Page 1: Managing Retailer's Challenges of Bring Your Own Device (BYOD) Programs

Source: shared.littler.com/tikit/2013/13_Webinars/PDF/Presentation_3-19-13.…

Presented by: Philip Gordon, Esq., Margaret Keane, Esq., Michael McGuire, Esq.

March 19, 2013

Page 2: Presented by

• Philip Gordon, Esq., Littler Mendelson, P.C., Denver Office
• Margaret Keane, Esq., Littler Mendelson, P.C., San Francisco Office
• Michael McGuire, Esq., Littler Mendelson, P.C., Minneapolis Office

Page 3: Lingo: Dual Use Mobile Devices and BYOD

• BYOD = Bring Your Own Device
• Dual Use Mobile Device: a mobile device used to create, store and transmit both personal and work-related data
• Some other terms:
  – BYOC: Bring Your Own Computer. Programs that add laptops to the covered devices
  – BYOA: Bring Your Own App. Per Gartner Group, 145 new mobile apps were downloaded per second in Q4 2012

Page 4: What Are Employers Doing?

• 55% of IT managers have made exceptions for “specialized members,” i.e., top executives, to use their choice of devices and software (2013 iPass MobileIron study)
• 55% of IT directors will actively accommodate and encourage the use of personal devices (Citrix Study 2012)
• 81% of respondents accommodate personal devices in the workplace (2013 iPass MobileIron study)
• 54% of respondents had a formalized BYOD policy (2013 iPass MobileIron study)

Page 5: Tech Companies Taking The Lead

• IBM
  – 80,000 employees
  – IBM CIO: “If we didn’t support them, we figured [employees] would figure out how to support [the devices] themselves.”
• Intel
  – Started program in 2008
  – Now encompasses 24,000 devices, about 90% of these are smartphones
  – Uses multiple security levels for access to different categories of documents
• Sybase
  – 20 different phone options
  – Employees buy and own the phones, but Sybase pays for the monthly service contract
• Citrix
  – $2,100 stipend to purchase a laptop of their choice and a 3-year warranty
  – Company-owned cost was $2,600
  – Adoption rate of about 20%

Page 6: What Are Retailers Doing?

Source: December 11, 2011, Good Technology, BYOD customer survey

Page 7: What’s Happening in the Retail Sector?

Page 8: Retail: Mobile is Here to Stay (But is BYOD?)

• Lowes purchased 42,000 iPhones for employees
  – Smartphones enable employees to check inventory at nearby stores, share how-to videos, check competitor prices, check order status, check schedules, verify sale prices and better respond to customers
  – Developing applications include tools to calculate the amount of paint needed to paint a room
  – My Lowe’s can organize info about projects and past purchases
  – Devices include a spare battery and a credit card reader to enable sales associates to ring up sales
  – http://www.bloomberg.com/news/2011-09-08/lowe-s-upgrades-website-to-spur-sales-at-iphone-equipped-stores.html
• Home Depot distributed 34,000 “First Phones” to employees
  – Devices permit associates to continuously update and monitor inventory levels in the system
  – First Phones provide instant access to product information and improve checkout times
  – http://blogs.wsj.com/cio/2012/06/21/home-depot-rolls-out-new-mobile-devices-for-workers/

Page 9: What Are Employees Doing?

Consumerization of IT
• 62% of full-time workers own a smartphone
• 33% of full-time workers own a tablet
• Time spent on a mobile device each day by a U.S. adult has quadrupled from 2009 (22 minutes) to 2012 (88 minutes)
  – Source: USA Today, 3/7/13

Page 10: What Are Employees Doing?

How do you use your smartphone?

Source: The iPass Global Mobile Workforce Report, http://mobile-workforce-project.ipass.com/cpwp/wp-content/files_mf/ipass_mobileworkforcereport_q3_2011.pdf

Page 11: What Are Employees Doing?

Do you use your tablet primarily as a personal or work device?

Page 12: Corporate Rationales

• Reducing expenses for employers
• Improving employee productivity
  – Intel estimates that its BYOD employees save an average of 57 minutes per day by being able to access work materials from personal devices, based on three years of employee estimates
• Improving employee engagement
• Aiding in the recruitment of new employees
• Solving the “two pocket problem”

Page 13: Does It Really Reduce Costs?

• “All tallied, BYOD doesn’t look pretty from a cost perspective. A typical mobile BYOD environment costs 33 percent more than a well-managed wireless deployment where the company owns the devices ***.”
  – Loss of bulk purchasing power
  – Higher help desk/support costs
  – Security issues
• The trend toward employee-owned devices isn’t saving IBM any money. (MIT Technology Review, Monday, May 21, 2012)

Page 14: What Are The Risks?

1. Loss of control over your company’s data
   • Compliance with information security laws and contractual obligations to protect or destroy data
   • Trade secret protection
2. Loss of control over the device
   • Conducting internal investigations
   • E-Discovery
3. HR/Employment Law Issues
   • Wage & hour
   • Managing leave
   • Employee privacy rights

Page 15: Other Challenges

1. Records management requirements
2. Preserving and collecting data from personal devices for litigation holds and investigations
3. International legal challenges
4. Workplace safety issues
5. Performance management and EEO issues
6. Deploying BYOD in a unionized workplace

Page 16: COPE

• Corporate Owned, Personally Enabled
• Emerging as an alternative to BYOD
• Addresses many of the corporate goals
• Minimizes some of the risks
• Makes other risks easier to manage

Page 17: Setting Up a BYOD Program: Overview

A BYOD program includes:
• Policies that govern use of personal devices to access corporate services and conduct company business
• Policies that attempt to manage the risk associated with storage and transmittal of data using devices that may be outside of the employer’s control
• Policies to address the impact of mobile devices on existing workplace behavior
• New processes and capabilities in IT, HR, and business units to implement the policies

Page 18: HR AND EMPLOYMENT LAW ISSUES

Page 19: Policies Affected by BYOD

Mobile devices have an impact on policies throughout your business:
• Data Privacy & Security
• Harassment, Discrimination & EEO
• Workplace Safety
• Time Recording and Overtime
• Acceptable Use of Technology
• Compliance and Ethics
• Records Management
• Litigation Holds
• Confidentiality & Trade Secret Protection

Page 20: Policies Affected by BYOD

Mobile devices have an impact on policies throughout your business:
• Labor
  – Mandatory bargaining
  – Labor issues
• International considerations
  – Data protection
  – Border searches
  – Espionage

Page 21: Are You at Work? Mobile Technology, BYOD or not, Blurs the Line Between Home and Work

• By one estimate, 72% of Americans check their email on weekends and vacations and 42% check email while home sick.
  – Source: www.kikabink.com/news/most-workers-addicted-to-email-2-out-of-3-u-s-and-u-k-workers-check-mail-outside-business-hours/ (citing Harris Interactive research)
• iPass Mobile Employee definition: an employee using a mobile device who accesses networks (other than the corporate LAN or WLAN) for work purposes
• The average mobile worker works 240 hours per year longer than the work force in general
• 43% of mobile workers keep a smart phone at arm’s reach when they sleep
• 96% of mobile workers under 45 have smart phones
• 35% of mobile workers check email first thing upon awakening
  – Source: The iPass Global Mobile Workforce Report, August 2011, www.mobile-workforce-project.ipass.com/cpwp/wp-content/files_mf/ipass_mobileworkforcereport-q-3_2011.pdf

Page 22: The 24/7 workplace and the FLSA

• Wage & Hour
  – Off-the-clock work by non-exempt employees
  – “Suffered or permitted to work”
  – De minimis?
  – Emails may be evidence of time spent and notice to employer
  – Time spent dealing with IT issues related to devices
  – Work by non-exempt or exempt employees during weeks off or leaves of absence

Page 23: The 24/7 workplace and the FLSA

• Address W&H concerns
  – Prohibit non-exempt employees from accessing email or making work-related calls outside of work
  – Limit access/program participation to employees who are exempt from OT
  – Create a process for reporting work performed outside of working hours
  – Training for employees and managers
  – Compliant policy requiring pay for all hours worked

Page 24: Who pays for BYOD devices

Page 25: Who Will Pay and What Devices are Included?

• Who pays for/owns the device?
• Who pays for the service plan: employer-selected options or reimbursement?
• Options include technology allowances, reimbursement, and standard devices issued by the employer.

Page 26: Who Picks up the Tab?

• Expense Reimbursement
  – Federal law: expenses can’t reduce pay below minimum wage
  – Eleven states have express or implied expense reimbursement requirements
    • California, Montana, North Dakota, South Dakota, New Hampshire, Alaska, Minnesota, Arkansas, Iowa, Kentucky, Michigan
  – California: must reimburse for “necessary expenditures or losses incurred ... as a consequence of the discharge of his/her duties”
  – Reimbursement must meet certain criteria in order to be tax exempt

Page 27: PRIVACY & SECURITY ISSUES

Page 28: Security For Company Data

78% of respondents cited BYOD as a “significant” security risk (Global Information Security Workforce Study 2013)
• Loss or theft of devices
  – 47% of IT managers reported dealing with lost or stolen phones (2013 iPass MobileIron study)
  – 39% of respondents stated that they have the necessary security controls to address the risks created by mobile devices (Ponemon Study Feb. 2012)
• Malware
  – 69% of respondents ranked application vulnerabilities as the highest security concern, with malware and mobile devices a close second at 67% and 66% respectively (Global Information Security Workforce Study 2013)
• Friends and family
  – 27.5% of FinCEN suspicious activity reports involving identity theft involved friends, family, or an employee in the home

Page 29: Implications Of A Security Breach

• Violation of statutory or regulatory requirements to secure personal information: HIPAA, GLBA, and state laws (MA, OR, OK, NV)
  – Statutes apply to service providers of covered entities
  – Enforcement: HHS and MA have recently obtained penalties
• Security breach notification laws: 46 states, DC, PR, USVI, and Guam
  – Encryption safe harbor
  – Encryption requirements: MA, NV, HIPAA
• Avg. cost of a breach in 2011 was $194/lost record or $5.5M (Ponemon Study 2012)

Page 30: Security For Company Data

• Gateway to the Cloud
  – Employee ownership of the account with the service provider will limit company access to its data
  – No contract with the company
  – Obligation to “vet” security controls of vendors
  – Data may be more available to law enforcement or others

Page 31: Trade Secret Protection

• 50% of responding employees who left or lost their job in the preceding 12 months kept confidential corporate information, and 40% planned to use it in their new job (Symantec Survey 2013)
• Misappropriation may be harder to prove
• Use or disclosure will be the focus
• Access to the devices will be a challenge
• Confidential information sent “to the cloud”

Page 32: Can Data in the Cloud Undermine Your Trade Secret Protection?

Trade secrets must be:
1. Maintained in confidence
2. Of commercial value from not being generally known
3. Not readily ascertainable by proper means

Risk areas:
1. LinkedIn: customer lists in the public domain?
2. Sasqua Group, Inc. v. Cartney, No. CV 10-528, 2010 WL 36138855 (EDNY, August 2, 2010)
   – Customer information not a trade secret where publicly available information “exceeded the amount and level of detail contained in the Sasqua database.”
   – Sasqua did not have password-protected computers and did not require the employee to sign a confidentiality or non-solicitation agreement
3. LinkedIn contacts may violate non-solicit and non-compete restrictions (TEK Systems v. Hammernick, Civ. No. 10-CV-00819 (D. Minn. Mar. 16, 2010))

Page 33: Employee Privacy Rights

Issuing a remote wipe command
• Employees have a reasonable expectation of privacy in their personal device
• All 50 states have computer trespass laws
• Computer Fraud & Abuse Act, if the unauthorized access causes damages exceeding $5,000

Accessing an employee’s personal e-mail or cloud account
• Stored Communications Act
  – Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp

Access to private information
• GINA

Page 34: Beware of Computer Trespass

• Key facts:
  – Sitton used his personal computer to conduct business for PDI and for a competing business
  – Sitton used the computer on PDI’s premises and connected it to PDI’s network
  – When PDI caught wind of Sitton’s disloyalty, a senior manager entered his office, clicked on an e-mail list, and printed incriminating e-mail

Sitton v. Print Direction, Inc., 2011 Ga. App. LEXIS 849 (Sept. 28, 2011)

Page 35: Beware of Computer Trespass

• Ruling: Affirms dismissal of Sitton’s claims for computer trespass, computer theft, and computer invasion of privacy
• Reasoning: Lack of authority is an element of each claim, and PDI’s computer use policy established the manager’s authority
• Key policy provisions:
  – Policy was not limited to company-owned equipment
  – Informed employees that PDI would “inspect the content of computers … in the course of an investigation triggered by indications of unacceptable behavior.”

Page 36: Federal Stored Communications Act

• Prohibits unauthorized access to an electronic communication in electronic storage at an electronic communications service provider (18 USC §2701(a))
• Criminal statute with civil remedies
  – Minimum monetary damages of $1,000
  – Punitive damages and attorneys’ fees
• Consent of the account holder is a defense

Page 37: Access to Personal E-Mail

Key facts:
• Pure Power Boot Camp fired Fell
• Fell started a competing business
• PPBC’s owner (Brenner) accessed three of Fell’s personal e-mail accounts
  – Hotmail: Fell had accessed the account using PPBC’s computers, leaving username and password behind
  – Gmail: username and password found in the Hotmail account
  – Warrior Fitness Boot Camp: “lucky guess”, same password and username
• PPBC used Fell’s personal e-mail for the non-compete action against Fell

Page 38: Access to Personal E-Mail

• Claim: PPBC violated the SCA
• Defense:
  – Electronic resources policy defeated any expectation of privacy
  – Fell implicitly consented by leaving username and password on PPBC computers
• Court: summary judgment for Fell
  – The policy addressed only company equipment used during the employment relationship
  – The e-mails in question were not created on, sent through, or received from PPBC’s e-mail system
  – At most, Fell consented to Brenner seeing his password for one account, but not to her using it for any of them

Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)

Page 39: International Data Protection Issues

• The number of countries with broad data protection laws has increased dramatically in the past three years
• The ability to roll out a program globally can vary substantially by country
  – France, Mexico, Spain: Yes
  – Brazil, Czech Republic: No
  – Singapore: Yes, with adjustments

Page 40: eDiscovery Challenges

• Locating the data
• Access to the device
• Collection challenges
• Increased costs

Page 41: TOP TEN RECOMMENDATIONS

Page 42: Recommendation #1

• Decide whether all employees should be permitted to participate in a BYOD program or whether certain groups, such as non-exempt employees, should be excluded.

Page 43: Who Should Be Eligible?

• Important to control eligibility
  – The more people with BYOD, the greater the risk
• Limit to employees with a business need
• NOT employees with regular access to sensitive information
  – Legal, HR
  – Access to highly valuable trade secrets, e.g., product engineers
  – Access to highly sensitive, non-public financial info, e.g., CFO’s group
• Non-exempt employees raise off-the-clock issues

Page 44: Recommendation #2

• Install mobile device management software on dual-use devices.

Page 45: Sandbox Approach

Page 46: What is MDM – Mobile Device Management?

Mobile Device Management:
• Software that allows corporate IT to manage use of mobile devices. A component of BYOD programs. Features may allow an employer to:
  – Require users to install software as a condition of storing company data on the device and connecting to the company network
  – Lock down the end user’s ability to use specific device features or apps, such as cameras or iCloud
  – Enable remote locking or wipe of the device
  – Enforce use of strong passwords
  – Prevent users from jailbreaking the device or disabling or altering security settings on devices

Page 47: Key Security Controls

1. Encryption
2. Passcodes
3. Remote wipe capability
4. Lockdown after a short period of inactivity
5. Wipe device after a set number of unsuccessful passcode attempts
6. Anti-malware protection (limited availability)
7. Device locator (geolocation features may require employee consent)
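The MDM features on the previous slide and the seven key security controls above are what an enrollment gate actually checks before a dual-use device is allowed to hold company data. The following is an added example, not material from the presentation or Littler: a posture evaluator that applies the seven controls plus the jailbreak and feature-lockdown items to posture reports. The report field names, the thresholds (300-second auto-lock, 10 failed attempts, 6-character passcode) and the two sample devices are all constructed assumptions, not any MDM vendor's schema. Note how the two controls with a legal angle are handled: anti-malware is a warning rather than a failure where the platform simply has none (the slide's "limited availability"), and a running device locator without recorded employee consent is surfaced as an HR/legal warning rather than a technical pass.

```python
"""Evaluate MDM posture reports against the seven key security controls.

Added example: the posture dictionaries below imitate what an MDM agent
might report. The field names and the thresholds are assumptions, not any
vendor's schema or the presentation's own material.
"""
from dataclasses import dataclass, field

# Policy thresholds (assumed values; set them from your own written policy).
MAX_INACTIVITY_LOCK_SECONDS = 300     # control 4: lock after a short idle period
MAX_FAILED_ATTEMPTS_BEFORE_WIPE = 10  # control 5: wipe after N bad passcodes
MIN_PASSCODE_LENGTH = 6               # control 2 and the MDM "strong passwords" item
BLOCKED_FEATURES = {"icloud_backup"}  # page 46: features MDM locks down, e.g. iCloud


@dataclass
class PostureResult:
    device_id: str
    failures: list = field(default_factory=list)  # any one blocks corporate access
    warnings: list = field(default_factory=list)  # policy/consent follow-ups

    @property
    def compliant(self) -> bool:
        return not self.failures


def evaluate_posture(report: dict) -> PostureResult:
    """Apply controls 1-7 plus the page-46 MDM items to one posture report."""
    r = PostureResult(report["device_id"])
    # 1. Encryption: also what the breach-notification encryption safe harbor turns on.
    if not report.get("storage_encrypted"):
        r.failures.append("1:encryption")
    # 2. Passcode set and long enough.
    if not report.get("passcode_set") or report.get("passcode_length", 0) < MIN_PASSCODE_LENGTH:
        r.failures.append("2:passcode")
    # 3. Remote wipe must be enrolled before loss or theft, not after.
    if not report.get("remote_wipe_enrolled"):
        r.failures.append("3:remote_wipe")
    # 4. Auto-lock interval; 0 or missing means the device never locks itself.
    lock = report.get("autolock_seconds", 0)
    if lock <= 0 or lock > MAX_INACTIVITY_LOCK_SECONDS:
        r.failures.append("4:inactivity_lock")
    # 5. Local wipe after repeated failed passcode attempts.
    wipe_after = report.get("wipe_after_failed_attempts", 0)
    if wipe_after <= 0 or wipe_after > MAX_FAILED_ATTEMPTS_BEFORE_WIPE:
        r.failures.append("5:failed_attempt_wipe")
    # 6. Anti-malware has "limited availability": absent on the platform is a
    #    warning, available but switched off is a failure.
    if not report.get("antimalware_available"):
        r.warnings.append("6:anti_malware_unavailable")
    elif not report.get("antimalware_active"):
        r.failures.append("6:anti_malware")
    # 7. Device locator is a security control, but geolocation may need consent,
    #    so a locator running without recorded consent is an HR/legal warning.
    if not report.get("locator_enabled"):
        r.failures.append("7:device_locator")
    elif not report.get("geolocation_consent"):
        r.warnings.append("7:locator_without_consent")
    # Page 46 MDM items: jailbreak/root detection and blocked features.
    if report.get("jailbroken"):
        r.failures.append("mdm:jailbroken")
    for feat in sorted(BLOCKED_FEATURES & set(report.get("enabled_features", []))):
        r.failures.append(f"mdm:blocked_feature:{feat}")
    return r


# Constructed sample reports (no real devices).
SAMPLE_REPORTS = [
    {"device_id": "dev-ok", "storage_encrypted": True, "passcode_set": True,
     "passcode_length": 8, "remote_wipe_enrolled": True, "autolock_seconds": 120,
     "wipe_after_failed_attempts": 10, "antimalware_available": True,
     "antimalware_active": True, "locator_enabled": True, "geolocation_consent": True,
     "jailbroken": False, "enabled_features": ["camera"]},
    {"device_id": "dev-risky", "storage_encrypted": False, "passcode_set": True,
     "passcode_length": 4, "remote_wipe_enrolled": True, "autolock_seconds": 900,
     "wipe_after_failed_attempts": 0, "antimalware_available": False,
     "locator_enabled": True, "geolocation_consent": False,
     "jailbroken": True, "enabled_features": ["camera", "icloud_backup"]},
]


def evaluate_all(reports=SAMPLE_REPORTS) -> dict:
    """Map device id to its PostureResult; non-compliant devices get quarantined."""
    return {rep["device_id"]: evaluate_posture(rep) for rep in reports}


if __name__ == "__main__":
    for dev, res in evaluate_all().items():
        state = "ALLOW" if res.compliant else "QUARANTINE"
        print(f"{dev}: {state} failures={res.failures} warnings={res.warnings}")
```

Run as a script it prints one ALLOW/QUARANTINE line per device. The split between failures and warnings is the design point: IT can act on a failure by itself, while a warning (no anti-malware on the platform, locator without consent) is a question for HR or counsel, which matches the slide's note that geolocation may require employee consent.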

Page 48: BYOD is NOT a Best Practice for Processing Credit Card Transactions

• On February 13, 2013, PCI issued Mobile Payment Acceptance Security Guidelines to Merchants and End-Users
• “Since the BYOD scenario does not provide the merchant with control over the content and configuration of the device, it is not recommended as a Best Practice.”

Page 49: Recommendation #3

• Implement policies tailored to your program, culture, and risks
  – COPE
  – BYOD

Page 50: Key Provisions

1. Eligible users and eligible devices
2. Technical and physical security controls
3. Application of corporate policies
4. Restrictions on uses of a dual-use device
5. Corporate access, monitoring, and deletion of data
6. Reporting loss or theft
7. Responsibility for maintenance
8. Responsibility for payment

Page 51: Recommendation #4

• Require employees to consent to all company activities involving the personal device

Page 52: The Dual-Use Device Agreement

Critical terms: protection against computer trespass, invasion of privacy and other claims
1. Agree to Company’s use of remote wipe
2. Agree to Company’s monitoring of the personal device
3. Agree to produce the personal device for inspection and copying in response to legitimate requests
4. Release Company from any liability for destruction or incidental viewing of personal information

• Expect pushback

Page 53: The Dual-Use Device Agreement

Additional terms:
5. Will install corporate security package
6. Will not modify corporate security package
7. Will immediately report loss or theft of device
8. Will limit storage of corporate information
9. Acknowledge that all company policies apply to the dual-use device

Page 54: Recommendation #5

• Restrict employees from using cloud-based apps, cloud-based backup, or synchronizing with home PCs

Page 55: Protection of Trade Secret Information in the Cloud

• Take reasonable measures to protect trade secrets in a BYOD environment
• Use Confidentiality Agreements/Proprietary Information Assignment Agreements (“PIAA”)

Page 56: Recommendation #6

• Ensure that use complies with wage and hour obligations by prohibiting off-the-clock work and ensuring pay for all hours worked

Page 57: Recommendation #7

• Evaluate payment options: how much to contribute to payment for the personal device? For the personal plan?

Page 58: Recommendation #8

• No use by friends and family members

Page 59: Recommendation #9

• Training for managers, HR, and IT staff as well.

Page 60: Security Incident Response

1. Confirm that the dual-use device is encrypted
2. Confirm that remote wipe was activated promptly
3. Confirm that the unauthorized acquirer had to unlock a password-protected screensaver
4. Depending on the responses, may need to:
   – Collect e-mail on the corporate e-mail server from the date the loss/theft occurred and search for trigger PII
   – Interview the employee concerning the contents of local storage on the dual-use device
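The four steps above are a decision procedure: three yes/no facts about the device, and a fall-through to mailbox collection and an employee interview when any of them is "no". The following is an added example, not the presentation's or Littler's own material, that encodes that procedure for a lost-device report. The loss event, the mailbox messages, the 60-minute definition of a "prompt" remote wipe and the two trigger-PII patterns (an SSN shape and a Luhn-valid 16-digit card number) are all constructed assumptions; the slide names none of them, and what counts as trigger PII for notification purposes is a question for counsel under the applicable statute. The Luhn check is there for a practical reason: order and reference numbers in corporate mail are often 16 digits long, and without it the "search for trigger PII" step drowns in false positives.

```python
"""Triage a lost or stolen dual-use device along the slide's four steps.

Added example: the loss event and mailbox below are constructed, and the
60-minute definition of a "prompt" wipe plus the two trigger-PII patterns
are assumptions; the presentation itself gives no thresholds or patterns.
"""
import re
from datetime import datetime, timedelta

WIPE_PROMPT_MINUTES = 60  # assumption: remote wipe within an hour counts as prompt

# Trigger-PII patterns (assumed set): a US SSN shape and a 16-digit card number.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn check so that arbitrary 16-digit strings are not reported as cards."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_trigger_pii(text: str) -> list:
    """Labels of trigger PII present in one message body."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    if any(luhn_ok(m) for m in CARD_RE.findall(text)):
        found.append("card_number")
    return found


def scan_mailbox(messages: list, since: datetime) -> list:
    """Step 4a: server-side messages dated on/after the loss that carry trigger PII."""
    return [(m["id"], find_trigger_pii(m["body"]))
            for m in messages
            if m["sent"] >= since and find_trigger_pii(m["body"])]


def assess_lost_device(event: dict, mailbox: list) -> dict:
    """Steps 1-3 become yes/no checks; step 4 actions run only when one fails."""
    wipe_delay = None
    if event.get("wipe_issued_at"):
        wipe_delay = (event["wipe_issued_at"] - event["lost_at"]) / timedelta(minutes=1)
    checks = {
        "encrypted": bool(event.get("storage_encrypted")),                            # step 1
        "wipe_prompt": wipe_delay is not None and wipe_delay <= WIPE_PROMPT_MINUTES,  # step 2
        "screen_locked": bool(event.get("passcode_lock_active")),                     # step 3
    }
    actions = []
    if not all(checks.values()):
        # Step 4: data may have been readable in the window, so collect mail from the
        # loss date and search it, then interview the employee about local storage.
        actions.append(("collect_and_search_mail", scan_mailbox(mailbox, event["lost_at"])))
        actions.append(("interview_employee_local_storage", None))
    return {"checks": checks, "wipe_delay_minutes": wipe_delay, "actions": actions}


# Constructed incident: device lost at 09:00, wipe issued 4.5 hours later.
SAMPLE_EVENT = {
    "device_id": "dev-lost-01",
    "lost_at": datetime(2013, 3, 1, 9, 0),
    "wipe_issued_at": datetime(2013, 3, 1, 13, 30),
    "storage_encrypted": True,
    "passcode_lock_active": True,
}

# Constructed mailbox; the SSN and card number are well-known placeholder values.
SAMPLE_MAILBOX = [
    {"id": "msg-1", "sent": datetime(2013, 2, 27, 8, 0),
     "body": "Applicant SSN 123-45-6789 attached to the file."},       # before the loss
    {"id": "msg-2", "sent": datetime(2013, 3, 1, 10, 15),
     "body": "Customer card 4111 1111 1111 1111 was charged twice."},  # after, Luhn-valid
    {"id": "msg-3", "sent": datetime(2013, 3, 2, 9, 0),
     "body": "Order ref 4111 1111 1111 1112 is not a card number."},   # fails Luhn
    {"id": "msg-4", "sent": datetime(2013, 3, 2, 11, 0),
     "body": "Weekly schedule attached."},
]


def run_sample() -> dict:
    return assess_lost_device(SAMPLE_EVENT, SAMPLE_MAILBOX)


if __name__ == "__main__":
    result = run_sample()
    print("checks:", result["checks"], "wipe delay (min):", result["wipe_delay_minutes"])
    for action, detail in result["actions"]:
        print(action, detail)
```

In the constructed incident the device was encrypted and locked but the wipe went out 270 minutes after the loss, so the second check fails and the procedure falls through to step 4: only `msg-2` is flagged, because `msg-1` predates the loss and the number in `msg-3` fails the Luhn check. The wipe-delay figure is worth keeping in the incident record on its own, since it is the fact that the slide's step 2 asks about.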

Page 61: Recommendation #10

• Revise exit interview processes

Page 62: Littler BYOD White Paper

Go to: www.workplaceprivacycounsel.com
Search: “BYOD”

Page 63: Littler’s Social Media Summit

April 10, 2013, San Francisco, CA
http://www.littler.com/events

Page 64: Questions?

Page 65:

• Philip Gordon, Esq., Littler Mendelson, P.C., Denver Office
• Margaret Keane, Esq., Littler Mendelson, P.C., San Francisco Office
• Michael McGuire, Esq., Littler Mendelson, P.C., Minneapolis Office