Cell phones are a quintessential tool in modern society, including within the realm of employment. Many employers use various data networks that allow employees to access and store the employer’s data on their own personal cell phones or other personal devices under “bring your own device” (BYOD) practices. Allowing employees access to employer data from their personal devices can help businesses achieve objectives of increasing employees’ productivity and retaining employees who value remote-work options. But beware: BYOD practices can subject employers to compliance issues and litigation—and land them in court. What types of compliance issues can BYOD practices create, and how can employers mitigate these risks?
Wage and Hour Issues
BYOD practices can raise wage and hour issues where nonexempt, hourly employees access work data from their personal devices while off the clock. For example, a nonexempt, hourly employee may receive an email notification associated with a work email account while taking an unpaid lunch break. The employee checks the email, realizes it’s an urgent communication, and proceeds to respond from their personal device.
To respond to the urgent email, the employee seeks out a coworker to have a discussion and obtain necessary information. In total, the employee spends 10 minutes of a 30-minute lunch break reading and responding to the email. Under Wisconsin law, if an employee’s meal break is less than 30 minutes, it is considered an on-duty meal, and they must be paid for the entire break. Consider the ramifications if this practice becomes common for nonexempt, hourly employees, who could later seek to file a class action against the employer for these uncompensated meal breaks.
You can mitigate this risk by instituting written policies that prohibit off-the-clock work.
Electronic Discovery Issues
In litigation, discovery is the pretrial exchange of evidence. Electronic discovery is nearly ubiquitous in most types of modern-day litigation, including employment discrimination litigation and commercial litigation. If a business is a party to a lawsuit, it will likely be served with discovery requests that require it to perform searches for certain terms within its electronic data systems. The scope of discovery is generally broad and requires a party to review all data in its possession, custody, and control, which can include its data stored on employees’ personal devices in certain circumstances.
Failing to preserve relevant data stored on employees’ personal devices can lead to costly discovery and spoliation sanctions. For example, in a 2018 decision, the U.S. 2nd Circuit Court of Appeals (which hears appeals from New York, Vermont, and Connecticut) affirmed a lower court’s decision imposing a $2.7 million monetary sanction against a company that failed to preserve emails and faxes that were in the custody of its employees.
You can mitigate this risk by instituting policies stating that the company has a right to place a cell phone under a document preservation order and collect and produce data relevant to a legal proceeding.
Trade Secret Protection Issues
One of the most significant employer concerns related to employees’ access to company data on their personal devices is the protection of the employer’s trade secrets. Under the Wisconsin Uniform Trade Secrets Act (WUTSA), an employer must demonstrate reasonable efforts to maintain the secrecy of its trade secrets to support a claim for disclosure of its trade secrets. If employees are able to access and download company data on their own personal devices, this could call into question whether the employer is undertaking such reasonable efforts and can lead to disclosure of trade secrets. Recent instances of Customs and Border Protection searches of digital data at ports of entry underscore that employer’s data can be subject to disclosure when the data is stored within employee devices.
You can mitigate this risk by using confidentiality agreements and installing mobile device management technology (MDM) onto the employee’s personal device that allows you to remotely stop an employee’s access to company data on their personal device.
Employee Claims for Destruction of Personal Data or Access of Personal Data
Unfortunately, use of MDMs can sometimes lead to destruction of personal data stored on the employee’s device. In Wisconsin, an employee could also file common law claims against their employer for destruction of personal data on their personal cell phone, including theft, conversion, destruction of personal property, and negligence. You can mitigate this risk by instituting written policies that provide reasonable notice to employees that employer data can be wiped from personal devices through use of MDM technology.
Employees can also pursue claims based on employer’s accessing personal data stored on their personal devices. For example, the 5th Circuit (which hears appeals from Louisiana, Mississippi, and Texas) held in a 2012 decision that an employee’s text messages were not protected by the Stored Communications Act.
You can mitigate these risks by instituting policies that delineate personal data from company data.
Bottom Line
Keeping up with technological advances to improve efficiency and retain top talent will continue to be at the forefront of many employers’ strategic plans. If your business already uses a BYOD practice or is planning to institute a BYOD practice, be mindful that this convenient practice can come with liability exposure. Carefully drafting a written BYOD policy and ensuring that it is followed in practice can minimize exposure to costly lawsuits.
Cecilia Heberling is an attorney with Axley LLP in Madison, Wisconsin. She can be reached at 608-283-6743 or cheberling@axley.com.