Contact The Editor
Articles By This Author
Reader: Do you know if it is legal for an employer to ask an employee to install a work application on a personal phone?
When I first started working at a manufacturing company seven years ago, I added one app to my personal phone for a bank my company partners with to handle deposits and payments. I didn't think about the possible security issues with the app at the time. But generally, I try to limit my personal presence online. Even when stores offer me a discount for installing their app, I refuse.
Now, all the banks my company works with require multi-factor authentication using an app or physical token. The employer has asked me to add these other banks' apps to my phone as well. They say a physical token isn't available from the banks, and installing the app is the only way, but I doubt that. I suspect there may be a charge for using verification methods other than the app that they don't want to pay.
So far, I'm the only one among my colleagues who has questioned this requirement and declined. Using my personal phone and installing another application for work is a line I do not want to cross.
A: I empathize with your reluctance to add yet another authentication app to your phone. I swear I spend half my life entering six-digit codes into tiny boxes. But I also accept that tedious security measure as the price of convenience.
To answer your question, I don't believe your employer is legally prohibited, at least under federal law, from asking you to install a work-related app on your own phone to help do your job. If you already take work calls or respond to work emails on your own phone under a “bring your own device” policy, it seems reasonable for your employer to ask you to perform other work tasks with it, especially since you've already agreed to download one app. But by the same, er, token, it seems equally reasonable for you to decline that request, as long as you can get the job done using an alternate method.
Between us, I'm not sure having a simple multi-factor authentication app on your phone exposes you to any particular security or privacy risk - but then, I'm not a tech security expert. And when it comes to evolving beyond human defense systems, cyber-scammers are on par with the coronavirus. Also, I respect your right to set boundaries on how you use your personal property.
Besides, your employer is the one primarily at risk by having employees download those apps to their personal devices. If your phone happens to fall into the wrong hands, could you wipe its data remotely to prevent access to your employer's log-ins or other sensitive information? How much oversight does your employer have over what security measures you enable on your phone? What degree of responsibility would you personally bear if those measures failed? And if you left the company, could you still access those bank accounts through your phone?
Those are messy issues that your employer could rectify by issuing its own secure devices. But again, it's a matter of security versus convenience.
Here's what I'm worried about for your sake: Is your employer as adamant about you using those apps as you are about refusing them? At what point will your boss get fed up with your balking?
Instead of continuing in this frustrating standoff, it may be best to push for a formal resolution.
First, try talking to your banks directly about their multi-factor authentication options, so you know for yourself what's available.
You should also speak with folks in your IT team. They may be able to give you some talking points for more secure solutions to present to management - or they may allay your concerns about the apps your employer wants you to install.
Finally, if your employer isn't interested in issuing its own managed devices, see whether you can be reimbursed for purchasing a cheap, bare-bones device that can host the necessary apps.
Your employer seems overdue for a review of its cybersecurity policies. At the very least, it needs to do a better job explaining them to employees.
Pro tip: Some state laws consider personal mobile device costs, such as access or data usage charges, to be reimbursable employee expenses. For example, California explicitly requires employers to reimburse employees for work-related cellphone costs.
Karla L. Miller advises on workplace dramas and traumas.