Bring Your Own Device in the Workplace: Minimizing Legal Risks of BYOD Programs Protecting Employers' Proprietary Information by Developing and Enforcing Effective Policies and Procedures Today’s faculty features: 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10. WEDNESDAY, JUNE 3, 2015 Presenting a live 90-minute webinar with interactive Q&A Aaron K. Tantleff, Partner, Foley & Lardner, Chicago Michael N. Westheimer, Shareholder, Buchalter Nemer, San Francisco
Transcript
Bring Your Own Device in the Workplace:
Minimizing Legal Risks of BYOD Programs Protecting Employers' Proprietary Information by Developing
Take advantage of newer technology supplied by individual employees as opposed to budget for the purchase of new devices for the workforce
Accommodate an employee's desire to carry one device
Enable employees to more easily work in their preferred operating system
Avoid employee training on how to use a company-issued device
Create guidelines and outline employer expectations for a practice that may be underway regardless
Disadvantage
Increase technology expenses
Wage and hour liability for nonexempt employees using devices outside of regular business hours
Privacy and security for personal data
Confidentiality and security for employer data
Employer's legal duties to retain information
Employer liability for an employee's wrongful use of the device
Data collection, retention and destruction
Litigation holds or contractual agreements
Intellectual Property ownership and protection
Violation of unrelated policies while using a personal device
Access to data with respect to separated employee
Productivity
12
Who owns the device?
– BYOD versus CYOD
Who owns the data?
– Does it matter, personal versus corporate data?
Courts have not addressed unique aspects of BYOD
No laws specific to BYOD
13
14
Forrester: 48% of information workers buy smartphones without even considering what their company supports.
Dell Kace Study: 87% of companies unable to effectively protect corporate data and intellectual property because of employees who use some kind of personal device for work -- including laptops, smartphones, and tablet computers.
15
Forrester: 50% of information workers are splitting their
time between the office and home or another location,
underscoring the need for mobile devices.
ISACA: two-thirds of employees ages 18 to 34 have
personal devices they use for work purposes
Gartner: 9-40% savings using employee PCs.
16
MarketWatch: Eighty-seven percent of companies say
they have employees that use personal tech devices for
work.
eWeek: Sixty-two percent of IT administrators feel they
don’t have the tools to properly manage personal
devices.
1 in 10 workers already use their own device as their
primary work device.
17
Employee BYOD Trends Enterprise IT BYOD Challenges
88% of employed adults use at least one
personally owned electronic device for
business use1
1 out of 2 companies have experienced
data breach due to insecure devices2
44% of companies have a mobile security
strategy3
37% of companies employ malware
protection for mobile devices 3
1PwC, Consumer privacy: What are consumers willing to share? July 2012
2Ponemon and Websense Survey of 4,640 companies, 2012
3PwC Global State of Information Security Survey, 2013
Participation in the program is a privilege, not a right.
Presentation to employees
22
Restrictive
Executive or managerial
employees
– Reduce risk of losing or leaking
confidential company information
General employees
– Avoid potential issues under the NLRA
Nonexempt employees
– Avoid wage claims for minimum wage
or overtime compensation for work
performed outside of or beyond the
standard 40 hour workweek
Temporary employees and
independent contractors
Permissive
Employees who travel extensively
Work from home or other remote
locations
On call / hours are not fixed
Approved devices
23
No Expectation of Privacy – Employees may not have a right to privacy in their electronic communications when using employer-
provided devices (see City of Ontario, Cal. v. Quon, 560 U.S. 746 (2010)), but, absent agreement to the contrary, they do have that right when using their own devices.
– The federal Computer Fraud and Abuse Act and state computer trespass laws criminalize some unauthorized access of another's computer, and the federal Stored Communications Act protects the privacy of wire and electronic communications while in electronic storage (such as e-mails stored on a server).
– Employers may also face liability for viewing protected personal information stored on an employee's own device
Employees' Written Consent – Require an employee's written consent to monitor, intercept, review and erase both personal and
business content stored on or transmitted by an employee's personal device.
– Consider specific consent or acknowledgment rather than blanket acknowledge of all policies
Tracking Employee Movements – Devices may allow individual tracking. Use with caution
– Mobile device management, or MDM, solutions may provide location tracking services • Useful to employers wishing to confirm their employees are actually at work when they claim to be
• May be an invasion of privacy – New York Court of Appeals held that a government employer's covert GPS tracking of a vehicle to monitor an employee's movements
was unreasonable where the employer did not make a reasonable effort to avoid tracking the employee outside of business hours (Cunningham v. New York State Dep't of Labor, 997 N.E. 2d 468 (N.Y. 2013)).
– Some states prohibit the use of GPS tracking in most situations (e.g., Tennessee's statutory prohibition on GPS tracking, Tenn. Code Ann. § 39-13-606.)
24
Employee training is key
When to conduct/repetition
Designate a go-to person or group for questions
– Importance of a uniform message
Consider follow-up e-mail and memos to highlight key
areas
25
Monitoring compliance
Employee enforcement
Technological enforcement
Ensuring related company policies are followed
– Litigation hold
– Retention
– Trade secret protection
26
Seven Key Risks
27
28
Mixing business and personal data
Information security
Software licensing issues
Discovery/Border searches and seizures
Repetitive stress and other workplace injuries
Shared use of devices with non-employees
Employee disposal of device
29
Data segregation – the future
Privacy concerns
– Employee
– Third parties
Other “data” – the great American novel
Location tracking
Remote wipe
30
Extending the corporate security policy to BYOD
Enforcing security policies on BYOD
BYOD security software
Remote wipe
Tracking
Malware on mobile devices
31
Drains battery life
Renders device non-functional
Could infect company systems
Deletes information from device
Snoopware - records and transmits information
32
33
Mobility has generated a deluge of business data, but deployment of mobile security has not kept
pace with use
Smart phones, tablets, and the “bring your own device” trend have elevated security risks. Yet
efforts to implement mobile security programs do not show significant gains over last year, and
continue to trail the proliferating use of mobile devices.
Initiatives launched to address mobile security risks
19%
30%
35%
37%
39%
42%
N/A
33%
31%
36%
38%
40%
Use of geolocation controls
Ban of user-owned devices in the workplace/network access
Strong authentication on devices
Protect corporate e-mail and calendaring on employee- and user-owned devices
Mobile device-management software
Mobile security strategy
2012 2013
PwC Global State of Information Security Survey 2014, Question 16: “What initiatives has your organization launched to address mobile security
risks?” (Not all factors shown.)
34
Company software
– Which applications?
– What do the licenses say?
Employee personal software
– Ex. Microsoft Office Home
Get ready for audits
35
BYOD are fair game in litigation
– Employees must understand
Litigation hold
Cost of responding to discovery
Beware at the border
– Data and devices can be copied or seized
– Increased risk of data theft
36
Some information resides only on device, despite potential data flow through the company’s server
Not all devices are created equal, requiring different software and tools, depending on the device
Forensics utilizes both "physical" and "logical" acquisition of data - advanced analysis requires obtaining operating system files, device memory and other technical information, plus personal email or documents or phone data
Can't just “remove the hard drive”
Non-iOS devices may contain an extra memory card – needs to be imaged separately from the phone
Some devices do not have in/out ports (such as USB), difficult to access and remove memory
37
Data is volatile – over-the-air device wiping is a risk
Lack of employer control over right to access personal information and data stored on employee-owned devices / services
Need cooperation and passcode from employee to access the device – May need to crack passwords, which is time-consuming
“Jailbreaking” is typically easier on Android products than Apple
Some devices do not indicate data volume size, may make scoping of the collection difficult
Different information (text, GIS, photos, etc) can be obtained, depending on the device, however it may not be all appropriate for collection, and may require planning and consent
38
Repetitive stress and other work related injuries can arise
from BYODs.
Disclaim liability
Urge employees to follow vendor recommendations
Check insurance coverages
39
Friends, family, neighbors, etc.
A risk that cannot be completely controlled
– Impossible to obtain consent
– Policy coverage
Security implications
Company proprietary and confidential information at risk
Privacy and other issues
40
EOL of BYOD
The eBay threat, garage sales, Craig’s list
– Army hardware being sold on streets of Afghanistan
– Broker-dealer Blackberry on eBay
Company notice of sale or transfer
– Policy issue
Terminated employees likely to be reluctant
41
Mobile Device Management
42
Provide Control and Visibility to Mobile Devices
Simplify User Setup and Enrollment
Enable Rich Policy Controls
Support All Your Mobile Devices
BUT…
– Your employees may have other ideas
43
Putting it All Together
44
BYOD is here to stay
Develop workable policies that support the business case
Train employees to ensure they understand their
obligations; Follow-up
Develop and institute enforcement procedures
Understand the key risks
45
Selected Regulations
46
Health Insurance Portability and Accountability Act of
1996 (HIPAA)
Health Information Technology for Economic and Clinical
Health (HITECH) Act
– expanded HIPAA security standards to encompass business
associates (i.e., vendors, contractors, and subcontractors that
access, use, disclose, or create PHI on covered entities’
behalf)
47
Information Security Regulations (“Security Rule”)
pursuant to HIPAA
– Required implementation of technical, physical and
administrative safeguards for protected health information
(PHI) in electronic form – 45 CFR Parts 160, 162 and 164
48
The HIPAA Privacy Rule
– Protects PHI
– Applies to health plans, health care clearinghouses, and those
health care providers that conduct certain health care
transactions electronically
– Requires appropriate safeguards to protect the privacy of PHI,
and sets limits and conditions on the uses and disclosures that
may be made of such information without patient authorization – 45 CFR Part 160 and Subparts A and E of Part 164
49
American Recovery and Reinvestment Act (ARRA) &
HITECH Act
– Prohibit storage of unencrypted personally identifiable
information and protected health information on any computing
device
50
Consider rules requiring that internal communications
regarding a company’s business and those with its
customers be maintained, retrievable and reviewed
– SEC Rules 17a-3 and 17a-4
– NASD Rules 2210, 3010, 3110 & 31101
– NYSE & NASD “Joint Guidance” regarding capture of
communications between broker/dealers and customers
51
Gramm-Leach-Bliley Act (GLBA)
– Covers information created or received by a “financial
institution” as part of a customer relationship
• 15 U.S.C. ßß 6801 – 6809
– Financial institutions must protect an individual’s personal
• Physical security designed to prevent unauthorized access
• Procedures to limit disclosure based on “need to know”
• Measures to emphasize to recipients the confidential nature of the information
Art of Living Foundation v. Does (N.D. Cal. May 1, 2012) Reasonable efforts can include:
1. Advising employees of existence of trade secret
2. Limiting access to information on a need to know basis
3. Requiring employees to sign confidentiality agreements
4. Keeping secret documents under lock
57
Protecting Trade Secrets
FormFactor v. Micro-Probe (N.D. Cal. June 7, 2012) • No confidentiality agreement
• Employee was allowed to use personal email and personal home computer for company business, and to back up company data onto external hard drives and thumb drives
• No request to return company data when employee resigned
• Company lacked evidence that trade secrets at issue had never been publicly disclosed or placed in public domain
58
Using Device for Business Purposes
Company-Owned Device Usage Policy • Device is company property
• Device is to be used solely for business purposes
• Company reserves right to inspect device
• Company monitors employee’s use of device
• Employee’s use of device is being recorded
• Employee has no expectation of privacy in using the device
• Device and all data must be returned at end of employment
59
Using Device for Business Purposes
BYOD vs. CYOD • Bring Your Own Device: employees are given access to company
systems and data on employee-owned devices
• Choose Your Own Device: employees are given a choice between a limited number of approved devices for accessing company systems and data
Who owns / pays? • Purchase of equipment
• Provision of voice / text / data plan
• Allowance / expense reimbursement
60
Using Device for Business Purposes
Reimbursement of Business Expenses
• Cal. Labor Code § 2802: Employee shall be reimbursed for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties, or of his or her obedience to the directions of the employer
• Cochran v. Schwan’s Home Service, 228 Cal.App.4th 1137 (Aug. 12, 2014)
» When employees must use personal cell phones for work-related calls, the employer must reimburse them
» Whether the employees have cell phone plans with unlimited minutes or limited minutes, the reimbursement owed is a reasonable percentage of their cell phone bills
61
Privacy Rights
Computer Fraud and Abuse Act (CFAA) • Prohibits intentionally accessing and obtaining information from a
protected computer either without authorization or exceeding authorized access
Stored Communications Act (SCA) • Protects electronic communications transmitted via an electronic
communication service that are in electronic storage and not public
• Prohibits intentionally accessing the communication either without authorization or exceeding authorized access, and obtaining, altering or preventing authorized access to the communication
62
Privacy Rights
Ehling v. Monmouth-Ocean Hosp. Service (D. N.J. Aug. 20, 2013)
• Non-public Facebook wall posts were found to be protected communications under the Stored Communications Act
• Here no violation because a co-worker that employee “friended” had authorized co-worker’s access to her wall, who voluntarily took screenshots of posts and gave them to the employee’s manager
Pure Power Boot Camp v. Warrior Fitness Boot Camp (S.D. N.Y. Aug. 23, 2008, Dec. 22, 2010)
• Company violated Stored Communications Act by accessing former employee’s personal emails from Hotmail and Gmail accounts
• Court rejected argument that authorization was implied because employee had logged in from work computer
63
Privacy Rights
Social Media Privacy Statutes • Arkansas, California, Colorado, Illinois, Louisiana, Maryland, Michigan,
Montana, Nevada, New Hampshire, New Mexico, New Jersey, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Virginia, Washington, Wisconsin
California Labor Code § 980 (effective Jan. 1, 2013) • Employer shall not require or request that an employee or applicant:
1. disclose username or password for the purpose of accessing personal social media;
2. access personal social media in the employer’s presence; or
3. divulge any personal social media
• Exception: personal social media reasonably believed to be relevant to investigation of allegations of employee misconduct or violation of law
• OK to get username / password to access employer-issued device
64
Privacy Rights
Personal privacy • Financial
• Sexual matters / sexual orientation
• Medical condition / records
• Genetic information
HR Best Practices • Protocols for ensuring that employment decisions are made based on
job-related criteria
• Restrictions on collecting and providing access to information about employee protected status – age, race, ethnicity, national origin, disability, etc.
65
Off-the-Clock Issues (Non-exempts)
Compensability of non-exempt employees’ after-hours use of BYOD devices
• Portal-to-Portal Act » Commute time
» Preliminary and postliminary activities
• De minimus time
• Continuous workday rule
• On-call time
66
Off-the-Clock Issues (Non-exempts)
White v. Baptist Memorial Health Care Corp., 699 F.3d 869 (6th Cir. 2012)
• Auto-deduct for meal breaks, company had override procedures where employees could get paid by reporting missed meal breaks in an exception log or reporting payroll errors for correction
• Employee sued for unpaid missed meal breaks, but did not report them in exception log and did not utilize payroll correction procedure
• Court held that under the circumstances, the time was not compensable under the FLSA:
» “Under the FLSA, if an employer establishes a reasonable process for an employee to report uncompensated work time the employer is not liable for non-payment if the employee fails to follow the established process.”
» When the employee fails to follow reasonable time reporting procedures she prevents the employer from knowing its obligation to compensate the employee and thwarts the employer’s ability to comply with the FLSA.”
67
Off-the-Clock Issues (Non-exempts)
Prescott v. Prudential Insurance Co., 729 F.Supp.2d 357 (D. Maine 2010)
• Employee presented evidence at class certification stage that:
» Employees understood that the company, with some exceptions, would not approve OT and did not pay employees for OT work they performed
» The company, by instituting company-wide metrics for performance, knowingly created a situation where employees likely would work extra hours and that the employees in fact did so
• Court found the employee’s evidence was sufficient to meet the “modest” factual showing required for conditional certification of FLSA collective action, subject to possible decertification at a later stage in the proceedings
68
Strategic Implementation
BYOD Policy • Addresses onboarding, use during employment, termination of
employment
• Sets protocols for appropriate use of device and data protection
• Establishes confidentiality, nondisclosure
• Creates consent to access and obtain information
• Curtails privacy expectations
Mobile Device Management (MDM) • Reasonable efforts to protect trade secrets
• Prevention of both intentional misappropriation and inadvertent disclosure
69
Strategic Implementation
Wage & Hour
• Reasonable, established procedures for:
» Tracking compensable work time
» Reporting additional compensable work time that is not captured with regular procedures
» Prohibiting off-the-clock work
» Reimbursing for business expenses where required
