The American workplace is in a period of unprecedented change as the combination of mobile technology and social media is changing the "who, what, when and where" of work.
4. Program Agenda
When Worlds Collide: Tracking the Trends at the Intersection of Social, Mobile and the Cloud
− The Explosion of Social/Mobile at Work and Play
− Social/Mobile Meets the Workplace: High Level Challenges
− Cloud Content and Mobile & Access Devices = New Applications and New Risks
− Enterprise Use of Social Media
− Managing the Social/Mobile Juggernaut (BYOD and Beyond)
− Wage and Hour Issues for the Perpetually Connected
− Employment Law Risks
− Privacy in a Transparent World
5. The Social / Mobile Explosion Is Driving Change
Who: Offshoring/outsourcing; freelancers; shifting expertise across teams; increased employee mobility
What: FLSA does not define work; Supreme Court: “physical or mental exertion . . . controlled or required by the employer and . . . for the benefit of employer.”
Where: Decreasing reliance on “work” as a fixed physical space
When: Knowledge workers have more autonomy over when to work; constant connectivity
How: New tools, ex. enterprise microblogging and other collaborative tools; internal apps developed for enterprise and customers; workflows
8. The Drivers: How Are We Using Our Mobile Devices?
(Chart; source: Always Connected, IDC Study, Sponsored by Facebook, March 2013)
9. What Do You Do When You First Wake Up?
(Chart; source: Always Connected, IDC Study, Sponsored by Facebook, March 2013)
10. Blurring The Lines: Work vs. Personal
90% of full-time employees use a personal smartphone for work purposes
• 62% of those use it every day
• 39% don’t use password protection
• 52% access unsecured wifi networks
• 69% believe they are expected to access work emails after hours
1 in 10 workers receive a stipend for their smartphone
(Cisco, BYOD Insights in 2013: A Cisco Partner Network Survey, March 2013)
11. Translating the Trends: What to Expect in 2013
Social/Mobile Meets the Workplace: Challenges and Opportunities
12. Blurring The Lines: Work vs. Personal
• Do You View Your Tablet Device As Primarily A Work Or Personal Device?
(Chart; source: iPass Q1 2013 Mobile Workforce Report)
13. The Consumerization of IT is Here
55% of IT managers have made exceptions for “specialized members,” i.e., top executives, to use their choice of devices and software (2013 iPass MobileIron study)
55% of IT directors will actively accommodate and encourage the use of personal devices (Citrix Study 2012)
81% of respondents accommodate personal devices in the workplace (2013 iPass MobileIron study)
54% of respondents had a formalized BYOD policy (2013 iPass MobileIron study)
14. How Are Different Sectors Responding?
(Chart; source: Good Technology, BYOD Customer Survey, December 2012)
15. Mobile Is Here To Stay
Lowe’s purchased 42,000 iPhones for employees
Employees can check inventory at nearby stores; share how-to videos; check competitor prices, order status, and schedules; verify sale prices and better serve customers
Innovative apps include tools to calculate the amount of paint needed to paint a room
My Lowe’s can organize customer history
Sales associates can use iPhones to ring up sales
Home Depot distributed 34,000 “First Phones” to employees
Associates can continuously update and monitor inventory levels
First Phones provide instant access to product info and speed checkout
16. Customers & Social Media
An estimated 23M Americans discover new brands through social networks; up from 18M in 2010
64% of social media users stated that social networks influenced their buying decisions
80% of companies planned to use social media for customer service by the end of 2012
47% of social media users actively seek customer service through social media
(Click Software Study Dec. 2012)
17. The Social Intranet
“Creating a community in the workplace where employees can share and engage on a real-time platform makes everyday communication and collaboration easier and more effective, delivering tangible business results.”
(Social Business: 5 Trends To Watch For 2013 And Beyond, Forbes (Dec. 2012))
18. Internal Social Media Benefits
83% of respondents use at least one social technology
73% of respondents use social technologies internally; 74% use with customers; and 48% connect with external partners
9 of 10 respondents who use social tools have tangible business benefits, including enhanced access to knowledge and internal experts, increased employee satisfaction and reduced travel costs.
(McKinsey Quarterly, March 2013, reporting on July 2012 survey of 3,542 executives)
19. Social Intranet vs. Mobile
Common barriers to mobile design entry for intranets:
− Data security concerns
− Difficulty of choosing a platform
− Lack of resources to create and maintain the design
− Uncertainty about whether to implement a full feature set with a good mobile user experience or an app for particular tasks
20. Some Risks Of Social/Mobile
• Loss of control over corporate data
− Violation of regulatory compliance obligations, ex. SEC, HIPAA, GLBA
− Security breaches
− Misappropriation of trade secrets
• Public nature of social media
− Too much information about applicants and employees
− Damage to brand reputation
− Expanded responsibility for regulating employees’ off-duty conduct?
• HR/Employment Risks
− “Off the clock” wage and hour claims
− Potential privacy-based claims
− Workplace safety issues
• Records management and e-discovery challenges
21. What Are The Organizational Challenges?
• Social/mobile permeates the organization
− Branding and public image
− Relationships with customers, vendors and competitors
− Getting the work done
− Managing employees
• IT, HR & Legal may have different objectives
• Evolving communications standards
− Five generations in the workplace, each with different communication norms
• Risk of losing market share to more socially agile competitors
22. What Are The Legal Challenges?
Challenges of applying old laws and policies to new technology
− FLSA (1938); NLRA (1933); SCA (1986)
Case law lags behind while rate of change accelerates
Early legislation and regulation in the U.S.
− Social media password protection laws
− Agency guidance on social media communications – SEC, NLRA, FTC, FINRA
The challenges of global legal compliance
23. Some Solutions
1. Understand how your organization is using social/mobile
2. Create a multi-disciplinary information governance team
3. Identify key risk areas
4. Develop an enterprisewide strategy for managing social/mobile risks
5. Implement a governance platform and update existing policies
6. Continuously evaluate the impact of new mobile and social technologies on the workplace
7. Continuously evaluate the impact of new laws and court decisions on existing policies
25. What Is Cloud Computing?
The “cloud” is “the act of storing, accessing and sharing data, applications and computing power in cyberspace.” (Pew Research Center)
Types of information that can be, and are, stored and processed in the cloud: customer records, databases, email, health records, financial data, personnel records
Nature of the cloud = f(degree of control over the data)
− Personal cloud (retail to individuals)
− Private cloud (corporate, limited access)
− Public cloud (corporate equivalent of personal cloud)
26. Employees And The Cloud
Mobile devices send information to data storage, video, photography and social networking sites, and web-based email providers
− iCloud, YouTube, Flickr, Facebook, Gmail
Cloud services also provide collaboration capabilities – may be used to circumvent IT restriction on sharing information outside the enterprise
− Google Docs, Dropbox.com, Box.net
An employer rarely has any control over data stored by cloud service providers
27. Advantages Of Cloud Computing
1. Reduced costs and increased scalability
2. Increased security
• Cloud providers often have greater resources and sophistication
• Redundancy ensures business continuity and disaster recovery
3. Convenience: Users can access data from anywhere over the Internet using any computer
4. Save computing space: Software does not have to be installed on each hard drive
28. Legal Risks Of Cloud Computing
1. Loss of control of data to a third party
• Information can be stored anywhere in the world
2. Loss of control over infrastructure and information security
• CSP will control security incident response
3. Lower standard for government access
4. Inadequate protection of trade secrets
5. Electronic discovery challenges
6. Potential global data protection challenges
29. Practical Steps Towards Implementing
1. Interdisciplinary team (IT, HR, Legal, Business Unit leaders)
2. Understand applicable law, especially law related to cross-border data transfers
3. Determine which information to store in the cloud
• Think twice before storing these in the cloud: regulated data (PHI, PII, NPPI), privileged communications, trade secrets, business critical information, EU personal data
4. Conduct due diligence on the cloud service provider
5. Negotiate contractual protections
30. Practical Reality
CSPs will permit minimal to no due diligence
CSP Terms of Service often are non-negotiable
Cloud services can create operational risks
o HHS obtained $100K settlement from a Phoenix surgery center that posted patient appointment calendar to the cloud
CSPs can play hardball with your organization’s data
o GlaxoSmithKline sues CSP, alleging $80K ransom demand for return of critical documents
32. Enterprise-Oriented Social Media
Key steps to success:
1. Define your organization’s objectives
2. Get leadership buy-in
3. Create an information governance committee
4. Tailor for corporate culture/employee or customer needs
5. Determine who is authorized to post
6. Establish guidelines
7. Provide training
33. Think Before You Post
Summary judgment denied to Coyote Ugly on retaliation claim where company’s president and co-founder referenced on “Lil Spills” blog a former employee’s lawsuit and commented, “F**k that b**ch.” Stewart v. Coyote Ugly Saloon Nashville, LLC (M.D. Tenn. 2013)
Netflix CEO posts to 200K Facebook followers that users have watched more than 1B hours of content on the Company’s streaming service
• stock price jumps 6%
• SEC issues Wells notice and investigates failure to use public means of communication
34. Key Guidelines For Social Speakers
1. Identify yourself
2. Protect confidential information
3. Speak for the organization only when authorized
4. Respect intellectual property rights
5. Get the message right and admit mistakes
6. Think global
35. Key Guidelines For Social Speakers
7. Company will monitor employees’ social media content
8. Personal accounts are not for business purposes
9. Beware of lurking wage & hour issues for non-exempt employees
10. Remember your other job duties: social media can be addictive
36. Additional Issues: Customer-Facing Social Media
1. Compliance with sector-specific regulations
2. Protection of corporate accounts
• Covered in detail during afternoon presentation
3. Monitoring and responding to customer complaints
38. Lingo: Dual Use Mobile Devices And BYOD
BYOD = Bring Your Own Device
Dual Use Mobile Device: Mobile device used to create, store and transmit both personal and work-related data
COPE: Corporate Owned, Personally Enabled
Some Other Terms:
BYOC: Bring Your Own Computer. Programs that add laptops to the covered devices
BYOA: Bring Your Own App.
39. Two Perspectives of BYOD
BYOD can improve employee productivity, engagement and satisfaction; help recruit new employees; and solve the “two pocket problem”
vs.
BYOD can pose tremendous compliance and security risks, can undermine litigation, as well as create exposure under wage and hour, privacy and related laws
40. Another Perspective: Does It Really Reduce Costs?
“All tallied, it is not clear whether BYOD saves money. A typical mobile BYOD environment costs 33 percent more than a well-managed wireless deployment where the company owns the devices ***.”
− Loss of bulk purchasing power
− Higher help desk/support costs
− Security issues
Expenses may be offset by enhanced productivity – Intel estimates that BYOD employees save 57 minutes daily through use of personal devices
IBM says the trend toward employee-owned devices isn’t saving it money.
(MIT Technology Review, Monday, May 21, 2012)
41. Setting Up A BYOD Program: Overview
A BYOD program includes:
1. User Policies that govern ownership and use
2. Information Security Policies that attempt to manage risk
3. HR Policies to address impact of mobile devices on workplace behavior
4. Selection, installation and deployment of mobile device management software
5. Applicable disciplinary procedures for non-compliance
6. Updates to BYOD Guidelines and policies as needed
7. Training re: all of the above
42. Security Risks Of Mobile Devices
• BYOD a “significant” security risk for 78% of respondents (Global Information Security Workforce Study 2013)
• Loss or theft of devices
− 47% of IT managers reported dealing with lost or stolen phones (2013 iPass MobileIron study)
− 39% of respondents stated that they have the necessary security controls to address the risks created by mobile devices (Ponemon Study Feb. 2012)
• Malware
− 69% of respondents ranked application vulnerabilities as the highest security concern, with malware and mobile devices a close second at 67% and 66% respectively (Global Information Security Workforce Study 2013)
• Friends and family
− 27.5% of FinCEN suspicious activity reports involving identity theft implicate friends, family, or an employee in the home
43. Security Risks of Mobile Devices
Mobile Devices As Gateway to the Cloud:
− Employee ownership of the account with the service provider will limit company access to its data
− No contract with company = no right to access data
− Obligation to “vet” security controls of vendors
− Data may be more available to law enforcement or others
44. Implications Of A Security Breach
Violation of statutory or regulatory requirements to secure personal information: HIPAA, GLBA, and state laws (MA, OR, OK, NV)
− Statutes apply to service providers of covered entities
− Enforcement: HHS and MA have recently obtained penalties
Security breach notification laws: 46 states, DC, PR, USVI, and Guam
− Encryption safe harbor
− Encryption requirements: MA, NV, HIPAA
Avg. cost of a breach is $194/lost record or $5.5M (Ponemon Study 2011)
45. Recommendation: Control Eligibility
Control eligibility to participate in BYOD and other remote access programs
• The more people with BYOD, the greater the risk
Limit to employees with a business need for remote access
NOT employees with regular access to sensitive information
• Legal, HR
• Access to highly valuable trade secrets, e.g., product engineers
• Access to highly sensitive, non-public financial info, e.g., CFO’s group
46. Recommendation: Install MDM Software
Mobile Device Management Software: Allows corporate IT to manage use of mobile devices (BYOD and corporate issued). Available features include:
• Encryption
• Lock down end user’s ability to use specific device features or apps, such as cameras or iCloud
• Enable remote locking or wipe of device
• Enforce use of strong passwords
• Prevent users from jailbreaking device or disabling or altering security settings on devices
• Device locator
Consider the use of “container” technology
47. Additional Recommendations
1. Limit the types of devices that can participate in the program
2. Limit the business applications on the device
3. Limit use of cloud-based apps, cloud-based backup, or synchronizing with home PCs
4. Require employees to protect the physical security of the device
• No sharing of device or password with household members or friends
• Require password protection
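The eligibility rule (slide 45), the MDM-enforced controls (slide 46) and the device-type and backup limits (slide 47) can be expressed as a single enrollment check that an IT team runs against device posture reported by its MDM. The following is an added example, not code from the presentation; the group names, platform list, passcode minimum and device records are constructed assumptions.

```python
"""BYOD enrollment check built from the deck's recommendations (slides 45-47).
Added example; the policy values and device records below are constructed."""
from dataclasses import dataclass, field

# Constructed policy values (assumptions): groups the deck says should NOT get BYOD
# (Legal, HR, trade-secret engineering, the CFO's group) and the approved platforms.
RESTRICTED_GROUPS = {"legal", "hr", "product-engineering", "finance-cfo"}
ALLOWED_PLATFORMS = {"ios", "android"}
MIN_PASSCODE_LENGTH = 8  # assumed "strong password" floor


@dataclass
class DevicePosture:
    """Posture attributes an MDM typically reports for an enrolling device."""
    user: str
    group: str
    needs_remote_access: bool
    platform: str
    encrypted: bool
    passcode_length: int
    jailbroken: bool
    cloud_backup_enabled: bool


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(d: DevicePosture) -> Decision:
    """Return allow/deny plus every policy reason, so IT can tell the employee what to fix."""
    reasons = []
    # Slide 45: only employees with a business need; exclude sensitive-data roles.
    if not d.needs_remote_access:
        reasons.append("no business need for remote access")
    if d.group.lower() in RESTRICTED_GROUPS:
        reasons.append(f"group '{d.group}' has regular access to sensitive information")
    # Slide 47 (1): limit the device types admitted to the program.
    if d.platform.lower() not in ALLOWED_PLATFORMS:
        reasons.append(f"platform '{d.platform}' not in the approved device list")
    # Slide 46: controls the MDM must see in place before corporate data is allowed on.
    if not d.encrypted:
        reasons.append("device storage is not encrypted")
    if d.passcode_length < MIN_PASSCODE_LENGTH:
        reasons.append("passcode shorter than policy minimum")
    if d.jailbroken:
        reasons.append("device is jailbroken/rooted")
    # Slide 47 (3): no cloud-based backup of device contents while enrolled.
    if d.cloud_backup_enabled:
        reasons.append("cloud backup of device contents is enabled")
    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample posture records, one per outcome the policy produces.
SAMPLE_DEVICES = [
    DevicePosture("alice", "sales", True, "iOS", True, 8, False, False),
    DevicePosture("bob", "legal", True, "iOS", True, 10, False, False),
    DevicePosture("carol", "marketing", True, "Android", True, 4, True, True),
    DevicePosture("dave", "support", False, "windows-phone", False, 6, False, False),
]


def run_sample() -> dict:
    """Evaluate every sample device; returns {user: Decision}."""
    return {d.user: evaluate(d) for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for user, decision in run_sample().items():
        status = "ALLOW" if decision.allowed else "DENY"
        print(f"{user}: {status} {'; '.join(decision.reasons)}")
```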
48. Translating the Trends: What to Expect in 2013
Wage & Hour Issues for the Perpetually Connected: Challenges of a Mobile Workplace
49. Who Will Pay And What Devices Are Included?
Who pays for/owns device? Is participation optional?
Who pays for service plan – employer selected options or reimbursement?
Options include technology allowances, reimbursement, standard devices issued by employer.
50. Who Pays For Mobile Devices And Use Fees?
Expense Reimbursement
• Federal law – expenses can’t reduce pay below minimum wage
• Eleven states have express or implied expense reimbursement requirements: California, Montana, North Dakota, South Dakota, New Hampshire, Alaska, Minnesota, Arkansas, Iowa, Kentucky, Michigan
California Labor Code § 2802 – Employer must reimburse Employee for “necessary expenditures or losses incurred by the employee... as a consequence of the discharge of his/her duties”
Reimbursement must meet certain criteria in order to be tax exempt
51. Who Pays In California?
• Employer can reimburse for actual expenses or make a lump sum payment to fully reimburse employees for actual expenses necessarily incurred (Gattuso v. Harte-Hanks Shoppers, Inc., 42 Cal. 4th 554 (2007))
• Deleon v. Airtouch Cellular, unpublished opinion (Ct. App. 2nd Dist. February 4, 2013): alleged violation of California Labor Code Section 2802 where employer stipend did not cover full cost of required cellular phone and equipment.
− Employee allowances did not cover taxes, data plans, 411 calls and overages
− Lump sum program with mechanism to seek approval for expenses in excess of the lump sum satisfies 2802 if it provides full reimbursement for actual expenses necessarily incurred
− Take away: Court found fact issues with the operation of excess program, but did not question that employer is responsible for cell phone charges IF NECESSARILY INCURRED.
53. The 24/7 Workplace And The FLSA
• Wage & Hour – Is after-hours use of mobile devices compensable time?
− When does “de minimis” time become compensable?
− Emails themselves may be evidence of time spent and notice to employer
− Time spent dealing with IT issues related to devices
− Work by non-exempt or exempt employees during weeks off or leaves of absence
54. The 24/7 Workplace And The FLSA
Managing W&H Concerns
• Prohibit non-exempt employees from accessing email or making work-related calls outside of scheduled hours
• Limit access/program participation to employees who are exempt from OT
• Create process for reporting work performed outside of working hours
• Training
– Employees
– Managers
– Compliant policy requiring pay for all hours worked
– Must pay for all time worked, approved or not
– Can treat time worked without authorization as a disciplinary issue
55. Lessons From Recent Case Law
Allen v. City of Chicago (N.D. Ill. 2013): collective action alleging failure to pay overtime for off-duty time reading and responding to email on city-issued BlackBerries
Lessons:
− Employer has a risk if managers are sending messages via company-provided devices, and the messages call for off-shift response
− If you provide mobile devices to exempt employees, consider written policy that employees do not need to review and respond to email while off-shift
Brown v. Scriptpro, LLC (10th Cir. Nov. 27, 2012): Employee’s failure to use remote timekeeping system resulted in victory for employer
Lessons:
− Provide automated timekeeping system with easy remote access and train employees to use it
− Make sure policy aligns with operational reality
− Conduct compliance audits
57. Can Trash Talk on a Blog be an Adverse Employment Action?
Post by President of Defendant/Employer:
“By the way Lil, you should be getting served with a lawsuit. No worries just sign for it”. This particular case will end up pissing me off cause it is coming from someone we terminated for theft… I have been reading the basics of Buddhism and am going to a class on Monday. The Buddhist way would be to find beauty in the situation… Obviously, I am still a very new Buddhist cause my thoughts are “#$%! that @#$*#. Let me do my breathing exercises and see if any of my thoughts change. Lol
Court ruling on retaliation claim: A reasonable jury could find that the posting of this blog entry constituted an adverse action, since it falsely stated that she engaged in theft, . . . and could find that this [conduct] would have likely dissuaded a reasonable worker from making . . . an FLSA claim.
Stewart v. Coyote Ugly Saloon Development Corp., et al., 2013 WL 456482 (M.D. Tenn. Feb. 6, 2013)
58. Potentially Outdated Policies
Recruiting and Hiring
Performance Management
Harassment, Discrimination & EEO
Workplace Safety
Time Recording and Overtime
All Policies Governing Use of Electronic Resources
Social Media Policies, including policies governing external communications and internal company social networks
Compliance and Ethics, Including SEC Disclosure Rules
Advertising and Marketing
Records Management and Retention
Data Privacy & Security
Litigation Holds
Confidentiality & Trade Secret Protection
Termination Practices
59. Other Issues
E-Discovery Challenges
− Identification of BYOD devices/information
− Practical challenges of data collection
− Does the employee “control” data on the devices?
− Will employees be required to produce mobile for e-discovery purposes?
Records Management: FINRA retention requirements
Protection of trade secrets
o Gateway to the cloud
o Review exit interview process
61. Employee Privacy Rights
Issuing a remote wipe command
• Employees have a reasonable expectation of privacy in their personal device
• All 50 states have computer trespass laws
• Potential liability under the Computer Fraud & Abuse Act if the unauthorized access causes damages > $5,000
Accessing an employee’s personal e-mail or cloud account
• Federal Stored Communications Act, e.g., Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)
Access to private information: GINA
62. Geolocation Tracking And Telematics
FTC: Geographic location is sensitive information
CA Penal Code 637.7(a). No person . . . shall use an electronic tracking device to determine the location or movement of a person.
CA Penal Code 637.7(d). Electronic tracking device is “any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals.”
Tread carefully.
63. International Data Protection Issues
The number of countries with broad data protection laws has increased dramatically in the past three years
Ability to roll out program globally can vary substantially by country
− France, Mexico, Spain: Yes
− Brazil, Czech Republic: No
− Singapore: Yes with adjustments
64. The Dual-Use Device Agreement
Critical Terms: Protection against computer trespass, invasion of privacy and other claims
1. Agree to Company’s use of remote wipe
2. Agree to Company’s monitoring of personal device
3. Agree to produce the personal device for inspection and copying in response to a legitimate request
4. Release Company from any liability for destruction or incidental viewing of personal information
Expect Pushback
65. The Dual-Use Device Agreement
Additional Terms:
1. Will install corporate security package
2. Will not modify corporate security package
3. Will immediately report loss or theft of device
4. Will limit storage of corporate information
5. Acknowledge that all company policies apply to the dual-use device
And now, shifting gears, we will move on to mobile devices.
Different rules for regulated industries – FINRA, FFIEC (Federal Financial Institutions Examination Council; non-banks, mortgage brokers). The most recent FINRA guidance became effective on February 4, 2013 regarding preapproval and supervision of social media. Of course, the firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person. . . . firms should have the ability to separate business and personal communications, such as by requiring that the associated persons use a separately identifiable [secure] application on the device for their business communications... If the firm has the ability to separate business and personal communications, and has adequate electronic communications policies and procedures regarding usage, then the firm is not required to supervise the personal emails made on these devices. Of course, firms also are free to treat all communications made through the personal communication device as business communications.
Ask Mass Eye and Ear Infirmary which paid a $1.5 million penalty arising out of the loss of a single laptop