Managing Retailer's Challenges of Bring Your Own Device (BYOD) Programs
Presented by: Philip Gordon, Esq., Margaret Keane, Esq., Michael McGuire, Esq.
March 19, 2013
Presented by:
Philip Gordon, Esq., Littler Mendelson, P.C., Denver Office
Margaret Keane, Esq., Littler Mendelson, P.C., San Francisco Office
Michael McGuire, Esq., Littler Mendelson, P.C., Minneapolis Office
Lingo: Dual Use Mobile Devices and BYOD
• BYOD = Bring Your Own Device
• Dual Use Mobile Device: Mobile device used to create, store and transmit both personal and work-related data
• Some Other Terms:
– BYOC: Bring Your Own Computer. Programs that add laptops to the covered devices
– BYOA: Bring Your Own App. Per Gartner Group, 145 new mobile apps were downloaded per second in Q4 2012
What Are Employers Doing?
• 55% of IT managers have made exceptions for “specialized members,” i.e., top executives, to use their choice of devices and software (2013 iPass MobileIron study)
• 55% of IT directors will actively accommodate and encourage the use of personal devices (Citrix Study 2012)
• 81% of respondents accommodate personal devices in the workplace (2013 iPass MobileIron study)
• 54% of respondents had a formalized BYOD policy (2013 iPass MobileIron study)
Tech Companies Taking The Lead
• IBM
– 80,000 employees
– IBM CIO: “If we didn’t support them, we figured [employees] would figure out how to support [the devices] themselves.”
• Intel
– Started program in 2008
– Now encompasses 24,000 devices, about 90% of these are smartphones
– Uses multiple security levels for access to different categories of documents
• Sybase
– 20 different phone options
– Employees buy and own the phones, but Sybase pays for the monthly service contract
• Citrix
– $2,100 stipend to purchase a laptop of their choice and a 3-year warranty.
– Company owned cost was $2,600.
– Adoption rate of about 20%.
What Are Retailers Doing?
December 11, 2011, Good Technology, BYOD customer survey
What’s Happening in the Retail Sector?
Retail: Mobile is Here to Stay (But is BYOD?)
• Lowe’s purchased 42,000 iPhones for employees
– Smartphones enable employees to check inventory at nearby stores, share how-to videos, check competitor prices, check order status, check schedules, verify sale prices and better respond to customers
– Developing applications include tools to calculate the amount of paint needed to paint a room
– My Lowe’s can organize info about projects and past purchases
– Devices include spare battery and credit card reader to enable sales associates to ring up sales
http://www.bloomberg.com/news/2011-09-08/lowe-s-upgrades-website-to-spur-sales-at-iphone-equipped-stores.html
• Home Depot distributed 34,000 “First Phones” to employees
– Devices permit associates to continuously update and monitor inventory levels system
– First Phones provide instant access to product information and improve checkout times
http://blogs.wsj.com/cio/2012/06/21/home-depot-rolls-out-new-mobile-devices-for-workers/
What Are Employees Doing?
Consumerization of IT
• 62% of full-time workers own smartphone
• 33% of full-time workers own tablet
• Time spent on a mobile device each day by U.S. adult has quadrupled from 2009 (22 minutes) to 2012 (88 minutes) (USA Today 3/7/13)
What Are Employees Doing?
How do you use your smartphone?
Source: The iPass Global Mobile Workforce Report, http://mobile-workforce-project.ipass.com/cpwp/wp-content/files_mf/ipass_mobileworkforcereport_q3_2011.pdf
What Are Employees Doing?
Do you use your tablet primarily as a personal or work device?
Corporate Rationales
• Reducing expenses for employers
• Improving employee productivity
– Intel estimates that its BYOD employees save an average of 57 minutes per day by being able to access work materials from personal devices based on three years of employee estimates
• Improving employee engagement
• Aiding in the recruitment of new employees
• Solving the “two pocket problem”
Does It Really Reduce Costs?
• “All tallied, BYOD doesn’t look pretty from a cost perspective. A typical mobile BYOD environment costs 33 percent more than a well-managed wireless deployment where the company owns the devices ***.”
– Loss of bulk purchasing power
– Higher help desk/support costs
– Security issues
• The trend toward employee-owned devices isn’t saving IBM any money. (MIT Technology Review, Monday, May 21, 2012)
What Are The Risks?
1. Loss of control over your company’s data
• Compliance with information security laws and contractual obligations to protect or destroy data
• Trade secret protection
2. Loss of control over the device
• Conducting internal investigations
• E-Discovery
3. HR/Employment Law Issues
• Wage & hour
• Managing leave
• Employee privacy rights
Other Challenges
1. Records management requirements
2. Preserving and collecting data from personal devices for litigation holds and investigations
3. International legal challenges
4. Workplace safety issues
5. Performance management and EEO issues
6. Deploying BYOD in a unionized workplace
COPE
• Corporate Owned, Personally Enabled
• Emerging as alternative to BYOD
• Addresses many of the corporate goals
• Minimizes some of the risks
• Makes other risks easier to manage
Setting Up a BYOD Program: Overview
A BYOD program includes:
• Policies that govern use of personal devices to access corporate services and conduct company business
• Policies that attempt to manage risk associated with storage and transmittal of data using devices that may be outside of the employer’s control
• Policies to address impact of mobile devices on existing workplace behavior
• New processes and capabilities in IT, HR, and business units to implement the policies
HR AND EMPLOYMENT LAW ISSUES
Policies Affected by BYOD: Mobile devices have impact on policies throughout your business
• Data Privacy & Security
• Harassment, Discrimination & EEO
• Workplace Safety
• Time Recording and Overtime
• Acceptable Use of Technology
• Compliance and Ethics
• Records Management
• Litigation Holds
• Confidentiality & Trade Secret Protection
Policies Affected by BYOD: Mobile devices have impact on policies throughout your business
• Labor
– Mandatory bargaining
– Labor issues
• International considerations
• Data protection
• Border searches
• Espionage
Are You at Work? Mobile Technology, BYOD or not, Blurs the Line Between Home and Work
• By one estimate, 72% of Americans check their email on weekends and vacations and 42% check email while home sick.
– Source: www.kikabink.com/news/most-workers-addicted-to-email-2-out-of-3-u-s-and-u-k-workers-check-mail-outside-business-hours/ (citing Harris Interactive research)
• iPass Mobile Employee Definition: Employee using a mobile device who accesses networks (other than corporate LAN or WLAN) for work purposes
• Average mobile worker works 240 hours per year longer than work force in general
• 43% of mobile workers keep smart phone at arm’s reach when they sleep
• 96% of mobile workers under 45 have smart phones
• 35% of mobile workers check email first thing upon awakening
– Source: The iPass Global Mobile Workforce Report, August 2011 www.mobile-workforce-project.ipass.com/cpwp/wp-content/files_mf/ipass_mobileworkforcereport-q-3_2011.pdf
The 24/7 workplace and the FLSA
• Wage & Hour
– Off-the-clock work by non-exempt employees
– “Suffered or permitted to work”
– De minimis?
– Emails may be evidence of time spent and notice to employer
– Time spent dealing with IT issues related to devices
– Work by non-exempt or exempt employees during weeks off or leaves of absence
The 24/7 workplace and the FLSA
• Address W&H Concerns
– Prohibit non-exempt employees from accessing email or making work-related calls outside of work
– Limit access/program participation to employees who are exempt from OT
– Create process for reporting work performed outside of working hours
– Training
• Employees
• Managers
– Compliant policy requiring pay for all hours worked
Who pays for BYOD devices
Who Will Pay and What Devices are Included?
• Who pays for/owns device?
• Who pays for service plan – employer selected options or reimbursement?
• Options include technology allowances, reimbursement, standard devices issued by employer.
Who Picks up the Tab?
• Expense Reimbursement
– Federal law – expenses can’t reduce pay below minimum wage
– Eleven states have express or implied expense reimbursement requirements
• California, Montana, North Dakota, South Dakota, New Hampshire, Alaska, Minnesota, Arkansas, Iowa, Kentucky, Michigan
– California – must reimburse for “necessary expenditures or losses incurred ... as a consequence of the discharge of his/her duties”
– Reimbursement must meet certain criteria in order to be tax exempt
PRIVACY & SECURITY ISSUES
Security For Company Data
78% of respondents cited BYOD as a “significant” security risk (Global Information Security Workforce Study 2013)
• Loss or theft of devices
– 47% of IT managers reported dealing with lost or stolen phones (2013 iPass MobileIron study)
– 39% of respondents stated that they have the necessary security controls to address the risks created by mobile devices (Ponemon Study Feb. 2012)
• Malware
– 69% of respondents ranked application vulnerabilities as the highest security concern, with malware and mobile devices a close second at 67% and 66% respectively (Global Information Security Workforce Study 2013)
• Friends and family
– 27.5% of FINCEN suspicious activity reports involving identity theft involved friends, family, employee in home
Implications Of A Security Breach
• Violation of statutory or regulatory requirements to secure personal information: HIPAA, GLBA, and state laws (MA, OR, OK, NV)
– Statutes apply to service providers of covered entities
– Enforcement: HHS and MA have recently obtained penalties
• Security breach notification laws: 46 states, DC, PR, USVI, and Guam
– Encryption safe harbor
– Encryption requirements: MA, NV, HIPAA
• Avg. cost of a breach in 2011 was $194/lost record or $5.5M (Ponemon Study 2012)
Security For Company Data
• Gateway to the Cloud
– Employee ownership of the account with the service provider will limit company access to its data
– No contract with company
– Obligation to “vet” security controls of vendors
– Data may be more available to law enforcement or others
Trade Secret Protection
• 50% of responding employees who left or lost their job in the preceding 12 months kept confidential corporate information, and 40% planned to use it in their new job (Symantec Survey 2013)
• Misappropriation may be harder to prove
• Use or disclosure will be the focus
• Access to the devices will be a challenge
• Confidential information sent “to the cloud”
Can Data in the Cloud Undermine Your Trade Secret Protection?
Trade Secrets Must Be:
1. Maintained in confidence
2. Have commercial value from not being generally known
3. Must not be readily ascertainable by proper means
Risk Areas:
1. LinkedIn – Customer lists in the public domain?
2. Sasqua Group, Inc. v. Cartney, No. CV 10-528, 2010 WL 36138855 (EDNY, August 2, 2010)
– Customer information not a trade secret where publicly available information “exceeded the amount and level of detail contained in the Sasqua database.”
– Sasqua did not have password protected computers; did not require employee to sign confidentiality or non-solicitation agreement
3. LinkedIn contacts may violate non-solicit and non-compete restrictions (TEK Systems v. Hammernick, Civ. No. 10-CV-00819 (D. Minn. Mar. 16, 2010))
Employee Privacy Rights
Issuing a remote wipe command
• Employees have a reasonable expectation of privacy in their personal device
• All 50 states have computer trespass laws
• Computer Fraud & Abuse Act if the unauthorized access causes damages exceeding $5,000
Accessing an employee’s personal e-mail or cloud account
• Stored Communications Act
– Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp
Access to private information
• GINA
Beware of Computer Trespass
• Key facts:
– Sitton used his personal computer to conduct business for PDI and for a competing business
– Sitton used the computer on PDI’s premises and connected it to PDI’s network
– When PDI caught wind of Sitton’s disloyalty, a senior manager entered his office, clicked on an e-mail list, and printed incriminating e-mail
Sitton v. Print Direction, Inc., 2011 Ga. App. LEXIS 849 (Sept. 28, 2011)
Beware of Computer Trespass
• Ruling: Affirms dismissal of Sitton’s claims for computer trespass, computer theft, and computer invasion of privacy
• Reasoning: Lack of authority is an element of each claim, and PDI’s computer use policy established the manager’s authority
• Key Policy Provisions:
– Policy was not limited to company-owned equipment
– Informed employees that PDI would “inspect the content of computers … in the course of an investigation triggered by indications of unacceptable behavior.”
Federal Stored Communications Act
• Prohibits unauthorized access to an electronic communication in electronic storage at an electronic communications service provider -- 18 USC §2701(a)
• Criminal statute with civil remedies
– Minimum monetary damages of $1,000
– Punitive damages and attorneys fees
• Consent of the account holder is a defense
Access to Personal E-Mail
Key Facts:
• Pure Power Boot Camp fired Fell
• Fell started a competing business
• PPBC’s owner (Brenner) accessed three of Fell’s personal e-mail accounts
– Hotmail: Fell had accessed the account using PPBC’s computers, leaving username and password behind
– Gmail: username and password found in the Hotmail account
– Warrior Fitness Boot Camp: “lucky guess” same password and username
• PPBC used Fell’s personal e-mail for non-compete action against Fell
Access to Personal E-Mail
• Claim: PPBC violated the SCA
• Defense:
– Electronic resources policy defeated any expectation of privacy
– Fell implicitly consented by leaving username and password on PPBC computers
• Court: summary judgment for Fell
– The policy addressed only company equipment used during the employment relationship
– The e-mails in question were not created on, sent through, or received from PPBC’s e-mail system
– At most, Fell consented to Brenner seeing his password for one account, but not to her using it for any of them
Pure Power Boot Camp v. Warrior Fitness Boot Camp, 587 F. Supp.2d 548 (S.D.N.Y. 2008)
International Data Protection Issues
• The number of countries with broad data protection laws has increased dramatically in the past three years
• Ability to roll out program globally can vary substantially by country
− France, Mexico, Spain: Yes
− Brazil, Czech Republic: No
− Singapore: Yes with adjustments
eDiscovery Challenges
• Locating the data
• Access to the device
• Collection challenges
• Increased costs
TOP TEN RECOMMENDATIONS
Recommendation #1:
• Decide whether all employees should be permitted to participate in a BYOD program or whether certain groups, such as non-exempt employees, should be excluded.
Who Should Be Eligible?
• Important to control eligibility
– The more people with BYOD, the greater the risk
• Limit to employees with a business need
• NOT employees with regular access to sensitive information
– Legal, HR
– Access to highly valuable trade secrets, e.g., product engineers
– Access to highly sensitive, non-public financial info, e.g., CFO’s group
• Non-exempt employees raise off-the-clock issues
Recommendation #2:
• Install mobile device management software on dual-use devices.
Sandbox Approach
What is MDM – Mobile Device Management?
Mobile Device Management:
• Software that allows corporate IT to manage use of mobile devices. Component of BYOD programs. Features may allow an employer to:
– Require users to install software as condition of storing company data on device and connecting to company network
– Lock down end user’s ability to use specific device features or apps, such as cameras or iCloud
– Enable remote locking or wipe of device
– Enforce use of strong passwords
– Prevent users from jailbreaking device or disabling or altering security settings on devices
Key Security Controls
1. Encryption
2. Passcodes
3. Remote wipe capability
4. Lockdown after short period of inactivity
5. Wipe device after a set number of unsuccessful passcode attempts
6. Anti-malware protection (limited availability)
7. Device locator (Geolocation features may require employee consent)
BYOD is NOT a Best Practice for Processing Credit Card Transactions
• On February 13, 2013, PCI issued Mobile Payment Acceptance Security Guidelines to Merchants and End-Users
• “Since the BYOD scenario does not provide the merchant with control over the content and configuration of the device, it is not recommended as a Best Practice.”
Recommendation #3:
• Implement policies tailored to your program, culture, and risks
– COPE
– BYOD
Key Provisions
1. Eligible users and eligible devices
2. Technical and physical security controls
3. Application of corporate policies
4. Restrictions on uses of a dual-use device
5. Corporate access, monitoring, and deletion of data
6. Reporting loss or theft
7. Responsibility for maintenance
8. Responsibility for payment
Recommendation #4:
• Require employees to consent to all company activities involving the personal device
The Dual-Use Device Agreement
Critical Terms: Protection against computer trespass, invasion of privacy and other claims
1. Agree to Company’s use of remote wipe
2. Agree to Company’s monitoring of personal device
3. Agree to produce the personal device for inspection and copying in response to a legitimate request
4. Release Company from any liability for destruction or incidental viewing of personal information
• Expect Pushback
The Dual-Use Device Agreement
Additional Terms
5. Will install corporate security package
6. Will not modify corporate security package
7. Will immediately report loss or theft of device
8. Will limit storage of corporate information
9. Acknowledge that all company policies apply to the dual-use device
Recommendation #5:
• Restrict employees from using cloud-based apps, cloud-based backup, or synchronizing with home PCs
Protection of Trade Secret Information in the Cloud
• Take Reasonable Measures to Protect Trade Secrets in a BYOD Environment
• Use Confidentiality Agreements/Proprietary Information Assignment Agreements (“PIAA”)
Recommendation #6:
• Ensure that use complies with wage and hour obligations by prohibiting off-the-clock work and ensuring pay for all hours worked
Recommendation #7:
• Evaluate payment options: How much to contribute to payment for the personal device? For the personal plan?
Recommendation #8:
• No use by friends and family members
Recommendation #9
• Training for managers, HR, and IT staff as well.
Security Incident Response
1. Confirm that dual-use device is encrypted
2. Confirm that remote wipe was activated promptly
3. Confirm that unauthorized acquirer had to unlock a password-protected screensaver
4. Depending on responses, may need to:
– Collect e-mail on corporate email server from date the loss/theft occurred and search for trigger PII
– Interview employee concerning contents of local storage on dual-use device
Recommendation #10:
• Revise exit interview processes
Go to: www.workplaceprivacycounsel.com Search: “BYOD”
Littler BYOD White Paper
Social Media Summit
Littler’s Social Media Summit
April 10, 2013 San Francisco, CA
http://www.littler.com/events
Questions?
Philip Gordon, Esq. Littler Mendelson, P.C. Denver Office
Margaret Keane, Esq. Littler Mendelson, P.C. San Francisco Office
Michael McGuire, Esq. Littler Mendelson, P.C. Minneapolis Office