When Smartphones Are Not Smart for Your Employees: the Risks of Remote Access in Your Workforce
Smartphones are no longer a luxury in society: they are a staple. Checking emails via smartphone has become part of the standard routine. Employers have seized upon this technological advancement by providing their employees remote access to work accounts from their smartphones or home computers. While the potential for increased productivity is alluring, an employer’s decision to provide remote access technology to its workforce comes with risk.
The Risk of Triggering Overtime Claims
Many non-exempt employees are scheduled to work only eight-hour shifts to avoid triggering the employer’s obligation to pay overtime wages. But what happens when the nonexempt employee goes home after a full shift and responds to several work-related emails? Or what about the employee who conducts remote, work-related email correspondence from his kitchen before heading into an eight-hour shift? Does an employer have an obligation to pay overtime for that additional work? The answer is potentially yes.
Without devolving into an in-depth analysis of the applicable laws regarding wages and overtime, this article can simply look to the definition of “hours worked” provided in several California Wage Orders to see how the above facts could give rise to an overtime claim. The California Wage Orders define “hours worked” as “time during which an employee is subject to the control of the employer, and includes all the time the employee is suffered or permitted to work, whether or not required to do so.” It is a fairly broad definition. The Division of Labor Standards Enforcement (DLSE) takes the position that if an employer or supervisor has reason to know that a non-exempt employee is working overtime, the overtime wages must be paid. See 2002 Update of DLSE Enforcement Policies and Interpretations Manual, March 2006, § 47.6.2.
One can understand how an employer would have knowledge of the overtime hours worked by an employee using remote access technology. All email messages reflect the addressee, and the date and time that they are sent. Such after-hours emails can become exhibits in a failure to pay overtime claim. Similar emails sent during meal periods might also be used to establish a failure to provide duty-free meal periods.
In some cases, courts have found de minimis work to be non-compensable. They define de minimis work as work that takes less than approximately ten minutes, is not regularly performed by the employee, and is administratively too difficult to record. Rutti v. Lojack Corp. (9th Cir. 2010) 596 F.3d 1046, 1058; Lindow v United States (9th Cir. 1984) 738 F.2d 1057, 1062. However, as the Ninth Circuit recently held in Rutti, an employee’s off-the-clock remote access activities, such as remotely logging into an employer’s network for five to ten minutes each day to transmit a brief report, can exceed the de minimis standard. Employers can anticipate similar analysis for employees who make responding to their smartphone emails part of their daily routines.
A mitigation of these risks begins with the threshold determination of which employees should have remote access. An employer can minimize the overtime risks by only issuing remote access technology to exempt employees within its workforce. Furthermore, an employer should institute written policies that prohibit off-the-clock work by non-exempt employees. Employers should also train supervisors to be aware of, and to avoid initiating, off-the-clock work by non-exempt employees.
Risks to Trade Secrets and Other Proprietary Information
Employers should also consider that as more employees have remote access to their networks, the risk of losing sensitive corporate data increases. Trade secrets and other sensitive proprietary materials are more vulnerable to accidental or intentional misuse as remote access increases. Everyone has seen how vulnerable smartphones can be to accidental “typos” or “reply all” emails. Imagine the same occurring with sensitive documents attached. To mitigate this risk, employers should only allow remote access to key personnel. Further, employers should limit what parts of the network can be accessed and ensure that security limits are in place (e.g., passwords and inactivity timers) for lost or stolen equipment. Employers should also institute written policies that govern these vulnerabilities.
Remote access may not be ideal for every employee. Employers should evaluate these risks, ensure that written policies are in place, and train their employees on proper use.