Bring your own device to work: Defining the line between protecting employer information and managing employee privacy expectations

May 1, 2014 | Notables & Events

By Steven Schwarzberg and Lisa Kohring
Special to the News

May 1, 2014

Reports show that 50 percent of employees access work-related information on personal devices — a number that researchers say will continue to grow at a rapid pace over at least the next five years.

Who owns the substance of what is created on the technology used by employees? Does it matter if they use a company-owned device or their own personal device?

Whether your company expressly encourages employees to integrate personal devices into the workplace or not, employees are doing it. Everyone is doing it. Why? Because it’s just plain easier; no need to carry multiple phones, juggle multiple tablets, or lug the company-owned laptop from the office to home. Employees often work more efficiently with a device they’re comfortable with, which means increased productivity for the employer. But providing employees with unfettered control to commingle firm and client information with personal information, and vice versa, can be costly for employers, making it all the more necessary to implement a “bring your own device” (BYOD) policy in the workplace.

First, it’s imperative to understand the importance of striking the proper balance between protecting law firm and client information and preventing the rise of employee privacy predicaments; make sure firm management understands the laws related to privacy, electronic information, and liability. Second, decide whether you want to allow employees to opt in to and opt out of the BYOD program. Third, educate employees and staff about the BYOD policy, including reasonable expectations of privacy in the devices and procedures upon separation. Make sure your BYOD policy appropriately addresses the following questions: What procedures are in place when an employee separates, loses their phone, or is suspected of misappropriating confidential information? What policies are in place to ensure nonexempt employees are not working overtime when using the device after hours? What training and education have been provided to employees handling recycled devices that contain personal information?

At a minimum, your BYOD policy should:

* Clarify who owns business communications, regardless of what device is used;

* Define the employees’ limited “zone of privacy” in the devices they use;

* Comply with the laws related to privacy and electronic information, including the Stored Communications Act (SCA);

* Have employees acknowledge that they must turn over the company’s business information and give their employer the right to access it;

* Outline the procedures to be followed to program the device to keep personal and work information separate;

* Inform employees about the company’s ability to access information on the device, track the device, and/or wipe the device clean if it is lost or stolen;

* Disclaim liability associated with the potential loss of personal information;

* Require that employees follow regularly scheduled back-up procedures;

* Explain that it may be necessary for the law firm to access employees’ devices in response to litigation e-discovery in which the firm is a party, or to forensic investigations;

* Implement security measures such as passwords, data encryption, a prohibition against using unknown Wi-Fi, locking the device after a period of inactivity, etc.;

* Instruct nonexempt employees not to use firm technology and to refrain from accessing work apps and software after hours, absent prior written approval, and to record all time spent doing so;

* Protect proprietary and/or trade secret information both during and after employment ends and follow methods to prevent data theft and to prove that safeguards were implemented so that the law firm can prosecute instances of misappropriation;

* Prohibit employees from texting and driving (or engaging in any other dangerous activity);

* Obtain written acknowledgement of your BYOD policy; and

* Outline procedures to clean a device properly when an employee separation occurs.

For more information: The Florida Bar News
