment-related matters both in court and before federal and state administrative agencies.

Copyright of ABA Journal of Labor & Employment Law is the property of American Bar Association and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder’s express written permission. However, users may print, download, or email articles for individual use.

Back