- Blog post
Are you smart about smart phones?
As an up-to-date HR pro, you may have read about the growing BYOD (Bring Your Own Device) movement, whereby employees use their own smart phones for work purposes rather than employer-issued phones.
But a lot of employers are still handing out smart phones to at least some employees. If you’re one such employer, what do you let people do with these versatile devices? What are your policies and practices when you hand out the phones and when employees give them back?
These are complex issues for HR (as well as for IT and the organization as a whole), because they straddle the line between justified employee privacy and equally justified employer expectations that employees will use company property wisely.
Migrating to your phone
A little background: In case you haven’t already noticed, it can be expensive to own and operate a smart phone.
Different surveys have come up with $47, $70, $80 and $100+ as the cost of an average monthly mobile phone bill these days.
So employees may be looking to economize on their plans by switching some activity to the employer’s phone — or in some cases, dropping their personal smart phones altogether and using their employer’s phone as their only one.
What’s the risk to you if employees use your phone for personal business? Here’s an example of one risk:
An employee of a cell phone company in Ohio was allowed to use her office Blackberry for personal communications. She did so, sending and receiving thousands of e-mails by means of her personal Gmail account.
When the employee left the company, she turned the Blackberry in, but didn’t remove her personal e-mail from the device (although she thought she had). Her supervisor managed to access the e-mail account, and over the next few months he read 48,000 — yes, 48,000! — of these personal e-mails, which covered everything from the former employee’s finances to her health and her family.
The former employee sued for violations of the Stored Communications Act (SCA), which is more or less the anti-wiretapping law for the Internet, and a federal court rejected the employer’s attempt to have the case dismissed.
Expectations of privacy
You’re probably thinking about now: Didn’t this employer tell employees that they had no expectation of privacy on company-owned mobile devices? That’s the standard defense against invasion of privacy lawsuits.
But here’s the thing: As far as the SCA is concerned, it may not matter whether you give employees this kind of notice or not, if a supervisor or another employee does what the supervisor in the Ohio case did.
As Jon Hyman, blogging as The Practical Employer, puts it, “under the Stored Communications Act, personal data is sacred.”
Of course, there are other risks in letting employees use employer-issued smart phones as their personal devices. Among them:
1) Running up your bill with expensive activities like viewing movies, streaming music or gaming.
2) Exposing you to potential liability for harassment if the employee, for instance, sends unwelcome messages or takes embarrassing photos.
3) Setting you up for overtime claims if non-exempt employees use the phones to do work outside office hours.
What to do?
So what can a smart employer do about all these issues? There are several different tacks you can take:
- In consultation with IT, consider going BYOD — moving away from issuing smart devices and toward expecting employees to use their own. This is potentially a big shift, however, involving as it does issues of systems security and allocation of owning/operating costs between employer and employee. Plus, BYOD brings its own laundry list of legal issues, largely around employee privacy.
- Limit smart phone issuance to key employees. Not everybody needs a company smart phone. If you’ve handed out phones to a number of people, review the list to be certain you’re addressing business-critical issues and not just providing people a free phone.
- Decide whether to allow personal use of company devices. You may feel that, in today’s climate, employees expect to use smart phones for both work and non-work activities, and would resent it if you told them not to. But you may conclude, nonetheless, that the risks of allowing personal communications are too great. If your policy bars personal business on your smart phones, you must be prepared to have IT check them periodically, and to discipline employees who break the rule.
- Create policies defining authorized vs. unauthorized kinds of uses (keeping in mind both excess cost and legal factors).
- Additionally, create a policy barring employees from accessing the personal e-mails or text messages of others. A policy like this would help employers in cases like the one from Ohio mentioned earlier.
- When employees turn company smart phones in, make sure IT erases all personal information and data from the devices before you hand them out to someone else.