
Post on 16-Jul-2020


The BYOD Workplace and the 24/7 Employee: Managing Legal Risks for Employers

Thursday, April 17, 2014

Moderator

Molly M. DiBianca, Associate, Young Conaway Stargatt and Taylor, Wilmington, DE

mdibianca@ycst.com

Speakers

Adam S. Forman, Principal, Miller, Canfield, Paddock and Stone, Detroit, MI

forman@millercanfield.com

Michael S. Glassman, Partner, Dinsmore & Shohl, Cincinnati, OH

michael.glassman@dinsmore.com

Melanie V. Pate, Partner, Lewis Roca Rothgerber, Phoenix, AZ

mpate@lrrlaw.com

J. E. Jess Sweere, Director, Cross, Gunter, Witherspoon & Galchus, Little Rock, AR

jsweere@cgwg.com

Introduction

Molly DiBianca

Young Conaway Stargatt & Taylor


The Current Landscape

• Key Statistics

– Use of mobile technology

– BYOD policies

• What’s an employer to do?

– Manage risk

– Be a realist


Webinar Agenda

• Legal Risks

• Best Practices

• Policy Pointers


Legal Risks

Adam S. Forman

Miller, Canfield, Paddock & Stone

J.E. Jesse Sweere

Cross, Gunter, Witherspoon & Galchus


CONSTITUTIONAL PROTECTIONS

4th Amendment

• Unreasonable searches and seizures

– Murphy v. Spring (N.D. Okla. 2013)

– Chaney v. Fayette Cnty. Pub. Sch. Dist. (N.D. Ga. 2013)

“Once It’s There – It’s There To Stay”

9th and 14th Amendments

• Penumbra of “implied constitutional rights of privacy”

– NASA v. Nelson (U.S. 2011)

– People v. Holmes (Colo. Dist. Ct. 2013)

STATUTORY PROTECTIONS

Electronic Communications Privacy Act

• Title 1 – Federal Wire Tap

– No “intercepting” electronic communications without authorization of 1 party

• Title 2 – Stored Communications Act

– No accessing, without authorization, a “facility” through which electronic communication service is provided and thereby obtaining access to an electronic communication while it is in “electronic storage”

Electronic Communications Privacy Act

• Title 2 – Stored Communications Act

– Disputes over “stored”

• Cheng v. Romo (D. Mass. 2013)

– Disputes over “facility”

• Garcia v. City of Laredo (5th Cir. 2012)

– BYOD

• Lazette v. Kulmatycki (N.D. Ohio 2013)


NATIONAL LABOR RELATIONS ACT

National Labor Relations Act

• Protects employees who discuss terms and conditions of employment

• Social media is today’s workplace “water cooler”

• For unionized employers – social media and BYOD policies are a mandatory subject of bargaining

• Use of monitoring software has surveillance implications

National Labor Relations Board

• Enforces the NLRA

• The Board has taken a very strong stance on any employer action or policy designed to restrict employee communication via social media

• Must be careful not to draft “overly broad” BYOD policies

Fair Labor Standards Act

• Statute that requires the payment of a minimum wage for all hours worked, and overtime for all hours worked in excess of 40 in a work week

Wage and Hour Issues

When non-exempt employees use their own devices, there is a risk that employees will raise wage & hour claims for time worked “off the clock.”

Wage and Hour Issues

• Employees have to be paid for “off the clock” work even when the employer did not request it.

• Usual situation: making work-related calls, reading and replying to emails during off-work hours.

Easy Solution?

No email or work-related calls outside of working hours

Not Necessarily

• While this certainly is an option, it might not always be the best one:

– There is an advantage to having a flexible staff that can be accessed outside of work that may outweigh the extra pay

– A blanket prohibition also must be clearly communicated and employees must be consistently disciplined for disregarding the policy

– Enforcing such a bright-line policy is often unrealistic in practice

Password Protection Statutes

• Many states have passed statutes prohibiting employers from requiring employees to provide usernames and passwords to social media accounts.

• Arkansas’s statute could be interpreted to prohibit a supervisor from “friending” or “following” an employee

Password Protection Statutes

• Review your state’s statute carefully

• Train supervisors and managers to refrain from seeking social media credentials of employees and applicants

COMMON LAW PROTECTIONS

Four Common Law Torts

1. Intrusion upon seclusion

2. False Light

3. Appropriation of Likeness

4. Public disclosure of embarrassing private facts

Intrusion upon Seclusion

• Most commonly asserted common law claim

– Ehling v. Monmouth-Ocean Hosp. Serv. (D.N.J. 2013)

PRACTICAL CONSIDERATIONS

Control of Employer Data

• Increased risk of theft/loss

• Personal v. work device

• Facilitate employee theft

• Greater exposure

• Malware, viruses and hacking

• Consequences for loss


Legal Compliance

• EEO laws

• Labor laws

• OSHA

• Privilege issues

• E-discovery


BYOD and Harassment

The blurring of personal and work-related use on one device can be conducive to an increase in hostile work environments.

BYOD and Harassment

• The employer has a duty to stop co-employee harassment when the employer knows or has reason to know that such harassment is part of a pattern of harassment that is taking place in the workplace and in settings that are related to the workplace.

OSHA-Related Issues

• “Blackberry thumb” & neck problems

– Repetitive motion of texting can cause injury to the hand

– Cradling small phone between head and shoulder

• What to do:

– Educate employees regarding ergonomic use of their device

OSHA-Related Issues

• Distracted driving

– A study shows that a texting driver takes twice as long to react as a legally intoxicated driver

– A company culture of texting while driving can create liability

• What to do:

– Implement a policy prohibiting texting & possibly talking while driving

Litigation Holds – E-Discovery

• When an employer has notice that litigation is possible, it has a duty to identify and preserve relevant sources of data

• Rules of Civil Procedure require a party to produce documents and electronically stored information that are in its “possession, custody or control”

Best BYOD Practices

Melanie V. Pate

Lewis Roca Rothgerber


Three Keys to BYOD Success

• Analyze scope of issues and risks for your particular company

• Create a comprehensive written policy

• Communicate the policy to employees

Analyze Scope of Issues and Risks for Your Particular Company

• Do you want to permit employees to use their own devices for work purposes?

• Can your in-house IT department appropriately address BYOD issues and challenges?

• Do you have “buy-in” from top officials/leaders in your company?

Create a Comprehensive Written Policy

• Benefits of having a specific written policy

• Risks of not having a specific written policy

• Develop agreement on policy components

• Solicit feedback from key employees

Communicate the Policy to Employees

• Determine how the policy can and will be communicated effectively

• Train employees on policy

• Carefully explain what is and what is not acceptable under policy

• Have employees sign written acknowledgment

Other BYOD Best Practices

• Ensure top executives are covered by and adhere to BYOD policies

• Allow employees broad device choice and consider covering part of device cost

• Require employees to buy devices through normal consumer channels to maintain clear lines of ownership

Other BYOD Best Practices

• Require contractors to use their own devices and include them in your policies

• Provide support and guidance to employees and help them understand the responsibilities that come with BYOD

Other BYOD Best Practices

• Keep business data strictly segregated to support e-discovery requirements and data retention policies

• Determine how various IT support and maintenance tasks will be addressed

Other BYOD Best Practices

• Choose security solutions that allow employees to self-audit their devices and quickly report potential security risks (aka: BYOD for Dummies)

• Monitor data usage to verify that only authorized use is occurring if costs are reimbursed

BYOD Policy Points

Michael S. Glassman

Dinsmore and Shohl

What Does a BYOD Policy Need to Include?

• Determine whether a BYOD policy is right for your company

Policy Development

• What should a BYOD policy include?

– No “one-size-fits-all” policy exists

– Review and analyze existing policies to see how they relate to employee use of personal devices for business purposes.

Policy Development

• Which employees should be eligible to use their own devices?

• Company provided devices vs. personal devices

• Network security controls

• Employee consent form

• Lost or stolen devices

• Access by others

Acceptable Use

• Define what constitutes acceptable personal use of personal device on company time

• Consider whether there are any apps/software that may not be installed on a personal device

• Address the need to obtain authorization to work remotely and outside of normal working hours

Devices and Support

• Specify what devices company will permit and support

• Require that devices be presented to IT for approval and configuration before use on company network

Ownership of Information

• Address that the company owns records, data, work product on personal device that was created within scope of employment

• Include non-disclosure language/reference existing policies

Security Controls

• Address security measures for

personal devices

• Require password protection

• Autolocking

• No jailbreaking, rooting, modding

• Encryption

• Limit use to employee

Security Controls

• Prohibit transfer of data

• Ability for employer to wipe device

• Consult with IT


Company Access to Device

• Employee must relinquish possession and control of personal device to company upon request

• Specify that employer can inspect and take control of device, and monitor communications, location and activity

• Company allowed to copy or image personal device

Device Monitoring and Management

• Implement Mobile Device Management (MDM) software and inform employee of MDM controls

• Specify that device may be wiped if it is lost, employment terminates, or a data breach occurs

• Specify that employees have no expectation of privacy with respect to personal device

Please Complete Our Survey

Please take a few minutes to complete the survey that will appear on your computer screen immediately following the webinar.

To listen to this webinar again or to any past ELA webinars, please visit our website at: www.employmentlawalliance.com.

The ELA is not authorized to give CLE/HRCI/SHRM credit for its webinars; however, a Certificate of Attendance and supporting materials are now posted on the ELA website (click this webinar’s title and scroll down to the link). Attendees seeking HRCI or SHRM credit should submit the materials directly to HRCI at www.hrci.org or to SHRM at www.shrm.org.
