Presenting a live 90-minute webinar with interactive Q&A - - PowerPoint PPT Presentation


Presenting a live 90-minute webinar with interactive Q&A Employee Use of Dual-Purpose Electronic Devices: Legal Challenges for Employers Protecting Company Interests When Employees Use Personal Smartphones, Tablets and Laptops for Work


SLIDE 1

Employee Use of Dual-Purpose Electronic Devices: Legal Challenges for Employers

Protecting Company Interests When Employees Use Personal Smartphones, Tablets and Laptops for Work

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

THURSDAY, SEPTEMBER 27, 2012

Presenting a live 90-minute webinar with interactive Q&A

  • Philip L. Gordon, Shareholder, Littler Mendelson, Denver
  • Michael McGuire, Shareholder, Littler Mendelson, Minneapolis
  • Josh B. Kirkpatrick, Shareholder, Littler Mendelson, Denver

SLIDE 2

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-866-258-2056 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

SLIDE 3

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

  • In the chat box, type (1) your company name and (2) the number of attendees at your location
  • Click the SEND button beside the box

FOR LIVE EVENT ONLY

SLIDE 4

Conference Materials

If you have not printed the conference materials for this program, please complete the following steps:

  • Click on the + sign next to “Conference Materials” in the middle of the left-hand column on your screen.
  • Click on the tab labeled “Handouts” that appears, and there you will see a PDF of the slides for today's program.
  • Double click on the PDF and a separate page will open.
  • Print the slides by clicking on the printer icon.

SLIDE 5

Business Or Pleasure: The Challenges Of Bring Your Own Device Policies In The Workplace

SLIDE 6

  • Philip Gordon ― Littler, Denver, pgordon@littler.com
  • Joshua Kirkpatrick ― Littler, Denver, Jkirkpatrick@littler.com
  • Michael McGuire ― Littler, Minneapolis, mmcguire@littler.com

Visit our Practice Group blog: www.workplaceprivacycounsel.com

SLIDE 7

SLIDE 8

Why does it matter?

  • Ownership of the device affects the employer’s ability to control the device and the data

SLIDE 9

Who’s Doing It?

  • IBM
    – 80,000 employees
    – IBM CIO: “If we didn’t support them, we figured [employees] would figure out how to support [the devices] themselves.”
  • Kraft
    – 800 employees receive stipend to buy PC
    – Not available to:
      • Company executives who handle confidential information
      • Legal
      • HR staff
      • Employees who use their PC to run production equipment
      • Factory workers

SLIDE 10

Who’s Doing It?

  • Sybase
    – 20 different phone options
    – Employees buy and own the phones, but Sybase pays for the monthly service contract
  • Citrix
    – $2,100 stipend to purchase a laptop of their choice and a 3-year warranty.
    – Company owned cost was $2,600.
    – Adoption rate of about 20%.
  • Cisco
  • Lockheed

SLIDE 11

Survey Says

  • 75% of companies surveyed allow employees to use their own personal devices for business (Aberdeen)
  • 48% of IT workers were allowed to purchase a smartphone of their choice to use for work (Forrester)

SLIDE 12

Why?

  • Reducing expenses for employers
  • Improving employee engagement
  • Aiding in the recruitment of new employees
  • Solving the “two pocket problem”
  • Innovation to reduce cost and promote collaboration

SLIDE 13

Does it really reduce costs?

  • “All tallied, BYOD doesn’t look pretty from a cost perspective. A typical mobile BYOD environment costs 33 percent more than a well-managed wireless deployment where the company owns the devices ***.”
    – Loss of bulk purchasing power
    – Higher help desk/support costs
    – Security issues

SLIDE 14

IBM Experience

  • The trend toward employee-owned devices isn’t saving IBM any money

MIT Technology Review, Monday, May 21

SLIDE 15

Your Experiences with BYOD

SLIDE 16

Your experiences with BYOD: QUESTION ONE

  • What approach has your company taken to the BYOD issue?
    – Restricts to company-owned devices
    – Allows some employees to connect personal devices but process is ad hoc
    – Has a BYOD policy

SLIDE 17

Your experiences with BYOD: QUESTION TWO

  • For those with a BYOD/BYOC Policy, what is adoption rate?
    – 0-25%
    – 25-50%
    – 50% or greater

SLIDE 18

Your experiences with BYOD: QUESTION THREE

  • For those with a BYOD/BYOC Policy, have you experienced employment law/HR issues as a result?
    – Yes
    – No

SLIDE 19

Your experiences with BYOD: QUESTION FOUR

  • For those with a BYOD/BYOC Policy, have you experienced information security issues as a result?
    – Yes
    – No
    – Not sure

SLIDE 20

Your experiences with BYOD: QUESTION FIVE

  • For those with a BYOD/BYOC Policy, have you experienced eDiscovery challenges as a result?
    – Yes
    – No
    – Not sure

SLIDE 21

HR and Employment Law Issues

SLIDE 22

HR and Employment Law Issues

  • Performance management
  • Discrimination, hostile work environment, accommodation issues
  • Workplace Safety
    – Driving and talking or texting
  • Labor
    – Mandatory bargaining
    – Unlawful surveillance
  • International
    – Data protection
    – Border searches
    – Espionage

SLIDE 23

HR and Employment Law Issues

  • Wage & Hour
    – Off-the-clock work by non-exempt employees
    – “Suffered or permitted to work”
    – De minimis?
    – Emails themselves are evidence of time spent and notice to employer
    – Time spent dealing with IT issues related to devices
    – Work by non-exempt or exempt employees during weeks off or leaves of absence

SLIDE 24

HR and Employment Law Issues

  • Solution to W&H Concerns
    – Prohibit non-exempt employees from accessing email or making work-related calls outside of work
    – Limit access/program participation to employees who are exempt from OT
    – Create process for reporting work performed outside of working hours
    – Training
      • Employees
      • Managers
    – Compliant policy requiring pay for all hours worked

SLIDE 25

HR and Employment Law Issues

  • Expense Reimbursement
    – Federal law – expenses can’t reduce pay below minimum wage
    – Eleven states have express or implied expense reimbursement requirements
      • California, Montana, North Dakota, South Dakota, New Hampshire, Alaska, Minnesota, Arkansas, Iowa, Kentucky, Michigan
    – California – must reimburse for “necessary expenditures or losses incurred ... as a consequence of the discharge of his/her duties”
    – Reimbursement must meet certain criteria in order to be tax exempt

SLIDE 26

Privacy/Security Issues

SLIDE 27

IBM Experience

  • IBM surveyed devices and found apps and practices that could pose a security risk
    – Forwarding IBM email to web-based email services
    – Using device to create WiFi Hotspots
    – Dropbox
    – iCloud
    – Siri

“We found a tremendous lack of awareness as to what constitutes a risk * * * we’re trying to make people aware.”

MIT Technology Review, Monday, May 21

SLIDE 28

Data is heavily regulated

  • Security Laws and Regulations
    – Encryption
    – Breach notification
    – Secure data destruction
  • Employee privacy rights
  • Record retention
  • Contractual obligations
    – Indirectly regulated
  • Trade secret protection
  • eDiscovery obligations

Allowing employees to store company data on their own devices fundamentally complicates these obligations

SLIDE 29

Security for company data

  • Loss or theft of devices
    – Lost and stolen equipment accounted for 31% of breaches
    – Lookout helped 9 million people locate their devices; one locate request every 3.5 seconds
  • Malware
    – “malware targeting the Android platform rose 3,325 percent” (Juniper)
  • Friends and family
    – 27.5% of FINCEN suspicious activity reports involving identity theft involved friends, family, employee in home

SLIDE 30

Implications Of A Security Breach

  • Violation of statutory or regulatory requirements to secure personal information: HIPAA, GLBA, and state laws (MA, OR, OK, NV)
    – Statutes apply to service providers of covered entities
    – Enforcement: HHS and MA have recently obtained penalties
  • Security breach notification laws: 46 states, DC, PR, USVI, and Guam
    – Encryption safe harbor
    – Encryption requirements: MA, NV, HIPAA
  • Avg. cost of a breach is $194/lost record or $5.5M

SLIDE 31

Security for company data

  • Gateway to the cloud
    – Employee ownership of the account with the service provider will limit company access to its data
    – No contract with company
    – Obligation to “vet” security controls of vendors
    – Data may be more available to law enforcement or others

SLIDE 32

Employee Privacy Rights

Access to private information

  • GINA
  • Protected Characteristics

Issuing a remote wipe command

  • Employees have a reasonable expectation of privacy in their personal device
  • All 50 states have computer trespass laws
  • Computer Fraud & Abuse Act if the unauthorized access causes damages > $5,000

Accessing an employee’s personal e-mail or cloud account

  • Stored Communications Act
    – Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp

SLIDE 33

Beware of Computer Trespass

  • Key facts:
    – Sitton used his personal computer to conduct business for PDI and for a competing business
    – Sitton used the computer on PDI’s premises and connected it to PDI’s network
    – When PDI caught wind of Sitton’s disloyalty, a senior manager entered his office, clicked on an e-mail list, and printed incriminating e-mail

SLIDE 34

Beware of Computer Trespass

  • Ruling: Affirms denial of Sitton’s claims for computer trespass, computer theft, and computer invasion of privacy
  • Reasoning: Lack of authority is an element of each claim, and PDI’s computer use policy established the manager’s authority
  • Key Policy Provisions:
    – Policy was not limited to company-owned equipment
    – Informed employees that PDI would “inspect the content of computers … in the course of an investigation triggered by indications of unacceptable behavior.”

Sitton v. Print Direction, Inc., 2011 Ga. App. LEXIS 849 (Sept. 28, 2011)

SLIDE 35

Federal Stored Communications Act

  • Prohibits unauthorized access to an electronic communication in electronic storage at an electronic communications service provider (18 USC §2701(a))
  • Criminal statute with civil remedies
    – Minimum monetary damages of $1,000
    – Punitive damages and attorneys fees
  • Consent of the account holder is a defense

SLIDE 36

Access to Personal E-mail

Key Facts:

  • Pure Power Boot Camp fired Fell
  • Fell started a competing business
  • PPBC’s owner (Brenner) accessed three of Fell’s personal e-mail accounts
    – Hotmail: Fell had accessed the account using PPBC’s computers, leaving username and password behind
    – Gmail: username and password found in the Hotmail account
    – Warrior Fitness Boot Camp: “lucky guess” same password and username
  • PPBC used Fell’s personal e-mail for non-compete action against Fell

SLIDE 37

Access to Personal E-mail

  • Claim: PPBC violated the SCA
  • Defense:
    – Electronic resources policy defeated any expectation of privacy
    – Fell implicitly consented by leaving username and password on PPBC computers
  • Court: summary judgment for Fell
    – The policy addressed only company equipment used during the employment relationship
    – The e-mails in question were not created on, sent through, or received from PPBC’s e-mail system
    – At most, Fell consented to Brenner seeing his password for one account, but not to her using it for any of them

Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp.2d 548 (S.D.N.Y. 2008)

SLIDE 38

“Password Protection Laws”

  • Generally prohibit employers from asking applicants or employees for personal social media log-in credentials
    – Maryland
    – Illinois
    – California (bill awaits signature)
  • Bills pending in 12 states
    – DE, IL, MA, MI, MN, MO, NJ, NY, OH, PA, SC, WA

SLIDE 39

“Password Protection Laws”

  • Illinois: NO exceptions
  • Maryland: Exceptions for investigations (A) of securities fraud violations (B) to protect trade secrets
  • California: Exception for investigation of (A) Employee misconduct (B) Employee violations of applicable law and regulations

SLIDE 40

Record Retention and Destruction

  • SOX and other industry specific regulations
  • Contractual obligations

SLIDE 41

Trade Secret Protection

  • “60 percent of American workers who left their employers [in 2008] took some data with them.” (Economist)
  • Misappropriation may be harder to prove
  • Use or disclosure will be the focus
  • Access to the devices will be a challenge

SLIDE 42

eDiscovery Challenges

  • Locating the data
  • Access to the device
  • Collection challenges

SLIDE 43

Obligations follow the data

SLIDE 44

Recommendations

SLIDE 45

Recommendations

  • Plan the program
  • Technical controls
  • Policies
  • Operating procedures and capabilities
  • Educate and train

SLIDE 46

Recommendation: Decide whether all employees should be permitted to participate in a BYOD program or whether certain groups should be excluded.

SLIDE 47

Who Should Be Eligible?

  • Limit to employees with a business need
  • Important to control eligibility
    – The more people with BYOD, the greater the risk
  • NOT employees with regular access to sensitive information
    – Legal, HR
    – Access to highly valuable trade secrets, e.g., product engineers
    – Access to highly sensitive, non-public financial information, e.g., CFO’s group
  • Non-exempt employees raise off-the-clock issues

SLIDE 48

Recommendation: Install Mobile Device Management software on dual use devices.

SLIDE 49

Sandbox Approach

SLIDE 50

Recommendation: Require employees to consent to all company activities involving the personal device.

SLIDE 51

Employee Consent

Consent to:

  1. Access to information stored on the personal device
  2. Remote wipe of the device
  3. Monitoring the device when accessing corporate information

  • Expect Pushback

SLIDE 52

Recommendation: Modify or create Employee Agreements.

SLIDE 53

The Personal Device Agreement

Critical Terms: Protection against computer trespass, invasion of privacy and other claims

  1. Agree to Company’s use of remote wipe
  2. Agree to Company’s monitoring of personal device when connected to the corporate network
  3. Agree to produce the personal device for inspection in response to a legitimate request
  4. Release Company from any liability for destruction, or incidental viewing, of personal information

SLIDE 54

Personal Device Agreement: Additional Terms

  6. Will install corporate security package
  7. Will not modify corporate security package
  8. Will immediately report loss or theft of device
  9. Will limit storage of corporate information
  10. Acknowledge that all company policies apply to the dual-use device

SLIDE 55

Recommendation: Restrict employees from using cloud-based apps, cloud-based backup, or synchronizing with home PCs for work-related data.

SLIDE 56

Recommendation: Ensure that use complies with Wage and Hour obligations by prohibiting off-the-clock work and ensuring pay for all hours worked.

SLIDE 57

Recommendation: No use by friends and family members.

SLIDE 58

Recommendation: Training

SLIDE 59

Training

  1. Don’t leave the device unattended
  2. Don’t share the device’s passwords with anyone
  3. Don’t share the device with anyone, including family and friends
  4. How to report a lost or stolen device
  5. Beware of downloaded apps

SLIDE 60

Security Incident Response

  1. Confirm that dual-use device is encrypted
  2. Confirm that remote wipe was activated promptly
  3. Confirm that unauthorized acquirer had to unlock a password-protected screensaver
  4. If no confirmation, collect e-mail on corporate exchange server from date the loss/theft occurred
    – Search for trigger PII
  5. Interview employee concerning contents of local storage on dual-use device

SLIDE 61

Recommendation: Revise exit interview processes.

SLIDE 62

Bottom Line: BYOD creates risks and challenges for employers

  • Data-Related Risks
    – Security of company data
    – Privacy of employee data
    – Records management
    – Contractual obligations
    – eDiscovery
    – Trade Secret Protection
    – Contingent Workers
  • HR-Related Risks
    – Performance management
    – EEO
    – Wage & Hour
    – Workplace Safety
    – Labor
    – International

SLIDE 63

Questions

SLIDE 64

Thank You