Mobile // Mobile Devices
Commentary
8/22/2014
08:20 AM
Mike Jennett
Mike Jennett
Commentary
Connect Directly
RSS
E-Mail
50%
50%

BYOD: California Ruling A Wakeup Call

California's Cochran v. Schwan court case casts a pall over BYOD plans, but clear corporate policies can eliminate liability concerns.

California, the land of sun and surf, has just dealt what some are calling a death knell to BYOD plans by way of a legal ruling set down Aug. 12 by the Court of Appeals.

The ruling in the case of Cochran v. Schwan's Home Service has a lot of folks wondering if BYOD is dead in California, or at least severely crippled. The ruling holds that "when employees must use their personal cell phones for work-related calls... the employer [is] to reimburse them."

That sounds pretty cut and dried; if you have to use your phone for work, you need to be paid, hence BYOD is pretty much out the window. Let's just stop this whole BYOD concept and go back to having employees using laptops to do their work and employer-issued phones if they need to make calls. This would solve a lot of problems for the IT departments that have to come up with those BYOD plans and for the corporate types who never liked the idea of employees using their own devices to interact with the company.

[Want more on juggling BYOD? Read 3 BYOD Risk Prevention Strategies. ]

Oh, wait -- we are in the second decade of the 21st century, and a phone isn't just a phone anymore. Mobile phones are the way we stay connected to everything that is important to us in both work and play. So what are we to do? BYOD has already taken over, and nearly everyone has his own device. We, as IT, know that people find a way to use these devices for work whether we want them to or not.

This is where BYOD policy becomes so important. Your corporate BYOD policy is what will give your employees the freedom to access the information they want and also, possibly, protect the company from litigation, if handled properly.

When you look at the Cochran ruling, there are a couple of key points. First off, the ruling specifically relates to cell phone usage for calls and the cost of the minutes for those calls. It does not mention data at all, though that's an easy jump, if using this ruling as a precedent in future cases about data. Second, although the ruling is vague about when it applies, there is some very specific language about when an employee needs to be reimbursed. In the case disposition, the court states that "if an employee is required to make work-related calls on a personal cell phone, then he or she is incurring an expense for purposes of section 2802" (section 2802 being a California labor code that refers to cell phone reimbursement).

The key word in that disposition is "required," and isn't that really the opposite of the spirit of BYOD? When I look at BYOD, it is an optional benefit, not a requirement for employees. BYOD gives employees the choice to use their own devices if they so choose, but is not a requirement of their job. This is where your BYOD policy becomes crucial in determining how and whether employees will have access to data and a right to reimbursement for usage, if any.

"Although [the decision] remains subject to further appellate activity... employers should begin to review their cell phone policies now to assess this emerging issue," advises The National Law Review in response to the California court ruling.

A company’s BYOD policy can protect both the employee and the corporation, so creating a policy needs to be the first step companies should take to allow employees to use their own devices for work. When writing that policy, here are three basics companies should consider:

1. You must have a BYOD policy.
This seems like a no-brainer, but lots of companies are still struggling to develop a policy. Some companies believe they don't need a policy because they don't allow access to their systems, but this is like saying, "if I close my eyes, you can't see me." You need a clear BYOD policy and clear exit practices for departing employes, advises attorney Nancy Yaffe of Fox Rothschile LLP. Even if you are restricting access from employee phones, you must have a policy in place that specifically states that, and you must regularly inform employees that you do not allow them to use their own devices for company business.

2. Consider complete BYOD versus hybrid.
Many companies have employees who need to use devices in their work; in these cases the company should have a mechanism that either pays for part or all of the bill. A BYOD policy "should clearly set out how the business and personal uses of the device will be differentiated and paid for," advises attorney Andrew Hinkes.

3. BYOD should be a voluntary, opt-in choice.
Any employee who wants to access corporate data on her device should be required to specifically opt in to the BYOD plan. When an employee does opts in, she should be specifically informed that BYOD is voluntary and that the company provides other means for data access that do not involve personal expense. If other means of access aren't provided, then a reimbursement policy, at least in California, should be designed and implemented.

Cochran vs. Schwan is an important case and one of many to come as technology evolves, but it need not be a death blow to your BYOD dreams. It should, however, be a wakeup call to those who have not implemented corporate BYOD policies.

Today's endpoint strategies need to center on protecting the user, not the device. Here's how to put people first. Get the new User-Focused Security issue of Dark Reading Tech Digest today. (Free registration required.)

Mike Jennett is HP's Enterprise IT Mobility Program Director. He is responsible for development, deployment, and integration of HP IT's mobile applications and infrastructure.  View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jgherbert
50%
50%
jgherbert,
User Rank: Ninja
8/31/2014 | 1:56:42 PM
Re: Personal vs. Work
@ChrisMurphy> "I wonder if we'll just see more stipends to cover part of a personal phone. In all but the most unusual of cases, someone required to use their personal phone for work can't reasonably argue they don't also use it for personal use."

That's what I used to get; a monthly stipend for cell phone. As you went up the company ranks, or based on job role, the stipend would vary (after all, sales folks are expected to use their phone more for example), but it was a fixed fee and you were done. That worked pretty well for me - it didn't necessarily cover the entire bill, but then, it was my personal phone. In the UK I worked for a company who reimbursed based on call percentage. e.g. if my bill was $50/month and half the minutes I used were for work, I would expense $25. That way we didn't get into any issues of work paying for personal minutes and the risk of that being seen as a taxable benefit.
yalanand
50%
50%
yalanand,
User Rank: Ninja
8/30/2014 | 2:40:31 PM
Companies should conduct reviews of their BYOD policies
I totally concur with this post. Companies who haven't set up their bring-your-own-device policies should speedily write them up and implement them in a way that offers protection to both the enterprise and the employees. Even though California's Cochran ruling is bound to side-track BYOD for some enterprises, it really shouldn't.There will be other such court battle relating to businesses and ITin the foreseeable future, but other states do not have laws comparable to California's Section 2802 and BYOD is too strong a force to stop. Nevertheless, companies should conduct a comprehensive review on their reimbursement and BYOD policies.
jagibbons
50%
50%
jagibbons,
User Rank: Ninja
8/28/2014 | 1:07:45 PM
Re: The next leaps...
Interesting thought on home internet, MichiganJeff. The gray area there (which also exists on cell phones) is how many employees would not have home internet access if they had to pay and did a little bit of work from home once in a while. Unless there are usage-based charges where activities done for work can be itemized, it's hard to say the company should pay for everything.
jagibbons
50%
50%
jagibbons,
User Rank: Ninja
8/28/2014 | 1:06:01 PM
Re: Personal vs. Work
Our policy is very similar, TerryB. In the case of roaming data, we require staff with company-owned phones to let us know if they are traveling out of the country. We either pay for data for business travel or make them pay for data for personal travel. It is very clear. The policy also states that nothing will be paid and the phone can be cancelled if the conversation doesn't happen in advance.
impactnow
50%
50%
impactnow,
User Rank: Ninja
8/26/2014 | 3:14:53 PM
Re: The next leaps...
If employees are using their own devices to access company records and client personal information we should have some assurance these devices are secure. The risk to everyone is tremendous, especially with the number of lost devices.
MichiganJeff
50%
50%
MichiganJeff,
User Rank: Apprentice
8/25/2014 | 2:11:52 PM
The next leaps...
The next iteration of this suit will be data useage on the personal phone, as mentioned in the article, and internet access at home, which would be the de facto fall back if the BYOD policy prevented access from the employee's phone.  I suspect it will be nearly impossible to find a method, other than company-paid/issued, of staying connected to work that doesn't cause the employee some expense.
impactnow
50%
50%
impactnow,
User Rank: Ninja
8/22/2014 | 2:50:29 PM
BYOD costs

There are actual costs for BYOD and the costs of managing devices. The policies should also include language around device security and information stored on personal devices, the next major breach could easily be from an employee's personal device.

TerryB
50%
50%
TerryB,
User Rank: Ninja
8/22/2014 | 1:29:13 PM
Re: Personal vs. Work
This is interesting. Here, I have the joy of managing the cell service for the 35 or so people who have them. The majority have phones from our company contract with AT&T but a few use other carriers and get whatever phone they want. What we do is reimburse up to the cost of what a company plan would cost for minutes/data for that person's job role. We don't play hardball, technically we don't use text in a work context but we will reimburse if person needs text service.

Where this gets interesting is in data roaming charges. We had guy with company issued phone who didn't restrict his data service during a vacation to Aruba. He racked up $1000 in charges in one week. We paid because we had no choice but not clear what we would have done if that had been employee's phone. Technically, the person should pay it because they made mistake of leaving roaming on. But whether we would alienate a valued employee over that is another question.
ChrisMurphy
100%
0%
ChrisMurphy,
User Rank: Author
8/22/2014 | 9:29:23 AM
Personal vs. Work
I wonder if we'll just see more stipends to cover part of a personal phone. In all but the most unusual of cases, someone required to use their personal phone for work can't reasonably argue they don't also use it for personal use.   
Stratustician
50%
50%
Stratustician,
User Rank: Ninja
8/22/2014 | 9:23:58 AM
The legalities of BYOD
Great points around BYOD.  From an employer standpoint, while it does save costs when employees use their own personal devices, yes, it is important to clearly outline how reimbursement for voice and data costs will impact the employee.  Many organizations probably still get away with "you can use your personal device, but we're not covering you for it", which not only raises questions when it comes to ownership of the data on the device, but can lead to resentment, especially when it comes to large data bills.  It's also important to make sure that security policies when it comes to BYOD are clearly explained, as some organizatiosn might use remote wiping technologies if an employee leaves the company, which if not done properly means wiping the ENTIRE device, and if it's a personal phone, could cause some headaches for all parties involved.
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.