Bring your own device (BYOD) programs, which allow employees to use their own personal computing devices for work purposes, are gaining popularity because they offer many potential benefits. Employees are happier when they can use the device of their choice. Employees also like the increased flexibility and better integration of their personal and work lives that a BYOD program offers, which may lead to increased job efficiency. And many employers believe there is a cost savings.
However, along with the benefits of a BYOD program come a number of risks. For example, employers should proceed with caution when it comes to passing the costs of a BYOD program on to their employees. A California appellate court recently issued a ruling that potentially creates class action liability for employers that fail to reimburse employees for mandatory work-related phone calls made on personal cell phones, even if the employee has unlimited minutes of call time and does not incur any additional out-of-pocket expenses for the calls.
In Cochran v. Schwan’s Home Service Inc., the plaintiff, a customer service manager for a food delivery provider, filed a putative class action suit against his employer on behalf of 1,500 customer service managers who were not reimbursed for expenses pertaining to the work-related use of their cell phones. He alleged a claim for violation of California Labor Code Section 2802 as well as a number of other claims. Section 2802(a) states, “An employer shall indemnify his or her employee for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties, or of his or her obedience to the direction of the employer[.]” The court noted that, according to the legislative history, the purpose of Section 2802 is “to prevent employers from passing their operating expenses on to their employees.”
The court held that, when employees must use their personal cell phones for work-related calls, Section 2802 requires reimbursement from the employer, regardless of whether the employees have cell phone plans with unlimited minutes and regardless of whether the phone bill is paid by a third party (e.g., through a “friends and family” plan). Under Cochran, employers must always reimburse employees whom they require to use their personal cell phones. In the court’s words:
The threshold question in this case is this: Does an employer always have to reimburse an employee for the reasonable expense of the mandatory use of a personal cell phone, or is the reimbursement obligation limited to the situation in which the employee incurred an extra expense that he or she would not have otherwise incurred absent the job? The answer is that reimbursement is always required. Otherwise, the employer would receive a windfall because it would be passing its operating expenses on to an employee.
The court did not provide any guidance as to how much employers must reimburse employees for their cell phone use, other than to note that compliance with Section 2802 requires that employers pay “a reasonable percentage” of the employees’ cell phone bills. The calculation of reimbursement owed to each employee was left to the trial court for a determination on a case-by-case basis due to the differences in cell phone plans and work-related scenarios.
Because the Cochran decision assumed for purposes of its analysis that the use of personal cell phones was mandatory, it leaves open the question of when the use of a personal device will be considered “necessary” under Section 2802 in other scenarios. Given the possibility of class action liability, employers (at least in California) would be wise to think carefully about how they handle the costs of a BYOD program.
BYOD programs also create greater risks in protecting company data because the company has less control over an employee-owned device than over a company-owned device. To be sure, a BYOD program allows greater freedom by letting employees work while out of the office. But as a result, the company’s own sensitive and proprietary information (e.g., trade secrets, customer lists, and financial data), as well as the sensitive data of its employees and customers, which it has a legal obligation to protect (e.g., Social Security numbers, birthdates, health care information), may now reside on its employees’ smartphones and tablets. The company’s obligation to protect the data is no different just because it does not own the device on which the data resides. Therefore, the loss or theft of an employee’s device could trigger data breach notification obligations, regulatory enforcement, and civil liability—not to mention reputational damage.
BYOD programs also pose risks to employers because the employer has access to its employees’ personal data. For example, employers attempting to protect corporate data and the corporate network can potentially gain access to their employees’ personal emails, photos, social networking activity, website browsing history, and even location tracking. An employee may file an employment discrimination claim based on allegations that the employer impermissibly took adverse action based on its BYOD monitoring activities.
Potential liability also can arise when a company implements a remote “wipe” to delete data from an employee’s device when the device is reported lost or stolen. The employee may file a civil lawsuit claiming that his valuable personal property was wrongfully destroyed. An employer also could face criminal penalties for unauthorized destruction of employee data under the U.S. Computer Fraud and Abuse Act or other criminal laws.
Some companies attempt to address these risks by requiring employees to “sandbox” their personal devices, essentially keeping separate containers for work activity and personal activity. But whether this approach works depends on how scrupulous employees are about keeping their work activity separate from their personal activity when using their personal devices. Therefore, it may not always be possible or practical to keep the personal completely separate from the business.
If a company does decide to implement a BYOD program, a user agreement is an absolute must. The user agreement should define the scope of the BYOD program clearly so that both the company and its employees can benefit while mitigating potential risks. Some issues to consider in formulating a user agreement include:
- Who is eligible to participate in the BYOD program? Is it open to everyone or just those with specific job responsibilities?
- Is the program mandatory or voluntary?
- Who pays for the device—the employer or employee? Employers should check with their legal counsel before making that determination lest they become targets for potential liability à la Cochran.
- Should the employee look to the employer’s IT department or the device vendor when help is needed?
- What are the employee’s responsibilities for keeping the device in compliance with the employer’s network security policies?
- Are there apps that employees are prohibited from installing?
- Are there websites that users are forbidden from visiting while at work?
- What happens if a device is lost or stolen? Remember, even though the device is not owned by the employer, the employer still must be able to address the loss of the data on the device, including compliance with applicable data breach notification laws and other regulatory requirements. The user agreement also should state that locking or wiping the device remotely may be necessary and that personal data may be removed from the device if it is lost or stolen.
- What are the consequences for failing to comply with the user agreement?
Once a user agreement has been prepared, the employer should make sure each employee is given a copy, trained on the BYOD program, and signs off on the user agreement. Because of the continually changing landscape in technology, compliance, and liability concerns, employers should regularly consult with their legal advisors for updates on the law.