Bring Your Own Device in the Workplace:
Minimizing Legal Risks of BYOD Programs
Protecting Employers' Proprietary Information by Developing and Enforcing Effective Policies and Procedures
Presenting a live 90-minute webinar with interactive Q&A
WEDNESDAY, JUNE 3, 2015
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
Today’s faculty features:
Aaron K. Tantleff, Partner, Foley & Lardner, Chicago
Michael N. Westheimer, Shareholder, Buchalter Nemer, San Francisco
Aaron K. Tantleff, Partner, Foley & Lardner
Business Imperative – Enabling worker mobility
State of the union
Three key elements of a mobile strategy
– Policy
– Training
– Enforcement
Seven Key Risks
Mobile Device Management
Putting it All Together
Enabling mobile workers
24/7 work environment
Competitive advantage
Workplace “perk”
– Workers more comfortable and productive
Advantages
Reduce technology expenses
Take advantage of newer technology supplied by individual employees rather than budgeting for the purchase of new devices for the workforce
Accommodate an employee's desire to carry one device
Enable employees to more easily work in their preferred operating system
Avoid employee training on how to use a company-issued device
Create guidelines and outline employer expectations for a practice that may be underway regardless
Disadvantages
Increase technology expenses
Wage and hour liability for nonexempt employees using devices outside of regular business hours
Privacy and security for personal data
Confidentiality and security for employer data
Employer's legal duties to retain information
Employer liability for an employee's wrongful use of the device
Data collection, retention and destruction
Litigation holds or contractual agreements
Intellectual property ownership and protection
Violation of unrelated policies while using a personal device
Access to data with respect to a separated employee
Who owns the device?
– BYOD versus CYOD
Who owns the data?
– Does it matter, personal versus corporate data?
Courts have not addressed unique aspects of BYOD
No laws specific to BYOD
Forrester: 48% of information workers buy smartphones without even considering what their company supports.
Dell Kace Study: 87% of companies are unable to effectively protect corporate data and intellectual property because of employees who use some kind of personal device for work, including laptops, smartphones, and tablet computers.
Forrester: 50% of information workers are splitting their time between the office and home or another location, underscoring the need for mobile devices.
ISACA: two-thirds of employees ages 18 to 34 have personal devices they use for work purposes.
MarketWatch: Eighty-seven percent of companies say they have employees that use personal tech devices for work.
eWeek: Sixty-two percent of IT administrators feel they don’t have the tools to properly manage personal devices.
1 in 10 workers already use their own device as their primary work device.
Employee BYOD Trends
88% of employed adults use at least one personally owned electronic device for business use [1]
Enterprise IT BYOD Challenges
1 out of 2 companies have experienced a data breach due to insecure devices [2]
44% of companies have a mobile security strategy [3]
37% of companies employ malware protection for mobile devices [3]
[1] PwC, Consumer privacy: What are consumers willing to share? July 2012
[2] Ponemon and Websense Survey of 4,640 companies, 2012
Three Key Elements of a Mobile Strategy
Policy
Training
Make your business case
Developing an approach
– Anything goes
– Approved devices only
– Stipend
– Ownership
Integration with existing company policies
Write an understandable policy
– Most common failure
Participation in the program is a privilege, not a right.
Presentation to employees
Restrictive
Executive or managerial employees
– Reduce risk of losing or leaking confidential company information
General employees
– Avoid potential issues under the NLRA
Nonexempt employees
– Avoid wage claims for minimum wage or overtime compensation for work performed outside of or beyond the standard 40 hour workweek
Permissive
Employees who travel extensively
Work from home or other remote locations
On call / hours are not fixed
Approved devices
No Expectation of Privacy
– Employees may not have a right to privacy in their electronic communications when using employer-provided devices (see City of Ontario, Cal. v. Quon, 560 U.S. 746 (2010)), but, absent agreement to the contrary, they do have that right when using their own devices.
– The federal Computer Fraud and Abuse Act and state computer trespass laws criminalize some unauthorized access of another's computer, and the federal Stored Communications Act protects the privacy of wire and electronic communications while in electronic storage (such as e-mails stored on a server).
– Employers may also face liability for viewing protected personal information stored on an employee's own device
Employees' Written Consent
– Require an employee's written consent to monitor, intercept, review and erase both personal and business content stored on or transmitted by an employee's personal device.
– Consider specific consent or acknowledgment rather than a blanket acknowledgment of all policies
Tracking Employee Movements
– Devices may allow individual tracking. Use with caution
– Mobile device management, or MDM, solutions may provide location tracking services
• Useful to employers wishing to confirm their employees are actually at work when they claim to be
• May be an invasion of privacy
– New York Court of Appeals held that a government employer's covert GPS tracking of a vehicle to monitor an employee's movements was unreasonable where the employer did not make a reasonable effort to avoid tracking the employee outside of business hours (Cunningham v. New York State Dep't of Labor, 997 N.E. 2d 468 (N.Y. 2013)).
– Some states prohibit the use of GPS tracking in most situations (e.g., Tennessee's statutory prohibition on GPS tracking, Tenn. Code
Employee training is key
When to conduct/repetition
Designate a go-to person or group for questions
– Importance of a uniform message
Consider follow-up e-mail and memos to highlight key areas
Monitoring compliance
Employee enforcement
Technological enforcement
Ensuring related company policies are followed
– Litigation hold
– Retention
Mixing business and personal data
Information security
Software licensing issues
Discovery/Border searches and seizures
Repetitive stress and other workplace injuries
Shared use of devices with non-employees
Employee disposal of device
Data segregation – the future
Privacy concerns
– Employee
– Third parties
Other “data” – the great American novel
Location tracking
Extending the corporate security policy to BYOD
Enforcing security policies on BYOD
BYOD security software
Remote wipe
Tracking
Drains battery life
Renders device non-functional
Could infect company systems
Deletes information from device
Mobility has generated a deluge of business data, but deployment of mobile security has not kept pace with use
Smart phones, tablets, and the “bring your own device” trend have elevated security risks. Yet efforts to implement mobile security programs do not show significant gains over last year, and continue to trail the proliferating use of mobile devices.
Initiatives launched to address mobile security risks (chart values as extracted; the two series are listed in the order of the chart legend, 2012 then 2013)
Use of geolocation controls: 19%, N/A
Ban of user-owned devices in the workplace/network access: 30%, 33%
Strong authentication on devices: 35%, 31%
Protect corporate e-mail and calendaring on employee- and user-owned devices: 37%, 36%
Mobile device-management software: 39%, 38%
Mobile security strategy: 42%, 40%
Source: PwC Global State of Information Security Survey 2014, Question 16: “What initiatives has your organization launched to address mobile security risks?” (Not all factors shown.)
Company software
– Which applications?
– What do the licenses say?
Employee personal software
– e.g., Microsoft Office Home
BYOD devices are fair game in litigation
– Employees must understand
Litigation hold
Cost of responding to discovery
Beware at the border
– Data and devices can be copied or seized
– Increased risk of data theft
Some information resides only on the device, despite potential data flow through the company’s server
Not all devices are created equal, requiring different software and tools, depending on the device
Forensics utilizes both "physical" and "logical" acquisition of data – advanced analysis requires obtaining operating system files, device memory and other technical information, plus personal email or documents or phone data
Can't just “remove the hard drive”
Non-iOS devices may contain an extra memory card – needs to be imaged separately from the phone
Data is volatile – over-the-air device wiping is a risk
Lack of employer control over right to access personal information and data stored on employee-owned devices / services
Need cooperation and passcode from employee to access the device
– May need to crack passwords, which is time-consuming
“Jailbreaking” is typically easier on Android products than Apple
Some devices do not indicate data volume size, which may make scoping of the collection difficult
Different information (text, GIS, photos, etc.) can be obtained, depending on the device; however, it may not all be appropriate for collection, and may require planning and consent
Repetitive stress and other work-related injuries can arise from BYODs.
Disclaim liability
Urge employees to follow vendor recommendations
Check insurance coverages
Friends, family, neighbors, etc.
A risk that cannot be completely controlled
– Impossible to obtain consent
– Policy coverage
Security implications
Company proprietary and confidential information at risk
Privacy and other issues
EOL of BYOD
The eBay threat, garage sales, Craigslist
– Army hardware being sold on streets of Afghanistan
– Broker-dealer Blackberry on eBay
Company notice of sale or transfer
– Policy issue
Provide Control and Visibility to Mobile Devices
Simplify User Setup and Enrollment
Enable Rich Policy Controls
Support All Your Mobile Devices
BUT…
BYOD is here to stay
Develop workable policies that support the business case
Train employees to ensure they understand their obligations; follow up
Develop and institute enforcement procedures
Understand the key risks
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Health Information Technology for Economic and Clinical Health (HITECH) Act
– expanded HIPAA security standards to encompass business associates (i.e., vendors, contractors, and subcontractors that access, use, disclose, or create PHI on covered entities’
Information Security Regulations (“Security Rule”) pursuant to HIPAA
– Required implementation of technical, physical and administrative safeguards for protected health information (PHI) in electronic form
The HIPAA Privacy Rule
– Protects PHI
– Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically
– Requires appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
American Recovery and Reinvestment Act (ARRA) & HITECH Act
– Prohibit storage of unencrypted personally identifiable information and protected health information on any computing device
Consider rules requiring that internal communications regarding a company’s business and those with its customers be maintained, retrievable and reviewed
– SEC Rules 17a-3 and 17a-4
– NASD Rules 2210, 3010, 3110 & 31101
– NYSE & NASD “Joint Guidance” regarding capture of communications between broker/dealers and customers
Gramm-Leach-Bliley Act (GLBA)
– Covers information created or received by a “financial institution” as part of a customer relationship
• 15 U.S.C. §§ 6801 – 6809
– Financial institutions must protect an individual’s personal information
Aaron K. Tantleff Partner
Foley & Lardner LLP
321 North Clark Street, Suite 2800 Chicago, Illinois 60654
(312) 832-4367
Michael N. Westheimer
Buchalter Nemer
55 Second Street, Suite 1700 San Francisco, California 94105
(415) 227-3530
June 3, 2015
Bring Your Own Device in the Workplace:
Agenda
• Proliferation of BYOD in the workplace
• Objectives of a BYOD policy
» Protection of confidential business information and trade secrets
» Mobile Device Management
» Compliance with employment laws / HR best practices
Proliferation of BYOD
Gartner Studies
• Survey: approximately 40% of US consumers who work for large enterprises said they use their personally owned smartphone, desktop or laptop daily for some work purposes (October 2014 report)
• By 2017, half of employers will require employees to supply their own device for work purposes (April 2013 report)
Reasons for Proliferation of BYOD
• More mobile workforce
• Increased productivity
• Cost savings
• Employees want it
Protecting Trade Secrets
“Trade Secret” – Uniform Trade Secrets Act
• Not generally known to other persons, and not readily ascertainable by proper means by other persons
• Is the subject of reasonable efforts to maintain its secrecy
Apple v. Psystar (N.D. Cal. Jan. 3, 2012)
• Public disclosure is fatal to existence of trade secret
• No protection if information is discovered by fair and honest means, including accidental disclosure
Protecting Trade Secrets
Reasonable Efforts – Restatement (Third) of Unfair Competition § 39, cmt (g)
• Physical security designed to prevent unauthorized access
• Procedures to limit disclosure based on “need to know”
• Measures to emphasize to recipients the confidential nature of the information
Art of Living Foundation v. Does (N.D. Cal. May 1, 2012)
Reasonable efforts can include:
1. Advising employees of existence of trade secret
2. Limiting access to information on a need to know basis
3. Requiring employees to sign confidentiality agreements
4. Keeping secret documents under lock
Protecting Trade Secrets
FormFactor v. Micro-Probe (N.D. Cal. June 7, 2012)
• No confidentiality agreement
• Employee was allowed to use personal email and personal home computer for company business, and to back up company data onto external hard drives and thumb drives
• No request to return company data when employee resigned
• Company lacked evidence that trade secrets at issue had never
Using Device for Business Purposes
Company-Owned
Device Usage Policy
• Device is company property
• Device is to be used solely for business purposes
• Company reserves right to inspect device
• Company monitors employee’s use of device
• Employee’s use of device is being recorded
• Employee has no expectation of privacy in using the device
• Device and all data must be returned at end of employment
Using Device for Business Purposes
BYOD vs. CYOD
• Bring Your Own Device: employees are given access to company systems and data on employee-owned devices
• Choose Your Own Device: employees are given a choice between a limited number of approved devices for accessing company systems and data
Who owns / pays?
• Purchase of equipment
• Provision of voice / text / data plan
Using Device for Business Purposes
Reimbursement of Business Expenses
• Cal. Labor Code § 2802: Employee shall be reimbursed for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties, or of his or her obedience to the directions of the employer
• Cochran v. Schwan’s Home Service, 228 Cal.App.4th 1137 (Aug. 12, 2014)
» When employees must use personal cell phones for work-related calls, the employer must reimburse them
» Whether the employees have cell phone plans with unlimited minutes or limited minutes, the reimbursement owed is a reasonable percentage of their cell phone bills
Privacy Rights
Computer Fraud and Abuse Act (CFAA)
• Prohibits intentionally accessing and obtaining information from a protected computer either without authorization or exceeding authorized access
Stored Communications Act (SCA)
• Protects electronic communications transmitted via an electronic communication service that are in electronic storage and not public
• Prohibits intentionally accessing the communication either without authorization or exceeding authorized access, and obtaining, altering or preventing authorized access to the communication
Privacy Rights
Ehling v. Monmouth-Ocean Hosp. Service (D. N.J. Aug. 20, 2013)
• Non-public Facebook wall posts were found to be protected communications under the Stored Communications Act
• Here there was no violation: the employee had “friended” a co-worker, thereby authorizing that co-worker’s access to her wall, and the co-worker voluntarily took screenshots of posts and gave them to the employee’s manager
Pure Power Boot Camp v. Warrior Fitness Boot Camp (S.D. N.Y. Aug. 23, 2008, Dec. 22, 2010)
• Company violated Stored Communications Act by accessing former employee’s personal emails from Hotmail and Gmail accounts
• Court rejected argument that authorization was implied because employee had logged in from work computer
Privacy Rights
Social Media Privacy Statutes
• Arkansas, California, Colorado, Illinois, Louisiana, Maryland, Michigan, Montana, Nevada, New Hampshire, New Mexico, New Jersey, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Virginia, Washington, Wisconsin
California Labor Code § 980 (effective Jan. 1, 2013)
• Employer shall not require or request that an employee or applicant:
1. disclose username or password for the purpose of accessing personal social media;
2. access personal social media in the employer’s presence; or
3. divulge any personal social media
Privacy Rights
Personal privacy
• Financial
• Sexual matters / sexual orientation
• Medical condition / records
• Genetic information
HR Best Practices
• Protocols for ensuring that employment decisions are made based on job-related criteria
• Restrictions on collecting and providing access to information about employee protected status – age, race, ethnicity, national origin, disability, etc.
Off-the-Clock Issues (Non-exempts)
Compensability of non-exempt employees’ after-hours use of BYOD devices
• Portal-to-Portal Act
» Commute time
» Preliminary and postliminary activities
• De minimis time
• Continuous workday rule
Off-the-Clock Issues (Non-exempts)
White v. Baptist Memorial Health Care Corp., 699 F.3d 869 (6th Cir. 2012)
• Auto-deduct for meal breaks; company had override procedures where employees could get paid by reporting missed meal breaks in an exception log or reporting payroll errors for correction
• Employee sued for unpaid missed meal breaks, but did not report them in the exception log and did not utilize the payroll correction procedure
• Court held that under the circumstances, the time was not compensable under the FLSA:
» “Under the FLSA, if an employer establishes a reasonable process for an employee to report uncompensated work time the employer is not liable for non-payment if the employee fails to follow the established process.”
» “When the employee fails to follow reasonable time reporting procedures she prevents the employer from knowing its obligation to compensate the employee and thwarts the employer’s ability to comply with the FLSA.”
Off-the-Clock Issues (Non-exempts)
Prescott v. Prudential Insurance Co., 729 F.Supp.2d 357 (D. Maine 2010)
• Employee presented evidence at class certification stage that:
» Employees understood that the company, with some exceptions, would not approve OT and did not pay employees for OT work they performed
» The company, by instituting company-wide metrics for performance, knowingly created a situation where employees likely would work extra hours and that the employees in fact did so
• Court found the employee’s evidence was sufficient to meet the “modest” factual showing required for conditional certification of FLSA collective action, subject to possible decertification at a later stage in the proceedings
Strategic Implementation
BYOD Policy
• Addresses onboarding, use during employment, termination of employment
• Sets protocols for appropriate use of device and data protection
• Establishes confidentiality, nondisclosure
• Creates consent to access and obtain information
• Curtails privacy expectations
Mobile Device Management (MDM)
• Reasonable efforts to protect trade secrets
• Prevention of both intentional misappropriation and inadvertent disclosure
Strategic Implementation
Wage & Hour
• Reasonable, established procedures for:
» Tracking compensable work time
» Reporting additional compensable work time that is not captured with regular procedures
» Prohibiting off-the-clock work
» Reimbursing for business expenses where required
• Dissemination of procedures to employees
Strategic Implementation
Takeaways
• Finding the right balance
• Functionality vs. preserving confidentiality
• Keeping trade secrets under lock
• Scope of consent / authorization to access
• Voluntary consent
• Segregating work use and personal use
• Expense reimbursement
• On-the-clock / wage & hour issues
Michael N. Westheimer
Buchalter Nemer PC 55 Second Street, Suite 1700 San Francisco, California 94105