BYOD and social media: an employer’s perspective
August 2014 | SPECIAL REPORT: TECHNOLOGY IN BUSINESS
Financier Worldwide Magazine
August 2014 Issue
As the millennial generation continues to suffuse the workforce, employers must decide whether they want to embrace the technology that millennials want, and often expect, as a condition of employment. One such area of technology is the increasingly popular bring your own device (BYOD) program. An almost unavoidable drawback of an employee BYOD program, however, is an employee’s increased use of social media. Many personal devices come readily equipped with applications for access to the most popular social media sites, such as Facebook, Twitter and Instagram. Accordingly, employers choosing to embrace BYOD must also embrace social media.
While providing an employer with benefits such as heightened employee productivity, efficiency and contentment, BYOD programs and social media use also pose a security threat to the employer’s confidential business information and trade secrets. Thus, to take full advantage of any benefits, an employer must find an effective means by which to mitigate the security risk inherent to both BYOD programs and employee social media use. A trifecta of appropriate policy language, signed employee acknowledgments and employee training is generally the best approach.
A threshold concern for employers is determining what language is, in fact, ‘appropriate’ for a BYOD policy or a social media policy. While employers want to protect themselves from security breaches, they also want to protect themselves from the scrutiny of the National Labor Relations Board (NLRB). Indeed, even non-unionised employees are protected by Section 7 of the National Labor Relations Act (NLRA). Although BYOD policies have not yet come under fire by the NLRB, both social media and confidentiality policies have. Employers can expect that BYOD policies will have their time in the NLRB’s spotlight.
Accordingly, employers need to steer clear of blanket policies prohibiting employees from disclosing confidential information – either via social media or via their personal devices. The NLRB will likely attempt to strike down such blanket policies because employees might construe the policies as efforts to prohibit employee discussions about wages, hours or other terms and conditions of employment.
To illustrate, the NLRB recently struck down an “overly broad” confidentiality policy stating that “dissemination of confidential information within [the company], such as personal or financial information, etc., will subject the responsible employee to disciplinary action or possible termination”. MCPc, Inc., 360 N.L.R.B. 39 (2014). Although the legality of the NLRB’s recent decisions regarding confidentiality and social media policies could be impacted and revisited after the United States Supreme Court’s decision in NLRB v. Noel Canning, 573 U.S. __ (2014) (holding that the 2012 NLRB recess appointments were invalid), the decisions are nevertheless still in force and should be treated accordingly by employers.
Thus, to pass muster under the NLRA, a BYOD or social media policy prohibiting employees from disseminating confidential information must clearly define what types of information or documents constitute trade secrets or confidential business information and should identify specific examples, such as customer or client information, business partner and employee data, marketing strategies or the development of company systems or processes. Moreover, given the NLRB’s praise of employer policies containing example scenarios, a well-drafted policy should also set forth examples clarifying what type of conduct is prohibited and what type of conduct is allowed. If an employee is still uncertain about whether certain information is confidential or about what conduct is prohibited, the policy should also direct employee questions to a specific company contact (preferably a legal contact). Although waiver language will not save an overly broad policy, such language cannot hurt. Accordingly, a BYOD policy or a social media policy should clearly state that the prohibition against disclosing confidential information does not include information about wages, hours, terms and conditions of employment or other concerted activity.
Employees’ intentional dissemination of confidential business information or trade secrets is not the only avenue by which security breaches arise. BYOD programs in particular also carry the risk of employees inadvertently disclosing confidential business information. At a minimum, a BYOD policy should address some of the more common and inadvertent security risks associated with employees using their personal devices for work.
For example, most smartphones make it fairly easy for an employee to quickly switch between personal email and business email – making it just as easy to accidentally send confidential business information to a personal contact. To reduce this type of risk, a BYOD policy should require employees to download software that separates business information from personal information and requires a separate password or PIN to access any business information and applications contained on the personal device.
A BYOD policy might also prohibit employees from accessing unsecured wireless internet networks and direct employees to configure their devices so that they do not automatically connect to any available wireless networks. Otherwise, for example, a hacker could potentially capture an employee’s login credentials and obtain free access to the employee’s business email if that employee logged into his or her business email while working remotely over an unsecured wireless network. A similar type of breach could occur if an employee unknowingly connects to an unsecured wireless network (with a name mimicking a legitimate network) that was, in fact, created by a hacker.
An employer must nevertheless take into account both its line of business and the type of employees on its workforce to develop a functional policy. That is, prohibiting employees from accessing unsecured wireless networks is not always a practical solution. An employer with a highly mobile workforce, with a number of employees who travel or telecommute, for example, may want to invest more resources into a security policy that encrypts internet traffic, including email. A common example is implementing a Virtual Private Network (VPN) and requiring employees to connect to the VPN client prior to accessing any business information. Either way, a BYOD policy should at least prohibit employees from actually entering any login credentials – for any site, either personal or business – while connected to an unsecured network. A policy should also direct employees to utilise different login information for their various personal and business accounts and require employees to regularly change their business email passwords.
Security breaches also arise when employees’ personal devices are lost, stolen or upgraded. With respect to lost or stolen devices, an employer should consider a BYOD policy that puts the onus on employees to report lost or stolen devices to both the company and their mobile carriers within 24 hours after the loss or theft of a personal device. The employer should also ensure that its policy gives the company the ability and right to remotely wipe any corporate data from the device if it is lost or stolen. An additional safeguard could include the requirement that all personal devices lock themselves if idle for longer than a certain period of time. A strong password or PIN, rotated on a regular basis, should be required to unlock the device.
With the proliferation of newer and better consumer devices, many employees will likely upgrade their devices at some point during their employment. Selling an old device is a fairly common practice, which creates a risk of subsequent owners accessing company information. In order to minimise this risk, a policy might address the manner in which old devices should be dealt with when an employee upgrades his or her device. For example, a BYOD policy should include a provision that requires an employee to reset an older device to its factory settings upon upgrading to a new device. An effective BYOD policy should further require employees to notify the company prior to selling, upgrading or trading-in a personal device so that the company’s IT department can inspect the old device to ensure that it no longer has company information or the ability to access company information.
Similar security risks arise with an employee’s departure from the company. As with employee device upgrades, the BYOD policy should outline a procedure that gives the employer the ability to inspect the device prior to an employee’s departure from the company, as well as some measure that allows the employer to ‘scrub’ the device of company information. Oftentimes, an employee’s separation from the company can be messy and quick. Accordingly, a policy must also provide for a remote wipe option if the employer is unable to physically inspect and scrub the device of company information prior to the employee’s departure. Moreover, the individual or department that oversees employee terminations must be made aware of, and trained on, the company’s BYOD policy and its requirements upon an employee’s departure. Best practices might also include creating an exit interview checklist that reminds the company interviewer to review with the departing employee the requirements of the company’s BYOD policy.
The above policy considerations are just the first step. Employers must do more than simply roll out appropriate policies. They must also regularly audit and update their policies to take into account advancing technology and changing law; provide regular employee training on their policies and updates; and be diligent about obtaining signed employee acknowledgements for any distributed versions of the policies. Only then can employers perhaps sit back and enjoy some of the benefits offered by modern technology (at least until the next policy audit comes around).
Allegra J. Lawrence-Hardy is a partner and Lisa M. Haldar is a staff attorney at Sutherland Asbill & Brennan LLP. Ms Lawrence-Hardy can be contacted on +1 (404) 853 8497 or by email: allegra.lawrence-hardy@sutherland.com. Ms Haldar can be contacted on +1 (404) 853 8222 or by email: lisa.haldar@sutherland.com.
© Financier Worldwide
BY
Allegra J. Lawrence-Hardy and Lisa M. Haldar
Sutherland Asbill & Brennan