10 Keys to an Effective BYOD and Remote Access Policy
This alert was originally published by Phelps on March 22, 2022 and was expanded for additional publication by Law360.
Today, 87% of companies depend on their employees' ability to access business software and data from their personal devices.[1]
And that percentage is likely to grow, as 36.2 million Americans are expected to work remotely by the year 2025 — nearly double pre-pandemic levels.[2] With these trends come new policy and litigation considerations — particularly on how and when employees can access a company's electronic data.
These procedures are often called bring-your-own-device, or BYOD, policies and remote access policies. BYOD policies regulate employees' use of personal or employee-owned devices to access the company's electronic data, most commonly accessing their work email on a personal smartphone or tablet.
BYOD policies largely predate remote access policies, which have been around for some time, but came to prominence during the pandemic and now appear to be a staple of modern business.
Remote access policies do not depend on the use of a personal device, but instead dictate how the company's electronic data and systems can be accessed away from the office — e.g., remote desktops, virtual private network connections and mobile access applications.
Sometimes, the BYOD and remote access policies are combined into one omnibus policy. Other times, they are separated into two policies. Either approach works, so long as the policies are well-crafted, monitored and enforced.
Allowing the use of personal devices and remote work is naturally appealing to companies given the potential to reduce expenses and boost productivity. But employees' increased access to company data and ability to work anywhere and — perhaps more concerning, anytime — present new challenges for companies to navigate.
Without sound BYOD and remote access policies in place, companies can leave themselves exposed to the growing number of off-the-clock suits, data ownership issues and cybersecurity risks that increased remote access has brought about.
For example, in response to a growing number of cyber incidents, Congress recently passed bipartisan legislation — the Cyber Incident Reporting for Critical Infrastructure Act — requiring owners and operators of critical infrastructure to report cyber incidents to the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
CIRCIA was included in the fiscal year 2022 omnibus appropriations bill[3] and signed into law by President Joe Biden on March 15.[4] Among its many requirements, CIRCIA is most notable for imposing upon breached companies a 72-hour reporting deadline, which is significantly shorter than any state's data breach notification law, with most states affording 30 days or more to report a cyber incident.
In addition to each state's own data breach notification requirements, federal breach notification requirements are increasing and putting more pressure on companies to respond quickly in the wake of a cyber incident, adding even more incentive for companies to have strong policies to prevent such incidents from occurring in the first place.
Moreover, recent litigation developments have highlighted the need for sound BYOD policies, including the recent In re: Pork Antitrust Litigation decision, which suggests that a properly crafted BYOD policy may determine whether a company has a legal obligation to collect and produce certain data found only on employee-owned devices. Decisions like these demonstrate the power that BYOD policies can wield in shaping and limiting a corporate party's discovery obligations.
Technology can, and often does, outpace the law and employer policies. Still, as we adapt to an increasing reliance on remote work and access, these 10 tips can guide the analysis of BYOD and remote access policies, whether auditing existing policies or considering them for the first time.
Like all workplace policies, these apply with equal force to law firms.
1. Understand the landscape of the company's device population.
The starting point of any BYOD and remote access policy is an examination of the devices the company will support and which devices can access the company's data. Will the company allow only laptops? Tablets? Macs versus PCs? iPhones versus Androids, etc.?
Also, the company will need a general understanding of what types of mobile devices and smartphones employees already have, as this will affect some of the technical specifications the company is able to roll out. Certain applications work great on iPhones, but not so well on Androids, for example.
For that reason, this should be the first step in crafting or reviewing any BYOD and remote work policy. An employee survey and discussions with the information technology department can normally accomplish this step with minimal complications.
2. Establish a mandatory authorization process.
If an employee wants to access the company's network, the company needs to be informed of any access. Require and plainly state that employees must get permission from IT or a similar department to obtain remote access to the company's data.
This applies not only to BYOD situations involving personal devices, but also to situations in which employees take company devices off the premises, such as taking their company-issued laptops home and accessing data through their personal Wi-Fi network. Create a system that tracks employee access rights and requires all new devices to register with the IT department.
3. Require encryption or password protection.
The ability to access company data remotely or on a personal device should, without exception, require passwords or encryption to protect the company's data. If employees have remote access to company data, this means that other people outside the company could have access as well, depending on the personal safeguards each employee uses.
From a technical perspective, these protections can look like a password for the entire device, an authentication process for logging into a certain app — likely an email app — or some combination of these factors.
As noted above, Congress recently passed CIRCIA, which requires companies that affect and fuel the nation's critical infrastructure to report a covered cyber incident within 72 hours after the company reasonably believes the incident occurred.
Federal data breach notification requirements already exist for certain industries, like the Health Insurance Portability and Accountability Act breach notification rule for covered health care entities,[5] but CIRCIA is far more expansive and imposes tighter deadlines. Because of that expansion into more private sector business, CIRCIA is considered one of the most significant pieces of cybersecurity legislation in years.
CIRCIA also represents a move toward a more unified reporting structure, in contrast to the state-specific structure largely in place at the moment. And while CIRCIA does not affect all private sector companies, it serves as a harbinger of more federal legislation to come in the cyber reporting and enforcement space.
These increased reporting demands only add to the operational and economic strains that a cyber incident can impose upon a company when its data is compromised. As such, strong encryption and password protections, at a minimum, are key components of any BYOD and remote work policies.
Strong policies minimize the risk of a cyber incident as more and more company data resides on devices outside the physical walls of the company.
4. Clarify data ownership.
An effective BYOD policy will expressly identify who owns the data between the company and the employee. This is important for BYOD policies because employees are using their own devices, meaning they will likely have personal information on their devices as well as corporate information. This issue comes up most often in the discovery context when determining the scope of a company's preservation and production requirements.
Put simply, the company must demarcate who owns what.
Indeed, the Pork Antitrust Litigation in the U.S. District Court for the District of Minnesota indicates that a properly crafted BYOD policy may determine whether the company has a legal obligation — or a right, depending on your frame of reference — to collect unique data from an employee-owned device, meaning data that cannot be retrieved through other company sources.
In that case, the court found that the company's BYOD policy sufficiently limited the company's access to employee-owned devices to exclude those devices from the company's possession, custody or control, and thus limited the company's discovery obligation to produce such data.
In the discovery context, this issue largely turns on when a company has possession, custody or control over a data source. And, while a circuit split remains on the interpretation of "possession, custody, or control," companies should still take steps to address these issues in their BYOD policies to better insulate themselves from future discovery obligations and burdens.
More often than not, the unique data at issue is employee text messages or photos, because any corporate emails to and from the employee would likely be accessible from the company's email server. This obviates the need to collect that data from the employee's device.
But if the employee is using their device for work purposes, such as checking emails, and also for personal purposes, such as sending text messages, where are the lines drawn?
A properly crafted BYOD policy can place such unique employee-owned or generated content outside of the company's possession, custody or control. Accordingly, the company must consider how much data the company truly wants to hold on to and what might be worth divesting when crafting a BYOD policy.
5. Limit or explain employees' expectations of privacy.
To avoid invasion of privacy claims down the road, a proper BYOD policy should include a clause that explains and generally disclaims employees' expectation of privacy in the workplace and states the company's right to monitor and intercept data conveyed through its systems, up to and including the complete erasure of company data stored on personal devices.
Indeed, in some states, notifying employees of electronic surveillance is not merely best practice, it is required. New York's S.B. 2628[6] became effective May 7, and requires every private sector employer to provide prior written notice of its electronic monitoring practices to all employees upon hiring and post the notice in a conspicuous place.
The new law is focused on protecting employees' privacy rights as the workforce has shifted to more electronic-based remote work in response to the COVID-19 pandemic, but is not the first of its kind. Other states, like Delaware and Connecticut, have similar laws already on the books.
When employee devices commingle personal data and company data, it is incumbent upon the company to address and identify the level of privacy, if any, its employees can expect for company data transmitted on or through a personal device.
The company should also ensure that the company is not infringing on employees' privacy rights by improperly encroaching into the employee's personal data on the employee's own device. A BYOD policy does not give an organization carte blanche to access an employee's personal photos, messages and similar information simply because an employee also accesses company email on the same device. Nor should a company want such access for the reasons identified above.
6. Address limits on device use outside of working hours.
The company must ensure that any BYOD or remote access policy includes a clause expressly prohibiting nonexempt employees from performing work while off the clock — e.g., reviewing or answering work emails from home.
Work outside these hours can trigger certain payment obligations under the Fair Labor Standards Act and various state wage and hour laws. Organizations should expressly state in their remote work policy that off-the-clock work is not permitted, condoned or expected — and then ensure that managers are trained on this matter.
While it might not seem apparent when working through the mechanics of these tech-focused policies, remote work is fertile ground for allegations of off-the-clock work, and these lawsuits, often brought by a single employee, can quickly mobilize into an entire class of similarly situated employees under the collective action mechanism of the FLSA or corollary class action mechanisms.
For example, in 2021 in Montelongo v. Waste Management Inc. in the U.S. District Court for the Northern District of Illinois, when Waste Management transitioned many of its employees to remote work, the company was hit with a lawsuit alleging that it failed to pay hundreds of dispatchers and routers when those workers performed off-the-clock work before and after their shifts while working from home — and outside the purview of their supervisors.
Such off-the-clock suits have been common for quite some time, but have proliferated as employees shift to increased remote work where it is harder, if not impossible, to monitor employee work hours.
Accordingly, a key defense in any such lawsuit is a strongly worded policy prohibiting off-the-clock work and requiring employees to record or report all time worked, even if away from the office or performed on personal devices.
7. Address business-specific privacy issues and compliance with existing policies.
Any company allowing remote access or access on employee-owned devices must consult its existing vendor and client agreements to ensure that the company's policies are consistent with the obligations of those agreements, mainly obligations to protect and maintain the confidentiality of data exchanged between the parties.
Most commercial agreements that contemplate the transfer of data between the parties — or even the mere possibility — include strenuous data security measures to ensure the protection and safeguarding of that data in an effort to limit the risks of cyber incidents and potential legal exposure flowing from same.
And, to that end, an oft-explored area in such agreements is employees' access to data on their own devices or remotely. Failing to review existing contractual agreements and obligations before rolling out a BYOD and remote access policy is very problematic.
If these issues are not considered until after a cyber incident has occurred, it is too late.
8. Clearly identify procedure in the event of loss or theft.
It is a sound, if not necessary, practice to be able to wipe a device of company data in the event of loss or theft to protect the company's data and address security concerns. Many applications and mobile device management tools allow the ability to wipe devices if threats are detected.
However, if the company intends to do this, the company should let its employees know in advance and establish the proper technological requirements. Of course, this dovetails with the issue of delineating data ownership, so as to ensure that the company is not improperly wiping personal data from an employee's device.
9. Obtain employee consent to policy terms.
Like most workplace policies, the company should get employees' consent to any and all BYOD and remote work policies, especially those focusing on data security and timekeeping practices.
Ask employees to sign and acknowledge the policy, so that the company has a written record that it can point to in the event there is a dispute or later incident.
10. Draft a written policy separate from the employee handbook.
The company should consider separating its BYOD and remote work policies from its employee handbook, instead creating a stand-alone document or addendum. This will allow the company to update these policies more readily without having to reissue an entire handbook, as technology changes more frequently than most handbook provisions.
Staying nimble is critical when trying to keep up with rapidly evolving technological demands and threats.
If you have any questions or need compliance advice or guidance, please contact Jason Pill or any member of Phelps’ Labor and Employment team.