Bring Your Own Device in the Workplace: Minimizing Legal ...media.straffordpub.com/.../presentation.pdf · 9/18/2013 · ©2013 Foley & Lardner LLP • Attorney Advertising • Prior

Bring Your Own Device in the Workplace: Minimizing Legal Risks of BYOD Programs Protecting Employers' Proprietary Information by Developing and Enforcing Effective Policies and Procedures

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

WEDNESDAY, SEPTEMBER 18, 2013

Presenting a live 90-minute webinar with interactive Q&A

Eric Schlissel, CEO, GeekTek IT Services, Los Angeles

Aaron K. Tantleff, Senior Counsel, Foley & Lardner, Chicago

Michael N. Westheimer, Shareholder, Buchalter Nemer, San Francisco

Tips for Optimal Quality

Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory and you are listening via your computer speakers, you may listen via the phone: dial 1-888-601-3873 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

For CLE purposes, please let us know how many people are listening at your location by completing each of the following steps:

• In the chat box, type (1) your company name and (2) the number of attendees at your location

• Click the word balloon button to send

FOR LIVE EVENT ONLY

Bring Your Own Device in the Workplace: Minimizing Legal Risks of BYOD Programs

Eric Schlissel CEO, GeekTek IT Services

Bring Your Own Device • Employees are bringing their own tools to the workplace, accessing

company intellectual property and data

• Drivers behind the Bring Your Own Device (BYOD) momentum

– Employee Demand

– Consumerization of IT

– Improved Mobility

– Increased Productivity

– Perceived Cost Savings

40% of workers are using their personal devices to access business applications & resources. (Source: AirWatch Whitepaper)

5

Current State • The BYOD adoption rate is accelerating even if company policies aren’t in

place and outpacing security strategies

• Half of employers will require employees to supply their own work devices by 2017 (Source: Gartner)

• Many major corporations have a BYOD policy, such as IBM, Colgate-Palmolive

• Industries adopting Mobility: Banking, Entertainment, Healthcare, Financial Services, Education, Manufacturing, Education, Retail, Automotive. (Source: [x]cube labs)

71 million BYOD devices in use in America today, expected to grow to 108 million by 2016 (Source: Cisco Survey)

6

BYOD Support

Source: ZDNet / Tech Republic

7

Risks of BYOD • IT has limited or partial control of devices • Company data mingling with personal data • Lost and stolen devices • Shared devices • Unauthorized access to devices • Improper disposal of old devices • Data recovery post employment separation

“35% of IT leaders and 25 percent of IT professionals are not confident their organization’s BYOD policy is compliant with data and privacy protection acts, HIPAA, Dodd-Frank or other government-mandated regulations.” (Source: Teksystems’ Survey)

8

Shadow IT • Company provided tools are not as easy to use as consumer grade

tools • Employees use the tools that work for them, not necessarily those

provided by IT, creating Shadow IT • Shadow IT creates problems with compliance • When employees use their own software, company trade secrets are

not under IT management • Creates data silos between employees, vendors and partners

Of the office workers surveyed, 42% would use "unapproved" cloud services to get a job done, and 36% already have done. (Source: Imperial College Business School Survey)

9

Mobile Attack Methods • Outdated Operating Systems • Jailbroken Devices • Lax Device Security • SMS Attacks • Marketplace Vulnerabilities • Malware • Fake Apps • Hardware Hacks

At the end of this quarter (Q3 2013), the total number of samples in our mobile malware “zoo” reached 50,926, with 28 percent of that arriving in 2013. (Source: McAfee)

10

Android Malware

New Android Malware

Source: Symantec

11

Mobile Device Management • Centralized policy and configuration management for mobile devices • Secure, monitor, manage and support mobile devices and tablets

• Simplifies support of mobile devices • Automatically configures email, access other settings • Supports most Android, Windows and iOS devices

• Over-the-air hardware software and network inventory • Similar to PC life cycle management tools • Over 100 Key Players in market estimated at over $500 million (Source:

Gartner Paper-Critical Capabilities for Mobile Device Management

"33% of IT leaders & 46% of IT pros said their organizations lack the ability to remotely wipe data from employee devices if necessary.“(Source: Computerworld)

12

Mobile Management Methods • Containerization • App Wrapping • MAM – Mobile Application Management • MCM – Mobile Content Management (aka MIM) • Mobile Virtualization

"73% of IT leaders and IT professionals said poor BYOD policies put sensitive corporate data at risk by potentially exposing it on personal mobile devices.“ (Source: Computerworld)

13

Eric Schlissel CEO, GeekTek IT Services 4344 Laurel Canyon Blvd., Suite 6 Studio City, CA 91604 [email protected] Direct: 323-518-1200 www.geektek.com Twitter: @geektek

14

©2013 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500


Aaron Tantleff September 18, 2013

©2013 Foley & Lardner LLP 16

BYOD is Uncharted Territory • Who owns the device?

– BYOD versus CYOD

• Who owns the data? – Does it matter, personal versus corporate data?

• Courts have not addressed unique aspects of BYOD

• No laws specific to BYOD


What is a Trade Secret? • Defined State-by-State • Uniform Trade Secret Act (UTSA)

– Trade secret means information, including a formula, pattern, compilation, program, device, method, technique or process, that:

• derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and

• is the subject of efforts that are reasonable under the circumstance to maintain its secrecy.”


Preserving Trade Secrets • Failure to take reasonable measures to

protection trade secrets may result in the loss of such trade secrets – Also true for intellectual property


Preserving Trade Secrets • Disallow personally owned devices • Limit nature of information on personally

owned devices • Consider purchasing devices for employees

– CYOD

• Use of BYOD Policies


Preserving Trade Secrets • Written BYOD policy

– Demonstrates company has undertaken reasonable measures to protect its trade secrets

– Courts look to what measures a company took • Without a written BYOD policy, did the company take

adequate precaution?


BYOD Effect on Trade Secrets • Trade Secrets exist in electronic form

– Instantaneous email, transfer or posting online • Uncontrollable, widespread dissemination

– Inadvertent disclosure by sharing device or using in an unsecure location


BYOD Effect on Trade Secrets • Company data stored and transmitted by

devices and over networks not controlled by the company

• How to allow BYOD and Trade Secrets co-exist


Information Leakage • Lost, stolen, hacked or exposed to malware • The “friends and family plan” • Poof – its in the cloud • Location, location, location… you took the

device where?!?!


Protecting Trade Secrets • What are reasonable efforts?

– Case-by-case – State-by-state – Courts review measures taken by employer to

maintain secrecy of information

• Policy considerations – Written agreements – Limiting access and copies – State “confidential,” “proprietary,” “trade secret”


Confidentiality Agreements • Most recognized way to protect trade secrets • Must be also be enforceable after employee

leaves company – Policies generally are not applicable to departed

employees


Malware – Threats • Drains battery life

• Renders device non-functional

• Could infect company systems

• Deletes information from device

• Snoopware - records and transmits information


Malware – Policy • Policies must account for third party

applications – Consider whether one can defeat a claim that a

company has taken adequate steps to protect confidential information or trade secrets

• Policies must address whether and how such third party applications can be downloaded and installed


Information Security • Extending the corporate security policy to BYOD • Enforcing security policies on BYOD • BYOD security software • Remote wipe • Tracking • Regular audit of information/data security

policies to ensure they provide adequate protection


Information Security • Malware on mobile devices • Mobile device management (“MDM”) solution

– Consider employee work arounds or exporting data outside of corporate environment / MDM solution

• Data transferred over both secured and unsecured networks


Information Security • BYOD devices use of cloud networks

– Information is pushed and pulled from devices to cloud providing an additional outlet for theft of trade secrets

– Many cloud services make theft easier than breaking into company’s servers

– Information resident on cloud services is not inventoried


Shared Use of Device • Friends, family, neighbors, etc. • A risk that cannot be completely controlled

– Impossible to obtain consent – Policy coverage

• Security implications • Company proprietary and confidential

information at risk • Privacy and other issues


Employee Disposal • EOL of BYOD • The eBay threat, garage sales, Craig’s list

– Army hardware being sold on streets of Afghanistan – Broker-dealer Blackberry on eBay

• Company notice of sale or transfer – Policy issue

• Terminated employees likely to be reluctant


Misappropriation of Trade Secrets • UTSA imposes liability for misappropriation of

trade secrets – Use or disclosure of trade secret, or – Acquisition by improper means

• Problem - Employee already has right to store company information on personal device

• Collecting evidence – Company owned device versus personally owned

device


Selected Regulations


Healthcare • Health Insurance Portability and Accountability

Act of 1996 (HIPAA) • Health Information Technology for Economic

and Clinical Health (HITECH) Act – expanded HIPAA security standards to encompass

business associates (i.e., vendors, contractors, and subcontractors that access, use, disclose, or create PHI on covered entities’ behalf)


Healthcare • Information Security Regulations (“Security

Rule”) pursuant to HIPAA – Required implementation of technical, physical and

administrative safeguards for protected health information (PHI) in electronic form

– 45 CFR Parts 160, 162 and 164


Healthcare • The HIPAA Privacy Rule

– Protects PHI – Applies to health plans, health care clearinghouses,

and those health care providers that conduct certain health care transactions electronically

– Requires appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization

– 45 CFR Part 160 and Subparts A and E of Part 164


Healthcare • American Recovery and Reinvestment Act

(ARRA) & HITECH Act – Prohibit storage of unencrypted personally

identifiable information and protected health information on any computing device


Financial • Consider rules requiring that internal

communications regarding a company’s business and those with its customers be maintained, retrievable and reviewed – SEC Rules 17a-3 and 17a-4 – NASD Rules 2210, 3010, 3110 & 31101 – NYSE & NASD “Joint Guidance” regarding capture

of communications between broker/dealers and customers


Financial • Gramm-Leach-Bliley Act (GLBA)

– Covers information created or received by a “financial institution” as part of a customer relationship

• 15 U.S.C. ßß 6801 – 6809

– Financial institutions must protect an individual’s personal information


Contact Info

Aaron K. Tantleff, Esq. Senior Counsel IP / IT & Outsourcing Foley & Lardner LLP Tel: 312.832.4367 [email protected]

mailto:[email protected]

Michael N. Westheimer Buchalter Nemer PC 55 Second Street, Suite 1700 San Francisco, California 94105 Direct: (415) 227-3530 Fax: (415) 904-3111 Email: [email protected]


Presenter

Presentation Notes

Agenda

• Proliferation of BYOD in the workplace • Dual objectives of a BYOD policy

Protection of confidential business information and trade secrets

Compliance with employment laws / HR best practices

• Strategic implementation

43

Proliferation of BYOD

Gartner Study (April 2013)

• By 2017, half of employers will require employees to supply their own device for work purposes

Reasons for Proliferation of BYOD

• More mobile workforce • Increased productivity • Cost savings • Employees want it

44

Protecting Trade Secrets

“Trade Secret” - Uniform Trade Secrets Act

• Not generally known to other persons, and not readily ascertainable by proper means by other persons

• Is the subject of reasonable efforts to maintain its secrecy

Apple v. Psystar (N.D. Cal. 1/3/12) – Public disclosure is fatal to existence of trade secret – No protection if information is discovered by fair and honest

means, including accidental disclosure

45


Reasonable Efforts - Restatement (Third) of Unfair Competition § 39, cmt (g)

• Physical security designed to prevent unauthorized access • Procedures to limit disclosure based on “need to know” • Measures to emphasize to recipients the confidential

nature of the information

Art of Living Foundation v. Does (N.D. Cal. 5/1/12) – Reasonable efforts can include:

1. Advising employees of existence of trade secret 2. Limiting access to information on a need to know basis 3. Requiring employees to sign confidentiality agreements 4. Keeping secret documents under lock

46


FormFactor v. Micro-Probe (N.D. Cal. 6/7/12) • No confidentiality agreement • Employee was allowed to use personal email and personal

home computer for company business, and to back up data onto external hard drives

• No request to return company data when employee resigned

• Company lacked evidence that documents had never been publicly disclosed or placed in public domain

47

Company-Provided Devices

Company-Owned Device Usage Policy • Device is company property • Device is to be used for business purposes • Company reserves right to inspect device • Company is monitoring employee’s use of device • Employee’s use of device is being recorded • Employee has no right of privacy • Device and all data must be returned at end of

employment

48

Privacy Rights

Computer Fraud and Abuse Act (CFAA) • Prohibits intentionally accessing and obtaining

information from a protected computer without authorization or exceeding authorized access

Stored Communications Act (SCA) • Protects electronic communications transmitted via an

electronic communication service that are in electronic storage and not public

• Prohibits intentionally accessing the communication without authorization or exceeding authorized access and obtaining, altering or preventing authorized access to it

49

Privacy Rights

Ehling v. Monmouth-Ocean Hosp. Service (D. N.J. 8/20/13) • Non-public Facebook wall posts are protected

communications under SCA • Here no violation because a co-worker that employee

“friended” had authorized access to her wall, voluntarily took screenshots and gave them to employee’s manager

Pure Power Boot Camp v. Warrior Fitness Boot Camp (S.D. N.Y. 8/23/08, 12/22/10)

• Company violated SCA by accessing former employee’s personal emails from Hotmail and Gmail accounts

• Court rejected argument that authorization was implied because employee had logged in from work computer 50

Privacy Rights

Social Media Privacy Statutes • A growing number of states have these: Arkansas, California, Colorado,

Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Washington

California Labor Code § 980 (effective 1/1/13) • Employer shall not require or request employee or applicant to:

1. Disclose username or password for the purpose of accessing personal social media

2. Access personal social media in employer’s presence 3. Divulge any personal social media

• Exception: personal social media reasonably believed to be relevant to investigation of allegations of employee misconduct or violation of law

• OK to get username / password to access employer-issued device

51

Privacy Rights

Personal privacy • Financial • Sexual matters / sexual orientation • Medical condition / records • Genetic information

HR Best Practices • Employment decisions based on job-related criteria • Restricting information about protected status – age,

ethnicity, national origin, disability, marital status, etc.

52

Strategic Implementation

BYOD Policy • Addresses onboarding, use during employment,

termination of employment • Sets protocols for appropriate use and data protection • Establishes confidentiality, nondisclosure • Creates consent to access and obtain information • Curtails privacy expectations

Mobile Device Management (MDM) • Reasonable efforts to protect trade secrets • Prevention of intentional misappropriation and

inadvertent disclosure

53

Strategic Implementation

Considerations • Finding the right balance • Functionality vs. preserving confidentiality • Keeping trade secrets under lock • Scope of consent / authorization to access • Voluntary consent • Segregating work use and personal use • Reimbursement • On-the-clock / salary test issues

54

Michael N. Westheimer Buchalter Nemer PC 55 Second Street, Suite 1700 San Francisco, California 94105 Direct: (415) 227-3530 Fax: (415) 904-3111 Email: [email protected]

Questions?

55

Presenter

Presentation Notes

Documents

Bring Your Own Device in the Workplace: Minimizing Legal ...media.straffordpub.com/.../presentation.pdf · 9/18/2013 · ©2013 Foley & Lardner LLP • Attorney Advertising • Prior