
BYOD: California Ruling A Wakeup Call

California's Cochran v. Schwan court case casts a pall over BYOD plans, but clear corporate policies can eliminate liability concerns.

California, the land of sun and surf, has just dealt what some are calling a death knell to BYOD plans by way of a legal ruling set down Aug. 12 by the Court of Appeals.

The ruling in the case of Cochran v. Schwan's Home Service has a lot of folks wondering if BYOD is dead in California, or at least severely crippled. The ruling holds that "when employees must use their personal cell phones for work-related calls... the employer [is] to reimburse them."

That sounds pretty cut and dried; if you have to use your phone for work, you need to be paid, hence BYOD is pretty much out the window. Let's just stop this whole BYOD concept and go back to having employees using laptops to do their work and employer-issued phones if they need to make calls. This would solve a lot of problems for the IT departments that have to come up with those BYOD plans and for the corporate types who never liked the idea of employees using their own devices to interact with the company.


Oh, wait -- we are in the second decade of the 21st century, and a phone isn't just a phone anymore. Mobile phones are the way we stay connected to everything that is important to us in both work and play. So what are we to do? BYOD has already taken over, and nearly everyone has his own device. We, as IT, know that people find a way to use these devices for work whether we want them to or not.

This is where BYOD policy becomes so important. Your corporate BYOD policy is what will give your employees the freedom to access the information they want and also, possibly, protect the company from litigation, if handled properly.

When you look at the Cochran ruling, there are a couple of key points. First off, the ruling specifically relates to cell phone usage for calls and the cost of the minutes for those calls. It does not mention data at all, though that would be an easy jump if this ruling were used as a precedent in future cases about data. Second, although the ruling is vague about when it applies, there is some very specific language about when an employee needs to be reimbursed. In the case disposition, the court states that "if an employee is required to make work-related calls on a personal cell phone, then he or she is incurring an expense for purposes of section 2802" (section 2802 being a California labor code that refers to cell phone reimbursement).

The key word in that disposition is "required," and isn't that really the opposite of the spirit of BYOD? When I look at BYOD, it is an optional benefit, not a requirement for employees. BYOD gives employees the choice to use their own devices if they so choose, but is not a requirement of their job. This is where your BYOD policy becomes crucial in determining how and whether employees will have access to data and a right to reimbursement for usage, if any.

"Although [the decision] remains subject to further appellate activity... employers should begin to review their cell phone policies now to assess this emerging issue," advises The National Law Review in response to the California court ruling.

A company’s BYOD policy can protect both the employee and the corporation, so creating a policy should be the first step companies take toward allowing employees to use their own devices for work. When writing that policy, here are three basics companies should consider:

1. You must have a BYOD policy.
This seems like a no-brainer, but lots of companies are still struggling to develop a policy. Some companies believe they don't need a policy because they don't allow access to their systems, but this is like saying, "if I close my eyes, you can't see me." You need a clear BYOD policy and clear exit practices for departing employees, advises attorney Nancy Yaffe of Fox Rothschild LLP. Even if you are restricting access from employee phones, you must have a policy in place that specifically states that, and you must regularly inform employees that you do not allow them to use their own devices for company business.

2. Consider complete BYOD versus hybrid.
Many companies have employees who need to use devices in their work; in these cases the company should have a mechanism that pays for either part or all of the bill. A BYOD policy "should clearly set out how the business and personal uses of the device will be differentiated and paid for," advises attorney Andrew Hinkes.

3. BYOD should be a voluntary, opt-in choice.
Any employee who wants to access corporate data on her device should be required to specifically opt in to the BYOD plan. When an employee does opt in, she should be specifically informed that BYOD is voluntary and that the company provides other means for data access that do not involve personal expense. If other means of access aren't provided, then a reimbursement policy, at least in California, should be designed and implemented.

Cochran v. Schwan is an important case and one of many to come as technology evolves, but it need not be a death blow to your BYOD dreams. It should, however, be a wakeup call to those who have not implemented corporate BYOD policies.
