More and more business owners are creating Bring Your Own Device (BYOD) policies for their employees as more people use their own devices for work-related purposes. In fact, Gartner predicts that by 2017, half of all companies will actually require employees to provide their own device for work. But as the trend continues, business owners need to be aware of their legal obligations when writing a BYOD policy. And while state and federal laws vary depending on your jurisdiction and industry, there are five legal obligations that you are likely to face.
1. Breach Notification Rules
If you collect personal information from clients and store it electronically, you can face stiff fines and penalties — and in some cases, civil actions — if the data is breached. For example, if you run a local medical office, you are regulated under the HIPAA Breach Notification Rule, which requires you to notify affected parties if their protected health records are compromised. But a relatively new addition to that law, the HIPAA Omnibus Rule, creates additional requirements for any business associates of the medical office who come into contact with patients' health records. In addition, all but three states have data security breach notification laws for businesses that collect personal information. For instance, if you own a business that requires your employees to visit customers in their homes while carrying unencrypted customer information on their personal device, a breach would occur if they lose that device.
2. Wage and Hour Issues
When creating your BYOD policy, you may want to exclude employees who are not exempt from the Fair Labor Standards Act (FLSA), or at a minimum, create an overtime policy that ensures all employee hours are documented and paid, even those they spend on their own devices performing work duties after hours. In one case, an employer was found liable for not compensating an employee for overtime hours, including those worked on a personal phone.
3. Liability Issues
If your company has a BYOD policy and your employees use their personal devices in a neglectful or inappropriate way, you could be held liable. For instance, a Texas jury awarded a woman $21 million after a driver, employed by Coca-Cola, struck her car while talking on a hands-free device. In addition, if your employees post illegal or slanderous material on social media using their personal devices while covered by your BYOD policy, you can be held responsible. As long as a jury or prosecutor can prove the device is used some of the time for your business purposes, you can be held liable for those employee actions.
4. Contractual Obligations
If you engage in confidential negotiations with clients or business partners, you will need to address this area in your BYOD policy in order to manage your employees' access to their data. To do so, your policy should state that you have the right to access employees' personal devices in order to retrieve that data. In addition, employees should sign a consent form that allows you to wipe clean all sensitive work data from their phone should they leave your employment.
5. Americans with Disabilities Act Issues
If you have employees who fall under the Americans with Disabilities Act, you will need to ensure that your BYOD policies are in compliance. For example, you can't expect an employee with disabilities to use a device that isn't equipped with accessibility technology, no matter how much it slows down their progress. And not all disabled employees will be able to use mobile devices, as some assistive technologies will only work on desktop computers.
It looks like the BYOD trend is here to stay, but in order to protect your company, you will need to construct your policy keeping your legal liabilities in mind.