The familiar refrain is that smartphones and other devices that allow us to “stay connected” are both a blessing and curse.
Yes, the technology allows for flexibility, but it also has the effect of making us almost never completely separated from work. While many employers provide phones and tablets to employees and prohibit the personal use of those devices, it has become common for employees to use their personal devices for work purposes. This saves the employer the cost of providing the device (or at least some of the cost, if the employee is permitted to expense a portion of the bill), and many employees prefer it over needing to have two devices that perform essentially the same functions.
Eighty-one percent of Americans use their own personal devices for work, and the numbers are growing; companies are reporting that twice as many personal devices connect to their corporate networks as compared with two years ago. What is often overlooked, however, are the dangers these devices pose for employers.
An employee using his or her personal smart devices for work and having the ability to connect to the corporate network raises many issues, such as data and information security issues, employee privacy issues, wage and hour ramifications and litigation implications.
Despite all of these risks, many employers have not yet implemented policies and training to deal with the “Bring Your Own Device” (BYOD) world. Sixty-six percent of employees said their employer or organization does not have a BYOD policy in place. While many newer model phones come with the auto-lock feature required or at least the default setting, 37 percent of employees still do not have the auto-lock activated on their phones or tablets.
Some of the possible repercussions of a lack of a policy (including mandatory auto-lock) are obvious, some less so.
One obvious problem is a data breach. When someone is carrying around his or her own personal device, as opposed to an employer-owned device, the employee is naturally less inclined to be as careful. A recent story detailed a physician who lost a phone that was neither password protected nor encrypted.
Therefore, an untold number of patients’ names and medical records were at risk. This could result in liability for both identity theft as well as possible HIPAA violations. In that situation, the employer was able to “wipe” the data from the phone remotely, but that did not occur until five days after the incident.
A less obvious problem involves privacy rights of the employee. If the employee is using the device for work-related purposes, the employer may have legitimate reasons to access it.
The employer may need to ensure that proper virus protection exists, or it may need to save the contents due to a litigation hold, or the data may have to be wiped if a security breach occurs. The list goes on.
Yet if the employer is able to access the phone, it may become privy to private information, such as access to the employee’s medical information. If the employer later terminates that employee, the employee may contend that the termination was actually because of the employer’s knowledge of the medical issue rather than the employee’s performance. Other less serious issues could simply involve embarrassment on the part of the employee from pictures that may be stored on the device or frustration after having the data (music, pictures) deleted.
In order to protect against some of these issues, a solid BYOD policy is recommended. The policy should address the issues raised in this article, such as data security protection, privacy expectations, and procedures for lost and stolen devices. Employees that cannot conform to this type of policy should have limited or no access to the corporate network.
Aside from just the written policy, employers should ensure that employees are trained on data security and should consider apps that offer additional protections. Contact an attorney for more information concerning your specific situation and any legal questions you may have.
• Ryan Farrell is an attorney with Zukowski, Rogers, Flood & McArdle.