BYOD: BRING YOUR OWN DEVICE PART 5 OF THE LAW PRACTICE MANAGEMENT SERIES Sarah Banola Cooper, White & Cooper LLP James Y. Wu Law Office of James Y. Wu
Bring Your Own Device (BYOD) Trend Increased use of smartphones and tablets Increased productivity and employee satisfaction versus higher security risks and less control over firm and client data Potential cost savings versus costs of maintaining, enforcing and supporting BYOD
BYOD Practice and Policy Audience Survey How many individuals use personal smartphones, tablets or laptops for work? How many law firms/companies have BYOD policies? Does the policy prohibit the use of any devices for connecting to the firm's system? Does the policy provide for mobile device tracking? How many law firms/companies assist with costs?
ILTA 2012 Technology Survey Results 94% of attorneys access email via wireless devices. 26% of attorneys use tablets/iPads. 85% of firms provide financial support for smartphones.
ILTA 2012 Technology Survey Results* 83% of firms require a password for wireless email devices. 39% of firms have laptop hard drive encryption, but only 26% have automatic content-based email encryption. 66% of firms do not use a third party system for mobile device management (MDM). Only 5% provide for theft-tracking (BlackBerry/iPhone tracing). *http://www.iltanet.org/techsurvey
Pertinent Rules of Professional Conduct RPC as basis for discipline versus common law standard of care The California State Bar Board of Trustees recently approved proposed new Rules of Professional Conduct that are currently under consideration for adoption by the California Supreme Court.
Pertinent Rules of Professional Conduct In August 2012, the ABA approved recommendations by the Ethics 20/20 Commission to amend the ABA Model Rules to address lawyers' use of new technology. California lawyers may also look to the Model Rules and ethics opinions for guidance on BYOD practices and policies. See CRPC 1-100(A); Vapnek, Tuft, Peck & Wiener, Cal. Prac. Guide: Professional Responsibility, 1:88-90 (The Rutter Group, a division of West, a Thomson Reuters business, 2012).
Duty of Competence California Rule of Professional Conduct (CRPC) 3-110 (Failing to Act Competently) ABA Model Rule 1.1 (Competence) Revised Comment [8] confirms that the duty of competence includes "keeping abreast of... the benefits and risks associated with relevant technology."
Duty to Supervise The duty of competence includes "the duty to supervise the work of subordinate attorney and non-attorney employees or agents." Discussion to CRPC 3-110. Model Rule 5.1 (Responsibilities of a Partner or Supervisory Lawyer) Model Rule 5.2 (Responsibilities of a Subordinate Lawyer) Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistance) New Comments [3]-[4] clarify a lawyer's duties when outsourcing legal work to non-lawyer service providers
Duty of Confidentiality-California Law California Business & Professions Code 6068(e)(1) (duty of attorney "[t]o maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.") CRPC 3-100 (Confidential Information of Client) Lawyers must take reasonable measures to safeguard confidential client information and may need to consult with someone who possesses the requisite technical knowledge. See Cal. State Bar Formal Opns. 2010-179 & 2012-184.
Duty of Confidentiality Amended Model Rule 1.6 New paragraph (c) requires lawyers to undertake reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or access to, confidential client information. New comment [18] addresses safeguarding confidential client information and includes the duty to prevent unauthorized disclosure by staff.
CRPC 3-500 Duty of Communication Duty to keep the client "reasonably informed about significant developments" and "to promptly respond to reasonable requests for information." Model Rule 1.4 Revised Comment [4] reflects changes in communication technology and requires a lawyer to promptly respond to or acknowledge client communications. Client instructions
Rule 1-400 Advertising and Solicitation Model Rules 7.1-7.3 Revisions to comments address a lawyer's use of technology for client development Model Rule 7.1, Comment [3], Model Rule 7.2, Comments [1]-[3], [5] and Model Rule 7.3, Comments [1], [3]. Duty of Candor Specialist Standard of Care. See Wright v. Williams, 47 Cal.App.3d 802, 810 (1975)
Multijurisdictional Practice CRPC 1-300 (Unauthorized Practice of Law) Model Rule 5.5 (Unauthorized Practice of Law; Multijurisdictional Practice of Law)
Multijurisdictional Practice Unauthorized practice of law as a misdemeanor. Bus. & Prof. C. 6126. Practice of law includes rendering legal advice and preparing legal instruments and contracts for California clients. See Birbrower, Montalbano, Condon & Frank, P.C. v. Sup. Ct., 17 Cal.4th 119, 128-129 (1998); Estate of Condon, 65 Cal.App.4th 1138, 1142-1143 (1998). Associating local counsel does not necessarily solve the issue.
Security of Confidential Information Reasonable steps are required Factors to consider: Level of security offered by particular device Legal consequences for unauthorized use or access Sensitivity of information Potential impact to client of inadvertent disclosure of privileged or confidential information or work product Urgency of the situation Client directions and circumstances Cal. State Bar Formal Opn. 2012-184.
Suggested Practices Involvement of IT staff or consultants Inventory of devices Attorneys must manage the security policies and practices Training
Suggested Security Measures Password Protection Encryption Firewalls Firmware updates and antivirus software Virtual Private Network (VPN)
Suggested Security Measures Mobile Device Management Outside vendor agreements. For suggested terms, see state bar ethics opinions including Cal. State Bar Opn. 2010-179; Oregon State Bar Opn. 2011-188; North Carolina State Bar Opn. 2011-6 Data backup Employee departure procedures Regular audits and software updates
Internal Breach Notification Procedures Reporting lost or stolen devices Remote locking or wiping Enabling "find my phone" or similar applications External Duty of Communication "If lawyer's conduct of the matter gives the client a substantial malpractice claim against the lawyer, the lawyer must disclose that to the client." RESTATEMENT (THIRD) OF THE LAW GOVERNING LAWYERS 20, cmt. c (2000).
Prohibit wiping devices Litigation Holds Obtain written consent to copy data to meet litigation hold requirements Duty of good faith and reasonable inquiry in responding to discovery E-discovery obligations
BYOD Written Policies Policies must be realistic Evaluate enforcement and compliance costs versus employee mobility and productivity Establish ownership of firm and client data
BYOD Written Policies Require employees maintain confidentiality of firm and client data on personal devices Require password, anti-virus, firewall and encryption Prohibit highly confidential information and trade secrets from being copied and saved on devices Separate server and access controls for sensitive data
BYOD Written Policies Consent to monitoring to reduce reasonable expectation of privacy Segregation of personal and firm/client data Consent to remote locking or wiping in event of security breach, theft, loss of device, or employee departure
BYOD Written Policies Restrictions on downloading certain applications that pose security risks Specify any prohibited devices Cloud storage and security of firm data (e.g., Dropbox, iCloud) Use of personal devices and connecting to public Wi-Fi network. See Cal. State Bar Formal Opn. 2010-179
BYOD Written Policies Regular reviews and updates Written consent to terms of policy For additional suggested terms and conditions, see ACC Top 10 Tips. http://www.acc.com/legalresources/publications/topten/tttfmtbyodttwe.cfm
Summary Who: All law firms and attorneys What: Secure client information on personal devices Ensure firm has written BYOD policy Why: Comply with professional obligations Prevent lawsuits Protect client information Maintain clients When: ASAP
James Y. Wu Law Office of James Y. Wu
Why Have BYOD By adopting a BYOD policy, employers may: Reduce their technology expenses by reducing or eliminating their need to provide employees with devices and phone or data plans. Take advantage of new technology supplied by individual employees rather than wait for the budget to purchase new devices for the entire workforce. Accommodate an employee's wish to carry one device for all uses, instead of separate devices for work and personal use. Enable employees to more easily work in their preferred operating system. JamesWulaw.com
After-Hours Work When nonexempt employees use PDAs, laptops, smartphones, or iPads to check work email and voicemail or to send text messages after-hours, is the time compensable? Class actions filed: May 2010: Lawsuit filed against City of Chicago by nonexempt police sergeants contending they were not compensated for responding to and receiving after-hours e-mails, phone calls, and text messages. July 2009: Lawsuit filed against T-Mobile USA Inc. by employees claiming they were required to use company-issued smartphones to respond to work messages after hours without pay.
Best Practices: After-Hours Work Do not issue PDAs, etc. to non-exempt employees. If you do issue these devices to non-exempt employees, or if employees BYOD, adopt a policy prohibiting non-exempt employees from performing work on company-issued PDAs, etc. after work hours, with disciplinary consequences. Educate managers that they should not require or expect nonexempt employees to check email, voice mail, etc. after work hours. Instruct managers to avoid unnecessary communication with nonexempt employees after-hours so that employees do not feel compelled to respond and/or work overtime. Pay for all hours worked, even if worked after hours.
Employee Privacy and BYOD Employers can control and set no expectation of privacy for employees using employer-provided resources With BYOD, however, employees have a greater expectation of privacy Personal data stored on an employee's device including: Photos Videos Texts Email Personal contacts
BYOD and Social Media Started out as emailing Now it includes so much more: Facebook, Google +, LinkedIn, MySpace Twitter Skype Blogs Texting Instant Messaging YouTube
Some Words About Passwords Recently reported that some employers were requiring applicants to turn over login credentials to the prospective employer (or to allow the employer to view a personal social media account during an interview). Huge public backlash. Facebook's Chief Privacy Officer issued a statement titled "Protecting Your Passwords and Your Privacy" that warned employers to not require passwords from applicants and employees.
Some Words About Passwords State legislators have also been quick to hop on this issue: On May 2, 2012, Maryland became the first state to pass a law specifically restricting employers from seeking login credentials from applicants and employees. California - Limitations on employers' ability to request social media information AB 1844 Labor Code Section 980 Employers cannot request social media information unless needed for an investigation of employee misconduct Social media broadly defined (email and text accounts too) Exceptions for misconduct, crime, or investigations Retaliation is prohibited
The NLRB Chimes In The National Labor Relations Board enforces the National Labor Relations Act (NLRA). Not just for unionized workplaces. Under Section 7 of the NLRA, employees have certain rights to participate in concerted activities to improve working conditions and/or terms of employment. The NLRB's General Counsel has focused attention on employee social media use under Section 7 of the NLRA.
The NLRB Chimes In The NLRB's General Counsel has released three comprehensive reports regarding social media policies and employer practices. August 2011 Report: http://mynlrb.nlrb.gov/link/document.aspx/09031d458056e743 January 24, 2012 Report: http://mynlrb.nlrb.gov/link/document.aspx/09031d45807d6567 May 30, 2012 Report: http://mynlrb.nlrb.gov/link/document.aspx/09031d4580a375cd
The NLRB Chimes In Best Practices for a BYOD and Social Media Policy: Have a clear policy, with a lot of examples, regarding approved and prohibited BYOD, internet, social media and email use. Routinely review your policy to ensure that it is current with latest legal developments. Train supervisors and managers on the policy, and to avoid acting too quickly. Require employees to sign an acknowledgment of receipt. Include an NLRA savings clause. Have separate and additional policies geared to those employees who do and who do not blog/use social media as part of their job duties.
Additional Legal Issues Connected to BYOD Employers Discrimination/harassment/retaliation Workplace Violence Privacy monitoring employees Trade Secret/Confidential Information Cell phone use/texting while driving Telecommuting policies
THANKS FOR YOUR ATTENTION! FOR ADDITIONAL INFORMATION: SARAH BANOLA 415.765.0308 sbanola@ www. http://www.linkedin.com/profile/sbanola JAMES Y. WU 925.658.0300 james@jameswulaw.com www.jameswulaw.com http://www.linkedin.com/in/jamesywu