Presented by: Jason C. Gavejian

Transcription

1 2014 Jackson Lewis P.C. Presented by: Jason C. Gavejian Shareholder, Morristown Office Jackson Lewis P.C.

2 Mobile phones Tablets ipads Laptops Non-company owned PCs USB sticks External hard drives Cloud-based storage (e.g., Drop Box) 2

3 Global Survey by International Data Group Global Solutions of mobile device users from March to May 2013: 41% use their private smartphone for business. 37% use their tablet. 47% of the respondents who did not currently have a tablet said they planned to purchase one in the next year. 3

4 Gartner predicts that 38% of companies will stop providing devices to workers by By 2017, half of employers will require employees to provide their own devices. Source: 4

5 Bring Your Own Device. Employees utilize these devices to perform work for you: Whether company provided or employee s personal device. Result: dual-use device: Both personal and company data and activity. Handling personal matters while at work more difficult to monitor. Why allow it? You may not have a choice! 5

6 Expected in today s fast paced and instant gratification environment: Tablets and smartphones are replacing traditional PCs & laptops. Cost savings: Is it really? Security; Reimbursement, Internal Service, & Risk of lost devices. Less bargaining power in cellular and data plans. Improves employee productivity and availability: Always reachable, employees are familiar with device functions and capabilities. 6

7 7

8 Mobility: Work remotely: Home and on the road. Work/life balance: Good Technology survey: 76% of enterprises support BYOD; 80% of people continue working when leave the office; 7 extra hours/week = 365 hours/year; 50% check work in bed; 38% at dinner table; 57% on family outings. Personalization/familiarity: Employees know their devices. Choice: Eliminate the need for two devices. Allow employees to choose own device. 8

9 9

10 10

11 What are the potential problems with allowing employees access to company on their personal mobile devices? What technical controls can I put in place to minimize those risks? What can I do to limit the company s liability? 11

12 Problems: Upgrades: Too fast for Company to keep up. Data stored on mobile/personal devices not owned by the Company: Corporate information and trade secrets; Personal information of employees and/or customers. Mixing of personal and corporate data. Malicious software attacks. Compliance risks: HIPAA; Encryption (MA & NV); Client demands; e-discovery. Data Loss 12

13 Lost or stolen devices. Consultants using their own PCs to access your internal network. Employees uploading sensitive data to document sharing sites (dropbox.com, etc.). Sales teams copying customer lists to their USB before they leave the company. Employees ing themselves, or others, company information. Accessing company on their own personal iphone or other mobile device. Employees accessing company webmail from their home PC (downloading attachments). Employees upgrading to a new mobile device (discarding of the old). 13

14 Information loss. Financial loss. Public relations. Negative publicity. Loss in customer confidence. A couple of statistics reported by Cisco Systems in their Whitepaper titled Data Leakage Worldwide: Common Risks and Mistakes Employees Make: 46 % of employees admitted to transferring files between work and personal computers when working from home. 13 % of those who work from home admit that they cannot connect to their corporate networks, so they send business to customers, partners, and co-workers via their personal . 43% of Employees have accessed sensitive corporate data on personal device while using an unsecured public network. Osterman Research

15 Compliance requirements Federal Trade Commission Section 5, Data disposal rule, etc. HIPAA (covered entities, business associates) State law data security compliance (e.g., CA, CT, FL, MA, MD, OR) New Florida law Sec : Each covered entity, governmental entity, or third-party agent shall take reasonable measures to protect and secure data in electronic form containing personal information. Encryption (MA & NV) e-discovery 15

16 Have a strategy. Limit BYOD To Certain Employees? Proxy Servers to control access to file-sharing web sites and personal accounts. Limit Types of Data Access, Stored, or Transmitted Data encryption. Anti-virus and spyware protection. MDM (Mobile Device Management) software and enforcement. Server access only. Segregated environment. 16

17 Legal Human Resources Finance Communication/Employee Relations Information Technology 17

18 Put employees on notice; consequences to employee should something happen. Make decisions about which devices, platforms, networks can be used. Clearly state company ownership of information. Company ability to access and control that information. Company ability to remove data from the device upon departure. Remote wipe/mdm (Mobile device management). 18

19 Eligibility: Eligibility requirements. Device support limitations. Risk and responsibilities. Access limitations: Role/Title/Geography. Applicability of other policies. 19

20 Conditions for reimbursement: Device purchase and/or replacement. Plans. Limitations (e.g. max amount). Substantiation of expenses. California requires reimbursement (Labor Code 2802) Cochran v. Schwan s Home Service, Inc., Court of Appeal of California, Second Appellate District, (August 12, 2014). employers always have to reimburse an employee for the reasonable expense (reasonable percentage of employee s cellphone bill) or the mandatory use of a personal cell phone 20

21 Security: Prohibit: Jail Breaking or Rooting. Modifications to device hardware or operating software beyond routine updates. Process and timing for reporting loss, theft, new device, unauthorized access, and cessation of employment: Breach Policy. Remote Wipe. Password and/or encryption requirements: Encryption required? Failed Login. 21

22 End-User (employee) support: Define what devices are supported. Define types of support provided: Applications, services, scenarios. Self-service. How to request support. 22

23 Data: Classify devices, users and data accessed. Clarify ownership of apps and data. Establish allowable apps and banned apps. Employee exit procedure. Monitoring: Balance the expectations of privacy: Reserve right to monitor. Voluntary acceptance of program. Explicit consent in writing. Notice postings (Walls, Login Screen, Homepage) (Required in Some States (CT & DE) City of Ontario v. Quon, 130 S.Ct (2010) 23

24 Policy Violations: Clear on consequences: Up to and including termination. May need to notify business partners. Guidelines on device configuration. Safety (e.g. vehicle use). Plan for breach. Develop process for litigation preservation, data deletion, device and security updates. Training. 24

25 Different throughout the world. EU most restrictive. Adapt for locations/countries. Encryption. Do you need to get possession of device? Storage card. Handling old devices destruction. Lowering expectation of privacy. Accessing truly personal information/content: Multiple accounts. GINA/Disability Information. Need to access device to update software; monitor up to date. Privileged communications. Stengart (N.J. Supreme Court) 25

26 E-Discovery Safety: Mobile device use and driving. Unions. Employee Conduct: Negligent hiring/supervision. Discrimination, harassment, retaliation. An employer may be held liable for an employee s wrongful acts if the employer knew or had reason to know of the risk the employment created. Doe v. XYC Corp., N.J. Super. 122 (2005) (Court found employer liable as it had duty to investigate and respond in case of alleged negligent supervision of employee who was criminally charged with child pornography using workplace computer.) e-discovery obligations: Preserving data in connection with litigations. 26

27 Tracking software/apps: Find My iphone: Features include tracking location, remote erase. Android Lost App: Features include viewing SMS messages, erasing SD card, taking remote pictures. mspy/webwatcher/keylogging/spyware: Monitor calls, track messages, read s, bugging, websites visited, keystrokes typed. 27

28 Tracking employees using GPS and/or phone tracking ability: Real-time updates. Streamline travel. Taking breaks? Tracking time? Generally, no expectation of privacy in employerowned phone, but what about BYOD phone? CT/DE Laws Ask yourself why are we doing this? What are the goals? 28

29 29

30 Tips: Create a GPS Tracking policy. No expectation of privacy in employer-owned property. Only monitor during work hours. Focus only on relevant information: Impacting job performance. Interferes with job performance. Ignore the visit to the AA meeting at lunch time 30

31 Cal. Penal Code Not limited to vehicles; requires employee consent Conn. Gen. Stat d Not limited to vehicles; must give written notice; must post notice of practice Del. Code Ann (a)(8) Limited to vehicles; cannot track without consent Minn St. 626a.35 Not limited to vehicles; requires consent Tex Penal Code Ann Limited to vehicles; cannot track without consent 31

32 Unauthorized use of, or access to, records or data containing personal information. Personal Information (PI) typically includes: First name or first initial and last name in combination with: Social Security Number Driver s Licenses or State identification number Account number or credit or debit card number in combination with access or security code Biometric Information (e.g. NC, NE, IA, WI) Medical Information (e.g. CA, VA) PI typically maintained where? Human Resources-Applications, FMLA, Disability, etc. Accounting-Payroll documents. Benefits-Health, Vision, Dental. 32

33 Loss, theft, improper access, inadvertent disclosure: The lost laptop/bag; Inadvertent access; Data inadvertently put in the garbage; Theft/intentional acts; Inadvertent attachment; Stressed software applications; Rogue employees; Remote access; Wireless networks; Peer to peer networks; Vendors. 33

34 Why does this matter? Fines, penalties, settlements: State Attorney Generals: Vary By State:» Multipliers: Michigan permits civil fines of not more than $250 per failure (each person), with a maximum of $750,000.» Length of notification delay: Florida imposes fines when notification is not provided within the statute s mandated time frame (30 days). Calculate the fine as $1,000 per day for the first 30 days, and $50,000 for each 30 day period thereafter with a maximum fine of $500,000. Health and Human Services: Penalties and settlements in the millions of dollars. Private cause of action: 14 states have some form of private action. 34

35 To defend cases: Wage and Hour cases: Determine worked time using data. Use data to identify meal and rest breaks taken. Could be used for credibility purposes. Harassment, discrimination and retaliation cases: Photographs, texts and call history to refute claims. 35

36 Possible sources of liability: Wage and Hour issues: Checking and texting outside of work hours. Compensable time? Invasion of privacy: Tracking employee whereabouts after hours. Apps that take pictures remotely. Destruction of data and/or evidence: Remote access to company s servers. Deletion of photos, texts or other evidence. 36

37 Google Glass Smart Watches Other Wearables Photo Credit: istock 37

38 Jason C. Gavejian (973)

39 39