Bring Your Own Device in the Workplace: Minimizing Legal Risks of BYOD Programs Protecting Employers' Proprietary Information by Developing and Enforcing Effective Policies and Procedures
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
WEDNESDAY, SEPTEMBER 18, 2013
Presenting a live 90-minute webinar with interactive Q&A
Eric Schlissel, CEO, GeekTek IT Services, Los Angeles
Aaron K. Tantleff, Senior Counsel, Foley & Lardner, Chicago
Michael N. Westheimer, Shareholder, Buchalter Nemer, San Francisco
Bring Your Own Device in the Workplace: Minimizing Legal Risks of BYOD Programs
Eric Schlissel CEO, GeekTek IT Services
Bring Your Own Device
• Employees are bringing their own tools to the workplace, accessing company intellectual property and data
• Drivers behind the Bring Your Own Device (BYOD) momentum
– Employee Demand
– Consumerization of IT
– Improved Mobility
– Increased Productivity
– Perceived Cost Savings
40% of workers are using their personal devices to access business applications & resources. (Source: AirWatch Whitepaper)
Current State
• The BYOD adoption rate is accelerating even where company policies aren’t in place, and is outpacing security strategies
• Half of employers will require employees to supply their own work devices by 2017 (Source: Gartner)
• Many major corporations have a BYOD policy, such as IBM and Colgate-Palmolive
• Industries adopting Mobility: Banking, Entertainment, Healthcare, Financial Services, Education, Manufacturing, Retail, Automotive (Source: [x]cube labs)
71 million BYOD devices in use in America today, expected to grow to 108 million by 2016 (Source: Cisco Survey)
BYOD Support (chart; Source: ZDNet / Tech Republic)
Risks of BYOD
• IT has limited or partial control of devices
• Company data mingling with personal data
• Lost and stolen devices
• Shared devices
• Unauthorized access to devices
• Improper disposal of old devices
• Data recovery post employment separation
“35% of IT leaders and 25 percent of IT professionals are not confident their organization’s BYOD policy is compliant with data and privacy protection acts, HIPAA, Dodd-Frank or other government-mandated regulations.” (Source: Teksystems’ Survey)
Shadow IT
• Company-provided tools are not as easy to use as consumer-grade tools
• Employees use the tools that work for them, not necessarily those provided by IT, creating Shadow IT
• Shadow IT creates problems with compliance
• When employees use their own software, company trade secrets are not under IT management
• Creates data silos between employees, vendors and partners
Of the office workers surveyed, 42% would use "unapproved" cloud services to get a job done, and 36% already have. (Source: Imperial College Business School Survey)
Mobile Attack Methods
• Outdated Operating Systems
• Jailbroken Devices
• Lax Device Security
• SMS Attacks
• Marketplace Vulnerabilities
• Malware
• Fake Apps
• Hardware Hacks
At the end of this quarter (Q3 2013), the total number of samples in our mobile malware “zoo” reached 50,926, with 28 percent of that arriving in 2013. (Source: McAfee)
Android Malware (chart: New Android Malware; Source: Symantec)
Mobile Device Management
• Centralized policy and configuration management for mobile devices
• Secure, monitor, manage and support mobile devices and tablets
• Simplifies support of mobile devices
• Automatically configures email and other settings
• Supports most Android, Windows and iOS devices
• Over-the-air hardware, software and network inventory
• Similar to PC life cycle management tools
• Over 100 key players in a market estimated at over $500 million (Source: Gartner Paper, Critical Capabilities for Mobile Device Management)
"33% of IT leaders & 46% of IT pros said their organizations lack the ability to remotely wipe data from employee devices if necessary." (Source: Computerworld)
Mobile Management Methods
• Containerization
• App Wrapping
• MAM – Mobile Application Management
• MCM – Mobile Content Management (aka MIM)
• Mobile Virtualization
"73% of IT leaders and IT professionals said poor BYOD policies put sensitive corporate data at risk by potentially exposing it on personal mobile devices." (Source: Computerworld)
Eric Schlissel CEO, GeekTek IT Services 4344 Laurel Canyon Blvd., Suite 6 Studio City, CA 91604 [email protected] Direct: 323-518-1200 www.geektek.com Twitter: @geektek
©2013 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
Bring Your Own Device in the Workplace: Minimizing Legal Risks of BYOD Programs
Aaron Tantleff September 18, 2013
BYOD is Uncharted Territory
• Who owns the device?
– BYOD versus CYOD
• Who owns the data?
– Does it matter, personal versus corporate data?
• Courts have not addressed unique aspects of BYOD
• No laws specific to BYOD
What is a Trade Secret?
• Defined State-by-State
• Uniform Trade Secret Act (UTSA)
– “Trade secret means information, including a formula, pattern, compilation, program, device, method, technique or process, that:
• derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and
• is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”
Preserving Trade Secrets
• Failure to take reasonable measures to protect trade secrets may result in the loss of such trade secrets
– Also true for intellectual property
Preserving Trade Secrets
• Disallow personally owned devices
• Limit nature of information on personally owned devices
• Consider purchasing devices for employees
– CYOD
• Use of BYOD Policies
Preserving Trade Secrets
• Written BYOD policy
– Demonstrates company has undertaken reasonable measures to protect its trade secrets
– Courts look to what measures a company took
• Without a written BYOD policy, did the company take adequate precaution?
BYOD Effect on Trade Secrets
• Trade Secrets exist in electronic form
– Instantaneous email, transfer or posting online
• Uncontrollable, widespread dissemination
– Inadvertent disclosure by sharing device or using it in an unsecure location
BYOD Effect on Trade Secrets
• Company data stored and transmitted by devices and over networks not controlled by the company
• How to allow BYOD and trade secrets to co-exist
Information Leakage
• Lost, stolen, hacked or exposed to malware
• The “friends and family plan”
• Poof – it’s in the cloud
• Location, location, location… you took the device where?!?!
Protecting Trade Secrets
• What are reasonable efforts?
– Case-by-case
– State-by-state
– Courts review measures taken by employer to maintain secrecy of information
• Policy considerations
– Written agreements
– Limiting access and copies
– State “confidential,” “proprietary,” “trade secret”
Confidentiality Agreements
• Most recognized way to protect trade secrets
• Must also be enforceable after employee leaves company
– Policies generally are not applicable to departed employees
Malware – Threats
• Drains battery life
• Renders device non-functional
• Could infect company systems
• Deletes information from device
• Snoopware - records and transmits information
Malware – Policy
• Policies must account for third party applications
– Consider whether one can defeat a claim that a company has taken adequate steps to protect confidential information or trade secrets
• Policies must address whether and how such third party applications can be downloaded and installed
Information Security
• Extending the corporate security policy to BYOD
• Enforcing security policies on BYOD
• BYOD security software
• Remote wipe
• Tracking
• Regular audit of information/data security policies to ensure they provide adequate protection
Information Security
• Malware on mobile devices
• Mobile device management (“MDM”) solution
– Consider employee workarounds or exporting data outside of corporate environment / MDM solution
• Data transferred over both secured and unsecured networks
Information Security
• BYOD devices’ use of cloud networks
– Information is pushed and pulled from devices to the cloud, providing an additional outlet for theft of trade secrets
– Many cloud services make theft easier than breaking into company’s servers
– Information resident on cloud services is not inventoried
Shared Use of Device
• Friends, family, neighbors, etc.
• A risk that cannot be completely controlled
– Impossible to obtain consent
– Policy coverage
• Security implications
• Company proprietary and confidential information at risk
• Privacy and other issues
Employee Disposal
• EOL of BYOD
• The eBay threat, garage sales, Craigslist
– Army hardware being sold on streets of Afghanistan
– Broker-dealer Blackberry on eBay
• Company notice of sale or transfer
– Policy issue
• Terminated employees likely to be reluctant
Misappropriation of Trade Secrets
• UTSA imposes liability for misappropriation of trade secrets
– Use or disclosure of trade secret, or
– Acquisition by improper means
• Problem - Employee already has right to store company information on personal device
• Collecting evidence
– Company owned device versus personally owned device
Selected Regulations
Healthcare
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
– expanded HIPAA security standards to encompass business associates (i.e., vendors, contractors, and subcontractors that access, use, disclose, or create PHI on covered entities’ behalf)
Healthcare
• Information Security Regulations (“Security Rule”) pursuant to HIPAA
– Required implementation of technical, physical and administrative safeguards for protected health information (PHI) in electronic form
– 45 CFR Parts 160, 162 and 164
Healthcare
• The HIPAA Privacy Rule
– Protects PHI
– Applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically
– Requires appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization
– 45 CFR Part 160 and Subparts A and E of Part 164
Healthcare
• American Recovery and Reinvestment Act (ARRA) & HITECH Act
– Prohibit storage of unencrypted personally identifiable information and protected health information on any computing device
Financial
• Consider rules requiring that internal communications regarding a company’s business and those with its customers be maintained, retrievable and reviewed
– SEC Rules 17a-3 and 17a-4
– NASD Rules 2210, 3010, 3110 & 31101
– NYSE & NASD “Joint Guidance” regarding capture of communications between broker/dealers and customers
Financial
• Gramm-Leach-Bliley Act (GLBA)
– Covers information created or received by a “financial institution” as part of a customer relationship
• 15 U.S.C. §§ 6801–6809
– Financial institutions must protect an individual’s personal information
Contact Info
Aaron K. Tantleff, Esq. Senior Counsel IP / IT & Outsourcing Foley & Lardner LLP Tel: 312.832.4367 [email protected]
Michael N. Westheimer Buchalter Nemer PC 55 Second Street, Suite 1700 San Francisco, California 94105 Direct: (415) 227-3530 Fax: (415) 904-3111 Email: [email protected]
Bring Your Own Device in the Workplace: Minimizing Legal Risks of BYOD Programs
Agenda
• Proliferation of BYOD in the workplace
• Dual objectives of a BYOD policy
– Protection of confidential business information and trade secrets
– Compliance with employment laws / HR best practices
• Strategic implementation
Proliferation of BYOD
Gartner Study (April 2013)
• By 2017, half of employers will require employees to supply their own device for work purposes
Reasons for Proliferation of BYOD
• More mobile workforce
• Increased productivity
• Cost savings
• Employees want it
Protecting Trade Secrets
“Trade Secret” - Uniform Trade Secrets Act
• Not generally known to other persons, and not readily ascertainable by proper means by other persons
• Is the subject of reasonable efforts to maintain its secrecy
Apple v. Psystar (N.D. Cal. 1/3/12)
– Public disclosure is fatal to existence of trade secret
– No protection if information is discovered by fair and honest means, including accidental disclosure
Protecting Trade Secrets
Reasonable Efforts - Restatement (Third) of Unfair Competition § 39, cmt (g)
• Physical security designed to prevent unauthorized access
• Procedures to limit disclosure based on “need to know”
• Measures to emphasize to recipients the confidential nature of the information
Art of Living Foundation v. Does (N.D. Cal. 5/1/12)
– Reasonable efforts can include:
1. Advising employees of existence of trade secret
2. Limiting access to information on a need to know basis
3. Requiring employees to sign confidentiality agreements
4. Keeping secret documents under lock
Protecting Trade Secrets
FormFactor v. Micro-Probe (N.D. Cal. 6/7/12)
• No confidentiality agreement
• Employee was allowed to use personal email and personal home computer for company business, and to back up data onto external hard drives
• No request to return company data when employee resigned
• Company lacked evidence that documents had never been publicly disclosed or placed in public domain
Company-Provided Devices
Company-Owned Device Usage Policy
• Device is company property
• Device is to be used for business purposes
• Company reserves right to inspect device
• Company is monitoring employee’s use of device
• Employee’s use of device is being recorded
• Employee has no right of privacy
• Device and all data must be returned at end of employment
Privacy Rights
Computer Fraud and Abuse Act (CFAA)
• Prohibits intentionally accessing and obtaining information from a protected computer without authorization or exceeding authorized access
Stored Communications Act (SCA)
• Protects electronic communications transmitted via an electronic communication service that are in electronic storage and not public
• Prohibits intentionally accessing the communication without authorization or exceeding authorized access and obtaining, altering or preventing authorized access to it
Privacy Rights
Ehling v. Monmouth-Ocean Hosp. Service (D. N.J. 8/20/13)
• Non-public Facebook wall posts are protected communications under SCA
• Here no violation because a co-worker that employee “friended” had authorized access to her wall, voluntarily took screenshots and gave them to employee’s manager
Pure Power Boot Camp v. Warrior Fitness Boot Camp (S.D. N.Y. 8/23/08, 12/22/10)
• Company violated SCA by accessing former employee’s personal emails from Hotmail and Gmail accounts
• Court rejected argument that authorization was implied because employee had logged in from work computer
Privacy Rights
Social Media Privacy Statutes
• A growing number of states have these: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Jersey, New Mexico, Oregon, Utah, Washington
California Labor Code § 980 (effective 1/1/13)
• Employer shall not require or request employee or applicant to:
1. Disclose username or password for the purpose of accessing personal social media
2. Access personal social media in employer’s presence
3. Divulge any personal social media
• Exception: personal social media reasonably believed to be relevant to investigation of allegations of employee misconduct or violation of law
• OK to get username / password to access employer-issued device
Privacy Rights
Personal privacy
• Financial
• Sexual matters / sexual orientation
• Medical condition / records
• Genetic information
HR Best Practices
• Employment decisions based on job-related criteria
• Restricting information about protected status – age, ethnicity, national origin, disability, marital status, etc.
Strategic Implementation
BYOD Policy
• Addresses onboarding, use during employment, termination of employment
• Sets protocols for appropriate use and data protection
• Establishes confidentiality, nondisclosure
• Creates consent to access and obtain information
• Curtails privacy expectations
Mobile Device Management (MDM)
• Reasonable efforts to protect trade secrets
• Prevention of intentional misappropriation and inadvertent disclosure
Strategic Implementation
Considerations
• Finding the right balance
• Functionality vs. preserving confidentiality
• Keeping trade secrets under lock
• Scope of consent / authorization to access
• Voluntary consent
• Segregating work use and personal use
• Reimbursement
• On-the-clock / salary test issues
Michael N. Westheimer Buchalter Nemer PC 55 Second Street, Suite 1700 San Francisco, California 94105 Direct: (415) 227-3530 Fax: (415) 904-3111 Email: [email protected]
Questions?