Bring Your Own Device (“BYOD”) Policies: Trading a Technology Budget for Legal Issues?

By: Martin Risch

Entrepreneurs are always looking for ways that money is being wasted. When electronic advancements came into the modern workplace, few employees owned the new time-saving devices, such as Personal Digital Assistants (PDAs) and pagers. However, nowadays, the opposite is true. Few employees do not already own the electronic devices that assist with their work, such as smartphones and laptops. As a result, Bring Your Own Device (“BYOD”) policies were born; rather than having a company-issued phone or laptop, employees can bring their personal electronics instead. Some companies even offer to pay for a portion of a device’s cost, with the expectation that the employee will then use their personal device for work matters.

Why Would a Company Institute BYOD?

Both employers and some employees find these policies attractive. For instance, an employer does not have to buy these devices, and an employee does not have to ensure that they keep multiple devices safe, make calls on ‘the right phone,’ or use ‘the correct computer’ to work. Additionally, as the employee already owns the device, there are far fewer instances where employees have to get accustomed to a new interface or system. Another benefit of a BYOD program is increased employee satisfaction due to being able to use their preferred devices. Rather than the company providing a specific phone or laptop, the employee can instead use the device they would choose – seeing as they already did so.

IT Issues

IT departments are quick to point out a variety of issues that these policies cause. First, with a variety of devices, there is no guarantee that all are compatible with a relevant program. Is the company going to provide IT support to personal devices? If so, employees may have chosen devices that the IT department may have less experience with, increasing the time and effort required to troubleshoot. In addition, do the company’s firewall and security programs work on all of the devices chosen? However, these issues remain even without an explicit BYOD policy.

Who “Owns” the Data?

There is also the issue of ownership of information. It is relatively easy to say that all of the information on a company laptop belongs to the company. After all, the employee signed a device usage policy detailing what the laptop is to be used for and it is company property. With a BYOD policy, the device is still the employee’s personal property. They are likely to use it even when not working. So, who owns the data on the device at the end of the day? Now, if an employee leaves the company and does not want any data the company values, this is a nonissue. There are a variety of programs that companies can use to remotely delete employer data from personal devices – or even to delete all of the data off the device, including the employee’s personal information. Deleting data is easy; if the company wants the data, it can be significantly harder.

It is not difficult to imagine an employee creating a valuable list of suppliers or buyers. If the employee quits or is fired, who gets the list? Was it created with proprietary data, or during working hours? Does a contract clarify that it is company property regardless? What if the employee was hired specifically due to their expertise in that field? Some companies’ most valuable assets are their trade secrets. But who is the “owner” of the trade secret?[1]

Having a well-written contract stating the information is exclusively the company’s helps. But, if an employee is fired, what is the practical effect of the contract if they refuse to give the data to the company or even destroy it? The contract may provide legal remedies, but they may not be adequate. Rather than simply getting the valuable data back, the company could be forced to sue the ex-employee and receive a favorable judgment. This forces the company to spend time and money trying to recover its data. If the data is unrecoverable, the company only gets some money from the ex-employee. If the company would not have sold the data for that price, the remedy is inadequate.

Trade Secret Protections

The earlier issues may be rather clear. However, establishing the company’s ownership of the data does not resolve all issues of a BYOD policy. Even data that is a protected trade secret before the employee is hired is not immune. A trade secret is only protected if it is valuable as a secret and “the owner thereof has taken reasonable measures to keep such information secret”.[2] Here, the company is the owner. That is the easy part; far more difficult is defining the “reasonable measures.” For example, a company may establish rigorous security settings and encrypt the relevant data on an employee’s device. However, is that enough? Few companies would want to risk destroying their trade secret protections based on the actions of employees. Remember, at the end of the day, these are employees’ personal devices. A work laptop may only travel between desks at home and work, but employees use their personal devices in a variety of places. The more places the device moves around to, the higher the risk of it being forgotten or stolen, and the company’s valuable data along with it.

Discovery

In fact, establishing the company’s ownership of data may have unintended consequences. Federal Rule of Civil Procedure 34 (“FRCP 34”) requires a party to produce during discovery, inter alia, the electronically stored information in the responding party’s “possession, custody, or control”.[3] Courts have found that relevant data on employee-owned devices must be produced when requested under FRCP 34, and the failure to do so has resulted in sanctions against the company.[4] On the other hand, well-crafted BYOD policies have allowed other companies to avoid sanctions.[5]

This post has been reproduced with the author’s permission. It was originally authored on March 29, 2021, and can be found here.


Martin Risch, at the time of this post, is a rising third-year law student at Penn State Dickinson Law. His interests in law include intellectual property, international business transactions, contracts, and regulatory compliance.

Sources:
[1] 18 U.S.C. §1839(4).

[2] 18 U.S.C. §1839(3)(A).

[3] FED. R. CIV. P. 34(a)(1).

[4] In re Pradaxa (Dabigatran Etexilate) Prod. Liab. Litig., No. 312MD02385DRHSCW, 2013 WL 6486921, at *17 (S.D. Ill. Dec. 9, 2013), order rescinded sub nom. In re Petition of Boehringer Ingelheim Pharm., Inc., & Boehringer Ingelheim Int’l GmbH, in Pradaxa (Dabigatran Etexilate) Prod. Liab. Litig., 745 F.3d 216 (7th Cir. 2014), modified and order aff’d in part sub nom. In re Pradaxa (Dabigatran Etexilate) Prod. Liab. Litig., No. 312MD02385DRHSCW, 2014 WL 984911 (S.D. Ill. Mar. 13, 2014), Small v. Univ. Med. Ctr. of S. Nevada, No. 2:13-CV-00298-APG, 2014 WL 4079507 (D. Nev. Aug. 18, 2014), report and recommendation adopted in part, overruled in part sub nom. Small v. Univ. Med. Ctr., No. 2:13-CV-0298-APG-PAL, 2018 WL 3631882 (D. Nev. July 31, 2018), and report and recommendation adopted in part, overruled in part sub nom., No. 2:13-CV-0298-APG-PAL, 2018 WL 3795238 (D. Nev. Aug. 9, 2018).

[5] H.J. Heinz Co. v. Starr Surplus Lines Ins. Co., No. 2:15-CV-00631-AJS, 2015 WL 12791338, at *2 (W.D. Pa. July 28, 2015), report and recommendation adopted, No. 2:15-CV-00631-AJS, 2015 WL 12792025 (W.D. Pa. July 31, 2015).

Author: Prof Prince

Professor Samantha Prince is an Associate Professor of Lawyering Skills and Entrepreneurship at Penn State Dickinson Law. She has a Master of Laws in Taxation from Georgetown University Law Center, and was a partner in a regional law firm where she handled transactional matters that ranged from an initial public offering to regular representation of a publicly-traded company. Most of her clients were small to medium sized businesses and entrepreneurs, including start-ups. An expert in entrepreneurship law, she established the Penn State Dickinson Law entrepreneurship program, is an advisor for the Entrepreneurship Law Certificate that is available to students, and is the founder and moderator of the Inside Entrepreneurship Law blog.