
(1)

Bring Your Own Device in the Workplace:

Minimizing Legal Risks of BYOD Programs

Protecting Employers' Proprietary Information by Developing and Enforcing Effective Policies and Procedures

Presenting a live 90-minute webinar with interactive Q&A

WEDNESDAY, SEPTEMBER 18, 2013

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today's faculty features:

Eric Schlissel, CEO, GeekTek IT Services, Los Angeles

Aaron K. Tantleff, Senior Counsel, Foley & Lardner, Chicago

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.


Bring Your Own Device in the Workplace:

Minimizing Legal Risks of BYOD Programs

Eric Schlissel

(5)

Bring Your Own Device

• Employees are bringing their own tools to the workplace, accessing company intellectual property and data

• Drivers behind the Bring Your Own Device (BYOD) momentum:

– Employee demand

– Consumerization of IT

– Improved mobility

– Increased productivity

– Perceived cost savings

40% of workers are using their personal devices to access business applications & resources. (Source: AirWatch Whitepaper)

(6)

Current State

• BYOD adoption is accelerating even where no company policy is in place, and it is outpacing security strategies

• Half of employers will require employees to supply their own work devices by 2017 (Source: Gartner)

• Many major corporations have a BYOD policy, such as IBM and Colgate-Palmolive

• Industries adopting mobility: Banking, Entertainment, Healthcare, Financial Services, Education, Manufacturing, Retail, Automotive (Source: [x]cube labs)

71 million BYOD devices in use in America today, expected to grow to 108 million by 2016 (Source: Cisco Survey)

(7)

BYOD Support (chart; Source: ZDNet / TechRepublic)

(8)

Risks of BYOD

• IT has limited or partial control of devices

• Company data mingling with personal data

• Lost and stolen devices

• Shared devices

• Unauthorized access to devices

• Improper disposal of old devices

• Data recovery post employment separation

"35% of IT leaders and 25% of IT professionals are not confident their organization's BYOD policy is compliant with data and privacy protection acts, HIPAA, Dodd-Frank or other government-mandated regulations." (Source: TEKsystems survey)

(9)

Shadow IT

• Company-provided tools are not as easy to use as consumer-grade tools

• Employees use the tools that work for them, not necessarily those provided by IT, creating Shadow IT

• Shadow IT creates problems with compliance

• When employees use their own software, company trade secrets are not under IT management

• Creates data silos between employees, vendors and partners

Of the office workers surveyed, 42% would use "unapproved" cloud services to get a job done, and 36% already have done so. (Source: Imperial College Business School Survey)

(10)

Mobile Attack Methods

• Outdated Operating Systems

• Jailbroken Devices

• Lax Device Security

• SMS Attacks

• Marketplace Vulnerabilities

• Malware

• Fake Apps

• Hardware Hacks

At the end of this quarter (Q3 2013), the total number of samples in our mobile malware “zoo” reached 50,926, with 28 percent of that arriving in 2013. (Source: McAfee)

(11)

Android Malware (chart of new Android malware over time; Source: Symantec)

(12)

Mobile Device Management

• Centralized policy and configuration management for mobile devices

• Secure, monitor, manage and support mobile devices and tablets

• Simplifies support of mobile devices

• Automatically configures email and other settings

• Supports most Android, Windows and iOS devices

• Over-the-air hardware, software and network inventory

• Similar to PC life cycle management tools

• Over 100 key players in a market estimated at over $500 million (Source: Gartner, Critical Capabilities for Mobile Device Management)

"33% of IT leaders & 46% of IT pros said their organizations lack the ability to remotely wipe data from employee devices if necessary." (Source: Computerworld)

(13)

Mobile Management Methods

• Containerization

• App Wrapping

• MAM – Mobile Application Management

• MCM – Mobile Content Management (aka MIM)

• Mobile Virtualization

"73% of IT leaders and IT professionals said poor BYOD policies put sensitive corporate data at risk by potentially exposing it on personal mobile devices." (Source: Computerworld)
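The controls the preceding slides list (outdated or jailbroken devices on slide 10, MDM policy and configuration management on slide 12, containers and remote wipe on slides 12 and 13) come down, at enforcement time, to a gate over device posture records. The following is an added worked example, not code from the webinar, from GeekTek or from any of the presenters' firms: it scores such records against a written BYOD baseline and returns allow, block or a selective wipe of the corporate container, with the reasons recorded. The record fields, the minimum OS versions, the seven-day check-in window and the sample inventory are all assumptions chosen for illustration; a real deployment reads them from the MDM inventory and the written policy.

```python
# Added example (not from the webinar or the presenters' firms): gate corporate
# access on BYOD device posture. Field names, thresholds and the sample
# inventory are assumptions for illustration, not any vendor's MDM schema.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed policy baseline (hypothetical values set by the written BYOD policy).
MIN_OS: Dict[str, Tuple[int, int, int]] = {
    "ios": (12, 0, 0),
    "android": (9, 0, 0),
    "windows": (10, 0, 0),
}
MAX_CHECKIN_AGE = timedelta(days=7)  # a device that stops reporting is unknown


@dataclass
class Device:
    """One posture record as an MDM inventory might report it (assumed fields)."""
    device_id: str
    owner: str
    platform: str
    os_version: str
    mdm_enrolled: bool
    jailbroken: bool          # jailbroken (iOS) or rooted (Android)
    encrypted: bool           # storage encryption enabled
    passcode_set: bool
    last_checkin: datetime
    employment_active: bool = True


@dataclass
class Decision:
    device_id: str
    action: str               # "allow", "block" or "wipe_corporate_container"
    reasons: List[str] = field(default_factory=list)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'12.4.1' -> (12, 4, 1). Unparsable input such as 'beta' maps to (0, 0, 0)
    and therefore fails the minimum-version check: unknown is not trusted."""
    parts: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            return (0, 0, 0)
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def evaluate(dev: Device, now: datetime) -> Decision:
    """Apply the baseline to one device, recording every failed check so the
    user and the audit log can see why access was refused."""
    # Separation is handled first: selectively wipe the managed container,
    # leave personal data alone, and skip the posture checks.
    if not dev.employment_active:
        return Decision(dev.device_id, "wipe_corporate_container",
                        ["employment ended; remove corporate data only"])
    reasons: List[str] = []
    if not dev.mdm_enrolled:
        reasons.append("not enrolled in MDM")
    if dev.jailbroken:
        reasons.append("jailbroken/rooted")
    floor = MIN_OS.get(dev.platform.lower())
    if floor is None:
        reasons.append(f"unsupported platform {dev.platform!r}")
    elif parse_version(dev.os_version) < floor:
        reasons.append(f"OS {dev.os_version} below minimum "
                       + ".".join(str(n) for n in floor))
    if not dev.encrypted:
        reasons.append("storage not encrypted")
    if not dev.passcode_set:
        reasons.append("no passcode")
    age = now - dev.last_checkin
    if age > MAX_CHECKIN_AGE:
        reasons.append(f"last check-in {age.days} days ago exceeds "
                       f"{MAX_CHECKIN_AGE.days} days")
    return Decision(dev.device_id, "block" if reasons else "allow", reasons)


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed sample inventory (fictional devices and owners).
SAMPLE: List[Device] = [
    Device("d1", "alice", "iOS", "12.4.1", True, False, True, True, NOW - timedelta(days=1)),
    Device("d2", "bob", "Android", "8.1.0", True, True, True, True, NOW - timedelta(days=2)),
    Device("d3", "carol", "iOS", "12.0", False, False, True, True, NOW - timedelta(days=30)),
    Device("d4", "dave", "iOS", "12.4.1", True, False, True, True, NOW - timedelta(days=1),
           employment_active=False),
    Device("d5", "erin", "BlackBerry", "7.1", True, False, True, True, NOW - timedelta(days=1)),
]


def run(devices: List[Device] = SAMPLE, now: datetime = NOW) -> Dict[str, Decision]:
    """Evaluate an inventory and index the decisions by device id."""
    return {d.device_id: evaluate(d, now) for d in devices}


if __name__ == "__main__":
    for dec in run().values():
        print(dec.device_id, dec.action, "; ".join(dec.reasons))
```

Two design points are worth noting: a device that cannot report a parsable OS version fails the check rather than passing by default, and the separation case wipes only the managed container so personal data stays untouched, which is what the later slides on data recovery after employment separation and on shared devices call for.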

(14)

Eric Schlissel

CEO, GeekTek IT Services

4344 Laurel Canyon Blvd., Suite 6
Studio City, CA 91604
[email protected]
Direct: 323-518-1200
www.geektek.com
Twitter: @geektek

(15)

©2013 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500

Bring Your Own Device in the Workplace:

Minimizing Legal Risks of BYOD Programs

Aaron Tantleff

(16)

BYOD is Uncharted Territory

Who owns the device?

BYOD versus CYOD

Who owns the data?

Does it matter, personal versus corporate data?

Courts have not addressed unique aspects of BYOD

(17)

What is a Trade Secret?

Defined state-by-state

Uniform Trade Secrets Act (UTSA)

Trade secret means information, including a formula, pattern, compilation, program, device, method, technique or process, that:

• derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and

• is the subject of efforts that are reasonable under the

(18)

Preserving Trade Secrets

Failure to take reasonable measures to protect trade secrets may result in the loss of trade secret protection

(19)

Preserving Trade Secrets

Disallow personally owned devices

Limit the nature of information on personally owned devices

Consider purchasing devices for employees

CYOD

(20)

Preserving Trade Secrets

Written BYOD policy

Demonstrates the company has undertaken reasonable measures to protect its trade secrets

Courts look to what measures a company took

• Without a written BYOD policy, did the company take

(21)

BYOD Effect on Trade Secrets

Trade secrets exist in electronic form

Instantaneous email, transfer or posting online

• Uncontrollable, widespread dissemination

Inadvertent disclosure by sharing device or using in

(22)

BYOD Effect on Trade Secrets

Company data stored and transmitted by devices and over networks not controlled by the company

(23)

Information Leakage

Lost, stolen, hacked or exposed to malware

The "friends and family plan"

Poof – it's in the cloud

Location, location, location… you took the

(24)

Protecting Trade Secrets

What are reasonable efforts?

Case-by-case

State-by-state

Courts review measures taken by employer to maintain secrecy of information

Policy considerations

Written agreements

Limiting access and copies

(25)

Confidentiality Agreements

Most recognized way to protect trade secrets

Must also be enforceable after the employee leaves the company

Policies generally are not applicable to departed

(26)

Malware – Threats

• Drains battery life

• Renders device non-functional

• Could infect company systems

• Deletes information from device

• Snoopware – records and

(27)

Malware – Policy

Policies must account for third party applications

Consider whether one can defeat a claim that a company has taken adequate steps to protect confidential information or trade secrets

Policies must address whether and how such third party applications can be downloaded and installed

(28)

Information Security

Extending the corporate security policy to BYOD

Enforcing security policies on BYOD

BYOD security software

Remote wipe

Tracking

Regular audit of information/data security policies to ensure they provide adequate protection

(29)

Information Security

Malware on mobile devices

Mobile device management ("MDM") solution

Consider employee work-arounds or exporting data outside of the corporate environment / MDM solution

Data transferred over both secured and

(30)

Information Security

BYOD devices' use of cloud networks

Information is pushed and pulled from devices to cloud, providing an additional outlet for theft of trade secrets

Many cloud services make theft easier than breaking into the company's servers

Information resident on cloud services is not

(31)

Shared Use of Device

Friends, family, neighbors, etc.

A risk that cannot be completely controlled

Impossible to obtain consent

Policy coverage

Security implications

Company proprietary and confidential information at risk

(32)

Employee Disposal

EOL of BYOD

The eBay threat, garage sales, Craigslist

Army hardware being sold on streets of Afghanistan

Broker-dealer BlackBerry on eBay

Company notice of sale or transfer

Policy issue

(33)

Misappropriation of Trade Secrets

UTSA imposes liability for misappropriation of trade secrets

Use or disclosure of trade secret, or

Acquisition by improper means

• Problem – Employee already has right to store company information on personal device

Collecting evidence

Company owned device versus personally owned

(35)

Healthcare

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Health Information Technology for Economic and Clinical Health (HITECH) Act

expanded HIPAA security standards to encompass business associates (i.e., vendors, contractors, and subcontractors that access, use, disclose, or create PHI on covered entities' behalf)

(36)

Healthcare

Information Security Regulations ("Security Rule") pursuant to HIPAA

Required implementation of technical, physical and administrative safeguards for protected health information (PHI) in electronic form

(37)

Healthcare

The HIPAA Privacy Rule

Protects PHI

Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically

Requires appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization

(38)

Healthcare

American Recovery and Reinvestment Act (ARRA) & HITECH Act

Breach notification requirements apply to "unsecured" PHI, i.e., PHI that is not encrypted in line with HHS guidance; the loss of a device holding unencrypted PHI is a reportable breach, so PHI stored on any computing device should be encrypted

(39)

Financial

Consider rules requiring that internal communications regarding a company's business and those with its customers be maintained, retrievable and reviewed

SEC Rules 17a-3 and 17a-4

NASD Rules 2210, 3010, 3110 & 31101

NYSE & NASD "Joint Guidance" regarding capture of communications between broker/dealers and customers

(40)

Financial

Gramm-Leach-Bliley Act (GLBA)

Covers information created or received by a "financial institution" as part of a customer relationship

• 15 U.S.C. §§ 6801 – 6809

Financial institutions must protect an individual's

(41)

Contact Info

Aaron K. Tantleff, Esq.
Senior Counsel, IP / IT & Outsourcing
Foley & Lardner LLP
Tel: 312.832.4367

(42)

Bring Your Own Device in the Workplace:

Michael N. Westheimer

Buchalter Nemer PC
55 Second Street, Suite 1700
San Francisco, California 94105
Direct: (415) 227-3530
Fax: (415) 904-3111
Email: [email protected]

(43)

Agenda

• Proliferation of BYOD in the workplace

• Dual objectives of a BYOD policy

Protection of confidential business information and

trade secrets

Compliance with employment laws / HR best practices

• Strategic implementation

(44)

Proliferation of BYOD

Gartner Study (April 2013)

• By 2017, half of employers will require employees to supply their own device for work purposes

Reasons for Proliferation of BYOD

• More mobile workforce

• Increased productivity

• Cost savings

• Employees want it

(45)

Protecting Trade Secrets

“Trade Secret” -

Uniform Trade Secrets Act

• Not generally known to other persons, and not readily ascertainable by proper means by other persons

• Is the subject of reasonable efforts to maintain its secrecy

Apple v. Psystar (N.D. Cal. 1/3/12)

– Public disclosure is fatal to existence of trade secret

– No protection if information is discovered by fair and honest means, including accidental disclosure

(46)

Protecting Trade Secrets

Reasonable Efforts -

Restatement (Third) of Unfair Competition § 39, cmt (g)

• Physical security designed to prevent unauthorized access

• Procedures to limit disclosure based on "need to know"

• Measures to emphasize to recipients the confidential nature of the information

Art of Living Foundation v. Does (N.D. Cal. 5/1/12) – Reasonable efforts can include:

1. Advising employees of existence of trade secret

2. Limiting access to information on a need-to-know basis

3. Requiring employees to sign confidentiality agreements

4. Keeping secret documents under lock

(47)

Protecting Trade Secrets

FormFactor v. Micro-Probe (N.D. Cal. 6/7/12)

• No confidentiality agreement

• Employee was allowed to use personal email and personal home computer for company business, and to back up data onto external hard drives

• No request to return company data when employee resigned

• Company lacked evidence that documents had never been publicly disclosed or placed in public domain

(48)

Company-Provided Devices

Company-Owned

Device Usage Policy

• Device is company property

• Device is to be used for business purposes

• Company reserves right to inspect device

• Company is monitoring employee's use of device

• Employee's use of device is being recorded

• Employee has no right of privacy

• Device and all data must be returned at end of employment

(49)

Privacy Rights

Computer Fraud and Abuse Act (CFAA)

• Prohibits intentionally accessing and obtaining information from a protected computer without authorization or exceeding authorized access

Stored Communications Act (SCA)

• Protects electronic communications transmitted via an electronic communication service that are in electronic storage and not public

• Prohibits intentionally accessing the communication without authorization or exceeding authorized access and obtaining, altering or preventing authorized access to it

(50)

Privacy Rights

Ehling v. Monmouth-Ocean Hosp. Service (D. N.J. 8/20/13)

• Non-public Facebook wall posts are protected communications under SCA

• Here no violation because a co-worker that employee “friended” had authorized access to her wall, voluntarily took screenshots and gave them to employee’s manager

Pure Power Boot Camp v. Warrior Fitness Boot Camp

(S.D. N.Y. 8/23/08, 12/22/10)

• Company violated SCA by accessing former employee’s personal emails from Hotmail and Gmail accounts

• Court rejected argument that authorization was implied because employee had logged in from work computer

(51)

Privacy Rights

Social Media Privacy Statutes

• A growing number of states have these: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Washington

California Labor Code § 980 (effective 1/1/13)

• Employer shall not require or request employee or applicant to:

1. Disclose username or password for the purpose of accessing personal social media

2. Access personal social media in employer's presence

3. Divulge any personal social media

• Exception: personal social media reasonably believed to be relevant to investigation of allegations of employee misconduct or violation of law

• OK to get username / password to access employer-issued device

(52)

Privacy Rights

Personal privacy

• Financial

• Sexual matters / sexual orientation

• Medical condition / records

• Genetic information

HR Best Practices

• Employment decisions based on job-related criteria

• Restricting information about protected status – age, ethnicity, national origin, disability, marital status, etc.

(53)

Strategic Implementation

BYOD Policy

• Addresses onboarding, use during employment, termination of employment

• Sets protocols for appropriate use and data protection

• Establishes confidentiality, nondisclosure

• Creates consent to access and obtain information

• Curtails privacy expectations

Mobile Device Management (MDM)

• Reasonable efforts to protect trade secrets

• Prevention of intentional misappropriation and inadvertent disclosure

(54)

Strategic Implementation

Considerations

• Finding the right balance

• Functionality vs. preserving confidentiality

• Keeping trade secrets under lock

• Scope of consent / authorization to access

• Voluntary consent

• Segregating work use and personal use

• Reimbursement

• On-the-clock / salary test issues

(55)

Questions?