What’s that, and what should you be doing about it?
Cell phones, laptops, notebooks, tablets, oh my! They’re everywhere and everyone seems to have at least one. All these electronic devices can certainly make both our personal and work lives easier and more organized, but whether you’re an employer, or an employee, they can also bring risk into both our personal and work lives. And when we embark on a path, intentionally or not, to Bring Your Own Device, we have to think about those risks.
More employers are allowing, or even encouraging, employees to use their own smartphones, laptops or tablets for work. But we all know even reading and sending emails involves more time and thought than just hitting "send". Certainly, there can be a cost savings for businesses when employees use their own equipment and pay a portion of the employee’s monthly cell phone bill, for example. For the employee the advantage may be carrying only one cell phone instead of one for work in addition to a personal cell phone; but what about the ability to "get away from it all"? Can we be too connected? Don’t we want our employees to be able to separate their work from their personal lives? It’s something to think about.
What should we as employers be concerned about when employees are using their own devices for work purposes?
In a recent interview reported on HR.BLR.com with Jason Gavejian of Jackson Lewis, LLP and a member of the Privacy, Social Media and Information Management (PSMIM) Practice Group, and results revealed in a survey by Coalfire, [here] an IT governance, risk and compliance services company, several issues employers need to keep in mind are highlighted. Among them:
Wage and hour issues: What happens when hourly employees work on their iPhones after hours? Does that time become compensable under wage-hour laws? Yep, in most cases, it probably would be. Do you have a policy addressing this? Do you have a way to track that time?
Data security/risky behavior: Just 47% of smartphone users and 42% of tablet users even employed passwords. When given the definition of "strong" passwords; only 50% of smartphone users could claim theirs was strong. In addition:
32% of users join public Wi-Fi networks
37% confessed to having clicked on links from emails claiming to be banks (a common phishing tactic)
36% reuse passwords
60% write their passwords down on paper (who hasn’t done that??!!)
Many of those surveyed indicated they had access to corporate networks and sensitive information for their job.
Training and policies: 61% of the survey respondents denied knowledge of a company social media policy and 62% denied knowledge of any policy relating to mobile device usage. As HR professionals, we are often confronted with the "I didn’t know" excuse, despite our communication efforts. However, this survey points out that we need to keep communicating these policies and do so frequently and in many different forms.
All of this is why it’s important for businesses to have a BYOD policy in place, preferably before you allow employees to use their own devices for work purposes.
Electronic discovery obligations:
A scary possibility for anyone who has even occasionally checked email for his/her own phone or laptop is the possibility of electronic discovery obligations. Huh?? A recent article on nbcnews.com [here] talks about that risk.
If your company is involved in any type of litigation — civil or criminal — guilty or innocent --- personal cellphones that were used for work email or other company activity might be confiscated and examined for evidence during the discovery or investigation phases of the process. You could end up "losing" your cell phone or other device for weeks, or even months.
In this article, Giri Sreenivas, a mobile phone security expert at Boston-area firm Rapid7, warns discovery requirements can extend far beyond email stored on smartphones. "Text messages and cellphone records might be subject to discovery, too, even if you never connected to company email," he said. "If lawyers believe the device was used for work purposes, it can be (taken)."
There may be a technology solution to this problem in the future. The newest Blackberry phone claims to create a work data-personal data divide, which has the potential to limit the searches that might be conducted by company lawyers. Certainly, at some point, this will be tested.