Jason C. Gavejian, Esq., CIPP, Jackson Lewis P.C.
Kim Colbert, Esq., Daymon Worldwide
Teresa J. Hutson, Esq., Microsoft
Jenny Ortiz-Schaffer, Esq., UPS
Manuel Cuevas-Trisán, Esq., Motorola Solutions, Inc.
What Are You Likely to Find on a Social Networking Site?
Education history
Work history
Career interests
Hobbies
Favorite music
Favorite movies
Medical information
Disabilities
Vacation photos
Party photos
Family information
Links to profiles of friends
Links to blogs
Political views
Family medical history
Employers may seek to monitor personal social media activity of applicants or employees for a number of reasons:
• Recruitment/vetting of candidates
• Social listening
• Compliance, investigations
Many laws restrict an employer’s ability to seek access to personal social media accounts:
Stored Communications Act
State social media laws (at least 16 states…)
o provide the employee’s user name or password to social media accounts
o “friend” a supervisor or employer representative
o inspect the personal social media in the employee’s presence
Data protection laws in other countries
Can a manager decide not to hire (promote or discipline) a candidate (or employee) based on a review of social networking sites?
Yes! But….
Negligent hiring/supervision:
o Doe v. XYC.
Legal constraints on employee discipline:
o NLRA-SM & E-Comm.; Whistleblowers; Lawful Off-Duty.
Discrimination/Harassment/Retaliation:
o Information the employer otherwise might not have had – GINA, Medical Info., Disability; Company Sponsored.
Reputational harm to employees:
o Defamation; Apparent Authority.
Reputational harm to employers:
o Video/Photographs.
Personal privacy pitfalls.
Loss of confidential information, trade secrets or proprietary information.
Procedure for investigating complaints of discrimination/harassment from posts on social networking/blogs
Policy on whether HR/Hiring Managers can access social networking sites for job applicants/employees
Training for HR/IT personnel responsible for monitoring/using electronic information (improper access; screen out information that cannot be lawfully considered)
Consider limiting access to social networking sites to HR/IT employees who need access for business-related reasons. Do not allow a third party to “friend” an applicant to gain access to the site
Ensure all employment decisions are made based on lawful verified information
Implement a social networking/blogging policy which explains diminished right to privacy
Incorporate social media into existing policies.
Communications, Location and Actions of Employees and Others:
o E-mail, text messages, keylogging, GPS
o Call recording/monitoring
o Physical searches
o Video monitoring
o Audio recording
o Expectation of privacy generally.
• Balance privacy v. security
Required by law, compliance
o SEC/FINRA
o FTC endorsement
o HIPAA privacy
Contract requirements
Facility security
Enhance productivity, training
Protect business assets
o trade secrets, intellectual property, confidential information
o prevent fraud, theft and embezzlement
Detect, dissuade improper behavior
o Harassment, discrimination, etc.
Monitoring work email = usually o.k.
o Stengart v. Loving Care (N.J. Supreme Ct.)
o Purple Communications (NLRB)
Using work computer to obtain employee’s password to personal, cloud-based email account = usually not o.k.
o Pure Power Boot Camp v. Warrior Fitness Boot Camp (S.D.N.Y.)
Call recording—Use of audio recordings in workplace.
Governed by Wiretap Act—State law equivalents:
o Federal: One party consent;
o All party consent states (12);
• California, Connecticut, Florida, Hawaii (in general a one-party state, but requires two-party consent if the recording device is installed in a private place), Illinois (debated-not if public), Maryland, Massachusetts, Montana (requires notification only), Nevada, New Hampshire, Pennsylvania, and Washington.
Employee monitoring and customer recording.
Issues: wage & hour, creating evidence, union issues.
GPS: Employers often faced with the difficult decision of just how much information they may obtain about an employee’s whereabouts:
o Vehicle/Phone/Computer/iPad;
o Case law varies by jurisdiction;
o Need to know? Business related;
o Other issue: Wage & Hour, creating evidence, employee morale.
Common law intrusion upon seclusion
Notice requirements in CT, DE (electronic monitoring)
Social media access restrictions
National Labor Relations Act
o General Rule: surveillance of employees’ Section 7 activity, or even creating the impression of such surveillance, is unlawful
Is monitoring allowed? Did the employee have a reasonable expectation of privacy in the electronic communication? (“The Whos”)
Other consideration: Employers should ensure monitoring is based on legitimate needs and limited in scope to achieve those needs.
Courts will be inclined to rule in favor of the employer if:
o Employer owns the “System” (computer or email)
o Employee voluntarily uses employer’s network
o Employee consented to be monitored (written policy)
Quon v. City of Ontario, CA
Develop a specific, written policy:
o Establish information systems are the property of the employer
o Reserve the right to monitor
o Prohibit inappropriate use
o Include penalties for policy violations
Train/educate employees and others
Keep the monitoring work-related
Permit reasonable personal use
Consider additional steps – desktop statement, posting in common area, written consent/acknowledgement
Businesses are always looking for an edge
o A competitive advantage can boost the profit margin
Often, data is the edge
o Market understanding
o Customer demand
• Sooner known, sooner pursued/exploited
o Efficiencies
• Production, distribution, marketing.
Data is already being gathered, but what is it being used for?
o Unmined data is a missed opportunity
Data analytics allow existing sources of information to be gleaned for patterns, trends, etc.
o If two competitors gather similar data but one utilizes it better, then a competitive advantage is gained
o It worked for the Oakland Athletics in baseball.
Cannot ignore
o Remember when the internet/social media was a fad?
Think of your business – where does technology generate data?
o Software
o Hardware
o Communications
• Phone, Email, Text
If your company is generating it and keeping it, why not harness it?
o What might it show?
Biometric time clocks, security systems
o Fingerprints, retinal scans, hand geometry, facial geometry
Legal risks:
o State fingerprinting laws
o State biometrics laws
o Strict restrictions on biometrics data in other countries
o Data security
Google Glass, HoloLens
FitBit, Jawbone, etc.
Cocktail dress with Bluetooth technology that lights up when you get a call
Hoodie that sends pre-programmed text messages triggered by gesture movements.
RFID Inserts
Do you REALLY want to know?
Bring Your Own Device (BYOD)
Corporately Owned Personally Enabled (COPE)
Rapid increase in the use of mobile devices by employees:
o iPhones, iPads, Android devices, etc.
Employees utilize these devices to perform work for you:
o Whether company provided or employee’s personal device.
o Balancing personal versus business use
• Apps, music, photos, videos, contacts, internet use
Result: “Dual-Use” Device:
o Both personal and company data and activity;
o Handling personal matters while at work – more difficult to monitor.
o Preserving confidential business information
Why allow it? Companies may not have a choice:
o Advantages for both employer and employees.
Employers do not have the same rights to access and monitor personally owned devices as company-issued devices.
o Computer Fraud and Abuse Act, federal and state wiretapping laws
o California constitutional and common-law privacy rights
o Stricter limits in other countries
BYOD/COPE software solutions vary significantly
MDM (Mobile Device Management)
o Is company data segregated and encrypted?
o How are back-ups protected?
o Does remote wipe remove all data or just company data?
o Real-time monitoring?
o Location tracking?
Recognize differences in local laws
o Wage payment and expense reimbursement
o Monitoring (location data, device usage)
o Remote wipe
o Role of works councils, unions
U.S.-style BYOD/COPE agreement may not necessarily pass muster in other countries
Consider phased implementation
Have a strategy, coordinate internally (IT, HR), implement policy
o Proxy servers to control access to file-sharing web sites
o Data encryption
o Anti-virus and spyware protection
o MDM (Mobile Device Management) software and enforcement
o Put employees on notice of BYOD requirements & conditions
• Monitoring
o Clearly state company ownership of information, and ability to access and control that information.
It’s important to develop an appropriate BYOD policy/agreement describing your BYOD solution, including:
o Requirement to download software on device
o Monitoring (including any location tracking functionality)
o Remote wipe capability, etc.
Beware of overly generic BYOD/COPE policies/agreements
Make BYOD voluntary
Obtain informed written consent from each participant
Limit access to BYOD data on a need-to-know basis, especially location data and other sensitive data
Ensure you remove company data from personal devices when the employee leaves, discards, or gives away the device, etc.
Require reporting of lost or stolen personal devices
Don’t assume that a U.S. BYOD approach will pass muster in other countries; address local requirements
Lost or stolen devices
Employee use of document sharing sites (dropbox.com, etc.)
Sales teams copying customer lists to a USB or other device before they leave the company
Copying/downloading material prior to exit from company
Employees upgrading to a new mobile device (discarding of the old)
DATA BREACH
What business are you in (company risk/target profile)?
What kind of information do you maintain?
Where are you located – states, territories, cities and countries?
Who are your customers?
Are you a government contractor? (Federal? State & Local?)
Do you record or monitor communications, movement, or actions of employees or customers?
What kind of plans do you sponsor for employees?
There is currently no broadly applicable federal law in the U.S. — we follow a piecemeal approach:
o HIPAA, GLBA, FCRA, ECPA, SCA, CFAA, ADA/GINA/FMLA, FISMA, COPPA, FERPA…
States generally have one or more of the following:
o Affirmative obligations to safeguard (e.g., CA, CT, IL (biometric information), MA, MI, TX, others);
o Data breach notification (47 states plus some cities);
o Various Social Security number protections;
o Data destruction requirements.
Risk assessment cycle (diagram): Plan and gather data → Identify risks and vulnerabilities → Consider existing safeguards and evaluate risk → Select and implement safeguards to address risks → Re-evaluate.
Risk Assessment-What should we be doing?
o “How” and “What” of Information/Data.
o Strong IT group/support.
o Assess:
1. Standards for handling credit card or payment data;
2. Safeguards for other customer personal information;
3. Safeguards for employee/relative personal information.
o Review vendor agreements – what data/information/protections.
o Assess with a WISP (written information security program) in mind: (i) documented risk assessment, (ii) administrative, physical and technical safeguards/policies, (iii) data breach response plan, (iv) employee training.
Administrative safeguards.
o Responsibility, access restrictions, training, contingency plans, sanctions
Physical safeguards.
o Facility access, workstation use/security, device and media controls
Technical safeguards.
o Firewalls, encryption, passwords, termination procedure, audit controls, integrity of data
Organizational safeguards.
o Vendors, business units
The answer is not always black or white
Did the incident result in
o unauthorized ACCESS?
o Unauthorized DISCLOSURE?
o Unauthorized USE?
The challenge: access was “authorized”, but disclosure or misuse is “suspected” yet unconfirmed.
Unauthorized use of, or access to, records or data containing personal information.
o Personal Information (PI) typically includes:
• First name (or first initial) and last name in combination with;
– Social Security Number;
– Drivers license or state identification number;
– Account number or credit or debit card number in combination with access or security code;
– Biometric information;
– Medical information;
– Broader view taken by FTC.
o PI typically maintained about?
– Employees;
– Customers;
– Vendors.
The lost laptop/bag.
Inadvertent access.
Data inadvertently put in the “garbage.”
Theft/intentional acts, hacking, phishing attacks and other intrusions.
Inadvertent email attachment(s).
Stressed software applications.
Rogue employees.
Remote access.
Wireless networks.
Peer to peer networks.
Vendors.
3 critical phases:
1. Discovery
-What happened? Who was affected? What states/territories?
2. Notification and response process (if needed);
-Content? State agencies & Individuals? Risk of harm.
3. Review and evaluate to avoid future incidents.
*TIME MATTERS.*
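As an added example (not from the presentation), the slide’s name-plus-data-element test for Personal Information and the discovery-phase question “what states/territories?” applied as a breach-triage check over constructed records; the field names and values are assumptions, and the FTC’s broader view of PI is not modelled.

```python
from collections import Counter
from dataclasses import dataclass, field

# Data elements that, in combination with a name, typically make a record
# "personal information" under state breach-notification laws (the slide's list).
# The FTC's broader view is deliberately not modelled here.
NAME_PLUS_ELEMENTS = ("ssn", "drivers_license", "state_id", "biometric", "medical")

@dataclass
class Assessment:
    is_pi: bool
    reasons: list = field(default_factory=list)

def has_name(record: dict) -> bool:
    # "First name (or first initial) and last name": presence is enough,
    # so a single-letter first name still counts.
    return bool(record.get("first_name")) and bool(record.get("last_name"))

def assess_record(record: dict) -> Assessment:
    """Apply the name + data element test to one record (field names are assumed)."""
    if not has_name(record):
        # Without a name, none of the elements below trigger the typical definition.
        return Assessment(False, ["no name"])
    reasons = [f"name + {key}" for key in NAME_PLUS_ELEMENTS if record.get(key)]
    # Account, credit or debit card numbers count only together with an access
    # or security code; a bare card number does not.
    if (record.get("account_number") or record.get("card_number")) and record.get("access_code"):
        reasons.append("name + account/card number + access code")
    return Assessment(bool(reasons), reasons)

def affected_by_state(records: list) -> Counter:
    """Count PI records per state: the discovery-phase 'what states?' question."""
    return Counter(r["state"] for r in records if assess_record(r).is_pi)

# Constructed, fictitious records for illustration.
SAMPLE_RECORDS = [
    {"id": 1, "state": "CA", "first_name": "A", "last_name": "Example", "ssn": "000-00-0000"},
    {"id": 2, "state": "NY", "first_name": "Pat", "last_name": "Example", "card_number": "4111000000000000"},
    {"id": 3, "state": "NY", "first_name": "Pat", "last_name": "Example",
     "card_number": "4111000000000000", "access_code": "123"},
    {"id": 4, "state": "TX", "last_name": "Example", "ssn": "000-00-0000"},
    {"id": 5, "state": "CA", "first_name": "Sam", "last_name": "Example", "medical": "diagnosis code"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        a = assess_record(rec)
        print(rec["id"], "PI" if a.is_pi else "not PI", a.reasons)
    print(dict(affected_by_state(SAMPLE_RECORDS)))
```

Record 2 (card number without an access code) and record 4 (SSN without a first name or initial) fall outside the typical statutory test, which is why a triage tool must encode the combination rule rather than flag individual fields.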
Physical security still counts!
• Access controls; electronic badges & credentials
Protect your electronic perimeter!
• Firewalls
• Passive monitoring tools
• Employees as “the new perimeter”
Deal with the Insider Threat throughout the entire “life-cycle”
• Background checks
• Educate on policies and procedures; good electronic prophylaxis; good password practices
Don’t lose sight of vendor agreements and relationships (they are Insiders, too!)
Tests and drills!!!! (e.g., “phishing” and “whaling” exercises; tabletop exercises)