the byod workplace and the - employment law alliance...apr 17, 2014 · 4th amendment...
TRANSCRIPT
The BYOD Workplace and the
24/7 Employee: Managing Legal
Risks for Employers
Thursday, April 17, 2014
Moderator
Molly M. DiBianca, Associate,
Young Conaway Stargatt and Taylor
Wilmington, DE
2
Speakers
Adam S. Forman, Principal, Miller, Canfield,
Paddock and Stone, Detroit, MI
Michael S. Glassman, Partner,
Dinsmore & Shohl, Cincinnati, OH
3
Speakers
4
Melanie V. Pate, Partner,
Lewis Roca Rothgerber, Phoenix, AZ
J. E. Jess Sweere, Director, Cross, Gunter,
Witherspoon & Galchus, Little Rock, AR
Introduction
Molly DiBianca
Young Conaway Stargatt & Taylor
5
The Current Landscape
• Key Statistics
– Use of mobile technology
– BYOD policies
• What’s an employer to do?
– Manage risk
– Be a realist
6
Webinar Agenda
• Legal Risks
• Best Practices
• Policy Pointers
7
Legal Risks
Adam S. Forman
Miller, Canfield, Paddock & Stone
J.E. Jesse Sweere
Cross, Gunter, Witherspoon & Galchus
8
CONSTITUTIONAL
PROTECTIONS
9
10
4th Amendment
• Unreasonable searches and seizures
– Murphy v. Spring (N.D. Okla. 2013)
– Chaney v. Fayette Cnty. Pub. Sch.
Dist. (N.D. Ga. 2013)
11
12
“Once It’s There – It’s There To Stay”
9th and 14th Amendments
• Penumbra of “implied constitutional
rights of privacy”
– NASA v. Nelson (U.S. 2011)
– People v. Holmes (Colo. Dist. Ct.
2013)
13
STATUTORY
PROTECTIONS
14
Electronic Communications Privacy Act
• Title 1 – Federal Wire Tap
– No “intercepting” electronic
communications without authorization of 1
party
• Title 2 – Stored Communications Act
− No accessing, without authorization, a
“facility” through which electronic
communication service is provided and
thereby access to an electronic
communication while it is “electronic
storage”
15
Electronic Communications Privacy Act
• Title 2 – Stored Communications Act
– Disputes over “stored”
• Cheng v. Romo (D. Mass. 2013)
– Disputes over “facility”
• Garcia v. City of Laredo (5th Cir. 2012)
– BYOD
• Lazette v. Kulmatycki (N.D. Ohio 2013)
16
NATIONAL LABOR
RELATIONS ACT
17
National Labor Relations Act
• Protects employees who discuss
terms and conditions of employment
• Social media is the today’s workplace
“water cooler”
• For unionized employers – social
media and BYOD policies are a
mandatory subject of bargaining
• Use of monitoring software has
surveillance implications
18
National Labor Relations Board
• Enforces the NLRA
• The Board has taken a very strong
stance on any employer action or
policy designed to restrict employee
communication via social media
• Must be careful not to draft “overly
broad” BYOD policies
19
Fair Labor Standards Act
• Statute that requires the payment of
a minimum wage for all hours
worked, and overtime for all hours
worked in excess of 40 in a work
week
20
Wage and Hour Issues
21
When non-exempt
employees use their own
devices, there is a risk
that employees will raise
wage & hour claims for
time worked “off the
clock.”
Wage and Hour Issues
• Employees have to be paid for “off
the clock” work even when the
employer did not request it.
• Usual situation: making work-related
calls, reading and replying to emails
during off-work hours.
22
Easy Solution?
23
No email or
work-related
calls outside
of working
hours
Not Necessarily
• While this certainly is an option, it
might not always be the best one:
− There is an advantage to having a flexible
staff that can be accessed outside of work
that may outweigh the extra pay
− A blanket prohibition also must be clearly
communicated and employees must be
consistently disciplined for disregarding the
policy
− Enforcing such a bright-line policy is often
unrealistic in practice
24
Password Protection Statutes
• Many states have passed statutes
prohibiting employers from requiring
employees to provide usernames
and passwords to social media
accounts.
• Arkansas’s statute could be
interpreted to prohibit a supervisor
from “friending” or “following” an
employee 25
Password Protection Statutes
• Review your state’s statute carefully
• Train supervisors and managers to
refrain from seeking social medial
credentials of employees and
applicants
26
COMMON LAW
PROTECTIONS
27
Four Common Law Torts
1. Intrusion upon seclusion
2. False Light
3. Appropriation of Likeness
4. Public disclosure of embarrassing
private facts
28
Intrusion upon Seclusion
• Most commonly asserted common
law claim
– Ehling v. Monmouth-Ocean Hosp. Serv.
(D.N.J. 2013)
29
PRACTICAL
CONSIDERATIONS
30
Control of Employer Data
• Increased risk of theft/loss
• Personal v. work device
• Facilitate employee theft
• Greater exposure
• Malware, viruses and hacking
• Consequences for loss
31
Legal Compliance
• EEO laws
• Labor laws
• OSHA
• Privilege issues
• E-discovery
32
BYOD and Harassment
33
The blurring of personal and work-
related use on one device can be
conducive for increased hostile work
environments.
BYOD and Harassment
• The employer has a duty to stop co-
employee harassment when the
employer knows or has reason to
know that such harassment is part of
a pattern of harassment that is taking
place in the workplace and in
settings that are related to the
workplace.
34
OSHA-Related Issues
• Blackberry thumb” & neck problems
− Repetitive motion of texting can
cause injury to the hand
− Cradling small phone between head
and shoulder
• What to do:
− Educate employees regarding
ergonomic use of their device 35
OSHA-Related Issues
• Distracted driving
− Study shows that texting driver takes
twice as long to react than a legally
intoxicated driver
− A company culture of texting while
driving can create liability
• What to do:
− Implement policy prohibiting texting
& possibly talking while driving 36
Litigation Holds – E-Discovery
• When an employer has notice that
litigation is possible, it has a duty to
identify and preserve relevant
sources of data
• Rules of Civil Procedure require a
party to produce documents and
electronically stored information that
are in its “possession, custody or
control” 37
Best BYOD Practices
Melanie V. Pate
Lewis Roca Rothgerber
38
Three Keys to BYOD Success
• Analyze scope of issues and risks
for your particular company
• Create a comprehensive written
policy
• Communicate the policy to
employees
39
Analyze Scope of Issues and Risks for
Your Particular Company
• Do you want to permit employees to
use their own devices for work
purposes?
• Can your in-house IT department
appropriately address BYOD issues
and challenges?
• Do you have “buy-in” from top
officials/leaders in your company?
40
Create a Comprehensive Written Policy
• Benefits of having a specific written
policy
• Risks of not having a specific written
policy
• Develop agreement on policy
components
• Solicit feedback from key employees
41
Communicate the Policy to Employees
• Determine how the policy can and
will be communicated effectively
• Train employees on policy
• Carefully explain what is and what is
not acceptable under policy
• Have employees sign written
acknowledgment
42
Other BYOD Best Practices
• Ensure top executives are covered
by and adhere to BYOD policies
• Allow employees broad device
choice and consider covering part of
device cost
• Require employees to buy devices
through normal consumer channels
to maintain clear lines of ownership 43
Other BYOD Best Practices
• Require contractors to use their own
devices and include them in your
policies
• Provide support and guidance to
employees and help them
understand the responsibilities that
come with BYOD
44
Other BYOD Best Practices
• Keep business data strictly
segregated to support e-discovery
requirements and data retention
policies
• Determine how various IT support
and maintenance tasks will be
addressed
45
Other BYOD Best Practices
• Choose security solutions that allow
employees to self-audit their devices
and quickly report potential security
risks (aka: BYOD for Dummies)
• Monitor data usage to verify that only
authorized use is occurring if costs
are reimbursed
46
BYOD Policy Points
Michael S. Glassman Dinsmore and Shohl
47
What Does a BYOD Policy
Need to Include?
• Determine whether a BYOD policy is
right for your company
48
Policy Development
• What should a BYOD policy
include?
– No “one-size-fits-all” policy exists
– Review and analyze existing policies
to see how they relate to employee
use of personal devices for business
purposes.
49
Policy Development
• Which employees should be eligible
to use their own devices?
• Company provided devices vs.
personal devices
• Network security controls
• Employee consent form
• Lost or stolen devices
• Access by others 50
Acceptable Use
• Define what constitutes acceptable
personal use of personal device on
company time
• Consider whether there are any
apps/software that may not be
installed on a personal device
• Address the need to obtain
authorization to work remotely and
outside of normal working hours 51
Devices and Support
• Specify what devices company will
permit and support
• Require that devices be presented to
IT for approval and configuration
before use on company network
52
Ownership of Information
• Address that the company owns
records, data, work product on
personal device that was created
within scope of employment
• Include non-disclosure
language/reference existing policies
53
Security Controls
• Address security measures for
personal devices
• Require password protection
• Autolocking
• No jailbreaking, rooting, modding
• Encryption
• Limit use to employee 54
Security Controls
• Prohibit transfer of data
• Ability for employer to wipe device
• Consult with IT
55
Company Access to Device
• Employee must relinquish
possession and control of personal
device to company upon request
• Specify that employer can inspect
and take control of device, and
monitor communications, location
and activity
• Company allowed to copy or image
personal device 56
Device Monitoring and Management
• Implement Mobile Device
Management (MDM) software and
inform employee of MDM controls
• Specify that device may be wiped if
lost, employment terminates, or a
data breach
• Specify that employees have no
expectation of privacy with respect to
personal device 57
Please Complete Our Survey
Please take a few minutes to complete the survey that will
appear on your computer screen immediately following
the webinar.
To listen to this webinar again or to any past ELA
webinars, please visit our website at:
www.employmentlawalliance.com.
The ELA is not authorized to give CLE/HRCI/SHRM credit
for its webinars; however, a Certificate of Attendance and
supporting materials are now posted on the ELA website
(click this webinar’s title and scroll down to the link).
Attendees seeking HRCI or SHRM credit should submit
the materials directly to HRCI at www.hrci.org or to SHRM
at www.shrm.org. 58