Managing Retailer's Challenges of Bring Your Own Device (BYOD) Programs
March 19, 2013

Presented by:
Philip Gordon, Esq., Littler Mendelson, P.C., Denver Office, [email protected]
Margaret Keane, Esq., Littler Mendelson, P.C., San Francisco Office, [email protected]
Michael McGuire, Esq., Littler Mendelson, P.C., Minneapolis Office, [email protected]
Lingo: Dual Use Mobile Devices and BYOD
• BYOD = Bring Your Own Device
• Dual Use Mobile Device: Mobile device used to create, store and transmit both personal and work-related data
• Some Other Terms:
– BYOC: Bring Your Own Computer. Programs that add laptops to the covered devices
– BYOA: Bring Your Own App. Per Gartner Group, 145 new mobile apps were downloaded per second in Q4 2012
What Are Employers Doing?
• 55% of IT managers have made exceptions for “specialized members,” i.e., top executives to use their choice of devices and software (2013 iPass MobileIron study)
• 55% of IT directors will actively accommodate and encourage the use of personal devices (Citrix Study 2012)
• 81% of respondents accommodate personal devices in the workplace (2013 iPass MobileIron study)
• 54% of respondents had a formalized BYOD policy (2013 iPass MobileIron study)
Tech Companies Taking The Lead
• IBM – 80,000 employees
– IBM CIO: “If we didn’t support them, we figured [employees] would figure out how to support [the devices] themselves.”
• Intel
– Started program in 2008
– Now encompasses 24,000 devices, about 90% of these are smartphones
– Uses multiple security levels for access to different categories of documents
• Sybase
– 20 different phone options
– Employees buy and own the phones, but Sybase pays for the monthly service contract
• Citrix
– $2,100 stipend to purchase a laptop of their choice and a 3-year warranty
– Company owned cost was $2,600
– Adoption rate of about 20%
What Are Retailers Doing?
Source: December 11, 2011, Good Technology, BYOD customer survey
What’s Happening in the Retail Sector?
Retail: Mobile is Here to Stay (But is BYOD?)
• Lowes purchased 42,000 iPhones for employees
– Smartphones enable employees to check inventory at nearby stores, share how-to videos, check competitor prices, check order status, check schedules, verify sale prices and better respond to customers
– Developing applications include tools to calculate the amount of paint needed to paint a room
– My Lowe’s can organize info about projects and past purchases
– Devices include spare battery and credit card reader to enable sales associates to ring up sales
Source: http://www.bloomberg.com/news/2011-09-08/lowe-s-upgrades-website-to-spur-sales-at-iphone-equipped-stores.html
• Home Depot distributed 34,000 “First Phones” to employees
– Devices permit associates to continuously update and monitor inventory levels in the system
– First Phones provide instant access to product information and improve checkout times
Source: http://blogs.wsj.com/cio/2012/06/21/home-depot-rolls-out-new-mobile-devices-for-workers/
What Are Employees Doing?
Consumerization of IT
• 62% of full-time workers own a smartphone
• 33% of full-time workers own a tablet
• Time spent on a mobile device each day by U.S. adults has quadrupled from 2009 (22 minutes) to 2012 (88 minutes)
(USA Today 3/7/13)
What Are Employees Doing?
How do you use your smartphone?
Source: The iPass Global Mobile Workforce Report, http://mobile-workforce-project.ipass.com/cpwp/wp-content/files_mf/ipass_mobileworkforcereport_q3_2011.pdf
What Are Employees Doing?
Do you use your tablet primarily as a personal or work device?
Corporate Rationales
• Reducing expenses for employers
• Improving employee productivity
– Intel estimates that its BYOD employees save an average of 57 minutes per day by being able to access work materials from personal devices, based on three years of employee estimates
• Improving employee engagement
• Aiding in the recruitment of new employees
• Solving the “two pocket problem”
Does It Really Reduce Costs?
• “All tallied, BYOD doesn’t look pretty from a cost perspective. A typical mobile BYOD environment costs 33 percent more than a well-managed wireless deployment where the company owns the devices ***.”
– Loss of bulk purchasing power
– Higher help desk/support costs
– Security issues
• The trend toward employee-owned devices isn’t saving IBM any money. (MIT Technology Review, Monday, May 21, 2012)
What Are The Risks?
1. Loss of control over your company’s data
• Compliance with information security laws and contractual obligations to protect or destroy data
• Trade secret protection
2. Loss of control over the device
• Conducting internal investigations
• E-Discovery
3. HR/Employment Law Issues
• Wage & hour
• Managing leave
• Employee privacy rights
Other Challenges
1. Records management requirements
2. Preserving and collecting data from personal devices for litigation holds and investigations
3. International legal challenges
4. Workplace safety issues
5. Performance management and EEO issues
6. Deploying BYOD in a unionized workplace
COPE
• Corporate Owned, Personally Enabled
• Emerging as alternative to BYOD
• Addresses many of the corporate goals
• Minimizes some of the risks
• Makes other risks easier to manage
Setting Up a BYOD Program: Overview
A BYOD program includes:
• Policies that govern use of personal devices to access corporate services and conduct company business
• Policies that attempt to manage the risk associated with storage and transmittal of data using devices that may be outside of the employer’s control
• Policies to address the impact of mobile devices on existing workplace behavior
• New processes and capabilities in IT, HR, and business units to implement the policies
HR AND EMPLOYMENT LAW ISSUES
Policies Affected by BYOD: Mobile devices have impact on policies throughout your business
• Data Privacy & Security
• Harassment, Discrimination & EEO
• Workplace Safety
• Time Recording and Overtime
• Acceptable Use of Technology
• Compliance and Ethics
• Records Management
• Litigation Holds
• Confidentiality & Trade Secret Protection
• Labor
– Mandatory bargaining
– Labor issues
• International considerations
– Data protection
– Border searches
– Espionage
Are You at Work? Mobile Technology, BYOD or not, Blurs the Line Between Home and Work
• By one estimate, 72% of Americans check their email on weekends and vacations and 42% check email while home sick.
– Source: www.kikabink.com/news/most-workers-addicted-to-email-2-out-of-3-u-s-and-u-k-workers-check-mail-outside-business-hours/ (citing Harris Interactive research)
• iPass Mobile Employee Definition: Employee using a mobile device who accesses networks (other than corporate LAN or WLAN) for work purposes
• Average mobile worker works 240 hours per year longer than the work force in general
• 43% of mobile workers keep their smart phone at arm’s reach when they sleep
• 96% of mobile workers under 45 have smart phones
• 35% of mobile workers check email first thing upon awakening
– Source: The iPass Global Mobile Workforce Report, August 2011, www.mobile-workforce-project.ipass.com/cpwp/wp-content/files_mf/ipass_mobileworkforcereport-q-3_2011.pdf
The 24/7 workplace and the FLSA
• Wage & Hour
– Off-the-clock work by non-exempt employees
– “Suffered or permitted to work”
– De minimis?
– Emails may be evidence of time spent and notice to employer
– Time spent dealing with IT issues related to devices
– Work by non-exempt or exempt employees during weeks off or leaves of absence
The 24/7 workplace and the FLSA
• Address W&H Concerns
– Prohibit non-exempt employees from accessing email or making work-related calls outside of work
– Limit access/program participation to employees who are exempt from OT
– Create process for reporting work performed outside of working hours
– Training
• Employees
• Managers
– Compliant policy requiring pay for all hours worked
Who pays for BYOD devices
Who Will Pay and What Devices are Included?
• Who pays for/owns device?
• Who pays for service plan – employer selected options or reimbursement?
• Options include technology allowances, reimbursement, standard devices issued by employer.
Who Picks up the Tab?
• Expense Reimbursement
– Federal law – expenses can’t reduce pay below minimum wage
– Eleven states have express or implied expense reimbursement requirements
• California, Montana, North Dakota, South Dakota, New Hampshire, Alaska, Minnesota, Arkansas, Iowa, Kentucky, Michigan
– California – must reimburse for “necessary expenditures or losses incurred ... as a consequence of the discharge of his/her duties”
– Reimbursement must meet certain criteria in order to be tax exempt
PRIVACY & SECURITY ISSUES
Security For Company Data
78% of respondents cited BYOD as a “significant” security risk (Global Information Security Workforce Study 2013)
• Loss or theft of devices
– 47% of IT managers reported dealing with lost or stolen phones (2013 iPass MobileIron study)
– 39% of respondents stated that they have the necessary security controls to address the risks created by mobile devices (Ponemon Study Feb. 2012)
• Malware
– 69% of respondents ranked application vulnerabilities as the highest security concern, with malware and mobile devices a close second at 67% and 66% respectively (Global Information Security Workforce Study 2013)
• Friends and family
– 27.5% of FinCEN suspicious activity reports involving identity theft involved friends, family, or an employee in the home
Implications Of A Security Breach
• Violation of statutory or regulatory requirements to secure personal information: HIPAA, GLBA, and state laws (MA, OR, OK, NV)
– Statutes apply to service providers of covered entities
– Enforcement: HHS and MA have recently obtained penalties
• Security breach notification laws: 46 states, DC, PR, USVI, and Guam
– Encryption safe harbor
– Encryption requirements: MA, NV, HIPAA
• Avg. cost of a breach in 2011 was $194/lost record or $5.5M (Ponemon Study 2012)
Security For Company Data
• Gateway to the Cloud
– Employee ownership of the account with the service provider will limit company access to its data
– No contract with company
– Obligation to “vet” security controls of vendors
– Data may be more available to law enforcement or others
Trade Secret Protection
• 50% of responding employees who left or lost their job in the preceding 12 months kept confidential corporate information, and 40% planned to use it in their new job (Symantec Survey 2013)
• Misappropriation may be harder to prove
• Use or disclosure will be the focus
• Access to the devices will be a challenge
• Confidential information sent “to the cloud”
Can Data in the Cloud Undermine Your Trade Secret Protection?
Trade Secrets Must Be:
1. Maintained in confidence
2. Of commercial value from not being generally known
3. Not readily ascertainable by proper means
Risk Areas:
1. LinkedIn – Customer lists in the public domain?
2. Sasqua Group, Inc. v. Cartney, No. CV 10-528, 2010 WL 36138855 (EDNY, August 2, 2010)
– Customer information not a trade secret where publicly available information “exceeded the amount and level of detail contained in the Sasqua database.”
– Sasqua did not have password protected computers; did not require employee to sign confidentiality or non-solicitation agreement
3. LinkedIn contacts may violate non-solicit and non-compete restrictions (TEK Systems v. Hammernick, Civ. No. 10-CV-00819 (D. Minn. Mar. 16, 2010))
Employee Privacy Rights
Issuing a remote wipe command
• Employees have a reasonable expectation of privacy in their personal device
• All 50 states have computer trespass laws
• Computer Fraud & Abuse Act if the unauthorized access causes damages exceeding $5,000
Accessing an employee’s personal e-mail or cloud account
• Stored Communications Act
– Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp
Access to private information
• GINA
Beware of Computer Trespass
Sitton v. Print Direction, Inc., 2011 Ga. App. LEXIS 849 (Sept. 28, 2011)
• Key facts:
– Sitton used his personal computer to conduct business for PDI and for a competing business
– Sitton used the computer on PDI’s premises and connected it to PDI’s network
– When PDI caught wind of Sitton’s disloyalty, a senior manager entered his office, clicked on an e-mail list, and printed incriminating e-mail
• Ruling: Affirms dismissal of Sitton’s claims for computer trespass, computer theft, and computer invasion of privacy
• Reasoning: Lack of authority is an element of each claim, and PDI’s computer use policy established the manager’s authority
• Key Policy Provisions:
– Policy was not limited to company-owned equipment
– Informed employees that PDI would “inspect the content of computers … in the course of an investigation triggered by indications of unacceptable behavior.”
Federal Stored Communications Act
• Prohibits unauthorized access to an electronic communication in electronic storage at an electronic communications service provider – 18 USC §2701(a)
• Criminal statute with civil remedies
– Minimum monetary damages of $1,000
– Punitive damages and attorneys’ fees
• Consent of the account holder is a defense
Access to Personal E-Mail
Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)
Key Facts:
• Pure Power Boot Camp fired Fell
• Fell started a competing business
• PPBC’s owner (Brenner) accessed three of Fell’s personal e-mail accounts
– Hotmail: Fell had accessed the account using PPBC’s computers, leaving username and password behind
– Gmail: username and password found in the Hotmail account
– Warrior Fitness Boot Camp: “lucky guess” – same password and username
• PPBC used Fell’s personal e-mail for non-compete action against Fell
• Claim: PPBC violated the SCA
• Defense:
– Electronic resources policy defeated any expectation of privacy
– Fell implicitly consented by leaving username and password on PPBC computers
• Court: summary judgment for Fell
– The policy addressed only company equipment used during the employment relationship
– The e-mails in question were not created on, sent through, or received from PPBC’s e-mail system
– At most, Fell consented to Brenner seeing his password for one account, but not to her using it for any of them
International Data Protection Issues
• The number of countries with broad data protection laws has increased dramatically in the past three years
• Ability to roll out program globally can vary substantially by country
− France, Mexico, Spain: Yes
− Brazil, Czech Republic: No
− Singapore: Yes with adjustments
eDiscovery Challenges
• Locating the data
• Access to the device
• Collection challenges
• Increased costs
TOP TEN RECOMMENDATIONS
Recommendation #1:
• Decide whether all employees should be permitted to participate in a BYOD program or whether certain groups, such as non-exempt employees, should be excluded.
Who Should Be Eligible?
• Important to control eligibility – The more people with BYOD, the greater the risk
• Limit to employees with a business need
• NOT employees with regular access to sensitive information
– Legal, HR
– Access to highly valuable trade secrets, e.g., product engineers
– Access to highly sensitive, non-public financial info, e.g., CFO’s group
• Non-exempt employees raise off-the-clock issues
Recommendation #2:
• Install mobile device management software on dual-use devices.
Sandbox Approach
What is MDM – Mobile Device Management?
• Software that allows corporate IT to manage use of mobile devices. Component of BYOD programs.
• Features may allow an employer to:
– Require users to install software as a condition of storing company data on the device and connecting to the company network
– Lock down end user’s ability to use specific device features or apps, such as cameras or iCloud
– Enable remote locking or wipe of device
– Enforce use of strong passwords
– Prevent users from jailbreaking the device or disabling or altering security settings on the device
Key Security Controls
1. Encryption
2. Passcodes
3. Remote wipe capability
4. Lockdown after short period of inactivity
5. Wipe device after a set number of unsuccessful passcode attempts
6. Anti-malware protection (limited availability)
7. Device locator (Geolocation features may require employee consent)
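The MDM features and the seven key controls above are what a device-compliance check enforces before a dual-use device is allowed to hold company data. The following Python is an added illustration, not part of the presentation and not the output or API of any MDM product: the device-posture schema, the thresholds (five-minute inactivity lock, ten failed passcode attempts, six-character minimum passcode) and the two sample reports are constructed assumptions. It also folds in the MDM goals from the previous slide (jailbreak detection) and treats the device locator as acceptable only when employee consent is recorded.

```python
"""Evaluate a dual-use device's self-reported posture against the deck's key
security controls. Illustration only: schema, thresholds and samples are
constructed assumptions, not any real MDM product's data format."""
from dataclasses import dataclass
from typing import List, Tuple

# Policy thresholds (assumed values chosen for this example).
MAX_INACTIVITY_MINUTES = 5          # control 4: lock after short inactivity
MAX_FAILED_PASSCODE_ATTEMPTS = 10   # control 5: wipe after N failed attempts
MIN_PASSCODE_LENGTH = 6             # control 2: passcode strength


@dataclass
class DevicePosture:
    """One device's reported state (constructed schema)."""
    device_id: str
    encrypted: bool
    passcode_set: bool
    passcode_min_length: int
    remote_wipe_enrolled: bool
    inactivity_lock_minutes: int      # 0 means the device never auto-locks
    wipe_after_failed_attempts: int   # 0 means the auto-wipe is disabled
    anti_malware_installed: bool
    jailbroken: bool
    locator_enabled: bool
    locator_consent_on_file: bool


def evaluate(d: DevicePosture) -> Tuple[List[str], List[str]]:
    """Return (failures, warnings). Failures block access; warnings are reported only."""
    failures: List[str] = []
    warnings: List[str] = []
    if not d.encrypted:
        failures.append("1-encryption")
    if not d.passcode_set or d.passcode_min_length < MIN_PASSCODE_LENGTH:
        failures.append("2-passcode")
    if not d.remote_wipe_enrolled:
        failures.append("3-remote-wipe")
    if d.inactivity_lock_minutes == 0 or d.inactivity_lock_minutes > MAX_INACTIVITY_MINUTES:
        failures.append("4-inactivity-lock")
    if d.wipe_after_failed_attempts == 0 or d.wipe_after_failed_attempts > MAX_FAILED_PASSCODE_ATTEMPTS:
        failures.append("5-wipe-on-failed-attempts")
    if not d.anti_malware_installed:
        # The deck notes anti-malware has limited availability, so warn rather than block.
        warnings.append("6-anti-malware")
    if d.jailbroken:
        # MDM goal from the previous slide: no jailbreak or altered security settings.
        failures.append("jailbroken")
    if d.locator_enabled and not d.locator_consent_on_file:
        # Control 7: geolocation may require employee consent; without it, treat as a failure.
        failures.append("7-locator-without-consent")
    return failures, warnings


def access_decision(d: DevicePosture) -> str:
    """Map a posture report to an MDM-style enrollment action."""
    failures, _ = evaluate(d)
    return "allow" if not failures else "quarantine"


# Constructed sample reports: one compliant device, one that fails nearly everything.
COMPLIANT = DevicePosture("dev-001", True, True, 6, True, 5, 10, True, False, True, True)
LOST_RISK = DevicePosture("dev-002", False, True, 4, False, 0, 0, False, True, True, False)


if __name__ == "__main__":
    for dev in (COMPLIANT, LOST_RISK):
        f, w = evaluate(dev)
        print(dev.device_id, access_decision(dev), "failures:", f, "warnings:", w)
```

Returning failures and warnings separately lets the same evaluator drive both an enrollment gate (quarantine until the failures are fixed) and a reporting view, which is how the deck's "limited availability" caveat on anti-malware is reflected without weakening the other controls.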
BYOD is NOT a Best Practice for Processing Credit Card Transactions
• On February 13, 2013, PCI issued Mobile Payment Acceptance Security Guidelines to Merchants and End-Users
• “Since the BYOD scenario does not provide the merchant with control over the content and configuration of the device, it is not recommended as a Best Practice.”
Recommendation #3:
• Implement policies tailored to your program, culture, and risks
– COPE
– BYOD
Key Provisions
1. Eligible users and eligible devices
2. Technical and physical security controls
3. Application of corporate policies
4. Restrictions on uses of a dual-use device
5. Corporate access, monitoring, and deletion of data
6. Reporting loss or theft
7. Responsibility for maintenance
8. Responsibility for payment
Recommendation #4:
• Require employees to consent to all company activities involving the personal device
The Dual-Use Device Agreement
Critical Terms: Protection against computer trespass, invasion of privacy and other claims
1. Agree to Company’s use of remote wipe
2. Agree to Company’s monitoring of personal device
3. Agree to produce the personal device for inspection and copying in response to a legitimate request
4. Release Company from any liability for destruction or incidental viewing of personal information
• Expect Pushback
The Dual-Use Device Agreement
Additional Terms
5. Will install corporate security package
6. Will not modify corporate security package
7. Will immediately report loss or theft of device
8. Will limit storage of corporate information
9. Acknowledge that all company policies apply to the dual-use device
Recommendation #5:
• Restrict employees from using cloud-based apps, cloud-based backup, or synchronizing with home PCs
Protection of Trade Secret Information in the Cloud
• Take Reasonable Measures to Protect Trade Secrets in a BYOD Environment
• Use Confidentiality Agreements/Proprietary Information Assignment Agreements (“PIAA”)
Recommendation #6:
• Ensure that use complies with wage and hour obligations by prohibiting off-the-clock work and ensuring pay for all hours worked
Recommendation #7:
• Evaluate payment options: How much to contribute to payment for the personal device? For the personal plan?
Recommendation #8:
• No use by friends and family members
Recommendation #9:
• Training for managers, HR, and IT staff as well.
Security Incident Response
1. Confirm that dual-use device is encrypted
2. Confirm that remote wipe was activated promptly
3. Confirm that unauthorized acquirer had to unlock a password-protected screensaver
4. Depending on responses, may need to:
– Collect e-mail on corporate email server from the date the loss/theft occurred and search for trigger PII
– Interview employee concerning contents of local storage on dual-use device
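The four steps above are a decision procedure: the answers to the encryption, remote-wipe and screen-lock questions decide whether the lost-device report can be closed or whether the mail-server collection and employee interview follow. The Python below is an added worked example, not part of the presentation: the report schema, the 24-hour "prompt wipe" window, the mailbox records and the trigger-PII patterns (US SSN format and Luhn-valid 16-digit card numbers) are all constructed assumptions; a real program would tune the patterns to the PII categories its breach-notification statutes actually cover.

```python
"""Triage a lost dual-use device and search collected mail for trigger PII.
Illustration only: schema, thresholds, patterns and sample mailbox are
constructed assumptions, not any product's format or a legal standard."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

PROMPT_WIPE_WINDOW = timedelta(hours=24)   # assumed definition of "promptly"


@dataclass
class LostDeviceReport:
    device_id: str
    lost_at: datetime
    wipe_issued_at: Optional[datetime]   # None if no wipe command was ever sent
    wipe_acknowledged: bool              # device confirmed the wipe completed
    encrypted: bool                      # step 1
    screen_lock_enforced: bool           # step 3


def triage(r: LostDeviceReport) -> List[str]:
    """Steps 1-3 decide whether the step-4 collection and interview are needed."""
    wipe_prompt = (r.wipe_issued_at is not None and r.wipe_acknowledged
                   and r.wipe_issued_at - r.lost_at <= PROMPT_WIPE_WINDOW)
    if r.encrypted and r.screen_lock_enforced and wipe_prompt:
        return ["close: data at rest protected and wiped; no further collection required"]
    actions: List[str] = []
    if not r.encrypted:
        actions.append("escalate: device unencrypted, encryption safe harbor unavailable")
    if not r.screen_lock_enforced:
        actions.append("escalate: no passcode lock, assume contents were accessible")
    if not wipe_prompt:
        actions.append("escalate: remote wipe not confirmed within window")
    actions.append("collect corporate e-mail from %s and search for trigger PII" % r.lost_at.date())
    actions.append("interview employee about local storage on the device")
    return actions


# Trigger-PII patterns (constructed, US-centric).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters order numbers and other 16-digit noise from card hits."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_trigger_pii(mailbox: List[dict], since: datetime) -> List[Tuple[str, List[str]]]:
    """Return (message id, PII kinds) for messages dated on/after `since` that carry trigger PII."""
    hits: List[Tuple[str, List[str]]] = []
    for msg in mailbox:
        if msg["date"] < since:
            continue
        kinds: List[str] = []
        if SSN_RE.search(msg["body"]):
            kinds.append("ssn")
        if any(luhn_ok(m) for m in CARD_RE.findall(msg["body"])):
            kinds.append("card")
        if kinds:
            hits.append((msg["id"], kinds))
    return hits


# Constructed sample mailbox for the collection step.
SAMPLE_MAILBOX = [
    {"id": "m1", "date": datetime(2013, 3, 1), "body": "Q1 schedule attached"},
    {"id": "m2", "date": datetime(2013, 3, 12), "body": "Applicant SSN 123-45-6789 for background check"},
    {"id": "m3", "date": datetime(2013, 3, 14), "body": "Refund to card 4111 1111 1111 1111 processed"},
    {"id": "m4", "date": datetime(2013, 3, 14), "body": "Order 1234 5678 9012 3456 shipped"},  # fails Luhn
]
LOST_AT = datetime(2013, 3, 10, 9, 0)
PROTECTED = LostDeviceReport("dev-001", LOST_AT, LOST_AT + timedelta(hours=2), True, True, True)
UNPROTECTED = LostDeviceReport("dev-002", LOST_AT, None, False, False, False)


if __name__ == "__main__":
    for rep in (PROTECTED, UNPROTECTED):
        print(rep.device_id, triage(rep))
    print(find_trigger_pii(SAMPLE_MAILBOX, LOST_AT))
```

The `since` cut-off mirrors the deck's "from the date the loss/theft occurred"; because it is a parameter, the same search can be widened to whatever mail the device had actually synced when the investigation establishes that window.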
Recommendation #10:
• Revise exit interview processes
Littler BYOD White Paper
Go to: www.workplaceprivacycounsel.com Search: “BYOD”
Littler’s Social Media Summit
April 10, 2013, San Francisco, CA
http://www.littler.com/events
Questions?
Philip Gordon, Esq., Littler Mendelson, P.C., Denver Office, [email protected]
Margaret Keane, Esq., Littler Mendelson, P.C., San Francisco Office, [email protected]
Michael McGuire, Esq., Littler Mendelson, P.C., Minneapolis Office