If you’ve got a BYOD policy, you’ve got legal risks.
Many associations allow employees to use their own mobile devices for work. Bring-your-own-device (BYOD) programs may enhance productivity and decrease IT costs, but they also lead to legal and other risks, including the increased probability of data breaches. Recent reports indicate that almost half of employers with BYOD programs have experienced a data breach resulting from employee error or intentional wrongdoing.
Here are some steps associations can take to mitigate BYOD risks:
BYOD policy: Your association should have a written BYOD policy—not boilerplate but customized to meet the realities of your activities and workplace. The policy should address trade secret protection, access to association email and other system-related resources, data breach response plans, sexual harassment and other equal employment opportunity matters, and employee-training initiatives.
Privacy: The use of a single mobile phone for work and personal purposes presents complications when an association wants to monitor activities for security or investigative reasons. Personal information may be deleted when devices are updated. Also, devices may need to be searched for relevant information in the event of litigation or enforcement actions. The BYOD policy and other communications to employees should explain how and for what purposes their devices may be accessed or searched.
Data security: Implement adequate safeguards for sensitive information, such as personally identifiable member financial data, that can be accessed using mobile devices. Know what information must be protected, and implement the necessary procedures to satisfy applicable legal requirements.
Agency: Employers can be held liable for employees’ harmful conduct or criminal behavior or for binding obligations and contracts they establish with third parties. Define clearly what constitutes work and private use of mobile devices to reduce exposure to vicarious liability.
Other employment issues: BYOD programs blur the line between work hours and personal time and may lead to disputes about overtime pay and expense reimbursement. They could also expose an association to liability under federal or state law if an employee is injured while responding to work-related emails or text messages under unsafe conditions (such a while driving or exercising). Consider internal policies for these situations, and inform employees about their rights, obligations, and limitations under those policies.