Thursday, August 7, 2014

BYOD: Thoughts from a General Counsel

By KT Lindberger-Schmidt, General Counsel, International Decision Systems*
For today’s tech-savvy workforce, one of the most popular and demanded policies is BYOD (a/k/a “bring your own device”).  Employees want to work when they need to, on their preferred device. Employers want their employees to work on projects and respond to emails without regard to time of day, location, or the equipment they have with them.  But like every business decision, the decision to allow employees access to company data on personally owned devices is one that involves a risk-benefit analysis.
Flexibility, reduced cost, and employee satisfaction are some of the major benefits of BYOD policies.  The single biggest risk of embracing a BYOD policy is to a company’s data security – a complicated subject for another day.  There are other important risks to consider, however, including those relating to employee privacy.  When company data and personal data live side-by-side on a single device owned by an employee, privacy issues are hard to avoid.
Does employer access to corporate data on an employee’s device create access to personal data? Could it? Should an employer ever make access to personal data a condition of allowing employees to use personal devices for work? And if an employer has or gains access to personal data because of a BYOD policy, should that access ever be used? All questions to consider carefully before your BYOD policy is put in place.
As you consider what you can and should do with BYOD, remember that the fact that something is technologically possible does not necessarily make it a good idea.  However tempting it might be to access and use an employee’s personal data for business purposes, it strikes me as a legally risky idea.  If access to personal data can or will happen in your organization, it’s critical that your BYOD policy says so explicitly. Even more critical is that you can demonstrate that your employees understand and acknowledge, in writing, that they are giving up the privacy of the personal data on their device in exchange for the flexibility that BYOD offers them. 
Employees, especially younger workers, may be willing to forego some privacy in exchange for the flexibility of using their own device for work.  Given that, and all the sharing of social media, some employers may wonder if they still need to be concerned about employee privacy. In fact, the courts are currently giving increasing scrutiny to privacy issues. There have been recent U.S. Supreme Court decisions protecting cellular phones from warrantless searches and cars from GPS tracking, and increasing protections afforded employees and applicants on their private use of social media. In addition, companies doing business in other countries are realizing that privacy laws, including laws protecting employees, differ significantly from those in th U.S. and may in fact be far stronger in other jurisdictions.
Navigating the privacy concerns, among others, associated with BYOD is a balancing act.  What an employer needs to recruit, retain, and engage employees may include the flexibility and ability of employees to work when and where they want to, on the device they prefer supported by BYOD. On the other hand, security of corporate data and intrusion on employee privacy should be serious considerations when implementing a BYOD policy.  If employers wanted to avoid all risk, they would never hire a soul.  Instead, we take risks every day, doing our best to be thoughtful and balanced in our approach.  Developing and implementing a BYOD policy that incorporates the concerns laid out here is no different.
*The Employment Law Navigator welcomes its first guest blogger, KT Lindberger-Schmidt, and thanks him for his contribution.  KT can be contacted at klindberger-schmidt@idsgrp.com.