BYOD (Bring Your Own Device): Employee-owned Technology in the - - PowerPoint PPT Presentation

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace

MCHRMA Spring Conference April 4, 2014

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

PRESENTED BY:

The information contained in this document is intended for general information purposes only and does not constitute legal or coverage advice on any specific matter.

Sonya Guggemos

MCIT Staff Counsel for Risk Control

sguggemos@mcit.org

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Use of Personal Devices for Work

• BYOD: Bring Your Own Device

– Trend for employees to use their own smartphone for work purposes – Dual-use device used for personal and professional tasks

3

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

How Are Employees Using Their Personal Devices?

• Phone calls and voice mail
• Text messaging
• E-mail
• Document review
• Drafting documents
• Access to computer servers or databases

4

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Why BYOD?

• Employee

– Convenience and flexibility – Increased productivity – Employer has limited resources

• Employer

– Believed to be cost- efficient – Increased employee productivity and engagement

5

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Risks to Employer and Employee

• Data retention, preservation and retrieval
• Data privacy and security
• Wage and hour concerns: Fair Labor

Standards Act

6

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

DATA RETENTION, PRESERVATION AND RETRIEVAL

Bring Your Own Device

7

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Data Retention, Preservation and Retrieval

• Both government entity and employee may

have an obligation to retain, preserve or produce data and/or device

– Minnesota Government Data Practices Act (MGDPA) – Litigation hold or discovery – Investigation

8

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Minnesota Government Data Practices Act

• Imposes obligation to

produce government data and an obligation to make data easily accessible for convenient use

• Includes all data

collected, created, received, maintained or disseminated by any government entity

• Government data is not

defined by where it is stored, in what format or how it is used

• Responsive government

data stored on employee’s dual-use device must be produced

9

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Minnesota Government Data Practices Act

• Government entity: Failure to produce data

may be a violation of MGDPA

• Employee

– Failure to cooperate with employer could be grounds for disciplinary action – Willful violation of MGDPA may be just cause for disciplinary sanctions

10

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Litigation Holds and Discovery

• Litigation hold: A means by which relevant

documents, data and other information is identified and preserved for potential use in a lawsuit

• Discovery: Requires production of documents,

electronically stored information or things in a lawsuit

11

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Litigation Holds and Discovery

• Employers are responsible for maintaining or

producing documents or items in possession, custody or control

• Failure to comply could lead to court

sanctions against the employer, employee or both, depending on circumstances

12

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Investigation

• Government entity may need to access

sources of data on employee’s personal device in the course of an investigation

– Internal complaint – Responding to outside investigations – Investigating a data breach

13

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

The Problem

• Government entity owns the data
• Employee owns the device
• Work and personal data are likely inter-

mingled on the device

14

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

The Bottom Line

• Employee

– May be required to provide employer or third-party access to the device or the device itself to avoid discipline or sanctions – This may include access to personal data

• Employer

– May have limited ability to preserve the data – Employee may have reasonable expectation of privacy in devices and personal data on the device

15

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

DATA PRIVACY AND SECURITY

Bring Your Own Device

16

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Data Privacy and Security

• Government entities and employees are
• bligated to keep certain government data

private, confidential and secure

• Minnesota Government Data Practices Act

– Requires that government entity establishes and implements appropriate safeguards – Restricts access to data classified as private or confidential

17

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Data Privacy and Security

• Health Insurance Portability and Accountability

Act (HIPAA)

– Requires covered entity or business associate to implement policies and procedures that restrict unauthorized access to electronic protected health information – Includes “individually identifiable health information”

• Other privacy or security requirements in law or

agreement

18

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

The Problem

• Government entity is legally responsible for

data privacy and security

• Employee is responsible for physically

securing device and data

19

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Inadvertent Release of Data

• Lost or stolen device
• Access by friends and family
• Malware or computer viruses
• Employee upgrades device
• End of employment relationship
• Remote backup and storage

20

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

The Bottom Line

• Employer

– May be responsible for its employee’s inadvertent release of the data and violation of data privacy laws

• Employee

– May be subject to discipline for violating personnel, data privacy and security or records retention policies

• Both

– Other causes of action, such as invasion of privacy, could apply

21

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

WAGE AND HOUR CONCERNS

Bring Your Own Device

22

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Fair Labor Standards Act (FLSA)

• Classifies employees as exempt or nonexempt
• Nonexempt employees generally have the

right to overtime or comp time for time worked beyond 40 hours

• Includes all time “suffered or permitted to

work”

• Applies if employer knows or has reason to

know employee performed work

23

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

FLSA and BYOD

• Checking and answering e-mail, phone calls and

voice mail during nonwork hours may constitute compensable time for nonexempt employees

• Possible FLSA violations

– Failing to compensate employee properly for hours worked – Failing to keep accurate time records

• Could subject employer to fines and entitle

employee to back wages and damages, including attorney fees

24

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

MANAGING THE RISK

Bring Your Own Device

25

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Complex Issue

• Risks to BYOD apply to both employer and

employee

• No one-size-fits-all solution

– Depends on the needs and resources of government entity and employees – May differ between departments and positions

• Multidisciplinary approach may yield best

results

26

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Conduct a Risk Assessment of Current BYOD Use

• Who is using a personal

mobile device for work purposes?

– Exempt vs. nonexempt employees

• How often is the device

used for work purposes?

• Why is the employee

using his or her personal device?

• How is government data

being accessed or stored

• n the device?
• What data or information

is being accessed or stored?

• How is the data or

information classified under the MGDPA?

• What security measures

are in place on device?

27

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Consider Ongoing and Future BYOD Use

• Do the benefits of BYOD outweigh the risks

posed and the potential cost of managing those risks?

• What is the organization’s comfort level with

BYOD?

• Are there certain positions or certain uses

that are not acceptable risks for BYOD?

28

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

The IT Component

• Analyze technological capabilities and

capacity

• Review capacity of IT staff to support

employee personal devices and any BYOD requirements

• Assess the feasibility of implementing

technological strategies for BYOD

29

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Technological Strategies

• Password/passcode protection
• Encryption
• Virtual or remote access
• Mobile device management software

30

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Mobile Device Management Software

• Placed on employee’s personal device but

controlled by employer

• Features can include

– Password protection and encryption – Remote locking of device – Remote wipe of the device – Tracking lost or stolen device through GPS – Restricting application installation

31

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Mobile Device Management Software

• Disadvantage: Improper use could raise issues

under Fourth Amendment or federal and state laws

– Remote wipe of device may delete entire device – Unauthorized tracking of employees after hours

• Best practice: Written informed consent

32

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Educate Employees

• Employees must also weigh benefits of BYOD

against the risks and responsibilities

• Employees have a crucial role in managing

and mitigating any risks

33

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Mitigating the Risks

• Password/passcode to

protect personal devices

• Encrypt any work-

related data to the extent possible

• Use the device’s screen

lock function

• Do not download or

store private government data on the device unless necessary

• Keep work and personal

information separate to the extent possible

34

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Mitigating the Risks

• Report a lost or stolen

device immediately

• Be selective about the

applications downloaded

• Avoid using cloud-based

backup or synchronizing with home computers for work-related data

• Do not let friends and

family use the device unless access to work data is segregated or password protected

35

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Mitigating the Risks

• Comply with data

privacy policies and any

• ther retention

requirements, such as litigation holds

• Inform the government

entity if no longer using the device for work purposes

• Remove or protect any

work-related data prior to receiving technical support or repair

36

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Consider Developing a BYOD Policy

• Set forth conditions for BYOD use
• Detail expectations and responsibilities for

employee using his or her own device for work

• Policy should be consistent with federal and

state laws and collective bargaining agreements

37

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Other Considerations

• Incorporate BYOD into the exit interview

procedure

– Develop procedures for preserving data that may be needed after the employee’s departure – Require that all work-related data be wiped off of employee’s personal devices when terminating employment

• Revise related policies as necessary to include

work-related data stored on dual-use devices

38

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Implement the Program/Policy

• Train employees on the policy requirements
• Educate staff implementing the policy

regarding the risks and legal restrictions

• Be prepared for some employees to end

BYOD

39

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

Avoid FLSA Violations

• If permitting nonexempt

employees to BYOD, consider policy or guidelines

• utlining appropriate use
• Require all nonexempt

employees to keep accurate records of hours worked whether on or off duty, including time reviewing and responding to e-mails

• r telephone calls
• Remind exempt and

nonexempt employees on leave not to read or respond to work-related e- mail (other than for reasons directly concerning their leave)

• Educate employees and

supervisors about the policy and consistently enforce it

40

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

DISCUSSION

Ask Questions and Share Experiences

41

MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

You’re Invited:

MCIT’s 2014 Regional Risk Management Workshops

Plan Now to Attend

• Rochester: Sept. 4
• Marshall: Sept. 10
• Mankato: Sept. 11
• Crookston: Sept. 17
• Grand Rapids: Sept. 18
• St. Cloud: Sept. 24
• Fergus Falls: Sept. 25

It’s for You!

• Commissioners
• Department heads
• Supervisors
• Human resources

professionals

• Risk managers/safety

coordinators

42

Sessions cover: Sessions cover: issues related to claims/coverage, human resources, risk control and governance. Registration Registration begins May 1. begins May 1. Check MCIT.org/ Check MCIT.org/tr trai aining.a ning.aspx spx for detail for details. s.