TRANSCRIPT
Employee Use of Dual-Purpose Electronic Devices: Legal Challenges for Employers Protecting Company Interests When Employees Use Personal Smartphones, Tablets and Laptops for Work
Presenting a live 90-minute webinar with interactive Q&A
THURSDAY, SEPTEMBER 27, 2012
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Philip L. Gordon, Shareholder, Littler Mendelson, Denver
Michael McGuire, Shareholder, Littler Mendelson, Minneapolis
Josh B. Kirkpatrick, Shareholder, Littler Mendelson, Denver
Visit our Practice Group blog: www.workplaceprivacycounsel.com
Why does it matter?
• Ownership of the device affects the employer’s ability to control the device and the data
Who’s Doing It?
• IBM – 80,000 employees
– IBM CIO: “If we didn’t support them, we figured [employees] would figure out how to support [the devices] themselves.”
• Kraft – 800 employees receive stipend to buy PC
– Not available to:
• Company executives who handle confidential information
• Legal
• HR staff
• Employees who use their PC to run production equipment
• Factory workers
Who’s Doing It?
• Sybase – 20 different phone options
– Employees buy and own the phones, but Sybase pays for the monthly service contract
• Citrix – $2,100 stipend to purchase a laptop of their choice and a 3-year warranty
– Company-owned cost was $2,600
– Adoption rate of about 20%
• Cisco
• Lockheed
Survey Says
• 75% of companies surveyed allow employees to use their own personal devices for business (Aberdeen)
• 48% of IT workers were allowed to purchase a smartphone of their choice to use for work (Forrester)
Why?
• Reducing expenses for employers
• Improving employee engagement
• Aiding in the recruitment of new employees
• Solving the “two pocket problem”
• Innovation to reduce cost and promote collaboration
Does it really reduce costs?
• “All tallied, BYOD doesn’t look pretty from a cost perspective. A typical mobile BYOD environment costs 33 percent more than a well-managed wireless deployment where the company owns the devices * * *.”
– Loss of bulk purchasing power
– Higher help desk/support costs
– Security issues
IBM Experience (MIT Technology Review, Monday, May 21)
• The trend toward employee-owned devices isn’t saving IBM any money
Your experiences with BYOD – QUESTION ONE
• What approach has your company taken to the BYOD issue?
– Restricts to company-owned devices
– Allows some employees to connect personal devices, but process is ad hoc
– Has a BYOD policy
Your experiences with BYOD – QUESTION TWO
• For those with a BYOD/BYOC policy, what is the adoption rate?
– 0-25%
– 25-50%
– 50% or greater
Your experiences with BYOD – QUESTION THREE
• For those with a BYOD/BYOC policy, have you experienced employment law/HR issues as a result?
– Yes
– No
Your experiences with BYOD – QUESTION FOUR
• For those with a BYOD/BYOC policy, have you experienced information security issues as a result?
– Yes
– No
– Not sure
Your experiences with BYOD – QUESTION FIVE
• For those with a BYOD/BYOC policy, have you experienced eDiscovery challenges as a result?
– Yes
– No
– Not sure
HR and Employment Law Issues
• Performance management
• Discrimination, hostile work environment, accommodation issues
• Workplace safety
– Driving and talking or texting
• Labor
– Mandatory bargaining
– Unlawful surveillance
• International
– Data protection
– Border searches
– Espionage
HR and Employment Law Issues
• Wage & Hour
– Off-the-clock work by non-exempt employees
– “Suffered or permitted to work”
– De minimis?
– Emails themselves are evidence of time spent and notice to employer
– Time spent dealing with IT issues related to devices
– Work by non-exempt or exempt employees during weeks off or leaves of absence
HR and Employment Law Issues
• Solution to W&H concerns
– Prohibit non-exempt employees from accessing email or making work-related calls outside of work
– Limit access/program participation to employees who are exempt from OT
– Create process for reporting work performed outside of working hours
– Training
• Employees
• Managers
– Compliant policy requiring pay for all hours worked
HR and Employment Law Issues
• Expense reimbursement
– Federal law – expenses can’t reduce pay below minimum wage
– Eleven states have express or implied expense reimbursement requirements
• California, Montana, North Dakota, South Dakota, New Hampshire, Alaska, Minnesota, Arkansas, Iowa, Kentucky, Michigan
– California – must reimburse for “necessary expenditures or losses incurred ... as a consequence of the discharge of his/her duties”
– Reimbursement must meet certain criteria in order to be tax exempt
IBM Experience (MIT Technology Review, Monday, May 21)
• IBM surveyed devices and found apps and practices that could pose a security risk
– Forwarding IBM email to web-based email services
– Using device to create WiFi hotspots
– Dropbox
– iCloud
– Siri
• “We found a tremendous lack of awareness as to what constitutes a risk * * * we’re trying to make people aware.”
Data is heavily regulated
• Security laws and regulations
– Encryption
– Breach notification
– Secure data destruction
• Employee privacy rights
• Record retention
• Contractual obligations – indirectly regulated
• Trade secret protection
• eDiscovery obligations
Allowing employees to store company data on their own devices fundamentally complicates these obligations.
Security for company data
• Loss or theft of devices
– Lost and stolen equipment accounted for 31% of breaches
– Lookout helped 9 million people locate their devices; one locate request every 3.5 seconds
• Malware
– “Malware targeting the Android platform rose 3,325 percent” (Juniper)
• Friends and family
– 27.5% of FinCEN suspicious activity reports involving identity theft involved friends, family, or an employee in the home
Implications of a Security Breach
• Violation of statutory or regulatory requirements to secure personal information: HIPAA, GLBA, and state laws (MA, OR, OK, NV)
– Statutes apply to service providers of covered entities
– Enforcement: HHS and MA have recently obtained penalties
• Security breach notification laws: 46 states, DC, PR, USVI, and Guam
– Encryption safe harbor
– Encryption requirements: MA, NV, HIPAA
• Avg. cost of a breach is $194/lost record or $5.5M
Security for company data
• Gateway to the cloud
– Employee ownership of the account with the service provider will limit company access to its data
– No contract with company
– Obligation to “vet” security controls of vendors
– Data may be more available to law enforcement or others
Employee Privacy Rights
Access to private information
• GINA
• Protected characteristics
Issuing a remote wipe command
• Employees have a reasonable expectation of privacy in their personal device
• All 50 states have computer trespass laws
• Computer Fraud & Abuse Act if the unauthorized access causes damages > $5,000
Accessing an employee’s personal e-mail or cloud account
• Stored Communications Act
– Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp
Beware of Computer Trespass
• Key facts:
– Sitton used his personal computer to conduct business for PDI and for a competing business
– Sitton used the computer on PDI’s premises and connected it to PDI’s network
– When PDI caught wind of Sitton’s disloyalty, a senior manager entered his office, clicked on an e-mail list, and printed incriminating e-mail
• Ruling: Affirms denial of Sitton’s claims for computer trespass, computer theft, and computer invasion of privacy
• Reasoning: Lack of authority is an element of each claim, and PDI’s computer use policy established the manager’s authority
• Key policy provisions:
– Policy was not limited to company-owned equipment
– Informed employees that PDI would “inspect the content of computers … in the course of an investigation triggered by indications of unacceptable behavior.”
Sitton v. Print Direction, Inc., 2011 Ga. App. LEXIS 849 (Sept. 28, 2011)
Federal Stored Communications Act
• Prohibits unauthorized access to an electronic communication in electronic storage at an electronic communications service provider (18 USC §2701(a))
• Criminal statute with civil remedies
– Minimum monetary damages of $1,000
– Punitive damages and attorneys’ fees
• Consent of the account holder is a defense
Access to Personal E-mail
• Key facts:
– Pure Power Boot Camp fired Fell
– Fell started a competing business
– PPBC’s owner (Brenner) accessed three of Fell’s personal e-mail accounts
• Hotmail: Fell had accessed the account using PPBC’s computers, leaving username and password behind
• Gmail: username and password found in the Hotmail account
• Warrior Fitness Boot Camp: “lucky guess” – same password and username
– PPBC used Fell’s personal e-mail for non-compete action against Fell
• Claim: PPBC violated the SCA
• Defense:
– Electronic resources policy defeated any expectation of privacy
– Fell implicitly consented by leaving username and password on PPBC computers
• Court: summary judgment for Fell
– The policy addressed only company equipment used during the employment relationship
– The e-mails in question were not created on, sent through, or received from PPBC’s e-mail system
– At most, Fell consented to Brenner seeing his password for one account, but not to her using it for any of them
Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)
“Password Protection Laws”
• Generally prohibit employers from asking applicants or employees for personal social media log-in credentials
– Maryland
– Illinois
– California (bill awaits signature)
• Bills pending in 12 states
– DE, IL, MA, MI, MN, MO, NJ, NY, OH, PA, SC, WA
• Illinois: NO exceptions
• Maryland: Exceptions for investigations
(A) of securities fraud violations
(B) to protect trade secrets
• California: Exception for investigation of
(A) Employee misconduct
(B) Employee violations of applicable law and regulations
Record Retention and Destruction
• SOX and other industry-specific regulations
• Contractual obligations
Trade Secret Protection
• “60 percent of American workers who left their employers [in 2008] took some data with them.” (Economist)
• Misappropriation may be harder to prove
• Use or disclosure will be the focus
• Access to the devices will be a challenge
Recommendations
• Plan the program
• Technical controls
• Policies
• Operating procedures and capabilities
• Educate and train
Recommendation: Decide whether all employees should be permitted to participate in a BYOD program or whether certain groups should be excluded.
Who Should Be Eligible?
• Limit to employees with a business need
• Important to control eligibility – the more people with BYOD, the greater the risk
• NOT employees with regular access to sensitive information
– Legal, HR
– Access to highly valuable trade secrets, e.g., product engineers
– Access to highly sensitive, non-public financial information, e.g., CFO’s group
• Non-exempt employees raise off-the-clock issues
Recommendation: Require employees to consent to all company activities involving the personal device.
Employee Consent
Consent to:
1. Access to information stored on the personal device
2. Remote wipe of the device
3. Monitoring the device when accessing corporate information
Expect pushback
The Personal Device Agreement
Critical terms: Protection against computer trespass, invasion of privacy and other claims
1. Agree to Company’s use of remote wipe
2. Agree to Company’s monitoring of personal device when connected to the corporate network
3. Agree to produce the personal device for inspection in response to a legitimate request
4. Release Company from any liability for destruction, or incidental viewing, of personal information
Additional terms
6. Will install corporate security package
7. Will not modify corporate security package
8. Will immediately report loss or theft of device
9. Will limit storage of corporate information
10. Acknowledge that all company policies apply to the dual-use device
Recommendation: Restrict employees from using cloud-based apps, cloud-based backup, or synchronizing with home PCs for work-related data.
Recommendation: Ensure that use complies with Wage and Hour obligations by prohibiting off-the-clock work and ensuring pay for all hours worked.
Training
1. Don’t leave the device unattended
2. Don’t share the device’s passwords with anyone
3. Don’t share the device with anyone, including family and friends
4. How to report a lost or stolen device
5. Beware of downloaded apps
Security Incident Response
1. Confirm that dual-use device is encrypted
2. Confirm that remote wipe was activated promptly
3. Confirm that unauthorized acquirer had to unlock a password-protected screensaver
4. If no confirmation, collect e-mail on corporate Exchange server from date the loss/theft occurred
– Search for trigger PII
5. Interview employee concerning contents of local storage on dual-use device
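A constructed triage script for steps 1 to 4 above (an added example, not part of the webinar materials). It assumes that any one confirmed safeguard (encryption, prompt remote wipe, or a locked screen) ends the review, that the mail pulled from the server is already a list of date/subject/body records, and that the notification-triggering PII to search for is a Social Security number or a Luhn-valid payment card number; the two sample messages and the SSN and card values in them are made up.

```python
import re

# Constructed sample: messages pulled from the corporate mail server. The SSN and
# card number are well-known dummy test values, not real personal data.
SAMPLE_MESSAGES = [
    {"date": "2012-09-20", "subject": "Q3 forecast",
     "body": "Slides attached, see you at 3."},
    {"date": "2012-09-24", "subject": "New hire paperwork",
     "body": "Jane Doe, SSN 123-45-6789, corporate card 4111 1111 1111 1111."},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # nnn-nn-nnnn
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")         # 13-16 digits, spaces/dashes allowed


def luhn_ok(digits):
    """Luhn checksum, used to reject digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_trigger_pii(text):
    """Return the kinds of notification-triggering PII found in one message body."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            kinds.add("card")
    return kinds


def triage(encrypted, wipe_confirmed, screen_locked, loss_date, messages):
    """Steps 1-4: a confirmed safeguard ends the review (assumption); otherwise scan
    mail dated from the loss onward and report which messages carried trigger PII."""
    if encrypted or wipe_confirmed or screen_locked:
        return {"notify_review": False, "hits": []}
    hits = []
    for msg in messages:
        if msg["date"] < loss_date:    # ISO dates compare correctly as strings
            continue
        kinds = find_trigger_pii(msg["body"])
        if kinds:
            hits.append((msg["date"], msg["subject"], sorted(kinds)))
    return {"notify_review": bool(hits), "hits": hits}
```

A non-empty hit list only says which mailbox content was exposed; whether notification is actually owed still turns on the state laws and safe harbors listed earlier in the deck.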
Bottom Line: BYOD creates risks and challenges for employers
• Data-related risks
– Security of company data
– Privacy of employee data
– Records management
– Contractual obligations
– eDiscovery
– Trade secret protection
– Contingent workers
• HR-related risks
– Performance management
– EEO
– Wage & Hour
– Workplace safety
– Labor
– International