By now, most employers are familiar with “Bring Your Own Device to Work” policies. These policies allow employees to access company information through their own computers, smartphones, tablets, etc. While these policies provide employers and employees with more convenient and seamless access to work information, they also raise a number of important legal and technical questions.
Information technology professionals typically caution employers about the risks presented to company information systems through employees’ devices, which may lack the same virus protections and firewalls that company computers possess. Employers often require installation of anti-virus software as well as programs that allow the employer to remotely erase company information from the employees’ devices in the event they leave employment.
In addition to these steps, employers should also consider obtaining specific consent from employees to access their personal devices for legitimate business purposes. These purposes could include discovery requirements, government inquiries, or internal investigations. The federal Stored Communications Act may prohibit employers from remotely accessing employees’ personal devices absent specific advance consent. As a condition of allowing employees access to company information systems, employers should get written authorization that sets out examples of situations where the company may search the employees’ devices.
Of course, such access rights should only be exercised in situations involving a clear business need. The searches should be limited to company information and should not include access to, copying, or erasure of personal information or data that is unrelated to the specific business purpose. As technology and employer expectations change, the authorizations may need to be periodically updated to cover additional subjects.