ARTICLE
16 January 2025

Risks And Considerations About Bring Your Own Device Policies

FL
Fennemore

Contributor

Fennemore, an Am Law 200 firm, has been a trailblazer in legal entrepreneurship since 1885. We guide businesses that driv e industry, transform communities, and empower people. From pioneering the use of cutting-edge AI to a history of client suc cess and industry-leading job satisfaction, Fennemore isn't just keeping pace—it’s accelerating ahead.
The new year provides a good opportunity for employers to review and potentially update internal policies. One such policy to consider is a "bring your own device" (BYOD) program.
United States Privacy

The new year provides a good opportunity for employers to review and potentially update internal policies. One such policy to consider is a "bring your own device" (BYOD) program.

During the pandemic, many businesses decided to pivot their workforce to remote or hybrid work. Some companies implemented versions of a BYOD program to allow employees to use personal devices to do their jobs. While there can be cost savings and employee flexibility benefits to such programs, they also come with inherent risks.

As many employers implement partial or total return to office policies, it is important for companies to consider the role of personal devices in this changing landscape.

We checked in with Sarah Gohmann Bigelow, Of Counsel in Fennemore Seattle's office for insights on how to protect against increased litigation costs and risks when deciding whether to adopt a BYOD policy.

If an employer allows workers to use their personal devices for work, what challenges does this pose if the employer becomes subject to discovery?

When litigation requires the collection of employer documents and data, the fact that an employee used their personal device for work could make discovery compliance more burdensome and costly because the employer might be required to collect, review and produce data from employee personal devices that contain both work-related and personal data.

How can you reduce the potential risk that employers will be responsible for collecting and reviewing broad swaths of their workers' personal data as part of discovery?

The recent case of In re Pork Antitrust Litigation is instructive. No. 18-cv-1776 (JRT/HB), 2022 U.S. Dist. LEXIS 60214 (D. Minn. Mar. 31, 2022). There, plaintiffs sought an order compelling Hormel Foods to produce its employees' text messages. Hormel objected that it did not have possession, custody or control of its employees' personal cell phone data. Hormel's BYOD policy allowed, but did not require, employees to use their personal cell phones for work.

Importantly, the BYOD policy contained language which limited Hormel's ownership to company-synced data and did not include the employee's personal and un-synced data. The court concluded that the fact that the policy gave Hormel the right to remotely wipe the entire phone if the security of its data was at risk did not give Hormel control over employee personal data.

The court cited the Sedona Conference, a highly regarded legal research and educational institute, which "has taken the position that an employer does not legally control personal text messages despite a BYOD policy when the policy does not assert employer ownership over the texts and the employer cannot legally demand access to the texts."

Are there key components of a BYOD policy that employers should adopt to reduce risks and potential litigation costs should a lawsuit arise?

By implementing a BYOD policy which explicitly limits the scope of the employer's ownership and access, companies may be able to reduce the discovery burdens associated with having to collect and produce from employees' personal devices. Note, though, that while Hormel Foods itself avoided the need to collect data from the personal cell phones in this case, the court enforced subpoenas directed to employees for the same text message data. But significantly, the subpoena was not enforced against the lone employee who "observed a clear boundary about the use of her personal cell phone and could say without qualification that she did not use it in any manner for work purposes."

Does restricting employees' work to employer-owned devices help to ensure that employers do not have to produce data from personal devices and thus reduce the burden of discovery for an employer in litigation?

Yes, the Hormel case suggests that limiting employees' work to company-owned devices may be the best way to ensure that employers do not have to comply with burdensome requests to produce data from employees' personal devices, and to protect against employees being the subject of document subpoenas that require coordination and add another layer of expense and risk for a company in litigation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More