Читать книгу Employment Law Update - Jonathan Ingber - Страница 49

Technology has continued to blur the lines between one's work life and personal life, and that blurring is being compounded by the willingness of some companies to allow employees to conduct work activities using personally owned devices. Although not inherently wrong or evil, the crossover between work and personal activities raises some vexing questions for employers:

 Are the devices secure, or can they be used as a “back door” into company e-infrastructure?– Failure of the company to implement bring your own device (BYOD) security protocols, educate employees about BYOD security, and monitor security performance can leave the company exposed to a wide variety of malware, viruses, misappropriation risks, and data corruption risks.

 In civil suits or regulatory proceedings, the BYOD device can be subject to discovery. Practically speaking, this means that everything on the device may be subject to disclosure to the opposing party or regulator — whether the information is work-related or personal. Many companies now use mobile device management systems (MDM) to virtually segment work and personal information on a variety of smartphones and operating platforms. This software may assist the employer in differentiating work and personal data, but may not be infallible given today's crossovers of our business and personal lives.– In employment cases, the key issue is going to be whether the employee had a reasonable expectation of privacy because the device belonged to the employee.Note: A carefully drafted APA and BYOD policy is a MUST if the employer is going to successfully argue that the employee's expectation of privacy was removed. The policy must clearly spell out if the employer will be monitoring work-related internet use or emails or text messages sent or received using employee-owned devices, or using GPS tracking (only during work hours) of employee-owned devices; describe the steps the employer will take to segregate or otherwise protect personal information of the employee; and obtain the consent of the employee to monitoring of employee-owned devices based on the employer's legitimate business purposes.The BYOD policy also needs to cover the employee's obligations to preserve information on the device when a “litigation hold” is issued because the employer is sued or named in a regulatory proceeding, or litigation is reasonably anticipated.The employer needs to ensure that litigation hold notifications cover all employees and devices that may contain information potentially related to a suit or proceeding.If the employer has any concerns about employees deleting electronic communications, the employer could choose to make a mirror image of the hard drive of the company server through which the communications are routed. This action should be taken only after consulting legal counsel so that the company understands all of the legal implications of taking this action.

 The BYOD policy should educate employees about the possibility that customs, border enforcement, or law enforcement personnel could seize devices believed to contain company information, with a corresponding loss of personal information on the BYOD device.

 Employers also need to consider how the BYOD policy should address the loss of personal information caused by installation or operation of company-owned software; the loss of personal information because of security breaches not prevented by company systems; and the possible exposure to repetitive stress injuries (for example, carpal tunnel syndrome) from use of BYOD devices.

 When an employee is terminated, the employer may have a standing instruction for the IT department to remotely “wipe” a device clean to prevent the misappropriation or the inadvertent loss of company data. What happens if an employee's device is wiped, with a loss of personal information, pictures, videos, or emails? You can guess that a former employee is unlikely to give the company the benefit of the doubt when asking how personal data came to be deleted.

 The use of personal devices for work communications by non-exempt employees after work hours can expose the employer to overtime claims by these workers, especially if the employer makes a habit of contacting the employees after work hours. We further explore the topic of “off-the-clock” work later and in chapter 6.