BYOD Carries Legal Threats
Florida attorney Michael D. Lozoff, partner at Shutts & Bowen in Miami, has certainly seen many trends come and go in the credit union industry throughout his 35-year career. But he has seen very few trends as popular as the “bring your own device,” or BYOD, to the workplace.
That concerns him, and other legal professionals as well, who serve the credit union industry. They say cooperatives that don't have sufficient BYOD policies are putting themselves at a high risk for unwanted legal issues that can be costly in more ways than one.
“In general, unfortunately, the technology is still running ahead of the ability of some of these institutions to keep up with policies that they should have,” Lozoff, who chairs the law firm's credit union practice group, said. “We run into all kinds of questions that sometimes surprise us to the extent that the institutions have not addressed something as basic as BYOD.”
To be fair, however, BYOD in the workplace is a relatively new trend. The acronym is believed to have first popped up in 2009 when employees began using their smartphones at work just after the popular iPhone and Android came on the market in 2007 and 2008, respectively.
While many organizations initially attempted to buck the trend, senior leaders at Intel embraced it and surmised BYODs could cut costs and improve productivity, according to GovInfoSecurity.com, a website published by Princeton, N.J.-based Security Media Group Corp., which covers information security, risk management, privacy and fraud.
It's believed that the BYOD trend didn't begin to gain traction until 2011. Consulting group Gartner in Stamford, Conn., projects half of all employers will adopt BYOD by 2017.
Since the early days of smartphones, of course, there have been new and improved versions of the handheld devices and tablets enabling employees to work anytime, anywhere and with anyone.
And while that work flexibility may create many advantages for organizations, BYOD adoption has also created a lot of legal issues such as overtime reporting, work-related data versus personal information, smartphone bill reimbursements, and e-discovery for civil and criminal cases.
Courtrooms across the nation have already heard arguments about these issues, which can teach credit unions valuable lessons and help them stay out of the courtroom.
In the case of Mohammadi v. Nwabuisi, a court found that an employer failed to compensate an employee for overtime work on his BYOD.
“The problems you are going to have with cell phone usage and other BYODs are the same problems that are caused by your most diligent [nonexempt] employees,” Norfolk, Va.-based Attorney John M. Bredehoft said. “They are the ones that check their emails, voicemails, read documents and perform work when they are not in the office, and technically they are not being compensated for it.”
While overtime claims generally don't amount to a lot of money, the Fair Labor Standards Act has a double damages provision. An overtime claim of $10,000 or $20,000 can easily add up to a $100,000 or $150,000 claim.
“So that is why one of the main things we put in all of our BYOD and social media policies is that employees are not authorized to do work outside working hours even if they do get emails,” Bredehoft, who is also a member of the Labor and Employment Law Practice Group at Kaufman & Canoles, said.
However, in another case, White v. Baptist Memorial Health Care Corp., a court ruled that employers are not responsible for compensating employees overtime when they fail to follow an employer's procedures for reporting overtime work.
Lozoff said it's important for credit unions to work appropriate timekeeping procedures into their policies that would enable non-exempt employees to report overtime worked. The burden is on employers to keep records of overtime hours worked. If they don't, then the employee's estimated overtime worked is presumed to be correct.
When it comes to employees using their own devices for both business and personal use, Bredehoft advises his clients to develop a policy that allows them to remotely access all devices on demand.
This is particularly important when devices are lost or stolen or when an employee is fired or resigns. Smartphone theft has become a major problem – in 2012, an estimated 1.6 million smartphones were stolen, and in 2013, that number jumped to 3.1 million, according to Consumer Reports.
When a device is lost or stolen, remote access enables credit unions to delete all of the data in the device. However, when an employee is fired or resigns, a policy could avoid lawsuits.
Read more: One company was sued for wiping personal info off a former employee's device ...
In the case of Rajaee v. Design Tech Homes et al., an employee sued his company for wiping both his business and personal information off his BYOD after he left. His lawsuit was based, in part, on the Computer Fraud and Abuse Act that makes it illegal to cause $5,000 or more in damage to electronically-stored information.
He lost his case, Bredehoft noted, because his claim didn't reach the $5,000 limit.
“I might use that as an example the next time I speak on stupid employer tricks,” he said. “If they did not have a contract allowing them remote access and control, or a policy that the employee agreed to abide by to allow them remote access and control, then that is an incredibly stupid thing to do.”
It's important for credit unions to define the circumstances in their policy under which a device's information will be deleted, he emphasized. In addition, a policy should clearly state that any confidential, proprietary or copyrighted information is the property of the credit union's even when it is stored on a BYOD.
Ken Otsuka, a senior consultant for risk management at CUNA Mutual Group in Madison, Wis., said credit unions can avoid deleting both personal and business information on devices by using a mobile device management solution, which can remotely swipe the business information only.
The issue of reimbursement raises an important question: Should companies pay for a portion of their employees’ bills for personal mobile phones used for work responsibilities?
In California, companies are required to reimburse their employees for a reasonable percentage of their phone bill, according to that state's labor laws. Last year, a California Court of Appeal upheld the law in the Cochran v. Shwan's Home Services Inc. case.
But Bredehoft said he doesn't think the case will have much of a ripple effect outside of the Golden State.
“Most of the clients I advise who have BYOD already do reimburse employees,” he said. “Outside of California, there may be one or two other states that require employers to reimburse their employees. There is no federal law, believe it or not, that requires an employer to reimburse employees for BYOD expenses.”
However, Amanda Tomney, an associate at the law firm of DLA Piper in New York City, said that while this court ruling only applies in California, she believes that other states will eventually follow suit.
Nonetheless, Bredehoft believes it is a sound and reasonable policy for credit unions to reimburse employees who use their digital devices for work duties.
Beyond developing policies for using smartphones and tablets in the workplace, Lozoff advises his credit union clients it is critically important to include a litigation hold policy for electronic discovery issues. Electronic discovery, or e-discovery, is a legal process that allows lawyers to search for electronic data that may be used as evidence in civil or criminal cases.
“Credit unions should be aware that they need a litigation hold policy, particularly when there is threatened litigation or actual litigation,” he explained. “When we get a client who has been sued, we are very quick at getting a litigation hold letter out explaining step-by-step what that client needs to do. We usually send the letter in a memo form that is sent to every employee involved to make sure they retain all of the information and retain it in its original format. Employees also are required to sign a document and acknowledge that they have taken all of the appropriate steps to retain the information.”
The policy will protect an organization because if an employee doesn't follow the litigation hold procedure, then the organization won't be held responsible.
But for organizations that don't establish litigation hold policies, organizations can face serious consequences.
In the Small v. Univ. Med. Center of S. Nevada case, for example, the medical center failed to issue a litigation hold addressing BYOD. Tomney said the (e-discovery) special master declared the defendant's (Univ. Med. Center of S. Nevada) conduct a mockery of the orderly administration of justice and recommended that the court enter a default summary judgement, which favored the plaintiff (Small).
Finally, both Lozoff and Bredehoft recommend that credit unions hold required workplace education and training seminars to ensure employees understand BYOD policies and their related issues.
“I’ve been involved in hundreds if not thousands of depositions of employees, and I’ve been practicing for more than 30 years,” Bredehoft said. “I can count on two hands the number of employees who said, ‘Yes, I read the whole employee handbook.’ People just don't read it.”