The BYOD Workplace and the 24/7 Employee: Managing Legal Risks for Employers

Transcription

1

2 The BYOD Workplace and the 24/7 Employee: Managing Legal Risks for Employers Thursday, April 17, 2014

3 Moderator Molly M. DiBianca, Associate, Young Conaway Stargatt and Taylor Wilmington, DE 2

4 Speakers Adam S. Forman, Principal, Miller, Canfield, Paddock and Stone, Detroit, MI Michael S. Glassman, Partner, Dinsmore & Shohl, Cincinnati, OH 3

5 Speakers Melanie V. Pate, Partner, Lewis Roca Rothgerber, Phoenix, AZ J. E. Jess Sweere, Director, Cross, Gunter, Witherspoon & Galchus, Little Rock, AR 4

6 Introduction Molly DiBianca Young Conaway Stargatt & Taylor 5

7 The Current Landscape Key Statistics Use of mobile technology BYOD policies What s an employer to do? Manage risk Be a realist 6

8 Webinar Agenda Legal Risks Best Practices Policy Pointers 7

9 Legal Risks Adam S. Forman Miller, Canfield, Paddock & Stone J.E. Jesse Sweere Cross, Gunter, Witherspoon & Galchus 8

10 CONSTITUTIONAL PROTECTIONS 9

11 10

12 4th Amendment Unreasonable searches and seizures Murphy v. Spring (N.D. Okla. 2013) Chaney v. Fayette Cnty. Pub. Sch. Dist. (N.D. Ga. 2013) 11

13 Once It s There It s There To Stay 12

14 9th and 14th Amendments Penumbra of implied constitutional rights of privacy NASA v. Nelson (U.S. 2011) People v. Holmes (Colo. Dist. Ct. 2013) 13

15 STATUTORY PROTECTIONS 14

16 Electronic Communications Privacy Act Title 1 Federal Wire Tap No intercepting electronic communications without authorization of 1 party Title 2 Stored Communications Act No accessing, without authorization, a facility through which electronic communication service is provided and thereby access to an electronic communication while it is electronic storage 15

17 Electronic Communications Privacy Act Title 2 Stored Communications Act Disputes over stored Cheng v. Romo (D. Mass. 2013) Disputes over facility Garcia v. City of Laredo (5th Cir. 2012) BYOD Lazette v. Kulmatycki (N.D. Ohio 2013) 16

18 NATIONAL LABOR RELATIONS ACT 17

19 National Labor Relations Act Protects employees who discuss terms and conditions of employment Social media is the today s workplace water cooler For unionized employers social media and BYOD policies are a mandatory subject of bargaining Use of monitoring software has surveillance implications 18

20 National Labor Relations Board Enforces the NLRA The Board has taken a very strong stance on any employer action or policy designed to restrict employee communication via social media Must be careful not to draft overly broad BYOD policies 19

21 Fair Labor Standards Act Statute that requires the payment of a minimum wage for all hours worked, and overtime for all hours worked in excess of 40 in a work week 20

22 Wage and Hour Issues When non-exempt employees use their own devices, there is a risk that employees will raise wage & hour claims for time worked off the clock. 21

23 Wage and Hour Issues Employees have to be paid for off the clock work even when the employer did not request it. Usual situation: making work-related calls, reading and replying to s during off-work hours. 22

24 Easy Solution? No or work-related calls outside of working hours 23

25 Not Necessarily While this certainly is an option, it might not always be the best one: There is an advantage to having a flexible staff that can be accessed outside of work that may outweigh the extra pay A blanket prohibition also must be clearly communicated and employees must be consistently disciplined for disregarding the policy Enforcing such a bright-line policy is often unrealistic in practice 24

26 Password Protection Statutes Many states have passed statutes prohibiting employers from requiring employees to provide usernames and passwords to social media accounts. Arkansas s statute could be interpreted to prohibit a supervisor from friending or following an employee 25

27 Password Protection Statutes Review your state s statute carefully Train supervisors and managers to refrain from seeking social medial credentials of employees and applicants 26

28 COMMON LAW PROTECTIONS 27

29 Four Common Law Torts 1. Intrusion upon seclusion 2. False Light 3. Appropriation of Likeness 4. Public disclosure of embarrassing private facts 28

30 Intrusion upon Seclusion Most commonly asserted common law claim Ehling v. Monmouth-Ocean Hosp. Serv. (D.N.J. 2013) 29

31 PRACTICAL CONSIDERATIONS 30

32 Control of Employer Data Increased risk of theft/loss Personal v. work device Facilitate employee theft Greater exposure Malware, viruses and hacking Consequences for loss 31

33 Legal Compliance EEO laws Labor laws OSHA Privilege issues E-discovery 32

34 BYOD and Harassment The blurring of personal and workrelated use on one device can be conducive for increased hostile work environments. 33

35 BYOD and Harassment The employer has a duty to stop coemployee harassment when the employer knows or has reason to know that such harassment is part of a pattern of harassment that is taking place in the workplace and in settings that are related to the workplace. 34

36 OSHA-Related Issues Blackberry thumb & neck problems Repetitive motion of texting can cause injury to the hand Cradling small phone between head and shoulder What to do: Educate employees regarding ergonomic use of their device 35

37 OSHA-Related Issues Distracted driving Study shows that texting driver takes twice as long to react than a legally intoxicated driver A company culture of texting while driving can create liability What to do: Implement policy prohibiting texting & possibly talking while driving 36

38 Litigation Holds E-Discovery When an employer has notice that litigation is possible, it has a duty to identify and preserve relevant sources of data Rules of Civil Procedure require a party to produce documents and electronically stored information that are in its possession, custody or control 37

39 Best BYOD Practices Melanie V. Pate Lewis Roca Rothgerber 38

40 Three Keys to BYOD Success Analyze scope of issues and risks for your particular company Create a comprehensive written policy Communicate the policy to employees 39

41 Analyze Scope of Issues and Risks for Your Particular Company Do you want to permit employees to use their own devices for work purposes? Can your in-house IT department appropriately address BYOD issues and challenges? Do you have buy-in from top officials/leaders in your company? 40

42 Create a Comprehensive Written Policy Benefits of having a specific written policy Risks of not having a specific written policy Develop agreement on policy components Solicit feedback from key employees 41

43 Communicate the Policy to Employees Determine how the policy can and will be communicated effectively Train employees on policy Carefully explain what is and what is not acceptable under policy Have employees sign written acknowledgment 42

44 Other BYOD Best Practices Ensure top executives are covered by and adhere to BYOD policies Allow employees broad device choice and consider covering part of device cost Require employees to buy devices through normal consumer channels to maintain clear lines of ownership 43

45 Other BYOD Best Practices Require contractors to use their own devices and include them in your policies Provide support and guidance to employees and help them understand the responsibilities that come with BYOD 44

46 Other BYOD Best Practices Keep business data strictly segregated to support e-discovery requirements and data retention policies Determine how various IT support and maintenance tasks will be addressed 45

47 Other BYOD Best Practices Choose security solutions that allow employees to self-audit their devices and quickly report potential security risks (aka: BYOD for Dummies) Monitor data usage to verify that only authorized use is occurring if costs are reimbursed 46

48 BYOD Policy Points Michael S. Glassman Dinsmore and Shohl 47

49 What Does a BYOD Policy Need to Include? Determine whether a BYOD policy is right for your company 48

50 Policy Development What should a BYOD policy include? No one-size-fits-all policy exists Review and analyze existing policies to see how they relate to employee use of personal devices for business purposes. 49

51 Policy Development Which employees should be eligible to use their own devices? Company provided devices vs. personal devices Network security controls Employee consent form Lost or stolen devices Access by others 50

52 Acceptable Use Define what constitutes acceptable personal use of personal device on company time Consider whether there are any apps/software that may not be installed on a personal device Address the need to obtain authorization to work remotely and outside of normal working hours 51

53 Devices and Support Specify what devices company will permit and support Require that devices be presented to IT for approval and configuration before use on company network 52

54 Ownership of Information Address that the company owns records, data, work product on personal device that was created within scope of employment Include non-disclosure language/reference existing policies 53

55 Security Controls Address security measures for personal devices Require password protection Autolocking No jailbreaking, rooting, modding Encryption Limit use to employee 54

56 Security Controls Prohibit transfer of data Ability for employer to wipe device Consult with IT 55

57 Company Access to Device Employee must relinquish possession and control of personal device to company upon request Specify that employer can inspect and take control of device, and monitor communications, location and activity Company allowed to copy or image personal device 56

58 Device Monitoring and Management Implement Mobile Device Management (MDM) software and inform employee of MDM controls Specify that device may be wiped if lost, employment terminates, or a data breach Specify that employees have no expectation of privacy with respect to personal device 57

59 Please Complete Our Survey Please take a few minutes to complete the survey that will appear on your computer screen immediately following the webinar. To listen to this webinar again or to any past ELA webinars, please visit our website at: The ELA is not authorized to give CLE/HRCI/SHRM credit for its webinars; however, a Certificate of Attendance and supporting materials are now posted on the ELA website (click this webinar s title and scroll down to the link). Attendees seeking HRCI or SHRM credit should submit the materials directly to HRCI at or to SHRM at 58