BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace
MCHRMA Spring Conference, April 4, 2014

Presented by: Sonya Guggemos, MCIT Staff Counsel for Risk Control, sguggemos@mcit.org

The information contained in this document is intended for general information purposes only and does not constitute legal or coverage advice on any specific matter.
Use of Personal Devices for Work
- BYOD: Bring Your Own Device
- Trend for employees to use their own smartphones for work purposes
- Dual-use device: one device used for both personal and professional tasks

How Are Employees Using Their Personal Devices?
- Phone calls and voice mail
- Text messaging
- E-mail
- Document review
- Drafting documents
- Access to computer servers or databases

Why BYOD?
- Employee
  - Convenience and flexibility
  - Increased productivity
  - Employer has limited resources to issue its own devices
- Employer
  - Believed to be cost-efficient
  - Increased employee productivity and engagement

Risks to Employer and Employee
- Data retention, preservation and retrieval
- Data privacy and security
- Wage and hour concerns: Fair Labor Standards Act
Bring Your Own Device: DATA RETENTION, PRESERVATION AND RETRIEVAL

Data Retention, Preservation and Retrieval
- Both the government entity and the employee may have an obligation to retain, preserve or produce data and/or the device itself
  - Minnesota Government Data Practices Act (MGDPA)
  - Litigation hold or discovery
  - Investigation

Minnesota Government Data Practices Act
- Imposes an obligation to produce government data and an obligation to keep data easily accessible for convenient use
- Includes all data collected, created, received, maintained or disseminated by any government entity
- Government data is not defined by where it is stored, in what format, or how it is used
- Responsive government data stored on an employee's dual-use device must be produced

Minnesota Government Data Practices Act
- Government entity
  - Failure to produce data may be a violation of the MGDPA
- Employee
  - Failure to cooperate with the employer could be grounds for disciplinary action
  - Willful violation of the MGDPA may be just cause for disciplinary sanctions

Litigation Holds and Discovery
- Litigation hold: a means by which relevant documents, data and other information are identified and preserved for potential use in a lawsuit
- Discovery: requires production of documents, electronically stored information or things in a lawsuit

Litigation Holds and Discovery
- Employers are responsible for maintaining or producing documents or items in their possession, custody or control
- Failure to comply could lead to court sanctions against the employer, the employee or both, depending on the circumstances

Investigation
- A government entity may need to access sources of data on an employee's personal device in the course of an investigation
  - Internal complaint
  - Responding to outside investigations
  - Investigating a data breach

The Problem
- Government entity owns the data
- Employee owns the device
- Work and personal data are likely intermingled on the device

The Bottom Line
- Employee
  - May be required to give the employer or a third party access to the device, or to hand over the device itself, to avoid discipline or sanctions
  - This may include access to personal data
- Employer
  - May have limited ability to preserve the data
  - Employee may have a reasonable expectation of privacy in the device and the personal data on it
Bring Your Own Device: DATA PRIVACY AND SECURITY

Data Privacy and Security
- Government entities and employees are obligated to keep certain government data private, confidential and secure
- Minnesota Government Data Practices Act
  - Requires that the government entity establish and implement appropriate safeguards
  - Restricts access to data classified as private or confidential

Data Privacy and Security
- Health Insurance Portability and Accountability Act (HIPAA)
  - Requires a covered entity or business associate to implement policies and procedures that restrict unauthorized access to electronic protected health information (ePHI)
  - Includes individually identifiable health information
- Other privacy or security requirements in law or agreement

The Problem
- Government entity is legally responsible for data privacy and security
- Employee is responsible for physically securing the device and the data on it

Inadvertent Release of Data
- Lost or stolen device
- Access by friends and family
- Malware or computer viruses
- Employee upgrades device (the old device may still hold government data when it is sold, traded in or discarded)
- End of employment relationship (data remains on a device the entity no longer has access to)
- Remote backup and storage (cloud backup or sync copies work data to third-party servers outside the entity's control)

The Bottom Line
- Employer
  - May be responsible for its employee's inadvertent release of the data and for the resulting violation of data privacy laws
- Employee
  - May be subject to discipline for violating personnel, data privacy and security, or records retention policies
- Both
  - Other causes of action, such as invasion of privacy, could apply
Bring Your Own Device: WAGE AND HOUR CONCERNS

Fair Labor Standards Act (FLSA)
- Classifies employees as exempt or nonexempt
- Nonexempt employees generally have the right to overtime or comp time for time worked beyond 40 hours in a workweek
- Includes all time "suffered or permitted" to work
- Applies if the employer knows or has reason to know that the employee performed the work

FLSA and BYOD
- Checking and answering e-mail, phone calls and voice mail during nonwork hours may constitute compensable time for nonexempt employees
- Possible FLSA violations
  - Failing to compensate the employee properly for hours worked
  - Failing to keep accurate time records
- Could subject the employer to fines and entitle the employee to back wages and damages, including attorney fees
Bring Your Own Device: MANAGING THE RISK

Complex Issue
- The risks of BYOD apply to both employer and employee
- No one-size-fits-all solution
  - Depends on the needs and resources of the government entity and its employees
  - May differ between departments and positions
- A multidisciplinary approach (HR, IT, legal, records) may yield the best results

Conduct a Risk Assessment of Current BYOD Use
- Who is using a personal mobile device for work purposes?
  - Exempt vs. nonexempt employees
- How often is the device used for work purposes?
- Why is the employee using his or her personal device?
- How is government data being accessed or stored on the device?
- What data or information is being accessed or stored?
- How is the data or information classified under the MGDPA?
- What security measures are in place on the device?

Consider Ongoing and Future BYOD Use
- Do the benefits of BYOD outweigh the risks posed and the potential cost of managing those risks?
- What is the organization's comfort level with BYOD?
- Are there certain positions or certain uses that are not acceptable risks for BYOD?

The IT Component
- Analyze technological capabilities and capacity
- Review the capacity of IT staff to support employee personal devices and any BYOD requirements
- Assess the feasibility of implementing technological strategies for BYOD

Technological Strategies
- Password/passcode protection
- Encryption
- Virtual or remote access (data stays on the entity's systems rather than on the device)
- Mobile device management software

Mobile Device Management Software
- An agent installed on the employee's personal device but controlled by the employer
- Features can include
  - Enforced password protection and encryption
  - Remote locking of the device
  - Remote wipe of the device
  - Tracking a lost or stolen device through GPS
  - Restricting application installation

Mobile Device Management Software
- Disadvantage: improper use could raise issues under the Fourth Amendment or federal and state laws
  - Remote wipe may erase the entire device, including the employee's personal data; where the software can wipe only the work data, prefer that
  - Tracking employees after hours without authorization
- Best practice: written informed consent

Educate Employees
- Employees must also weigh the benefits of BYOD against the risks and responsibilities
- Employees have a crucial role in managing and mitigating any risks

Mitigating the Risks
- Use a password/passcode to protect the personal device
- Encrypt any work-related data to the extent possible
- Use the device's screen lock function
- Do not download or store private government data on the device unless necessary
- Keep work and personal information separate to the extent possible

Mitigating the Risks
- Report a lost or stolen device immediately
- Be selective about the applications downloaded
- Avoid using cloud-based backup or synchronizing with home computers for work-related data
- Do not let friends and family use the device unless access to work data is segregated or password protected

Mitigating the Risks
- Comply with data privacy policies and any other retention requirements, such as litigation holds
- Inform the government entity if no longer using the device for work purposes
- Remove or protect any work-related data before handing the device over for technical support or repair

Consider Developing a BYOD Policy
- Set forth the conditions for BYOD use
- Detail the expectations and responsibilities of an employee using his or her own device for work
- The policy should be consistent with federal and state laws and collective bargaining agreements

Other Considerations
- Incorporate BYOD into the exit interview procedure
- Develop procedures for preserving data that may be needed after the employee's departure
- Require that all work-related data be wiped from the employee's personal devices when employment ends
- Revise related policies as necessary to cover work-related data stored on dual-use devices

Implement the Program/Policy
- Train employees on the policy requirements
- Educate the staff implementing the policy about the risks and legal restrictions
- Be prepared for some employees to end BYOD rather than accept the conditions

Avoid FLSA Violations
- If permitting nonexempt employees to BYOD, consider a policy or guidelines outlining appropriate use
- Require all nonexempt employees to keep accurate records of hours worked whether on or off duty, including time spent reviewing and responding to e-mails or telephone calls
- Remind exempt and nonexempt employees on leave not to read or respond to work-related e-mail (other than for reasons directly concerning their leave)
- Educate employees and supervisors about the policy and enforce it consistently
Ask Questions and Share Experiences: DISCUSSION

You're Invited: MCIT's 2014 Regional Risk Management Workshops
Plan now to attend:
- Rochester: Sept. 4
- Marshall: Sept. 10
- Mankato: Sept. 11
- Crookston: Sept. 17
- Grand Rapids: Sept. 18
- St. Cloud: Sept. 24
- Fergus Falls: Sept. 25

It's for you: commissioners, department heads, supervisors, human resources professionals, risk managers/safety coordinators.

Sessions cover issues related to claims/coverage, human resources, risk control and governance. Registration begins May 1. Check MCIT.org/training.aspx for details.