BYOD Privacy: Do Employees Have Rights?

Using personal devices to conduct business has become commonplace, whether employers require it or employees voluntarily do so. The use of personal devices creates a privacy challenge. Employers want access to the devices, and employees want to protect the personal data contained on them.

The term “devices” itself is deceiving. Many consider employee-owned devices to be smartphones and tablets, as the term “BYOD” (Bring Your Own Device) implies. However, BYOD also includes laptops and desktop computers at home.

Research companies in the BYOD space have proposed a solution to these privacy issues. Also, a California court recently addressed the issue of whether employers should reimburse employees who use their own devices for business.

BYOD Bill of Rights

Webroot in July issued its BYOD security report, “Fixing the Disconnect Between Employer and Employee for BYOD (Bring Your Own Device).” Some of the issues addressed include privacy concerns such as “employer access to personal data, personal data being wiped by an employer, and employers tracking the location of the device.”

Webroot offers guidelines to help resolve differences between companies and their employees relating to use of personal devices. Dubbed the “BYOD Bill of Rights,” these guidelines state that employees have the right to

1. privacy over their personal information;
2. be included in decisions that impact their personal device and data;
3. choose whether or not to use their personal device for work;
4. stop using their personal device for work at any time;
5. back up their personal data in the case of a remote wipe;
6. operate a device that is unencumbered by security that significantly degrades speed and battery life;
7. be informed about any device infections, remediation, or other activity that might affect their device’s performance or privacy; and
8. download safe apps on their personal device.

There is no current legal regulation of BYOD policies, so while these guidelines are laudable, at least for now, it is difficult to see why companies would accept them as a “BYOD Bill of Rights.”

California Court Requires Reimbursement

In Colin Cochran v. Schwan’s Home Service, Inc., the California Court of Appeals in August reversed a Superior Court in Los Angeles County and ruled that “when employees must use their personal cell phones for work-related calls, Labor Code section 2802 requires the employer to reimburse them.”

The Order points out that the purpose of the California Statute is “to prevent employers from passing their operating expenses on to their employees.” Specifically, it notes the following: Pursuant to section 2802, subdivision (a), “an employer shall indemnify his or her employee for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties, or of his or her obedience to the directions of the employer.”The threshold question in the case was this: Does an employer always have to reimburse an employee for the reasonable expense of the mandatory use of a personal cell phone, or is the reimbursement obligation limited to the situation in which the employee incurred an extra expense that he or she would not have otherwise incurred absent the job? The Court’s answer was “that reimbursement is always required. Otherwise, the employer would receive a windfall because it would be passing its operating expenses onto the employee.” The Court ruled as follows: Thus, to be in compliance with section 2802, the employer must pay some reasonable percentage of the employee’s cell phone bill. Because of the differences in cell phone plans and [work]-related scenarios, the calculation of reimbursement must be left to the trial court and parties in each particular case. Time will tell how the expenses of purchase, maintenance, and usage of employee-owned tablets, laptops, and home computers used for business are impacted by courts that follow the ruling in this case.

The court’s opinion is limited to reimbursement under California law. It does not address BYOD privacy. However, given that the employer now must pay for certain usage of devices under a BYOD policy, another BYOD issue that may be considered in the courts is whether the employer has access rights to a device or can mandate limits on its use.

Privacy Basic to the 10 Commandments of BYOD

Fiberlink published an e-book that addresses the business needs for controlling devices used by employees, entitled The Ten Commandments of BYOD. These are the commandments:

1. Create Thy Policy Before Procuring Technology
2. Seek The Flocks’ Devices
3. Enrollment Shall Be Simple
4. Thou Shalt Configure Devices Over the Air
5. Thy Users Demand Self-Service
6. Hold Sacred Personal Information
7. Part the Seas of Corporate and Personal Data
8. Monitor Thy Flock — Herd Automatically
9. Manage Thy Data Usage
10. Drink from the Fountain of ROI

In particular, No. 6, “Hold Sacred Personal Information,” is directed at Personally Identifiable Information (PII), the subject of HIPPA laws, other privacy laws, and disclosures of cyberintrusion regulations.

Some privacy laws prevent corporations from viewing that information at all, the e-book notes. Following are items that mobile device management (MDM) policies should be able to parse regarding the information an employer may and may not access:

• personal emails, contacts, and calendars;
• application data and text messages; and
• call history and voicemails.

Employee use of personal devices is going to continue to grow, and protecting privacy — whether regulated like PII or otherwise — is important for employees. Employers need to develop policies that are compliant with the law and sensitive to the employee’s needs.