Article:  How to Draft BYOD Policies: A “Bring Your Own Device” Legal Primer

This is excerpted from a March 13, 2014 presentation made by nationally-ranked trial lawyer Scott L. Vernick at the Business Insurance Risk Summit in New York City.  The second in a two-part series, it was preceded by: How to Create Effective Social Media Policies: A Legal Primer.

Generally, what are the considerations to keep in mind when drafting a “bring your own device” (BYOD) policy for the work environment?

–      What is a BYOD?  BYOD programs allow employees to use personally owned devices to connect and interact with their employers’ business networks for work-related matters.

–      What are the benefits?  Increased workforce productivity and lower costs of administration.

–      Why does BYOD matter?  The BYOD movement is here to stay.  A recent survey revealed that 71 million BYOD devices are currently in use in the United States, and this number is expected to grow to 108 million by 2016.

Sources: CIO.com, Cisco Internet Business Solutions Group

BYOD programs create potential legal issues for employers:

–      Protecting Confidential Information:  BYOD programs may lead to misappropriation of proprietary company information, disclosure of trade secrets, and other security risks.

–      Employee Privacy Issues:  An employer may inadvertently access an employee’s private data in violation of federal and state laws.

–      e-Discovery and Litigation Issues:  An employer has an obligation to retain documents in the event of litigation – this includes documents that are stored in an employee’s personal device.

–      Off-The-Clock Work:  Because a BYOD program allows an employee to work after hours, it may trigger overtime and other wage and hour liability under the Fair Labor Standards Act and similar state laws.

Recommendations:  Have a BYOD strategy in place.

•      Some workplaces are more conducive to BYOD programs than others.

•      Assess the risks and determine whether a BYOD program is right for you.

•      For example, if preserving the security/confidentiality of internal communications is a material priority, then a BYOD program may not be appropriate.

–     Not having a BYOD strategy may prove costly.

•      In Brooks v. AM Resorts, LLC, 954 F. Supp.2d 331 (E.D. Pa. 2013), an employee allowed his employer to “remotely access and control” his personal computer through a computer program.

•      After the employee’s termination, the employee planned on suing the employer, and the employee accused the employer of using the remote access program to access his attorney-client privileged emails.

•      The Court denied the employer’s motion for summary judgment and held that there was a “genuine dispute of material fact” as to whether the employer improperly accessed the employee’s personal emails in violation of the Stored Communications Act.

•      Recommendations: Considerations in creating a BYOD policy.

–     Communicate expectations on how the device will be used/maintained (e.g., procedures on the use of passwords, encryption, and reporting lost/stolen devices).

–     Provide specific procedures on security, retention, and protection of company data.

–     The employer should have reasonable access to the device for legitimate business purposes whenever needed (e.g., to retrieve work-related emails or documents for e-discovery).

–     Include reasonable protections for employees’ private data (e.g., the employer will make reasonable efforts to protect personal information) but disclaim the risk of data loss in the event of a security issue.

–     Consider having “routine” security and maintenance inspections.

–     Have a “security or remote wipe” provision that allows the employer to delete company data from the employee’s device at any time (e.g., upon termination).

–     Secure the employee’s consent to the policy and maintain a record of this consent.

–     The policy should be clear, complete, and readily available to employees.

–     Apply and enforce the policy consistently.

–     Recommendations: Supplement the policy with BYOD training.

•      Promote cooperation between the employee and the employer regarding the use, maintenance, and security of the employee’s device.

•      Identify potential problems and educate employees on workable solutions to these problems during training (e.g., procedures for lost/stolen devices and document retention in the event of litigation).

•      Have a framework in place to monitor employees’ adherence to the BYOD policy, and respond to questions or concerns as they occur.

•        Recommendation: A well-crafted policy and training program can prevent BYOD issues.

•      See, e.g., Sitton v. Print Direction, Inc., 718 S.E.2d 532, (Ga. App. 2011), (holding that employer was not liable to discharged employee for viewing and printing employee’s personal emails from employee’s personally owned laptop computer where at the time of the access, the computer was linked to employer’s network and company had a published and well-crafted computer usage policy that authorized the employer’s access under the circumstances presented).

Scott L. Vernick is a partner at Fox Rothschild LLP and a nationally ranked trial lawyer. He represents Fortune 500 companies in commercial litigation matters that focus on technology, intellectual property, health care, privacy and data security.