The American workplace is in a period of unprecedented change as the combination of mobile technology and social media is changing the "who, what, when and where" of work.
Translating the Trends:
Mobile Communications,
the Consumerization of IT,
Social Media, and the
Cloud Meet the Workforce
Margaret A. Keane, Shareholder
Littler, San Francisco
Philip L. Gordon, Shareholder
Littler, Denver
Program Agenda
When Worlds Collide: Tracking the Trends at the
Intersection of Social, Mobile and the Cloud
− The Explosion of Social/Mobile at Work and Play
− Social/Mobile Meets the Workplace: High Level Challenges
− Cloud Content and Mobile & Access Devices = New Applications and New Risks
− Enterprise Use of Social Media
− Managing the Social/Mobile Juggernaut (BYOD and Beyond)
− Wage and Hour Issues for the Perpetually Connected
− Employment Law Risks
− Privacy in a Transparent World
The Social / Mobile Explosion Is Driving Change
Who: Offshoring/outsourcing; freelancers; shifting expertise across teams; increased employee mobility
What: FLSA does not define work; Supreme Court: “physical or mental exertion . . . controlled or required by the employer
and . . . for the benefit of employer.”
Where: Decreasing reliance on “work” as a fixed physical space
When: Knowledge workers have more autonomy over when to work; constant connectivity; and
How: New tools, ex. enterprise microblogging and other collaborative tools; internal apps developed for enterprise and customers; workflows
Translating the Trends: What to Expect in 2013
The Explosion of Social/Mobile At Work and Play
The Drivers: Going Mobile. . .
The Drivers: How Are We Using Our Mobile Devices?
Always Connected, IDC Study, Sponsored by Facebook, March 2013
What Do You Do When You First Wake Up?
Always Connected, IDC Study, Sponsored by Facebook, March 2013
Blurring The Lines: Work vs. Personal
90% of full-time employees use a personal smartphone for work purposes
• 62% of those use it every day
• 39% don’t use password protection
• 52% access unsecured wifi networks
• 69% believe they are expected to access work emails after hours
1 in 10 workers receive a stipend for their smartphone
(Cisco, BYOD Insights in 2013: A Cisco Partner Network Survey, March 2013)
Translating the Trends: What to Expect in 2013
Social/Mobile Meets the Workplace: Challenges and Opportunities
Blurring The Lines: Work vs. Personal
• Do You View Your Tablet Device As Primarily A Work Or Personal Device?
Source: iPass Q1 2013 Mobile Workforce Report
The Consumerization of IT is Here
55% of IT managers have made exceptions for “specialized members,” i.e., top executives to use their choice of devices and software (2013 iPass MobileIron study)
55% of IT directors will actively accommodate and encourage the use of personal devices (Citrix Study 2012)
81% of respondents accommodate personal devices in the workplace (2013 iPass MobileIron study)
54% of respondents had a formalized BYOD policy (2013 iPass MobileIron study)
How Are Different Sectors Responding?
Source: Good Technology, BYOD Customer Survey, December 2012
Mobile Is Here To Stay
Lowe’s purchased 42,000 iPhones for employees
− Employees can check inventory at nearby stores; share how-to videos, check competitor prices, order status, and schedules; verify sale prices and better serve customers
− Innovative apps include tools to calculate the amount of paint needed to paint a room
− My Lowe’s can organize customer history
− Sales associates can use iPhones to ring up sales
Home Depot distributed 34,000 “First Phones” to employees
− Associates can continuously update and monitor inventory levels
− First Phones provide instant access to product info and speed checkout
Customers & Social Media
An estimated 23M Americans discover new brands through social networks; up from 18M in 2010
64% of social media users stated that social networks influenced their buying decisions
80% of companies planned to use social media for customer service by the end of 2012
47% of social media users actively seek customer service through social media
(Click Software Study Dec. 2012)
The Social Intranet
“Creating a community in the workplace where employees can share and engage on a real-time platform makes everyday communication and collaboration easier and more effective, delivering tangible business results.”
(Social Business: 5 Trends To Watch For 2013 And Beyond, Forbes (Dec. 2012))
Internal Social Media Benefits
83% of respondents use at least one social technology
73% of respondents use social technologies internally; 74% use with customers; and 48% connect with external partners
9 of 10 respondents who use social tools have tangible business benefits, including enhanced access to knowledge and internal experts, increased employee satisfaction and reduced travel costs.
(McKinsey Quarterly, March 2013, reporting on July 2012 survey of 3,542 executives)
Social Intranet vs. Mobile
Common barriers to mobile design entry for intranets:
Data security concerns
Difficulty of choosing a platform
Lack of resources to create and maintain the design
Uncertainty about whether to implement a full feature set with a good mobile user experience or an app for particular tasks
Some Risks Of Social/Mobile
• Loss of control over corporate data
− Violation of regulatory compliance obligations, ex. SEC, HIPAA, GLBA
− Security breaches
− Misappropriation of trade secrets
• Public nature of social media
− Too much information about applicants and employees
− Damage to brand reputation
− Expanded responsibility for regulating employees’ off-duty conduct?
• HR/Employment Risks
− “Off the clock” wage and hour claims
− Potential privacy-based claims
− Workplace safety issues
• Records management and e-discovery challenges
What Are The Organizational Challenges?
• Social/mobile permeates the organization
− Branding and public image
− Relationships with customers, vendors and competitors
− Getting the work done
− Managing employees
• IT, HR & Legal may have different objectives
• Evolving communications standards
− Five generations in the workplace, each with different communication norms
• Risk of losing market share to more socially agile competitors
What Are The Legal Challenges?
Challenges of applying old laws and policies to new technology
− FLSA (1938); NLRA (1933); SCA (1986)
Case law lags behind while rate of change accelerates
Early legislation and regulation in the U.S.
− Social media password protection laws
− Agency guidance on social media communications – SEC, NLRA, FTC, FINRA
The challenges of global legal compliance
Some Solutions
1. Understand how your organization is using social/mobile
2. Create a multi-disciplinary information governance team
3. Identify key risk areas
4. Develop an enterprisewide strategy for managing social/mobile risks
5. Implement a governance platform and update existing policies
6. Continuously evaluate the impact of new mobile and social technologies on the workplace
7. Continuously evaluate the impact of new laws and court decisions on existing policies
Translating the Trends: What to Expect in 2013
Cloud Content & Mobile Access = New Applications and New Risk
What Is Cloud Computing?
The “cloud” is “the act of storing, accessing and sharing data, applications and computing power in cyberspace.” (Pew Research Center)
Types of information that can be, and are, stored and processed in the cloud: customer records, databases, email, health records, financial data, personnel records
Nature of the cloud = f(degree of control over the data)
− Personal cloud (retail to individuals)
− Private cloud (corporate, limited access)
− Public cloud (corporate equivalent of personal cloud)
Employees And The Cloud
Mobile devices send information to data storage, video, photography and social networking sites, and web-based email providers
− iCloud, YouTube, Flickr, Facebook, Gmail
Cloud services also provide collaboration capabilities – may be used to circumvent IT restriction on sharing information outside the enterprise
− Google Docs, Dropbox.com, Box.net
An employer rarely has any control over data stored by cloud service providers
Advantages Of Cloud Computing
1. Reduced costs and increased scalability
2. Increased security
• Cloud providers often have greater resources and sophistication
• Redundancy ensures business continuity and disaster recovery
3. Convenience: Users can access data from anywhere over the Internet using any computer
4. Save computing space: Software does not have to be installed on each hard drive
Legal Risks Of Cloud Computing
1. Loss of control of data to a third party
• Information can be stored anywhere in the world
2. Loss of control over infrastructure and information security
• CSP will control security incident response
3. Lower standard for government access
4. Inadequate protection of trade secrets
5. Electronic discovery challenges
6. Potential global data protection challenges
Practical Steps Towards Implementing
1. Interdisciplinary team (IT, HR, Legal, Business Unit leaders)
2. Understand applicable law, especially law related to cross-border data transfers
3. Determine which information to store in the cloud
• Think twice before storing these in the cloud: Regulated data (PHI, PII, NPPI), privileged communications, trade secrets, business critical information, EU personal data
4. Conduct due diligence on the cloud service provider
5. Negotiate contractual protections
Practical Reality
CSPs will permit minimal to no due diligence
CSP Terms of Service often are non-negotiable
Cloud services can create operational risks
o HHS obtained $100K settlement from a Phoenix surgery center that posted patient appointment calendar to the cloud
CSPs can play hardball with your organization’s data
o GlaxoSmithKline sues CSP, alleging $80K ransom demand for return of critical documents
Translating the Trends: What to Expect in 2013
Enterprise Use of Social Media
Enterprise-Oriented Social Media
Key steps to success:
1. Define your organization’s objectives
2. Get leadership buy-in
3. Create an information governance committee
4. Tailor for corporate culture/employee or customer needs
5. Determine who is authorized to post
6. Establish guidelines
7. Provide training
Think Before You Post
Summary judgment denied to Coyote Ugly on retaliation claim where company’s president and co-founder referenced on “Lil Spills” blog a former employee’s lawsuit and commented, “F**k that b**ch.” Stewart v. Coyote Ugly Saloon Nashville, LLC (M.D. Tenn. 2013)
Netflix CEO posts to 200K Facebook followers that users have watched more than 1B hours of content on the Company’s streaming service
• stock price jumps 6%
• SEC issues Wells notice and investigates failure to use public means of communication
Key Guidelines For Social Speakers
1. Identify yourself
2. Protect confidential information
3. Speak for the organization only when authorized
4. Respect intellectual property rights
5. Get the message right and admit mistakes
6. Think global
Key Guidelines For Social Speakers
7. Company will monitor employees’ social media content
8. Personal accounts are not for business purposes
9. Beware of lurking wage & hour issues for non-exempt employees
10. Remember your other job duties: Social media can be addictive
Additional Issues: Customer-Facing Social Media
1. Compliance with sector-specific regulations
2. Protection of corporate accounts
• Covered in detail during afternoon presentation
3. Monitoring and responding to customer complaints
Service Level Agreements (SLA)
Translating the Trends: What to Expect in 2013
Managing the Social/Mobile Juggernaut: BYOD and Beyond
Lingo: Dual Use Mobile Devices And BYOD
BYOD = Bring Your Own Device
Dual Use Mobile Device: Mobile device used to create, store and transmit both personal and work-related data
COPE: Corporate Owned, Personally Enabled
Some Other Terms:
BYOC: Bring Your Own Computer. Programs that add laptops to the covered devices
BYOA: Bring Your Own App.
Two Perspectives of BYOD
BYOD can improve employee productivity, engagement and satisfaction; help recruit new employees, and solve the “two pocket problem”
vs.
BYOD can pose tremendous compliance and security risks, can undermine litigation, as well as create exposure under wage and hour, privacy and related laws
Another Perspective: Does It Really Reduce Costs?
All tallied, it is not clear whether BYOD saves money. A typical mobile BYOD environment costs 33 percent more than a well-managed wireless deployment where the company owns the devices ***.”
− Loss of bulk purchasing power
− Higher help desk/support costs
− Security issues
Expenses may be offset by enhanced productivity – Intel estimates that BYOD employees save 57 minutes daily through use of personal devices
IBM says the trend toward employee-owned devices isn’t saving it money.
(MIT Technology Review, Monday, May 21, 2012)
Setting Up A BYOD Program: Overview
A BYOD program includes:
1. User Policies that govern ownership and use
2. Information Security Policies that attempt to manage risk
3. HR Policies to address impact of mobile devices on workplace behavior
4. Selection, installation and deployment of mobile device management software
5. Applicable disciplinary procedures for non-compliance
6. Updates to BYOD Guidelines and policies as needed
7. Training re: all of the above
Security Risks Of Mobile Devices
• BYOD a “significant” security risk for 78% of respondents (Global Information Security Workforce Study 2013)
• Loss or theft of devices
− 47% of IT managers reported dealing with lost or stolen phones (2013 iPass MobileIron study)
− 39% of respondents stated that they have the necessary security controls to address the risks created by mobile devices (Ponemon Study Feb. 2012)
• Malware
− 69% of respondents ranked application vulnerabilities as the highest security concern, with malware and mobile devices a close second at 67% and 66% respectively (Global Information Security Workforce Study 2013)
• Friends and family
− 27.5% of FINCEN suspicious activity reports involving identity theft implicate friends, family, employee in home
Security Risks of Mobile Devices
Mobile Devices As Gateway to the Cloud:
− Employee ownership of the account with the service provider will limit company access to its data
− No contract with company = no right to access data
− Obligation to “vet” security controls of vendors
− Data may be more available to law enforcement or others
Implications Of A Security Breach
Violation of statutory or regulatory requirements to secure personal information: HIPAA, GLBA, and state laws (MA, OR, OK, NV)
− Statutes apply to service providers of covered entities
− Enforcement: HHS and MA have recently obtained penalties
Security breach notification laws: 46 states, DC, PR, USVI, and Guam
− Encryption safe harbor
− Encryption requirements: MA, NV, HIPAA
Avg. cost of a breach is $194/lost record or $5.5M (Ponemon Study 2011)
Recommendation: Control Eligibility
Control eligibility to participate in BYOD and other remote access programs
• The more people with BYOD, the greater the risk
Limit to employees with a business need for remote access
NOT employees with regular access to sensitive information
• Legal, HR
• Access to highly valuable trade secrets, e.g., product engineers
• Access to highly sensitive, non-public financial info, e.g., CFO’s group
Recommendation: Install MDM Software
Mobile Device Management Software: Allows corporate IT to manage use of mobile devices (BYOD and corporate issued). Available features include:
• Encryption
• Lock down end user’s ability to use specific device features or apps, such as cameras or iCloud
• Enable remote locking or wipe of device
• Enforce use of strong passwords
• Prevent users from jailbreaking device or disabling or altering security settings on devices
• Device locator
Consider the use of “container” technology
Additional Recommendations
1. Limit the types of devices that can participate in the program
2. Limit the business applications on the device
3. Limit use of cloud-based apps, cloud-based backup, or synchronizing with home PCs
4. Require employees to protect the physical security of the device
• No sharing of device or password with household members or friends
• Require password protection
Translating the Trends: What to Expect in 2013
Wage & Hour Issues for the Perpetually Connected: Challenges of a Mobile Workplace
Who Will Pay And What Devices Are Included?
Who pays for/owns device? Is participation optional?
Who pays for service plan – employer selected options or reimbursement?
Options include technology allowances, reimbursement, standard devices issued by employer.
Who Pays For Mobile Devices And Use Fees?
Expense Reimbursement
• Federal law – expenses can’t reduce pay below minimum wage
• Eleven states have express or implied expense reimbursement requirements
California, Montana, North Dakota, South Dakota, New Hampshire, Alaska, Minnesota, Arkansas, Iowa, Kentucky, Michigan
California Labor Code § 2802 – Employer must reimburse Employee for “necessary expenditures or losses incurred by the employee... as a consequence of the discharge of his/her duties”
Reimbursement must meet certain criteria in order to be tax exempt
Who Pays In California?
• Employer can reimburse for actual expenses or make a lump sum payment to fully reimburse employees for actual expenses necessarily incurred (Gattuso v. Harte-Hanks Shoppers, Inc., 42 Cal 4th 554 (2007))
• Deleon v. Airtouch Cellular, unpublished opinion, (Ct. App. 2nd Dist. February 4, 2013) alleged violation of California Labor Code Section 2802 where employer stipend did not cover full cost of required cellular phone and equipment.
− Employee allowances did not cover taxes, data plans, 411 calls and overages
− Lump sum program with mechanism to seek approval for expenses in excess of the lump sum satisfies 2802 if it provides full reimbursement for actual expenses necessarily incurred
− Take away: Court found fact issues with the operation of excess program, but did not question that employer is responsible for cell phone charges IF NECESSARILY INCURRED.
Who Pays For BYOD Devices?
The 24/7 Workplace And The FLSA
• Wage & Hour – Is after-hours use of mobile devices compensable time?
− When does “de minimis” time become compensable?
− Emails themselves may be evidence of time spent and notice to employer
− Time spent dealing with IT issues related to devices
− Work by non-exempt or exempt employees during weeks off or leaves of absence
The 24/7 Workplace And The FLSA
Managing W&H Concerns
• Prohibit non-exempt employees from accessing email or making work-related calls outside of scheduled hours
• Limit access/program participation to employees who are exempt from OT
• Create process for reporting work performed outside of working hours
• Training
– Employees
– Managers
– Compliant policy requiring pay for all hours worked
– Must pay for all time worked, approved or not
– Can treat time worked without authorization as a disciplinary issue
Lessons From Recent Case Law
Allen v. City of Chicago (N.D. Ill. 2013): collective action alleging failure to pay overtime for off-duty time reading and responding to email on city-issued Blackberries
Lessons:
− Employer has a risk if managers are sending messages via company-provided devices, and the messages call for off-shift response
− If you provide mobile devices to exempt employees, consider written policy that employees do not need to review and respond to email while off-shift
Brown v. Scriptpro, LLC (10th Cir. Nov. 27, 2012): Employee’s failure to use remote timekeeping system resulted in victory for employer
Lessons:
− Provide automated timekeeping system with easy remote access and train employees to use it
− Make sure policy aligns with operational reality
− Conduct compliance audits
Translating the Trends: What to Expect in 2013
Employment Law Risks
Can Trash Talk on a Blog be an Adverse Employment Action?
Post by President of Defendant/Employer:
“By the way Lil, you should be getting served with a lawsuit. No worries just sign for it”. This particular case will end up pissing me off cause it is coming from someone we terminated for theft… I have been reading the basics of Buddhism and am going to a class on Monday. The Buddhist way would be to find beauty in the situation… Obviously, I am still a very new Buddhist cause my thoughts are “#$%! that @#$*#. Let me do my breathing exercises and see if any of my thoughts change. Lol
Court ruling on retaliation claim: A reasonable jury could find that the posting of this blog entry constituted an adverse action, since it falsely stated that she engaged in theft, . . . and could find that this [conduct] would have likely dissuaded a reasonable worker from making . . . an FLSA claim.
Stewart v. Coyote Ugly Saloon Development Corp., et al., 2013 WL 456482 (M.D. Tenn. Feb. 6, 2013)
Potentially Outdated Policies
Recruiting and Hiring
Performance Management
Harassment, Discrimination & EEO
Workplace Safety
Time Recording and Overtime
All Policies Governing Use of Electronic Resources
Social Media Policies, including policies governing external communications and internal company social networks
Compliance and Ethics, Including SEC Disclosure Rules
Advertising and Marketing
Records Management and Retention
Data Privacy & Security
Litigation Holds
Confidentiality & Trade Secret Protection
Termination Practices
Other Issues
E-Discovery Challenges
− Identification of BYOD devices/information
− Practical challenges of data collection
− Does the employee “control” data on the devices?
− Will employees be required to produce mobile for e-discovery purposes?
Records Management: FINRA retention requirements
Protection of trade secrets
o Gateway to the cloud
o Review exit interview process
Translating the Trends: What to Expect in 2013
Employee Privacy in a Transparent World
Employee Privacy Rights
Issuing a remote wipe command
• Employees have a reasonable expectation of privacy in their personal device
• All 50 states have computer trespass laws
• Potential liability under the Computer Fraud & Abuse Act if the unauthorized access causes damages > $5,000
Accessing an employee’s personal e-mail or cloud account
• Federal Stored Communications Act, e.g., Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)
Access to private information: GINA
Geolocation Tracking And Telematics
FTC: Geographic location is sensitive information
CA Penal Code 637.7(a). No person . . . shall use an electronic tracking device to determine the location or movement of a person.
CA Penal Code 637.7(d). Electronic tracking device is “any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals.”
Tread carefully.
International Data Protection Issues
The number of countries with broad data protection laws has increased dramatically in the past three years
Ability to roll out program globally can vary substantially by country
− France, Mexico, Spain: Yes
− Brazil, Czech Republic: No
− Singapore: Yes with adjustments
The Dual-Use Device Agreement
Critical Terms: Protection against computer trespass, invasion of privacy and other claims
1. Agree to Company’s use of remote wipe
2. Agree to Company’s monitoring of personal device
3. Agree to produce the personal device for inspection and copying in response to a legitimate request
4. Release Company from any liability for destruction or incidental viewing of personal information
Expect Pushback
The Dual-Use Device Agreement
Additional Terms:
1. Will install corporate security package
2. Will not modify corporate security package
3. Will immediately report loss or theft of device
4. Will limit storage of corporate information
5. Acknowledge that all company policies apply to the dual-use device
© 2013 Littler Mendelson, P.C.