Mcle Self-study: Managing the Legal Risks Inherent in Byod to Work Policies

• Citation: Vol. 32 No. 4
• Publication year: 2018
• Author: By Tyler M. Paetkau

MCLE Self-Study: Managing the Legal Risks Inherent in BYOD to Work Policies

By Tyler M. Paetkau

Tyler M. Paetkau is a partner in the Silicon Valley office of Procopio, Cory, Hargreaves & Savitch LLP. He represents employers in all aspects of labor and employment law. He can be reached at tyler.paetkau@procopio.com and (650) 645-9027.

I. INTRODUCTION

It was probably inevitable that most employers would adopt "bring your own device" (BYOD) to work policies in light of the proliferation of smartphones, iPads, laptops, tablets, and other portable electronic devices. It is expensive and often impractical for employers to purchase portable devices for employees' work use. BYOD to work policies are far more efficient and practical. Employees are now accustomed to using their personal devices at the workplace, and while at work taking breaks to shop online, post Yelp reviews, check the hockey scores, and conduct other personal business. But employers should make no mistake: they are inviting a host of legal and practical problems by allowing—and in some cases encouraging and requiring—employees to use their own personal devices for work. This article summarizes the emerging legal and practical problems with BYOD to work policies, then offers some practical suggestions for employers to manage and mitigate the legal risks inherent in such policies.

II. LEGAL AND PRACTICAL PROBLEMS WITH BYOD TO WORK POLICIES

Employers necessarily cede a certain amount of control by allowing, or requiring, employees to use their personal devices for work purposes. Employees typically use their personal cell phones, for example, to conduct personal business, both during and outside work time. Allowing or requiring employees to use their personal devices necessarily means that the employer's data, and sometimes its most sensitive information, including trade secrets, may reside on employees' personal devices. BYOD policies also mean that it is much more likely that rogue employees may transfer, save or use their employer's data. BYOD policies increase the risk of data breaches and hacking.

A. Challenges Protecting Employers' Trade Secrets and Other Proprietary and Confidential Information

Since "trade secrets" must derive their value "from not being generally known to the public or to other persons who can obtain economic value from [their] disclosure or use" (Civil Code § 3426.1(d)(1)), and given that the second prong of a trade secret misappropriation claim is that the information be "the subject of efforts that are reasonable under the circumstances to maintain its secrecy" (§ 3426.1(d)(2)), BYOD policies and practices can cause the loss of valuable trade secret status. That is, the employer is necessarily losing some control over the vital "secrecy" element of a trade secret misappropriation claim by allowing employees to download information onto their private devices. It is therefore important to implement appropriate policies and protocols, and train all employees, as discussed further below.

Courts have begun considering whether an employee's social media contacts qualify for trade secret protection.¹ Courts also are considering the effect of employees using their personal devices on the protection of employers' trade secrets. For example, in an unpublished 2011 opinion from an Illinois appellate court, the court held that a company's bidding system and the bids themselves were not trade secrets, in part because the company's project managers were permitted to take their laptop computers anywhere, including their homes, "indicating a lack of concern with the security of the information on the laptop computer."²

B. Inadvertently Obtaining Third Parties' Information

Employees may decide to connect their own technology, or worse yet, a former employer's technology, to the current employer's network. Employers may thus inadvertently find themselves in unwanted and expensive trade secret misappropriation litigation. This may result in tens of thousands of dollars in computer forensics costs to permanently remove the non-company data from the employer's network. In the recently settled Waymo v. Uber litigation in the Northern District of California, Uber contended that Mr. Lewandowski downloaded Waymo's data without Uber's knowledge, permission or consent, and U.S. District Judge Alsup issued a preliminary injunction ordering Uber to quarantine and not use Waymo's data allegedly stolen by Mr. Lewandowski.³

C. Potential Overtime Liability

When nonexempt employees use their personal devices before or after "normal" work hours to check work email or voicemail, make calls, or send text messages, the time is generally compensable.⁴ To avoid liability, including for overtime, the most conservative practice is not to issue such devices to nonexempt employees. However, if the employer does issue these devices to nonexempt employees, a policy should be in place prohibiting them from working after hours and imposing disciplinary consequences for violations of the policy. The employer also should have policies requiring nonexempt employees to record and submit for payment all time worked, i.e., a "no off-the-clock work" policy.

In Allen v. City of Chicago,⁵ a police officer sued the City of Chicago for unpaid overtime related to off-the-clock usage of his smartphone. The officer alleged that the police department issued police officers electronic devices and required them to respond to work-related emails, text messages, and voicemails around the clock while off duty. The court conditionally certified a class of all police officers employed by the City that were required to carry smartphones, and in October 2014, denied the City's motion to decertify the class. The case is still pending.

D. Employee Privacy Rights May Interfere With Recovery of Employers' Data

Employers often encounter problems obtaining their proprietary data and trade secrets back from employees who resign or are involuntarily terminated; in many cases, terminated employees leave with their employers' proprietary data and trade secrets still on their personal devices. Employers are often surprised to learn that they do not enjoy unfettered access to months, if not years, of current and former employees' emails, text messages and records from their personal cellular phones and other personal devices. Even in litigation, more and more courts rule that such broad requests for access to employees' personal devices, even those used for work purposes, are grossly overbroad, unduly burdensome, and impermissibly invasive of current and former employees' constitutional and common law privacy rights.⁶Courts have ruled that employees have a reasonable expectation of privacy in their private cellular phones and other devices, even if they use them for work purposes, and their employer does not have possession, custody or control over the contents of such devices.⁷

Employees will predictably resist...