Is BYOD a good idea?

Human Resource professionals toss around acronyms which shorten conversations about laws, best practices and hardware.  In this example, the BYOD acronym references hardware, which is short for Bring Your Own Device.  In other words, employees already own sophisticated mobile devices (which we used to call telephones) and is there a way to leverage these devices while employers save money and employees receive reimbursement for some or all of their device related costs?  The answer may be BYOD.  The BYOD conversation addresses whether cell phones, smart phones and tablets used at work should be owned by the employer or employee and that conversation must address cost, benefits and risk.

The numbers make for an interesting and relevant conversation.  In a recent article in Corporate Counsel regarding BYOD, the authors cited a Cisco Survey which estimated that 71 million BYOD devices are in use today in the United States, and that number will likely exceed 100 million in a couple years.  On the accounting side of the analysis, Cisco estimates that BYOD programs can save employers up to $3,150 per employee per year if the program is executed effectively.  Before you evaluate the workplace risks and benefits of BYOD, invite your CFO to lunch and talk about the financial impact of BYOD.  Do the cost savings of a BYOD program add up for you as a tribal organization?

In the recent article in Corporate Counsel, the authors spelled out a couple things which must be considered before implementing a program.  If a BYOD program is attractive from a financial perspective, please consider implementing a strong policy which includes provisions covering the employer’s confidential information, the employee’s right to privacy, electronic discovery, and off the clock work.

Confidentiality

Mobile devices may access important tribal files like enrollment records, personnel files, sensitive financial data and player club information.  We must protect the tribe’s data and trade secrets and therefore the inclusion of confidentiality language in your BYOD policy is important.  On this important point, even if you do not have a BYOD program, you still must recognize the risks associated with employee owned devices, and through policy and training, address employee access and potential removal of the tribe’s confidential information and trade secrets.  For example, eliminating use of unofficial email accounts by employees when they are performing tribal business or sending tribal documents is an important part of preserving confidentiality, with or without, a BYOD program.  Once the confidential document is sent to a personal email account, the tribe has lost control over the document.

In addition to promulgating a strong policy, tribal employers must include the policy in its employee training.  Courts will not protect our information unless we protect our information and through policy, training and consistent enforcement of the policy, the tribal employer can demonstrate its due diligence.

During training, increase employee awareness of the risks associated with a breach of confidentiality by discussing:

Loss of device
The risk of a device being stolen
Sharing the device with family or friends
Connecting the device to unsecured networks
Risks associated at the time of employee resignation or termination

Your IT professionals can be a strong source of information in addressing the risks of device confidentiality so therefore include them in drafting policy and planning for effective training..

Privacy

The risks associated with the tribe’s confidential information may conflict with the expectation of privacy from the employee (device owner).  First, the BYOD policy should clearly assert that the employee should have no expectation of privacy regarding any communications made with the device relating to work for the tribe.  Second, employees who participate in the BYOD program must also acknowledge that there is risk that some of their personal information stored on the device may be disclosed to the employer or lost if the employer utilizes a program which erases device data under certain circumstances.  As with all aspects of this and other policies in the workplace, get legal advice in drafting these policies, and as to employee privacy, legal counsel should be prepared to discuss potential risk.

Discovery

Sometimes employers get sued by employees, vendors and others or employers could be audited and in these instances there may be disclosures which are made in the court or audit process.  For example, as the HR Director you approved of hiring Chuck instead of Shirley and the Tribal Employment Rights Office wants more information regarding the failure to hire Shirley as a qualified tribal member.  If some of the relevant emails between the HR Director and manager making the hiring decision are on the employee’s device, those emails may have to be produced.  A method for making this process easier and less expensive, is to create two workplaces within the device wherein one workspace is for work and the other for personal use.  Moreover, employees must be aware of the tribe’s document retention policy which preserves information.  Finally does your policy inform employees that their devices may be reviewed by the employer if there is litigation, an audit or internal investigation.

Off the Clock Work

There is a dispute about whether the Fair Labor Standards Act applies to tribal employers, but if it does, or if the tribe applies the standards, be aware of employee use of employer owned and employee owned devices when the employee is supposed to be off the clock.  This issue is relevant for both your exempt (not overtime eligible) and non-exempt (overtime eligible) employees.  Since these devices make it easier for employees to work more (and shop and game and be distracted more).

Since exempt employees are not entitled to overtime compensation, some employers limit the BYOD program to exempt employees.  In those instances there is still risk of employee use of the device to perform work when the employee has taken time off for vacation or some other purposes.  For example, if the exempt employee takes Friday as a vacation day, but does work on Friday with her device (or with pencil and paper), the exempt employee is entitled to be paid for Friday which may eliminate the need for the vacation day.  The impact of the FLSA on exempt employees is complicated and deserves serious consideration in implementing and executing policy.

For non-exempt employees, these workers are entitled to pay, and if they work enough in a workweek, overtime pay for all hours worked.  Policy should therefore prohibit the use of devices for work when the employee is off the clock and work should include, but not be limited to, checking work related emails or making work related phone calls.  If the employee does perform work on the device (or without the device) policy needs to encourage the employee to report the work time and the employee must be paid for that time and any overtime generated.  This portion of the policy deserves extra attention to make sure it is drafted correctly and applied in a manner which is consistent with the rules.

Now that we have considered the risks and the benefits, let’s review a sample policy which may provide some language for inclusion in your policy.  The Society of Human Resources Professional recommends the following BYOD policy which has been edited in part:

Electronic Devices: Bring Your Own Device (BYOD) Policy

Employees may have the opportunity to use their personal devices for work purposes when authorized in writing, in advance, by the employee and management. Personal electronic devices include but are not limited to personally owned cell phones, tablets, laptops and computers.

The use of personal devices is limited to certain employees and may be limited based on technology.  Contact the HR department for more details.

To ensure the security of company information, authorized employees are required to have an anti-virus and mobile device management (MDM) software installed on their personal mobile devices. This MDM software will store all tribe-related information, including calendars, e-mails and other company-related applications in one area that is password-protected and secure. The IT department must install this software prior to using the personal device for work purposes.

Employees may store tribe-related information only in this area. Employees may not use cloud-based apps or backup that allows tribe-related data to be transferred to unsecure parties. Due to security issues, personal devices may not be synchronized to other devices in employees’ homes. Making any modifications to the device hardware or software beyond authorized and routine installation updates is prohibited unless approved by IT. Employees may not use unsecure Internet sites.

Employees whose personal devices have camera, video or recording capability are restricted from using those functions anywhere in the building or on tribal property at any time unless authorized in advance by management.

While at work, employees are expected to exercise the same discretion in using their personal devices as is expected for the use of tribal devices. The Tribe’s policies pertaining to harassment, discrimination, retaliation, trade secrets, confidential information and ethics apply to the use of personal devices for work-related activities.

Excessive personal calls, e-mails or text messaging during the work day, regardless of the device used, can interfere with employee productivity and be distracting to others. Employees must handle personal matters on nonwork time and ensure that friends and family members are aware of the policy. Exceptions may be made for emergency situations and as approved in advance by management. Managers reserve the right to request employees’ cell phone bills and usage reports for calls and messaging made during working hours to determine if use is excessive.

All employees must use a preset ringtone and alert for tribe-related messages and calls. Personal devices shall be turned off or set to silent or vibrate mode during meetings, conferences and in other locations where incoming calls may disrupt normal workflow.

Nonexempt employees may not use their personal devices for work purposes outside of their normal work schedule without authorization in advance from management. This includes, but is not limited to reviewing, sending and responding to e-mails or text messages, responding to calls or making calls.

Employees may not use their personal devices for work purposes during periods of unpaid leave without authorization from management.  The Tribe reserves the right to deactivate the Tribe’s application and access on the employee’s personal device during periods of unpaid leave.

An employee may not store information from or related to former employment on the Tribe’s application.

Family and friends should not use personal devices that are used for the Tribe’s purposes.

No employee should expect any privacy except that which is governed by law.  The Tribe has the right, at any time, to monitor and preserve any communications that utilize the Tribe’s networks in any way, including data, voicemail, telephone logs, Internet use, network traffic, etc., to determine proper utilization. Management reserves the right to review, retain or release personal and tribe-related data on personal devices to government agencies or third parties during an investigation or litigation. Management may review the activity and analyze usage patterns and may choose to publicize these data to assure that the Tribe’s resources in these areas are being utilized according to this policy. Furthermore, no employee shall knowingly disable any network software or system identified as a monitoring tool.

Employees will receive an agreed-upon monthly stipend to use personal devices based on the position and estimated use of the device. If an employee obtains or currently has a plan that exceeds the monthly stipend, the Tribe will not be liable for the cost difference.

Safety: Employees are expected to follow applicable tribal, state or federal laws or regulations regarding the use of electronic devices at all times.

Employees whose job responsibilities include regular or occasional driving are expected to refrain from using their personal devices while driving. Regardless of the circumstances, including slow or stopped traffic, employees are required to pull off to the side of the road and safely stop the vehicle before placing or accepting a call or texting. Special care should be taken in situations where there is traffic, inclement weather or unfamiliar areas.

Employees who are charged with traffic violations resulting from the use of their personal devices while driving will be solely responsible for all liabilities that result from such actions.

Employees who work in hazardous areas must refrain from using personal devices as doing so can potentially be a major safety hazard.

Lost, Stolen, Hacked or Damaged Equipment: Employees are expected to protect personal devices used for work-related purposes from loss, damage or theft. In an effort to secure sensitive tribal data, employees are required to have “remote-wipe” software installed on their personal devices by the IT department prior to using the devices for work purposes. This software allows the tribe-related data to be erased remotely in the event the device is lost or stolen. Wiping tribal data may affect other applications and data. The Tribe will not be responsible for loss or damage of personal applications or data resulting from the use of tribal applications or the wiping of tribal information. Employees must notify management immediately in the event their personal device is lost or stolen.

If the personal device gets damaged, the employee must notify management immediately. If IT is unable to repair it, the employee will be responsible for the cost of replacement.

Employees may receive disciplinary action up to and including termination for damage to personal devices caused willfully by the employee.

Termination of Employment: Upon resignation or termination of employment, or at any time upon request, the employee may be asked to produce the personal device for inspection. All tribal data on personal devices will be removed by IT upon termination of employment.

Employees who have not received authorization in writing from management and who have not provided written consent will not be permitted to use personal devices for work purposes. Failure to follow policies and procedures may result in disciplinary action up to and including termination of employment.

____________________________________________________________________

Recommendation:  Do your homework relating to mobile phones, devices and tablets.  Weigh the financial benefits against the risks associated with the use of technology and implement a policy which makes sense to your tribe.  Train employees on the policy and apply the policy consistently.

About the Author:

Richard McGee is a lawyer in Minneapolis, Minnesota who focuses his practice on gaming, gaming regulation, tribal employment and litigation in tribal, state and federal courts.  Richard has the privilege of working with tribes and tribal organizations on Human Resources matters including training.  Additionally, tribes ask Richard to address specific topics while incorporating the tribe’s related laws and policies into the sessions.  This is an invitation to engage Richard to produce and facilitate training for your tribe.