Translating the Trends:

Mobile Communications,

the Consumerization of IT,

Social Media, and the

Cloud Meet the Workforce

2

Margaret A. KeaneShareholder

Littler, San Francisco

Philip L. GordonShareholder

Littler, Denver

3

Program Agenda

When Worlds Collide: Tracking the Trends at the

Intersection of Social, Mobile and the Cloud

− The Explosion of Social/Mobile at Work and Play

− Social/Mobile Meets the Workplace: High Level Challenges

− Cloud Content and Mobile & Access Devices = New Applications and New Risks

− Enterprise Use of Social Media

− Managing the Social/Mobile Juggernaut (BYOD and Beyond)

− Wage and Hour Issues for the Perpetually Connected

− Employment Law Risks

− Privacy in a Transparent World

4

The Social / Mobile Explosion Is Driving Change

Who: Offsharing/outsourcing; freelancers; shifting expertise across teams; increased employee mobility

What: FLSA does not define work; Supreme Court: “physical or mental exertion . . . controlled or required by the employer

and . . . for the benefit of employer.”

Where: Decreasing reliance on “work” as a fixed physical space

When: Knowledge workers have more autonomy over when to work; constant connectivity; and

How: New tools, ex. enterprise microblogging and other collaborative tools; internal apps developed for enterpriseand customers; workflows

5

Translating the Trends:What to Expect in 2013

The Explosion of Social/Mobile At Work and Play

6

The Drivers: Going Mobile. . .

7

The Drivers:How Are We Using Our Mobile Devices?

Always Connected, IDC Study, Sponsored by Facebook, March 2013

8

What Do You Do When You First Wake Up?

Always Connected, IDC Study,Sponsored by Facebook, March 2013

9

Blurring The Lines: Work vs. Personal

90% of full-time employees use a personal smartphone for work purposes• 62% of those use it every day• 39% don’t use password protection• 52% access unsecured wifi networks• 69% believe they are expected to access work

emails after hours 1 in 10 workers receive a stipend for their

smartphone

(Cisco, BYOD Insights in 2013: A Cisco Partner Network Survey, March 2013)

10

Translating the Trends:What to Expect in 2013

Social/Mobile Meets the Workplace: Challenges and Opportunities

11

Blurring The Lines:Work vs. Personal

• Do You View Your Tablet Device As Primarily A Work Or Personal Device?

Source: iPass Q1 2013 Mobile Workforce Report

12

The Consumerization of IT is Here

55% of IT managers have made exceptions for “specialized members,” i.e., top executives to use their choice of devices and software (2013 iPass MobileIron study)

55% of IT directors will actively accommodate and encourage the use of personal devices (Citrix Study 2012)

81% of respondents accommodate personal devices in the workplace (2013 iPass MobileIron study)

54% of respondents had a formalized BYOD policy (2013 iPass MobileIron study)

13

How Are Different Sectors Responding?

Source: Good Technology, BYOD Customer Survey, December 2012

14

Mobile Is Here To Stay

Lowes purchased 42,000 iPhones for employees Employees can check inventory at nearby stores; share how-to

videos, check competitor prices, order status, and schedules; verify sale prices and better serve customers

Innovative apps include tools to calculate the amount of paint needed to paint a room

My Lowe’s can organize customer history Sales associates can use iPhones to ring up sales

Home Depot distributed 34,000 “First Phones” to employees Associates can continuously update and monitor inventory levels First Phones provide instant access to product info and speed

checkout

15

Customers & Social Media

An estimated 23M Americans discover new brands through social networks; up from 18M in 2010

64% of social media users stated that social networks influenced their buying decisions

80% of companies planned to use social media for customer service by the end of 2012

47% of social media users actively seek customer service through social media

(Click Software Study Dec. 2012)

16

The Social Intranet

“Creating a community in the workplace where employees can share and engage on a real-time platform makes everyday communication and collaboration easier and more effective, delivering tangible business results.”

(Social Business: 5 Trends To Watch For 2013 And Beyond, Forbes (Dec. 2012))

17

Internal Social Media Benefits

83% of respondents use at least

one social technology

73% of respondents use social

technologies internally; 74% use

with customers; and 48%

connect with external partners

9 of 10 respondents who use

social tools have tangible

business benefits, including

enhanced access to knowledge

and internal experts, increased

employee satisfaction and

reduced travel costs.

(McKinsey Quarterly, March 2013 Reporting on July 2012 survey of

3,542 executives) 18

Social Intranet vs. Mobile

Common barriers to mobile design entry for intranets:

Data security concerns

Difficulty of choosing a platform

Lack of resources to create and maintain the design

Uncertainty about whether to implement a full feature set with a good mobile user experience or an app for particular tasks

19

Some Risks Of Social/Mobile

• Loss of control over corporate data − Violation of regulatory compliance obligations, ex. SEC, HIPAA, GLBA− Security breaches− Misappropriation of trade secrets

• Public nature of social media− Too much information about applicants and employees − Damage to brand reputation− Expanded responsibility for regulating employees’ off-duty conduct?

• HR/Employment Risks− “Off the clock” wage and hour claims− Potential privacy-based claims− Workplace safety issues

• Records management and e-discovery challenges

20

What Are The Organizational Challenges?

• Social/mobile permeates the organization

− Branding and public image

− Relationships with customers, vendors and competitors

− Getting the work done

− Managing employees

• IT, HR & Legal may have different objectives

• Evolving communications standards− Five generations in the workplace, each with different

communication norms

• Risk of losing market share to more socially agile competitors

21

What Are The Legal Challenges?

Challenges of applying old laws and policies to new technology

− FLSA (1938); NLRA (1933); SCA (1986) Case law lags behind while rate of change accelerates Early legislation and regulation in the U.S.

− Social media password protection laws− Agency guidance on social media communications –

SEC, NLRA, FTC, FINRA The challenges of global legal

compliance

22

Some Solutions

1. Understand how your organization is using social/mobile

2. Create a multi-disciplinary information governance team

3. Identify key risk areas

4. Develop an enterprisewide strategy for managing social/mobile risks

5. Implement a governance platform and update existing policies

6. Continuously evaluate the impact of new mobile and social technologies on the workplace

7. Continuously evaluate the impact of new laws and court decisions on existing policies

23

Translating the Trends:What to Expect in 2013

Cloud Content & Mobile Access = New Applications and New Risk

24

What Is Cloud Computing?

The “cloud” is “the act of storing, accessing and sharing data, applications and computing power in cyberspace.” (Pew Research Center)

Types of information that can be, and are, stored and processed in the cloud: customer records, databases, email, health records, financial data, personnel records

Nature of the cloud = f(degree of control over the data)

− Personal cloud (retail to individuals)− Private cloud (corporate, limited access)− Public cloud (corporate equivalent of personal cloud)

25

Employees And The Cloud

Mobile devices send information to data storage, video, photography and social networking sites, and web-based email providers

− iCloud, YouTube, Flickr, Facebook, Gmail Cloud services also provide collaboration

capabilities – may be used to circumvent IT restriction on sharing information outside the enterprise

− Google Docs, Dropbox.com, Box.net An employer rarely has any control over

data stored by cloud service providers

26

Advantages Of Cloud Computing

1. Reduced costs and increased scalability

2. Increased security

• Cloud providers often have greater resources and sophistication

• Redundancy ensures business continuity and disaster recovery

3. Convenience: Users can access data from anywhere

over the Internet using any computer

4. Save computing space: Software does not have to be

installed on each hard drive

27

Legal Risks Of Cloud Computing

1. Loss of control of data to a third party

• Information can be stored anywhere in the world

2. Loss of control over infrastructure and information security

• CSP will control security incident response

3. Lower standard for government access

4. Inadequate protection of trade secrets

5. Electronic discovery challenges

6. Potential global data protection challenges

28

Practical Steps Towards Implementing

1. Interdisciplinary team (IT, HR, Legal, Business Unit leaders)

2. Understand applicable law, especially law related to cross-border data transfers

3. Determine which information to store in the cloud

• Think twice before storing these in the cloud: Regulated data (PHI, PII, NPPI), privileged communications, trade secrets, business critical information, EU personal data

4. Conduct due diligence on the cloud service provider

5. Negotiate contractual protections29

Practical Reality

CSPs will permit minimal to no due diligence

CSP Terms of Service often are non-negotiable

Cloud services can create operational riskso HHS obtained $100K settlement from a Phoenix surgery

center that posed patient appointment calendar to the cloud

CSPs can play hardball with your organization’s datao GlaxoSmithKline sues CSP, alleging $80K ransom demand

for return of critical documents

30

Translating the Trends:What to Expect in 2013

Enterprise Use of Social Media

31

Enterprise-Oriented Social Media

Key steps to success:1. Define your organization’s objectives

2. Get leadership buy-in

3. Create an information governance committee

4. Tailor for corporate culture/employee or customer needs

5. Determine who is authorized to post

6. Establish guidelines

7. Provide training

32

Think Before You Post

Summary judgment denied to Coyote Ugly on retaliation claim where company’s president and co-founder referenced on “Lil Spills” blog a former employee’s lawsuit and commented, “F**k that b**ch” Stewart v. Coyote Ugly Saloon Nashville, LLC, (M.D. Tenn. 2013)

NetFlix CEO posts to 200K Facebook followers that users have watched more than 1B hours of content on the Company’s streaming service• stock price jumps 6%• SEC issues Wells notice and investigates failure to use

public means of communication

33

Key Guidelines For Social Speakers

1. Identify yourself

2. Protect confidential information

3. Speak for the organization only when authorized

4. Respect intellectual property rights

5. Get the message right and admit mistakes

6. Think global

34

Key Guidelines For Social Speakers

7. Company will monitor employees’ social media content

8. Personal accounts are not for business purposes

9. Beware of lurking wage & hour issues for non-exempt employees

10. Remember your other job duties: Social media can be addictive

35

Additional Issues:Customer-Facing Social Media

1. Compliance with sector-specific regulations

2. Protection of corporate accounts• Covered in detail during afternoon presentation

3. Monitoring and responding to customer complaints

Service Level Agreements

(SLA)

36

Translating the Trends:What to Expect in 2013

Managing the Social/Mobile Juggernaut: BYOD and Beyond

37

Lingo: Dual Use Mobile Devices And BYOD

BYOD = Bring Your Own Device Dual Use Mobile Device: Mobile device

used to create, store and transmit both

personal and work-related data COPE: Corporate Owned, Personally

Enabled Some Other Terms:

BYOC: Bring Your Own Computer.

Programs that add laptops to the

covered devices BYOA: Bring Your Own App.

38

Two Perspectives of BYOD

BYOD can improve employee productivity, engagement and satisfaction; help recruit new employees, and solve the “two pocket problem”

vs.

BYOD can pose tremendous compliance and security risks, can undermine litigation, as well as create exposure under wage and hour, privacy and related laws

39

Another Perspective:Does It Really Reduce Costs?

All tallied, it is not clear whether BYOD saves money. A typical mobile BYOD environment costs 33 percent more than a well-managed wireless deployment where the company owns the devices ***.”

− Loss of bulk purchasing power− Higher help desk/support costs− Security issues

Expenses may be offset by enhanced productivity – Intel estimates that BYOD employees save 57 minutes daily through use of personal devices

IBM says the trend toward employee-owned devices isn’t saving it money.

(MIT Technology Review, Monday, May 21, 2012)

40

Setting Up A BYOD Program:Overview

A BYOD program includes:

1. User Policies that govern ownership and use

2. Information Security Policies that attempt to manage risk

3. HR Policies to address impact of mobile devices on

workplace behavior

4. Selection, installation and deployment of mobile device

management software

5. Applicable disciplinary procedures for non-compliance

6. Updates to BYOD Guidelines and policies as needed

7. Training re: all of the above

41

Security Risks Of Mobile Devices

• BYOD a “significant” security risk for 78% of respondents (Global Information Security Workforce Study 2013)

• Loss or theft of devices− 47% of IT managers reported dealing with lost or stolen phones (2013

Pass MobileIron study)

− 39% of respondents stated that they have the necessary security controls to address the risks created by mobile devices (Ponemon Study Feb. 2012)

• Malware− 69% of respondents ranked application vulnerabilities as the highest

security concern, with malware and mobile devices a close second at 67% and 66% respectively (Global Information Security Workforce Study 2013)

• Friends and family− 27.5% of FINCEN suspicious activity reports involving identity theft

implicate friends, family, employee in home

42

Security Risks of Mobile Devices

Mobile Devices As Gateway to the Cloud:

− Employee ownership of the account with the service provider will limit company access to its data

− No contract with company = no right to access data− Obligation to “vet” security controls of vendors− Data may be more available to law enforcement or

others

43

Implications Of A Security Breach

Violation of statutory or regulatory requirements to secure personal information: HIPAA, GLBA, and state laws (MA, OR, OK, NV)

− Statutes apply to service providers of covered entities− Enforcement: HHS and MA have recently obtained

penalties Security breach notification laws: 46 states, DC, PR,

USVI, and Guam− Encryption safe harbor− Encryption requirements: MA, NV, HIPAA

Avg. cost of a breach is $194/lost record or $5.5M

(Ponemon Study 2011)

44

Recommendation: Control Eligibility

Control eligibility to participate in BYOD and other remote access programs

• The more people with BYOD, the greater the risk Limit to employees with a business need for remote

access NOT employees with regular access to sensitive

information• Legal, HR• Access to highly valuable trade secrets, e.g., product

engineers• Access to highly sensitive, non-public financial info, e.g.,

CFO’s group

45

Recommendation: Install MDM Software

Mobile Device Management Software: Allows corporate IT to manage use of mobile devices (BYOD and corporate issued). Available features include:

• Encryption• Lock down end user’s ability to use specific device features or

apps, such as cameras or iCloud• Enable remote locking or wipe of device• Enforce use of strong passwords• Prevent users from jailbreaking device or

disabling or altering security settings on devices• Device locator

Consider the use of “container” technology

46

Additional Recommendations

1. Limit the types of devices that can participate in the program

2. Limit the business applications on the device

3. Limit use of cloud-based apps, cloud-based backup, or synchronizing with home PCs

4. Require employees to protect the physical security of the device• No sharing of device or password with household

members or friends• Require password protection

47

Translating the Trends:What to Expect in 2013

Wage & Hour Issues for the Perpetually Connected:Challenges of a Mobile Workplace

48

Who Will Pay And What DevicesAre Included?

Who pays for/owns device? Is participation optional?

Who pays for service plan – employer selected options or reimbursement?

Options include technology allowances, reimbursement, standard devices issued by employer.

49

Who Pays For Mobile Devices And Use Fees?

Expense Reimbursement• Federal law – expenses can’t reduce pay below minimum wage• Eleven states have express or implied expense reimbursement

requirements California, Montana, North Dakota, South Dakota, New Hampshire,

Alaska, Minnesota, Arkansas, Iowa, Kentucky, Michigan

California Labor Code § 2802 – Employer must reimburse Employee for “necessary expenditures or losses incurred by the employee... as a consequence of the discharge of his/her duties”

Reimbursement must meet certain criteria in order to be tax exempt

50

Who Pays In California?

• Employer can reimburse for actual expenses or make a lump sum payment to fully reimburse employees for actual expenses necessarily incurred (Gattuso v. Harte-Hanks Shoppers, Inc., 42 Cal 4th 554 (2007)

• Deleon v. Airtouch Cellular, unpublished opinion, (Ct. App. 2nd Dist. February 4, 2013) alleged violation of California Labor Code Section 2802 where employer stipend did not cover full cost of required cellular phone and equipment.

− Employee allowances did not cover taxes, data plans, 411 calls and overages− Lump sum program with mechanism to seek approval for expenses in excess of the lump

sum satisfies 2802 if it provides full reimbursement for actual expenses necessarily incurred

− Take away: Court found fact issues with the operation of excess program, but did not question that employer is responsible for cell phone charges IF NECESSARILY INCURRED.

51

Who Pays For BYOD Devices?

52

The 24/7 Workplace And The FLSA

• Wage & Hour – Is after-hours use of mobile devices compensable time?

− When does “de minimis” time becomecompensable?

− Emails themselves may be evidence of time spent and notice to employer

− Time spent dealing with IT issues related to devices− Work by non-exempt or exempt employees during

weeks off or leaves of absence

53

The 24/7 Workplace And The FLSA

Managing W&H Concerns• Prohibit non-exempt employees from accessing email or making

work-related calls outside of scheduled hours• Limit access/program participation to employees who are exempt

from OT• Create process for reporting work performed outside of working

hours• Training

– Employees– Managers– Compliant policy requiring pay for all hours worked– Must pay for all time worked, approved or not– Can treat time worked without authorization as a disciplinary issue

54

Lessons From Recent Case Law

Allen v. City of Chicago, (N.D. ILL 2013) collective action alleging failure to pay overtime for off-duty time reading and responding to email on city-issued BlackberriesLessons:

− Employer has a risk if managers are sending messages via company-provided devices, and the messages call for off-shift response

− If you provide mobile devices to exempt employees, consider written policy that employees do not need to review and respond to email while off-shift

Brown v. Scriptpro, LLC, (10th Cir. Nov. 27, 2012), Employee’s failure to use remote timekeeping system resulted in victory for employerLessons:

− Provide automated timekeeping system with easy remote access and train employees to use it− Make sure policy aligns with operational reality− Conduct compliance audits

55

Translating the Trends:What to Expect in 2013

Employment Law Risks

56

Can Trash Talk on a Blog be an Adverse Employment Action?

Post by President of Defendant/Employer“By the way Lil, you should be getting served with a lawsuit. No worries just sign for it”. This particular case will end up pissing me off cause it is coming from someone we terminated for theft… I have been reading the basics of Buddhism and am going to a class on Monday. The Buddhist way would be to find beauty in the situation… Obviously, I am still a very new Buddhist cause my thoughts are “#$%! that @#$*#. Let me do my breathing exercises and see if any of my thoughts change. Lol

Court ruling on retaliation claim: A reasonable jury could find that the posting of this blog entry constituted an adverse action, since it falsely stated that she engaged in theft, . . . and could find that this [conduct] would have likely dissuaded a reasonable worker from making . . . an FLSA claim.

Stewart v. Coyote Ugly Saloon Development Corp., et al., 2013 WL 456482 (M.D. Tenn. Feb. 6, 2013)

57

Recruiting and Hiring

Performance Management

Harassment, Discrimination &

EEO

Workplace Safety

Time Recording and Overtime

All Policies Governing Use of

Electronic Resources

Social Media Policies, including

policies governing external

communications and internal

company social networks

Compliance and Ethics,

Including SEC Disclosure Rules

Advertising and Marketing

Records Management and

Retention

Data Privacy & Security

Litigation Holds

Confidentiality &

Trade Secret Protection

Termination Practices

Potentially Outdated Policies

58

Other Issues

E-Discovery Challenges− Identification of BYOD devices/information− Practical challenges of data collection− Does the employee “control” data on the devices?− Will employees be required to produce mobile for e-discovery

purposes?

Records Management: FINRA retention requirements

Protection of trade secretso Gateway to the cloudo Review exit interview process

59

Translating the Trends:What to Expect in 2013

Employee Privacy in a Transparent World

60

Employee Privacy Rights

Issuing a remote wipe command• Employees have a reasonable expectation of privacy in their

personal device• All 50 states have computer trespass laws• Potential liability under the Computer Fraud & Abuse Act if the

unauthorized access causes damages > $5,000

Accessing an employee’s personal e-mail or cloud account• Federal Stored Communications Act, e.g., Pure Power Boot Camp,

Inc. v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)

Access to private information: GINA

61

Geolocation Tracking And Telematics

FTC: Geographic location is sensitive information

CA Penal Code 637.7(a). No person . . . shall use an electronic tracking device to determine the location or movement of a person.

CA Penal Code 637.7(d). Electronic tracking device is “any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals.”

Tread carefully.

62

International Data Protection Issues

The number of countries with broad data protection laws has increased dramatically in the past three years

Ability to roll out program globally can vary substantially by country

− France, Mexico, Spain: Yes− Brazil, Czech Republic: No− Singapore: Yes with adjustments

63

The Dual-Use Device Agreement

Critical Terms: Protection against computer trespass, invasion of privacy and other claims

1. Agree to Company’s use of remote wipe

2. Agree to Company’s monitoring of personal device

3. Agree to produce the personal device for inspection and copying in response to a legitimate requests

4. Release Company from any liability for destruction or incidental viewing of personal information

Expect Pushback

64

The Dual-Use Device Agreement

Additional Terms:

1. Will install corporate security package

2. Will not modify corporate security package

3. Will immediately report loss or theft of device

4. Will limit storage of corporate information

5. Acknowledge that all company policies apply to the dual-use device

65

66

© 2013 Littler Mendelson, P.C.