Employees Who “Bring Their Own Device” to Work (BYOD)

By Brian L. Champion.

Long gone are the days when the only technology concerns with employees involved flip phones and handheld dictation tape recorders. Today, not only are employees more mobile by using their own personal computers, but smart phone sales exceed 500 million per year and tablet sales exceed 70 million per year. More and more, employees are using their own iPhone and iPad / Android-type devices for work. In fact, Apple has created a feature on its website: “iPhone at Work.” This application helps individuals organize their day, view business appointments, manage projects, and structure work calendars.

As such, employers are finding that employees are now using their own personal mobile devices for work. Some companies still provide company cell phones and laptop computers to their employees; however, those ranks are shrinking on a daily basis. Given the ease with which the public may now purchase easy-to-use smart phones and mobile tablets, it is little wonder that the lines between personal use and work use of these personal devices by employees are blurring. Likewise, employers are enjoying the responsiveness and efficiencies of the employees who use these mobile devices.

As with any new technology, the challenges facing employers with regard to the use of employees’ BYOD are growing faster than employers are able to keep up with them. Some of the more obvious challenges are: developing written policies regarding the use of personal mobile devices and the training and limitation of these policies; dealing with wage and hour work issues “off the clock” when employees are using their mobile devices outside of the workplace; employers being able to access information of the company that is located on an employee’s personal mobile device; and an employer’s concerns regarding privacy and data security of company information that is contained within and/or transmitted through an employee’s personal mobile device. The Ponemon Institute, a leading security company, estimated that the number one cause of security breaches that occurred in 2011-2012 was lost and stolen mobile devices. [1] Furthermore, the targeting of mobile devices and mobile applications (“apps”) with malicious software hacking has nearly tripled in the past three (3) years.

With regard to an employee’s right of privacy and the rights of an employer to control and protect its proprietary information, there exists an inherent conflict between those two concepts. For example, there are statutory requirements regarding the information security regulations relating to protected health information (PHI) contained in the Health Insurance Portability and Accountability Act of 1966 (HIPAA) that are contained within the “Security Rule.” [2]

Similarly, the Gramm-Leach-Bliley Act (GLBA) creates similar security protections for information regarding “financial information,” which broadly includes all financial institutions such as banks, credit unions, and any other business that extends credit to its customers. [3]

Moreover, certain states, with Massachusetts at the forefront, have very specific statutory information security regulations that specifically address portable devices and require encryption of personal information stored on them. [4] While many of these statutory requirements address specific industry sectors or states, their impact resonates far beyond the boundaries of the company’s parking lot, in that the company is equally responsible for compliance with these laws as to any third party administrators, billing services, IT consultants, auditors, attorneys and accountants, and any other vendor that may handle a company’s protected personal information. In fact, it has recently been reported that the massive Target retail store breach, where hackers lifted some 70 million debit and credit card numbers from Target’s data during the holiday season, may have been the result of an initial compromise of Target’s computer system through an outside vendor. [5]

With regard to maintaining the privacy of an employee’s own personal information on their mobile device, employers must be aware that employees do have a reasonable expectation of privacy regarding their own personal information stored on a portable device that the employee owns. In fact, that expectation of privacy is protected by federal law, under the Computer Fraud and Abuse Act (CFAA), which makes it a criminal offense to gain unauthorized access to any computer data and allows for recovery of both criminal and civil damages. [6] Another federal law that protects certain stored personal information is the Stored Communications Act (SCA), which prohibits unauthorized access to e-mails stored by an e-mail service provider. [7] Like the CFAA, the federal law provides for remedies that are criminal in nature, and it also provides civil remedies. Lastly, employees are also protected with regard to their “genetic information” under the Genetic Information Non-Discrimination Act of 2008 (GINA), which includes test results of not only the employee, but also an employee’s family members. This information can reach as far as testing done to determine a family history of a disease or disorder, whether it is hereditary or not. [8] Therefore, any employer’s policies that address an employee’s use of their private mobile devices must address these protected areas as well.

When litigation ensues, oftentimes there is a request for electronically stored information in the form of e-Discovery. Most often found under the Federal Rules of Civil Procedure Rule 34, once served with a request for e-Discovery, an employer must canvass its own system, as well as the mobile devices of its employees, to preserve relevant sources of data set forth in the request. Under the Federal Civil Rules, an employer must produce all responsive documents and electronically stored information (ESI) in its “possession, custody, or control.” There is also a duty for the employer to “preserve” all such information. While the Rules themselves do not specifically define “control,” one must look to various federal court decisions that have determined who has “legal ownership or actual physical possession of the ESI.” For example, some Circuits require “a party served with a Rule 34 e-Discovery request must produce information that it has the legal right to obtain on demand.” (See District of Columbia, 1st, 3rd, 6th, 7th, 8th, 9th, and 10th Circuit Courts of Appeals); whereas a party must produce information “that it has the legal right to demand as well as the right, authority or practical ability to obtain from a non-party” (in the 2nd, 4th, 5th, and 11th Circuit Courts of Appeal). Notwithstanding the above, other Circuits also “require a party to notify its adversary about evidence in the hands of third parties.” (See 1st, 2nd, 6th, and 10th Circuit Courts of Appeals).

Similar concerns for employers regard the protection of proprietary and trade secret information. Nearly all of the states in the U.S. have adopted some form of the Uniform Trade Secrets Act (UTSA). Some states that have not adopted the UTSA, such as Massachusetts, have their own civil statute that imposes tort liability for the misappropriation of trade secrets. [9] Massachusetts also has a criminal statute that defines the term “trade secret” and imposes criminal sanctions for the misappropriation or theft of trade secrets. [10] In order to provide a layer of protection under the statutes, it is advisable for employers to enter into confidentiality agreements with their employees, which has been commonplace even before the advent of mobile devices.

With regard to specific employment concerns, employers must be mindful that non-exempt hourly workers must be cautioned against working “off the clock” under the Fair Labor Standards Act (FLSA), which requires that all non-exempt employees be paid for all time worked, including overtime. [11] In short, if an employee performs work that benefits the employer, whether requested or not, the employee must be paid for the work that has been “suffered or permitted” by the employer. Therefore, an employer may have a policy that is a blanket prohibition against working “off the clock” without preapproval by a supervisor; however, that policy may be difficult to enforce in the mobile device environment. In addition to the blanket policy, an employer may consider a requirement that non-exempt employees keep track of all of their work “off the clock” that may involve the use of the Smart Phone, tablet, or laptop computer. This is another layer of protection for the employer who is required to keep accurate records of all time worked by non-exempt employees. [12]

Because of the liability issues that may be associated with using mobile devices, employers should have specific policies prohibiting the use of any personal mobile device for work-related purposes while engaged in dangerous activities, including driving.  Most states now have prohibitions against texting and driving and most states now have “distracted driving” statutes which may impose liability on an employer who has knowledge of or is permitting the use of mobile devices by employees while driving their own personal vehicle.

So, what is an employer to do in this new environment of BYOD?  Contained within this article are some brief suggestions that are not intended to be exhaustive on this issue; however, employers would be wise to seek advice and direction on how to address these issues from employment counsel. Nonetheless, here are some general ideas employers may consider with regard to BYOD issues.

First, there must be implementation, training, and enforcement of BYOD policies.  These policies must incorporate concepts such as anti-harassment discrimination, equal employment opportunities, workplace safety, time record keeping, data privacy and security, records management, and litigation holds.  There should be written employee consents with regard to the use, monitoring, and the ability to remotely wipe personal devices in the event a personal device is lost or stolen that may contain either company information or the ability to access company information through the mobile device.  In that regard there must be stated in the policies that employees must immediately report all lost or stolen devices and that they are responsible for providing complete device safety, including the use of locking techniques and passwords for their Smart phones, tablets, and personal computers. Of course, there have to be consequences for failing to comply with these policies imposed upon the employee that must be equally enforced in a non-discriminatory manner for all employees.

Lastly, employers are strongly recommended to contact their insurance carrier to include “cyber risk” policies and verify that there is coverage for mobile devices, even those that are owned and controlled by individual employees. One single security breach event or one hacker incident can cause millions of dollars of damages to an employer, which could simply be the result of an employee losing their Smart Phone or iPad that has access to company information.

As one can see, along with the ease, convenience, and efficiency of a company’s advances in technology, such as mobile digital devices, there are also growing and accompanying risks for employers.  With more and more employees becoming data consumers who use their personal devices for work-related issues, employers must be cognizant that such use of personal devices for work-related matters inextricably tethers the employee’s device to an employer’s liability.

The labor and employment attorneys at Libby O’Brien Kingsley & Champion, LLC work with employers to help identify and prioritize business objectives regarding the use of technology and to identify the digital threats that are associated with these objectives. Our attorneys will assist employers in performing a risk assessment and developing an action plan specifically tailored to the employer’s business and its use of digital information.

The old but pertinent cliché that “an ounce of protection is worth a pound of cure” can be modified to our technology era to be, “an ounce of prevention may prevent millions of dollars of losses.”

Brian L. Champion is a partner at Libby O’Brien Kingsley & Champion, LLC, with offices in Kennebunk, Maine; Portsmouth, NH; and Burlington, Mass. He has practiced as a civil litigator, business and employment attorney for more than 25 years and is admitted to practice in Maine, New Hampshire, Massachusetts, the District of Columbia, the US First Circuit Court of Appeals, and the U.S. Supreme Court.


[1]      Ponemon Institute, Understanding Security Complexity in 21st Century IT Environments (February 2011).

[2]      45 C.F.R. pts. 160, 162, and 164.

[3]      15 U.S.C. §§ 6801-6809.

[4]      Mass. Regs. Code Title 201, §§ 17.03-17.04.

[5]      See KrebsOnSecurity.com.

[6]      18 U.S.C. § 1030.

[7]      18 U.S.C. § 2701.

[8]      42 U.S.C. § 2000ff(3), (4).

[9]      Mass. Gen. Laws ch. 93 § 42.

[10]     Mass. Gen. Laws ch. 266 § 30.

[11]     29 U.S.C. §§ 203(g), 207(a); 29 C.F.R. § 785.11 (“Work not requested but suffered or permitted is work time.”).

[12]     29 C.F.R. § 516.2 (See Department of Labor in New Hampshire which has taken a position that an employer need not reimburse an employee for personal mobile device use so long as there is a written agreement stating the employee will not be reimbursed for such expenses.  N.H. Rev. Stat. § 275:57.)
