by Marisa Helms
It’s not unusual these days for employees in every industry to access their work-related email, calendar, and contacts with their latest consumer gadget. It’s so common, in fact, that there’s an acronym for it: BYOD, which stands for Bring Your Own Device.
The BYOD trend is not a flash in the pan. In fact, it is projected to grow as younger employees—the “Millennials”—continue to join the workforce. The younger generation just expects BYOD on the job because their work and personal lives are not as separate as they may be for older employees.
But BYOD is so new that many Minnesota cities are unsure how to handle it. While some smaller cities may not find BYOD to be an issue, many mid-size and large cities with a large number of employees are grappling with making an informed decision about whether or not to allow BYOD for city employees.
Benefits and risks
For employees, the benefits of allowing BYOD seem obvious. For starters, it’s just easier to deal with one smart phone, for example, instead of juggling a city-owned phone and a personal phone.
For cities, BYOD can provide cost savings, especially in the case of the ubiquitous smart phone. Instead of buying an expensive new phone and service contract for an employee, cities could spend a fraction of that by instead putting the cost burden on the employee and then reimbursing the employee for a portion of their cell phone bill each month. Making this even more appealing, the Internal Revenue Service (IRS) issued guidance a few years ago indicating that cell phone reimbursements are generally non-taxable income. (Read IRS Notice 211-72 at http://1.usa.gov/1eA1Yvf.)
Another possible benefit for cities could be less reliance on city IT resources by employees. Since Millennial generation workers are generally more familiar with new technology, they probably won’t need city IT staff to train them how to use their own device. And they would be more likely to keep their device up-to-date with the latest operating systems and security patches.
City liability and BYOD
Aside from the potential benefits of allowing BYOD, there are also some challenges and implicit risks when employees access privileged data with their own devices. So, cities need to find solutions to BYOD that will protect them from liability while still allowing employees the flexibility and access that they’re asking for.
One option is to forbid BYOD, and some cities are going that route as they sort through the practice’s risks and benefits.
The important thing is for cities to be as proactive as possible as they respond to the growing clamor for BYOD, says Greg Van Wormer, assistant technology services director with the League of Minnesota Cities.
“If you’re not prepared, BYOD’s going to run right over you,” says Van Wormer. “We want our cities to make conscious decisions about whether they’re going to allow or disallow BYOD. And, we recommend cities have a well-written BYOD policy so people understand what the expectations are—one way or the other.”
Managing the risks of BYOD
When a city allows an employee’s personal device to connect to the city’s servers, the city opens itself up to network security risks.
Van Wormer illustrates how that risk plays out by using the analogy of how a virus is transmitted person to person. For example, he says, if you live in a rural area and rarely come in contact with other people, you greatly reduce your chances of catching a virus. On the other hand, if you’re somebody who is shaking hands or hugging people all day, like a politician, you have a greater likelihood of catching a virus. “So, think of computers the same way,” explains Van Wormer. “If a city allows people to bring in their own devices, then any one of those devices could have a virus or spyware on it. Or, a hacker could use that personal device to get into a city’s network.”
Fears of exposing the city’s network to security breaches is a primary reason why Brooklyn Center (population 30,200) has a written policy forbidding BYOD, says Patty Hartwig, the city’s IT director.
“At this point, we have serious concerns regarding that kind of vulnerability,” says Hartwig. “We want to protect our data, and personal devices are subject to more risk than a corporate device. With BYOD we would inherit the vulnerabilities of an employee’s device and how they use it.”
E-discovery: another BYOD challenge
All Minnesota cities are responsible for retaining electronic government records, including certain emails, text messages, web pages, digital images, databases, spreadsheets, and word-processing documents.
So, under the Minnesota Government Data Practices Act, any electronic device that generates city data, including a tablet or smart phone, could become discoverable, whether that device is owned by the city or by an employee.
To limit a city’s liability, the League’s Van Wormer says it’s especially important for a city to have a coherent electronic filing system and understandable records retention process and schedule.
“The greater policy is ensuring there’s a place to put [electronic records], making sure people understand where those public records need to be kept, and then ensuring that the location is backed up and secure,” says Van Wormer.
Discovery vs. right to privacy
Some cities saying yes to BYOD have discovered they need to maintain some control over their employee’s personal device in order to shield the city from liability. For example, Willmar and Brooklyn Park recently began allowing BYOD for city workers, and have crafted multi-page policies designed to protect the city.
The number of employees taking part in BYOD right now is relatively small in those two cities, but demand is growing. In Willmar (population 20,000), only about 20 percent of the 130 employees bring their own devices to work. Information Systems Coordinator Mark Boeschen says the city adopted a BYOD policy because he believes it’s important to embrace this change.
In Brooklyn Park (population 76,200), the policy states that by signing on the dotted line, employees indicate they understand that, in the case of discovery, they must hand over their own devices to the IT department.
The policy also allows the city to monitor, record, and audit the use of personal devices, and authorizes IT staff to remotely wipe a device in case of loss, theft, or replacement. When the city wipes a phone, an employee could lose personal data like apps, music, and photos.
Willmar and Brooklyn Park’s policies clearly state that the employee can expect no right to privacy when they agree to BYOD.
Mobile workforce solutions
As one of the few cities with a policy allowing BYOD, Brooklyn Park is “ahead of the game,” says the city’s IT Manager Keith Ehrlichman.
“Over the past year, we’ve been ramping up for a mobile workforce by setting up a virtual desktop infrastructure,” Ehrlichman says. This moves the computing power from individual desktops to a more secure server platform.
That means the city can keep its data safe in one location while still allowing employees to safely connect to their virtual desktop from a variety of devices. No matter what device employees use, they see the same customized digital workspace each time they log on.
A “dual authentication” process provides added security to Brooklyn Park’s BYOD infrastructure. Each time an employee wants access to the city’s virtual network, he or she must supply a password as well as a unique identifier to gain access to the city’s data servers.
Many smaller Minnesota cities currently lack the staff and budget to implement cutting-edge network technology. So, those cities just aren’t allowing BYOD—for now.
“It’s the way the industry is going, so [byod]’s going to happen sooner or later,” says Jason Greninger, information systems director with the City of Rogers (population 8,900). “When we move to BYOD, it will be based on what the staff’s needs are. If they say this is what we need to do our jobs, then absolutely we will steer investment in that direction.”
Marisa Helms is a freelance writer based in Minneapolis.
Some non-exempt employees may not be able to resist the temptation to use their personal devices to check their work email or do other work after hours. This is another risk for cities that allow employees to use their own devices for work. If they’re not careful, these cities may end up paying overtime they didn’t explicitly approve. Under the Fair Labor Standards Act (FLSA), the city must pay non-exempt employees time-and-one-half of their regular rate for additional work over 40 hours in a workweek.
“Generally speaking, the way work time is defined under FLSA includes employee volunteered work time, unless the city prohibits the work and had no reason to know the employee was working it,” says League of Minnesota Cities HR Director Laura Kushner. “The FLSA regulations consider any time spent working that the employer ‘suffered or permitted,’” Kushner adds. “Therefore, if a non-exempt employee uses technology, such as a smart phone, outside of regular work hours and, as a result, works more than 40 hours per week, that work may very well have to be compensated as overtime.”
To limit FLSA claims, Kushner recommends that cities adopt—and enforce—a written policy stating that non-exempt employees may not work outside of scheduled working hours, or during unpaid meal periods, without the prior written authorization of a supervisor. Note: These FLSA requirements are found in the Code of Federal Regulations, Title 29, section 785.11.
* By posting you are agreeing to the LMC Comment Policy.