Tech@Work: How Employers Can Thrive in the Digital Workplace



Training seminar for Hawaii Employers Council members on June 13, 2013
Presenters: Elijah Yip, Esq. (Cades Schutte LLP) and Michael Miranda, Esq. (Hawaiian Telcom)

Topics covered:
- Social media in the workplace
- Electronic signatures

Published in: Real Estate, Business, Career

  1. 1. ELIJAH YIP
     • Litigation partner at Cades Schutte LLP
     • Practices commercial litigation, media law
     • Founder and chair of firm’s Digital Media and Internet Law practice group
     • Twitter Handle: @LegalTXTS
     • Hashtag for this training seminar - #hectech
  2. 2. SOCIAL MEDIA & EMPLOYMENT (Image by David Saunders [CC-BY-SA-2.0] via Flickr)
  3. 3. TOPICS COVERED
     • Social media policies
     • Social media in hiring
     • Discipline and investigation related to social media conduct of employees
  4. 4. SM POLICIES – NLRB Memos
     • Issued memos on:
       – August 18, 2011
       – January 24, 2012
       – May 30, 2012
     • Memos do not have force of law, but do create risk for employers wanting to adopt certain policies. Must weigh various risks.
  5. 5. SM POLICIES – NLRB Memos
     • Employers generally can’t have social media policy that prohibits employees from:
       – Harming employer’s reputation or criticizing employer on social media
       – Using company information (including trademarks, logos) on personal social media profiles
       – Discussing controversial topics on social media
  6. 6. SM POLICIES – NLRB Memos
       – Speaking to media about terms and conditions of employment
       – Airing out work concerns on social media instead of using internal procedures
     • On Sept. 7, 2012, NLRB published first decision re social media in which it followed the logic of the Guidance Memos in striking down Costco’s social media policy
  7. 7. SM POLICIES – Guiding Principles
     • Deter high-risk social media behavior (i.e., loss prevention for employer)
     • Try to comply with employment and labor laws
     • Create parameters for appropriate and beneficial social media use
  8. 8. SM POLICIES – The Essentials
     • Define what “social media” is
     • State to whom policy applies; might need more than one policy
     • Limit when and how employees may use social media
     • Remind employees of dangers and ramifications of using social media
  9. 9. SM POLICIES – The Essentials
     • Set guidelines for when and how employees may (or may not) use social media on behalf of employer
     • Set guidelines on interactions with, or statements about, co-workers
     • Set guidelines on interactions with, or statements about, outsiders
     • Describe consequences of non-compliance
  10. 10. SM POLICIES – Suggested Points
     • Limit use of company equipment for purposes of social media activity
     • Remind employees to use good judgment
     • Permanency of online content
     • No such thing as anonymity
     • Blurring of work and personal lives
  11. 11. SM POLICIES – Suggested Points
     • Encourage courtesy and civility
     • Prohibit discriminatory remarks, harassment, threats of violence, unlawful conduct
     • Remind employees to disclose affiliation with employer when posting content that promotes company or its products/services
  12. 12. SM POLICIES – Suggested Points
     • Protect intellectual property and trade secrets
     • Clarify ownership and control over social media assets
     • Link to existing company policies
     • Link to applicable professional codes of conduct
     • Set guidelines on media relations
  13. 13. SM IN HIRING
     • 37% of companies are researching job candidates using social networking sites (Source: 2012 CareerBuilder survey)
     • Managers may be researching applicants on social media already even if HR doesn’t know it
     • Need to implement policies to minimize risk
     • Gaskell v. University of Kentucky (E.D. Ky. 2010)
  14. 14. SM IN HIRING – Password Requests
     • 36 states are considering employer social media password request laws
     • Bills introduced at HI legislature this year did not pass
     • Possible federal legislation
  15. 15. SM IN HIRING – Good Practices
     1. Be consistent
     2. Limit searches to publicly accessible sites
     3. Update hiring procedures/train managers
     4. Consider using HR specialist as a filter
     5. If using a third-party vendor, comply with FCRA requirements
  16. 16. SM DISCIPLINE – General Rules
     • Employees can be disciplined or terminated for their social media conduct, but…
     • Beware of violating NLRA. Ask: Did employee engage in “concerted, protected activity”?
       – Did the employee discuss the terms and conditions of employment?
       – Did the employee discuss the post or the subject matter with other employees?
       – Was the employee trying to bring a concern to management’s attention?
  17. 17. SM DISCIPLINE – Example Cases
     • Hispanics United of Buffalo, Inc.: Employees posting Facebook messages about co-worker’s criticisms of their work habits
     • Pier Sixty, LLC: Calling manager nasty names but ending post with “Vote YES for the UNION.”
     • Design Technology Group, LLC: Facebook messages complaining about manager’s denial of request to close store earlier
  18. 18. SM INVESTIGATIONS
     • EEOC: harassment via social media raises “same types of issues”
     • Failure to investigate complaints about harassment and take corrective action could expose employers to liability
     • Espinoza v. County of Orange (Cal. Ct. App. Feb. 9, 2012)
  19. 19. Michael Miranda
     • Maryknoll 1990, UCF, Gonzaga, UH
     • Miranda Rights
     • Geek Passion
     • Coder at Heart
     • Cyber Security Spartan
     • Hawaiian Telcom
  20. 20. Hawaiian Telcom does not specifically endorse any of the companies mentioned in this presentation.
  21. 21. SOCIAL NETWORKING SITES
     • Michael Miranda, Sr. Manager, Hawaiian Telcom
  22. 22. HR Considerations
     • “Eyeballs” are on SNS, it is the “norm”
     • Branding must extend and be consistent on social media sites
     • Opportunities to advertise (i.e. LinkedIn)
     • Open and public interactive communications
  23. 23. Risks and Mitigation
     • Risks
       – Informal communications may become “business” communications
       – Critical reviews can hurt your business
       – Stolen user account credentials could be used to hurt your image and business
     • Mitigation
       – Be formal with all communications
       – Do not conduct transactions on SNS
       – Monitor and respond to negative reviews quickly
       – Strategize to protect your user account credentials
  24. 24. Wired (12/2012)
  25. 25. “hackers destroyed my entire digital life in the span of an hour”
     • Victim Account Info Needed:
       – Master Email Address (for recoveries)
       – Billing Address
       – Last 4 Digits of a Credit Card
       – No Advanced Security Beyond Password
     • Social Engineered and Exploited Procedures to Gain Access to his accounts with: Apple, Gmail, Amazon and Twitter
  26. 26. Damage
     • Deleted 8 years worth of email on Gmail
     • Took over Twitter account to broadcast offensive messages
     • Erased all data on iPhone, iPad and Macbook
       – Family photos
       – Work documents and email
  27. 27. User Account Strategy
     • Use a separate business email address for SNS and other business activity, including background checks
     • Use an alias email address instead of a real email address (even for recovery email addresses)
  28. 28. Example addresses:
     • airjordan808@yahoo.com
     • airjordan808@hotmail.com
     • airjordan808@gmail.com
     • airjordan808@me.com
     • airjordan808@live.com
     • miranda@university.edu
     • MY alias for all transactions) private!) private!)
  29. 29. .com
     • Commit to an Online Presence on The Popular Platforms
     • Treat as a Primary Communication Channel
     • Monitor/Respond Timely and Professionally
  30. 30. SNS for Business…Securely
     • Only for informational business communications. DO NOT:
       – Contract using SNS messaging
       – Transmit or receive sensitive information
     • Monitor and respond consistently
     • Segregate and protect business SNS accounts
     • Use two-factor authentication when available
  31. 31. BYOD
     • Michael Miranda, Sr. Manager, Hawaiian Telcom
  32. 32. Why BYOD?
     1. Ease of working outside the office
     2. Staff have relevant equipment
     3. Attract and retain top talent (any age)
     4. Reduce device management costs
     5. Attract and retain younger workers
     • Source:
  33. 33. Expected Benefits of BYOD?
     1. Improved Employee Satisfaction
     2. Increased worker productivity
     3. Greater mobility for workers
     4. More flexible work environments for employees
     5. Reduced IT costs
     • Source:
  35. 35. SMBs Represent 94% of All Hawaii Businesses
     • 80% have 20 Employees or Less
  41. 41. Mobile Users
     • 90% Acted Within 24 Hours
     • 94% Searched for Local Info
     • 70% Called a Business After Searching
     • 66% Visited in Person
     • 45% Use for In-Store Research
     • 722M Smartphones Shipped in 2012
  42. 42. BYOD Risks
     • Costs – Cheaper for employees or employers?
     • Physical Security
       – Weak Passcodes
       – Lost or Stolen
     • Intellectual property theft after job termination
  43. 43. Mobile Devices Attacked “Like its 1999”
     • Phishing Scams, Malicious Web Sites/Advertisements, Malicious Apps
     • Zbot.ANQ
       – Reportedly installs as a trojan on a Windows computer
       – Social engineers user to install software on mobile phone and to provide phone number to hacker
       – Hijacks SMS messages from banks to steal money
  44. 44. Chart (2011): Market Share, Malware
     • Apple iOS
       – Data is not public
       – Isolated reports of malware
       – 775,000 Apps!
  45. 45. Top 5 Mobile Content Associated with Malware
     1. Pornography
     2. Known Spam Sites
     3. Computer/Internet
     4. Web Advertisements
     5. Entertainment
  46. 46. LEGAL RISKS
  47. 47. LEGAL RISKS OF BYOD
     • Employment laws
     • Fair Labor Standards (FLSA)
     • Title VII (harassment and hostile work environment)
     • Health Insurance Portability and Accountability Act (HIPAA)
     • Gramm-Leach-Bliley Act (GLBA)
     • Sarbanes-Oxley Act (SOX)
  48. 48. LEGAL RISKS OF BYOD
     • Americans with Disabilities Act (ADA)
     • Section 5 of the Federal Trade Commission Act
     • Data disposal laws (HRS § 487R-2)
     • Security breach laws (HRS § 487N-2)
     • Hawaii Uniform Trade Secrets Act (HUTSA)
     • Privacy laws
     • E-discovery laws
  49. 49. FLSA – Overtime Requirements
     • Non-exempt employees must receive overtime pay (at least 1.5x regular pay rate) for hours worked over 40 in a workweek.
     • Employee doesn’t need to be asked to work beyond a 40-hour workweek to be entitled to overtime pay. He/she just needs to perform overtime work for employer’s benefit
     • Employees could rack up overtime by using personal devices for work w/o employee’s consent if no clear BYOD policy in place
  50. 50. FLSA – Allen v. City of Chicago
     • Chicago police officer sued employer under FLSA for working “off the clock” using department-issued PDAs or other electronic communication devices without receiving overtime pay.
     • Officer alleged that PDAs required them to be on call 24/7
     • In March 2011, court denied motion to dismiss
     • In January 2013, court granted conditional certification of a collective action for the case; 200 officers allowed to join action
  51. 51. FLSA – Tips
     • Be careful of relying on de minimis exception
     • Track hours worked remotely
     • Institute policy requiring prior written authorization to work remotely via mobile device. Make sure to communicate policy.
  52. 52. HIPAA
  53. 53. WHERE DOES YOUR LIVE?
  54. 54. HIPAA – Requirements
     • The issue is patient health information ending up on mobile devices
     • HIPAA mandates the “implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” 45 C.F.R. § 164.308(a)(1)
     • HIPAA also requires “physical safeguards for all workstations that access ePHI, to restrict access to authorized users.” 45 C.F.R. § 164.310(c)
  55. 55. HIPAA – Omnibus Rule
     • HIPAA Omnibus Rule took effect on March 23, 2013; compliance due date is September 23, 2013
     • HIPAA compliance used to be limited to “covered entities” and their “business associates”
     • Under Omnibus Rule, all providers of services to health care providers, health insurers, HMOs and employee health benefit plans must comply if they create, receive, or maintain protected health information on behalf of a covered entity
  56. 56. HIPAA – Lost or Stolen Devices
     • 40% of large HIPAA rule violations involved lost or stolen devices (per 2012 HHS study)
     • HHS: “[H]ad these devices been encrypted, their data would have been secured.”
     • Consider preventing local storage of patient data on mobile devices
  57. 57. Gramm-Leach-Bliley Act
  58. 58. GLBA – “Financial Institutions”
     • GLBA applies to “financial institutions.”
     • Scope of “financial institutions” can be broad.
       – mortgage brokers
       – nonbank lenders
       – real estate appraisers
       – educational institutions
  59. 59. GLBA – Safeguards Rule
     • Each covered institution must develop, implement, and maintain a “comprehensive information security program”
     • Program must include “administrative, technical and physical safeguards”
  60. 60. GLBA – Safeguards Rule
     • Program objectives are to:
       – Insure the security and confidentiality of customer information
       – Protect against any anticipated threats or hazards to the security or integrity of such information; and
       – Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
  61. 61. GLBA – Information Covered
     • Applies to all “customer information” in possession of financial institution
     • Information does not have to pertain to customer of financial institution
     • Can be information of customer of other financial institutions that provided the information
  62. 62. GLBA – “Customer Information”
     • “Customer Information” is any information:
       – a consumer provides to obtain a financial product or service from the institution
       – about a consumer resulting from any transaction with the institution involving a financial product or service; or
       – otherwise obtained about a consumer in connection with providing a financial product or service to that consumer
  63. 63. GLBA – Risks
     • Inadvertent disclosure of customer information
     • Malware
     • Residual storage of customer information
  64. 64. HUTSA – What’s a “Trade Secret”?
     • HUTSA allows claim for misappropriation of a trade secret
     • Definition of “trade secret” requires that reasonable efforts were taken to maintain secrecy of the alleged trade secret
     • Allowing employees to store proprietary data on personal device can destroy reasonableness of efforts to maintain secrecy
  65. 65. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
     • One of the defendants (Mitchell) used to work for the Plaintiff cryogenics company (Kendall)
     • While working for Kendall, Mitchell maintained backup set of proprietary shop drawings at his home (paper & electronic) with Kendall’s permission
     • After Mitchell stopped working for Kendall, he was not asked to return drawings
  66. 66. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
     • Mitchell then started working for a competing company, who used shop drawings to develop its product line
     • In lawsuit that followed, trial court granted summary judgment to defendants on trade secret misappropriation claim
     • On appeal, defendants argued that shop drawings were not “trade secrets” because Kendall didn’t take reasonable efforts to protect their secrecy
  67. 67. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
     • Plaintiff took these precautions:
       – Stamped shop drawings with legend barring disclosure or transmission to unauthorized parties
       – Included confidentiality provision in Mitchell’s employment contract
       – Maintained policies “that attest to the company’s desire to protect confidentiality and safeguard proprietary information”
  68. 68. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
     • Sixth Circuit held that the shop drawings could qualify as “trade secrets” based on those efforts at preserving their secrecy
     • Reversed trial court
  69. 69. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
     • Key takeaways:
       – Be careful of letting employees store proprietary information at home
       – Have employees sign confidentiality agreements
       – Keep inventory of all info stored at employee’s home
       – Have separating employees sign acknowledgement that he/she no longer possesses proprietary info
  71. 71. PRIVACY – UH Data Breach
     • Retired UH professor posted personal data of over 90,000 faculty, students, alumni on public web server
     • Hackers gained access to private records of 53,000 students and employees on Mānoa campus
     • Former student files class action against UH for violation of constitutional right of privacy
     • Lawsuit settled in April 2012
  72. 72. PRIVACY – Personal Data
     • Potential liability for remote wiping
       – Intrusion into seclusion
       – Other possible tort claims: conversion, trespass
     • Potential liability for accessing personal data on dual-use devices
       – Stored Communications Act
       – Computer Fraud and Abuse Act
  73. 73. E-DISCOVERY & BYOD
     • Duty to preserve electronic data (litigation holds)
     • Practical challenges of e-discovery of data on dual-use devices
     • Identifying BYOD devices/information
     • Collecting data from dual-use devices
     • What data does the employer “control”?
  74. 74. Essential Security Controls
     • Policies
     • Firewall (Perimeter and End Point)
     • IPS/IDS
     • Encrypted Transmissions
     • Secure Authentication
     • Vulnerability Management
     • Secure Systems with Updates
     • Access Control
     • Log and Event Reviews
     • Testing and Validation
  75. 75. Additional technologies
     • Virtual Desktop Infrastructure
     • ActiveSync (MS Exchange)
     • Network Access Control
     • Mobile Device Management
  76. 76. Mobile Device Management
     • Employee-Owned
     • Hardware
     • Operating System (MDM)
     • Applications (MDM)
     • Data
  77. 77. MDM Considerations (Feature / Employee Consideration)
     • Feature: Company assumes control of most features on the device.
       – Employee consideration: Device is now co-managed with employer and employer may have visibility into use of personal device.
     • Feature: Company can control which applications can be installed.
       – Employee consideration: Employee will lose certain features once connected to the company network; dependent on company policy.
     • Feature: Isolation of company data.
       – Employee consideration: Can only access company data from approved applications on the mobile device.
     • Feature: Remote-wipe of data, and possibly of whole device.
       – Employee consideration: Risk that personal data will also be deleted.
     • Feature: Remote locking of device by company.
       – Employee consideration: Risk that personal use of the device may be blocked by employer upon termination of employment or other HR action.
  79. 79. Essential Considerations
     • Do you need to support BYOD?
       – Morale, Productivity, Technology, Cost
       – Which devices/OS’s? What data? Which applications? Who?
     • Essential Security Controls are Primary
       – Network Security
       – Systems Security
       – Policies
     • Additional Technologies Enhance Essential Security (not a substitute)
       – VDI, ActiveSync, NAC, MDM
     • Essential Network Security Goes a Long Way
  80. 80. Other Considerations
     • Working Hours
       – BYOD = 24x7 Availability
       – Specify response policies to company communications received on employee-owned devices and when overtime applies
     • General Company Policies Apply
       – Send official company communications using company email addresses only
       – Use branded company templates for emails
       – Use only the communications technologies specifically approved for use (can’t use Twitter if company does not use Twitter)
       – Phone calls to customers should originate from company phone numbers; unless there is an extenuating circumstance
  81. 81. BYOD Final Tips
     • Keep Mobile OS updated and Use Passcode Locks
     • Assume mobile device is vulnerable at all times and only visit known safe sites
     • Carefully research apps prior to installation
     • Do NOT Jailbreak
     • Include Mobile Devices in Overall Cyber Security Planning
  82. 82. Michael 546-8200
  83. 83. Electronic Signatures
  84. 84. E-SIG – Uses For Employers
     • Documents that are impractical to obtain hard-copy signatures for
     • Onboarding for new-hire paperwork
     • Form I-9
     • Form W-4
     • Benefits administration
  85. 85. E-SIG – E-SIGN and UETA
     • Federal law: Electronic Signatures in Global and National Commerce Act (E-SIGN)
     • State law: Uniform Electronic Transactions Act (UETA) – HRS Chapter 489E
     • E-SIGN applies to contracts affecting interstate or foreign commerce
     • E-SIGN may be overridden by state law where UETA has been adopted
  86. 86. “Electronic signature” means “any electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
     • Technology neutral. Examples of e-sigs:
       – Typed name or signature block
       – Digitized image of signature
       – Digital signature (PKI encryption)
       – Biometric identification
  87. 87. E-SIG – E-SIGN and UETA
     • E-sigs have same legal effect as handwritten ones
     • Contract not invalid just because electronic record or signature was used
     • If a law requires a record to be in writing, electronic record satisfies the law
     • Use and acceptance of electronic transactions is voluntary
  88. 88. E-SIG – E-SIGN and UETA
     • Technology neutral
     • Certain kinds of documents cannot be e-signed (e.g., wills, foreclosure or eviction notices)
     • UETA applies only where each party to an agreement has agreed to conduct the transaction in electronic form
  89. 89. E-SIG – E-Sig System Essentials
     • Signature must be unique to person using it
     • Signature must be verifiable as belonging to user
     • Signature must be under sole control of person using it
     • E-sig process must guarantee integrity of signature and document, ensuring that contents of document remain unaltered
     • Capture and preserve signer’s intention that e-sig has same force and effect as handwritten signature
  90. 90. E-SIG – Other General Tips
     • E-sigs are not new, but legal precedent on enforceability of e-sigs is still developing
     • If you expect the document to end up in litigation, consider using paper signatures. E.g., arbitration agreements, trademark agreements, non-competes
       – Neuson v. Macy’s Department Stores
  91. 91. E-SIG – Other General Tips
     • Obtain each employee’s written consent to use e-sigs for HR-related documents
       – Consent is based on the context and surrounding circumstances
       – Better practice is to have employee or applicant sign separate written agreement to consent to use of e-sigs. The consent doesn’t need to be separate if the main document to be signed is in electronic form, e.g., a “click-wrap”
  92. 92. E-SIG – Other General Tips
     • Develop e-sig and document retention policy
     • Train employees on the policies
  93. 93. E-SIG – Arbitration Agreements
     • Employment agreements often contain terms to the effect that the employee agrees to resolve disputes by arbitration
     • Courts are split on enforceability of arbitration agreements that are e-signed
  94. 94. E-SIG – Arbitration Agreements
     • Not enforceable: Campbell v. General Dynamics Gov’t Sys. Corp. (1st Cir. 2005); Kerr v. Dillard Store Services, Inc., (D. Kan. Feb. 17, 2009)
     • Enforceable: Bell v. Hollywood Entertainment Corp. (Ohio Ct. App. Aug. 3, 2006)
  95. 95. Elijah Yip, 521-9326
     • Blog: www.legaltxts.com
     • Twitter: @LegalTXTS