The rise in popularity of smart phones, tablets and laptops has blurred the increasingly thin line between professional and personal life, between work time and personal time. But it’s also creating security concerns for business owners who let their employees use those tech toys for work.
“Employers need to address the question of how to react to the inevitable or current use of personal or shared devices by their employees,” said Cheri Vandergrift, a staff attorney for Mountain States Employers Council, a leader in human resource and employment law services for the business community. “From IT issues to privacy and litigation concerns, companies that ignore the rising ‘Bring Your Own Device’ tide may find that BYOD brought nothing but disaster.”
While an AccelOps Cloud Security Survey of IT security personnel ranked BYOD as the top source for fear of incurring data loss, there are also concerns regarding employee privacy should litigation ensue and the question of using personal devices goes into the courtroom. The use of personal devices in the workplace stirs questions within the IT, legal and human resources departments of companies.
“Data access and ownership are significant legal issues that surround the BYOD trend,” said John Balitis, director at Fennemore Craig. “Employees accessing employer systems with personal devices can create major network security risks and employer IT staff accessing the devices to support them can infringe on employee privacy. Further, how to define who owns what information on the devices is challenging.”
Laurent Badoux, a shareholder in Greenberg Traurig’s Phoenix office, said there are a number of legal issues that could arise from the BYOD trend. Among them:
* Breach of confidentiality — especially with medical or financial data.
* Commercial espionage or unfair competition.
* Fair Labor Standards Act (FLSA) claims of unreported or unpaid time.
* Dispute as to ownership of data stored on personal devices.
* Claims of harassment, defamation, invasion of privacy, etc. from improper social media posting of workplace conduct.
* Negligence torts if an employee tries to answer a work text or email while driving and causes an accident.
“The most glaring risk (an employer takes) is that sensitive confidential corporate data becomes compromised, either because an outsider is able to access that data through an employee’s device or to copy data stored on that device,” Badoux said. “When their sensitive data becomes compromised, companies face damage to the bottom lines and public image.”
According to Travis Williams, senior counsel at the Frutkin Law Firm, if a company believes information is jeopardized, or upon termination of an employee’s employment, the employer may have the right to seize the device for a short time to ensure proper protection or removal of the company’s sensitive information.
“Employees need to understand that business information on their device is the property of the employer,” Williams said. “The employer has the right to protect the information. The protection may allow the employer to seize or force ‘wipe’ the device to ensure proper removal of the information.”
While there is no doubt that the BYOD trend has given tech-savvy employees the opportunity to create a more flexible schedule and therefore increase their productivity, experts said it’s imperative that companies find a balance between protecting sensitive work data and still providing employees flexibility and independence.
“Have a policy that specifically addresses what employees can and cannot do with PEDs (personal electronic devices) used for work-related purposes and enforce that policy,” said Tibor Nagy, Jr., a shareholder at the Tucson office of Ogletree, Deakins, Nash, Smoak & Stewart. “Be sure the policy addresses what happens to employer data when the employee leaves employment.”
Experts said companies that worry about issues related to the BYOD trend should look to impose tighter security constraints, develop technology guidelines and policies or employ mobile-device management tools, services and systems.
“An employer absolutely should implement a BYOD policy if the employer allows or encourages employees to use personal devices for work,” Balitis said.
Badoux said an effective BYOD program should include:
1. Mandatory Mobile Device Management software.
2. Clarification of expectations on ownership of data, privacy and access to dual-use devices.
3. “Acceptable Use” procedures (harmonized with the employee handbook or agreement).
4. A well-crafted social media policy.
“Do not allow highly sensitive employer, personnel, health information, or customer data to be stored on an employee’s PED, unless you are certain that device will be used and protected to the same degree as an employer-owned device,” Nagy said. “Only allow PEDs that are ‘enterprise’ enabled. Enterprise requirements include encryption of storage media; the ability to remotely wipe or clean a device; the ability to enforce password changes and password complexity; the ability to apply upgrades and patches; and the ability to revoke rights to data or corporate network access.”