It is a growing trend, one that may already be occurring at your company. Employers are implementing policies and practices that permit, or even require, their employees to use their personal electronic devices (e.g., laptops and smartphones) and data services (e.g., backup and file-sharing software) for work-related purposes. The appeal of such Bring-Your-Own-Device (BYOD) practices for both employers and employees is undeniable. Employers avoid the up-front costs and administrative hassle of purchasing laptops and smartphones as well as employees’ demands for the latest and greatest gadgets, and employees do not have to carry around multiple devices. Overall, this is a much simpler and more efficient way of doing business, right?

Not so fast. BYOD practices are replete with unexpected risks, legal pitfalls and counterintuitive legal requirements. Before instituting BYOD practices, you as an employer should seek to ensure that those practices do not compromise the security of and your right of access to your information and data, and that your policies comply with all attendant legal obligations. You should take the following prophylactic steps before requiring, or even allowing, any employee to use his or her personal device (including the ubiquitous mobile phone) for work purposes.

1. Determine which employees may participate in BYOD. 

You minimize complications if you only authorize use of personal electronic devices for work-related purposes by those employees whose job duties truly necessitate it. Additionally, you should try to avoid, if at all possible, authorizing work-related use of personal devices by nonexempt hourly employees. If a nonexempt employee uses his or her personal mobile phone to make a work call or send a work email outside of working hours, the time that he or she spends making that call or sending that email is generally compensable, and must be tracked and paid for by the employer. Allowing a nonexempt employee to use personal devices for work creates the risk of unauthorized overtime and “off-the-clock” work.

If it is absolutely necessary for a nonexempt employee to use his or her personal devices for work, the employer should do one of two things: (1) strictly prohibit the employee from using his or her personal device for work purposes outside of regular working hours and require the employee to acknowledge and agree to that prohibition in writing; or (2) if the employer is willing to allow the employee to perform work-related tasks outside of regular working hours, require the employee to accurately record all time worked  and take all applicable meal and rest periods during those working hours away from the office.  A well written agreement containing these requirements is strongly recommended.

2. Establish a reimbursement policy for personal device expenses.

When your employees use their personal devices for business purposes with your knowledge and consent, you are required to reimburse the employees for that use even if an employee does not incur any expense in excess of his or her normal service bill as a result of work-related use. For example, if an employee uses his or her personal mobile phone to make work calls or send work emails, but does not incur any additional expense because he or she has a plan with unlimited minutes and unlimited data allowance, the employer still must reimburse the employee for a “reasonable percentage” of his or her phone bill. An employer can satisfy this obligation by providing employees who use their personal mobile phones for work purposes a set “reasonable” monthly stipend. However, if the employee does incur additional expense as a result of his or her work-related use of the mobile phone that exceeds the amount of the stipend, the employer must also reimburse the employee for that additional expense.  You should implement a policy and a clear mechanism for the employee to submit documentation of any such additional expense. In this area, you may be liable for unreported expenses so you are well advised to regularly audit to identify and pay for any unreimbursed expenses.

3. Consider establishing a data recovery policy for departing employees.

In the event that a remote wipe of a departing employee’s device is not possible and you need physical access to the device to remove data, you should have a policy and procedure in place that requires that departing employee to provide his or her personal device to your IT department for cleaning. You should advise your employees well in advance of any anticipated separation, and preferably when they first start using their personal devices for work purposes, of their obligation to provide their personal devices for cleaning when their employment ends. It is best to initiate the cleaning prior to the employee’s departure; you do not want to have to chase down a former employee for access to his or her device after he or she has left.

Be sure to keep a detailed record of all personal devices belonging to your employees that contain company data, and require the departing employee to sign a certification confirming that he or she does not have any company information or data on any other personal device (including any external storage device, such as a hard drive or USB key).

4. Provide employees a clear and comprehensive written BYOD policy. 

Your BYOD policy should cover a broad range of topics, including:

• Which employees are permitted to use personal devices for work purposes;
• Acceptable and unacceptable use of personal devices for work purposes;
• Your ownership of and right of access to all employer data on employees’ personal devices and employees’ lack of privacy rights in that data;
• Your security and data protection protocols;
• Your employees’ obligations with respect to maintaining the security of employer data (e.g., a provision requiring employees to protect all devices that contain employer data with a password or PIN);
• A disclaimer that the employer is not responsible for the security of the employee’s personal data;
• Reimbursement for the employee’s use of his or her personal devices; and
• Rules and/or restrictions regarding work-related use of personal devices outside of working hours (if authorizing use by a nonexempt employee).

Employers also should consider periodic reminders of the BYOD policy and offer training sessions, as well as ongoing education regarding the importance of protecting the employer’s trade secrets, confidential and proprietary information and data.

This list is by no means exhaustive. Issues and questions unique to each industry, to each employer, to each employee and to each device will always arise and require case-by-case evaluation. However, putting the necessary time and resources into establishing a proper foundation before authorizing employees to use their personal devices will go a long way toward ensuring that the employer reaps the benefits of its BYOD practices without suffering many common pitfalls.