Increasingly, employees are using personal cellphones, tablets, laptop computers and other electronic devices for work, including remote access to employer networks and databases. In the not-too-distant past, employers’ electronic communication policies focused primarily on regulating employee use of electronic equipment owned by the employer and dispelling employee expectations of privacy in communications exchanged and stored on employer-owned devices.
Now, with employees’ increased use of personal electronic devices for work, employers should consider introducing policies on such use. In connection with such policies, there are a number of issues to consider:
- Should only certain categories of employees be permitted to use personal devices for work and to access networks and databases?
- What kind of anti-virus software should employees be required to use (or not use), and what kind of procedures should be followed to ensure employees install the required software and update their devices?
- What kind of data storage should be used, and how should work data and personal data be segregated?
- What kinds of security measures are appropriate (for example, requiring password protection, restricting use solely to the employee)?
- Does the industry require heightened security for any categories of data?
- Is any existing electronic communications policy sufficient to cover employee expectations of privacy for employer and work-related data stored or exchanged on personal devices?
Employers that permit nonexempt employees to use personal electronics for work also need to determine how to avoid unexpected claims for overtime based on employee use of devices for work after hours. Also, for employees who drive as part of their job responsibilities, employers should adopt a policy that prohibits the use of electronic devices while driving, except as permitted by law (for example, with a hands-free device).
From a financial standpoint, employers need to decide whether they will pay for employees’ personal devices and/or cellphone/data plans (and in what amount), and if so then also the procedure for payment/reimbursement. In this context, the employer also has to consider if it will limit the brand or operating system of devices that employees may be permitted to use (which is sometimes dictated by the employer’s software and hardware).
Employers also need to address what employees should do in the case of loss or theft of a personal electronic device that is used for work. Employers may require employees to report such losses to their supervisors and install mobile kill-switch or remote-wipe software that allows stored data to be erased.
Further, in the same way that employers require employees to return employer property upon termination of employment, employers need to put procedures in place to block employee access via personal devices to employer networks and databases post-termination, and remove and/or obtain any work-related communications and/or data stored on an employee’s personal devices.
Finally, from a practical standpoint, employers need to consider whether they have sufficient information technology resources to implement and manage a bring-your-own-device policy, especially since IT will have to provide technical support and oversight to multiple employee devices.
Elizabeth Semler is chairwoman of Sussman Shank’s employment law group and a member of its business litigation group. Contact her at 503-243-1661 (extension 264) or at firstname.lastname@example.org.