by Tom Kaneshige

What California’s BYOD Reimbursement Ruling Means to CIOs

Aug 26, 2014

A recent California court ruling that requires companies to reimburse workers for business calls on personal phones adds fear, uncertainty and doubt to an already-complicated BYOD landscape. CIO.com's Tom Kaneshige talks to David Schofield, a partner at a mobile consultancy, to put the ruling in context.

A California Court of Appeal ruling that companies have to reimburse employees for business calls on their personal phones adds another layer of complexity and heaps of uncertainty to the already-shaky Bring Your Own Device (BYOD) movement, says David Schofield, partner at Network Sourcing Advisors, an Atlanta-based mobile consultancy that advises companies on both BYOD and corporate-owned mobile device policies.

Schofield has borne witness to the realities of BYOD, which at times can be terribly harsh. One company in the first year of its BYOD program was collectively $300,000 over budget, he says. Another large company forced employees to shoulder the cost of BYOD, Schofield says, which might be a problem in light of the California Court of Appeal ruling.

It’s this kind of uncertainty brought on by the ruling that can derail the BYOD movement, at least from the CIO’s point of view. There are already signs of a BYOD pullback.

Nearly half of CIOs in Europe aren’t doing BYOD at all, according to a report from IDC Europe. A CompTIA survey found anywhere from 39 percent to 51 percent of respondents are not doing BYOD. Most recently, results from a Software Advice survey show that only 39 percent of workplaces have a BYOD policy.

But BYOD is far from dead; rather, it’s just happening behind the CIO’s back. A TrackVia online survey of more than 1,000 employees and 250 IT workers found that more than half of employees admit to using stealth apps to do their jobs. CIOs attending the CIO 100 Symposium last week said they’re aware of stealth BYOD but are unsure how to deal with it.

CIO.com sat down with Schofield to understand the impact of the California Court of Appeal ruling, as well as how companies should navigate BYOD’s tricky waters.

CIO.com: What do you see as the impact on BYOD from the recent California Court of Appeal ruling?

David Schofield: It’s still not finalized, because now it goes to the next step: possible class recognition. If that happens, man, it’s going to hit the fan. We’ve been warning companies for some time now about changes in the market.

I’ll give you an extreme example. I had a CIO that I spoke with over a year ago who told me that he was going to introduce BYOD to tens of thousands of corporate users. I asked, “Are you going to do stipends?” He said, “We’re not going to pay them anything.” I said, “A lot of them travel internationally. What are you going to do about international roaming?” He said, “We’re not going to pay them back anything.” I said, “How do you rationalize that?” He said, “Well, we don’t buy their pants either, but it’s required for the office.” I’d be interested in what they say now.

We are just seeing the tip of the iceberg. If this gets class action, it could go back several years to reimburse these employees. I’m not as concerned about current employees who are glad to have a job. Former employees are going to be the real pain in the neck. They may come back and say, “Well, I quit that job because of the BYOD policy.”

I’ve told a few companies to take the number of their employees, times it by $40 or $50, go back three years, and set that money aside.

CIO.com: Most companies with a BYOD policy already issue an expense reimbursement or payroll stipend or even a credit on the phone bill. Will this ruling affect them?

Schofield: Unfortunately in the court decision they determined it as “reasonable”; they didn’t provide a percentage. If employees feel that it’s reasonable, fair and equitable, [companies] probably don’t have a problem as long as they’ve documented all of this. If not, they probably want to put that together. If [the court] comes out with a percentage, then it could be that someone who was paying a well-over $100 unlimited plan in the previous market may not have been reimbursed reasonably. I have seen a shrinking in the stipend, and companies look at where the market rates are going.

CIO.com: If an employee opts in and signs a BYOD policy, then don’t they waive the right to challenge reasonable reimbursement?

Schofield: That’s true; they waive their right to keep their job. They don’t want to rock the boat. But this comes back to the former employees. Did they potentially feel like they were being intimidated, that they had to do this to keep their job? An attorney can say, “You really can’t sign your rights away.”

Look at it from the risk factor. If your BYOD policy is challenged by an employee, how much is it going to cost you? At what point does the risk outweigh what’s determined to be a financial benefit for the company and ease of use for an employee?

CIO.com: The ruling covers minutes but opens the door to data usage, device storage, home Wi-Fi, any personal device or app used for business purposes. How do you weigh the risk against so much uncertainty?

Schofield: That’s what the trial will have to determine. Home Wi-Fi is a perfect example. Almost everyone has it in their home to support their personal usage, but they might also be using it to access the corporate network. The U.S. Labor Department, too, has been pressing that maybe people working after-hours and going into the corporate network should be paid for that time.

CIO.com: This ruling is just in California.

Schofield: So goes California, so goes the rest of the country. There are other states that have similar language within their labor laws. It really depends on this case. Even if it doesn’t win in California, this doesn’t stop someone from using what they learned from a failed California attempt to succeed somewhere else, say, New York.

There are other rulings coming up, like the search and seizure, that calls into question who owns the phone. Let’s say an employee has a personal device that has non-partitioned corporate data on it. The employee does something that another party feels is incorrect, and the device is subpoenaed and [authorities] seize it with a warrant — under a previous ruling, they can’t just crack it open anymore.

What if the employee calls the MDM provider and says, “Hey, I lost my device. Can you wipe it?” If the MDM kills it within a couple of minutes, are they wiping out evidence? If it doesn’t get wiped out, then the other party sees all this company stuff. What if that stuff is client records, social security numbers? Is this a data breach?

That’s something in the future to be concerned about.

CIO.com: What’s the alternative to BYOD? Are we going to step back in time when employees carried two devices?

Schofield: If you watch the adoption of BYOD and the revenues of the carriers, the two travel in the same direction. Individuals that got off corporate plans may have gotten a straight discount but didn’t have access to custom plans and additional recurring monthly credits built into corporate discounts. So they actually ended up paying a little bit more, sometimes a whole lot more because now they were adding in some kind of family plan. There was definitely an increase to the cost for an employee.

Because of the privacy issues — not the cost issues — a lot of people are starting to carry two devices again. The one for corporate will keep their business completely separate, and they’ll be able to turn it off at night. Facebook, games, private conversations, and whatever else they’re doing will also be completely separate on the personal phone. With all the software, they don’t want any chance of having eyes on their private lives.

There was a big movement that it was all about the morale, that we couldn’t get the millennials because they want to be able to use their device. I think that’s fallen by the wayside. You hear about all these millennials who don’t have jobs. If they have to use a corporate device, would they still take the job? Yeah, probably.

There are a lot of early adopters who went to BYOD, jumped on it really hard, and are coming back. But you’re not going to see that publicized. Who’s going to advertise that they went in this direction and completely failed and are going back?

CIO.com: CIOs have told me that employees are using their personal devices for work anyway. There are statistics showing stealth BYOD happening at a large scale. What should companies do about this?

Schofield: Rogue-stealth BYOD is a hot topic, as employees get more and more self-sustainable. They understand DNS (domain name system) and MX (mail exchanger) records and can adapt pretty easily. The risk-legal managers need to get in the mix with IT. Depending on the sensitivity or regulatory impact on the company should data be released, the enterprise needs to understand the consequences.

Companies need to ask themselves: Why is this happening? What is the employee not getting from the current access from the current device? Is it poor carrier performance driving them to some other means? Did they lose their previous device and have the phone store transfer everything over? Or is this an attack from within?

The data security personnel have to determine with the business units [how] to defend network access and estimate what damage can result while keeping the experience easy to use. That is a tough order.

You’ll have to review and adjust the game plan regularly. This can be difficult internally because change usually asks the employee to access data in a different way and affect the way they work. The new way has to be right, or they will find a workaround.

CIO.com: BYOD-related vendors are coming up with all sorts of solutions to separate business and personal data and apps — even business-data usage — on BYOD phones and tablets. On the payment side, some vendors help companies issue BYOD reimbursements, stipends or credits. Won’t this solve the problem?

Schofield: Germany had this issue a long time ago. Even though the company owned the device and the subscription, it couldn’t see the data because of privacy laws. On the voice side, there were [vendors] way out ahead of this a decade ago. The employee would get the call-detail records each month and have to identify which calls were personal and corporate. The [vendor] software would remember the identified numbers and automatically put them in the business or personal records, and the company billed the employee for personal costs.

The technology is out there, but then you come down to another level of complexity. At what point does it become too complex that it’s just not worth it anymore?