Tech@Work: How Employers Can Thrive in the Digital Workplace

Training seminar for Hawaii Employers Council members on June 13, 2013
Presenters: Elijah Yip, Esq. (Cades Schutte LLP) and Michael Miranda, Esq. (Hawaiian Telcom)

Topics covered:
- Social media in the workplace
- BYOD
- Electronic signatures

Published in: Real Estate, Business, Career

Transcript

  • 1. ELIJAH YIP
      - Litigation partner at Cades Schutte LLP
      - Practices commercial litigation, media law
      - Founder and chair of firm’s Digital Media and Internet Law practice group
      - Twitter Handle: @LegalTXTS
      - Hashtag for this training seminar - #hectech
  • 2. SOCIAL MEDIA & EMPLOYMENT
      - Image by David Saunders [CC-BY-SA-2.0] via Flickr
  • 3. TOPICS COVERED
      - Social media policies
      - Social media in hiring
      - Discipline and investigation related to social media conduct of employees
      - #hectech @LegalTXTS
  • 4. SM POLICIES – NLRB Memos
      - Issued memos on:
          - August 18, 2011: http://1.usa.gov/RXYEOr
          - January 24, 2012: http://1.usa.gov/RXYxm6
          - May 30, 2012: http://1.usa.gov/RXYlTW
      - Memos do not have force of law, but do create risk for employers wanting to adopt certain policies. Must weigh various risks.
  • 5. SM POLICIES – NLRB Memos
      - Employers generally can’t have social media policy that prohibits employees from:
          - Harming employer’s reputation or criticizing employer on social media
          - Using company information (including trademarks, logos) on personal social media profiles
          - Discussing controversial topics on social media
  • 6. SM POLICIES – NLRB Memos
          - Speaking to media about terms and conditions of employment
          - Airing out work concerns on social media instead of using internal procedures
      - On Sept. 7, 2012, NLRB published first decision re social media in which it followed the logic of the Guidance Memos in striking down Costco’s social media policy
  • 7. SM POLICIES – Guiding Principles
      - Deter high-risk social media behavior (i.e., loss prevention for employer)
      - Try to comply with employment and labor laws
      - Create parameters for appropriate and beneficial social media use
  • 8. SM POLICIES – The Essentials
      - Define what “social media” is
      - State to whom policy applies; might need more than one policy
      - Limit when and how employees may use social media
      - Remind employees of dangers and ramifications of using social media
  • 9. SM POLICIES – The Essentials
      - Set guidelines for when and how employees may (or may not) use social media on behalf of employer
      - Set guidelines on interactions with, or statements about, co-workers
      - Set guidelines on interactions with, or statements about, outsiders
      - Describe consequences of non-compliance
  • 10. SM POLICIES – Suggested Points
      - Limit use of company equipment for purposes of social media activity
      - Remind employees to use good judgment
      - Permanency of online content
      - No such thing as anonymity
      - Blurring of work and personal lives
  • 11. SM POLICIES – Suggested Points
      - Encourage courtesy and civility
      - Prohibit discriminatory remarks, harassment, threats of violence, unlawful conduct
      - Remind employees to disclose affiliation with employer when posting content that promotes company or its products/services
  • 12. SM POLICIES – Suggested Points
      - Protect intellectual property and trade secrets
      - Clarify ownership and control over social media assets
      - Link to existing company policies
      - Link to applicable professional codes of conduct
      - Set guidelines on media relations
  • 13. SM IN HIRING
      - 37% of companies are researching job candidates using social networking sites (Source: 2012 CareerBuilder survey)
      - Managers may be researching applicants on social media already even if HR doesn’t know it
      - Need to implement policies to minimize risk
      - Gaskell v. University of Kentucky (E.D. Ky. 2010)
  • 14. SM IN HIRING – Password Requests
      - 36 states are considering employer social media password request laws
      - Bills introduced at HI legislature this year did not pass
      - Possible federal legislation
  • 15. SM IN HIRING – Good Practices
      1. Be consistent
      2. Limit searches to publicly accessible sites
      3. Update hiring procedures/train managers
      4. Consider using HR specialist as a filter
      5. If using a third-party vendor, comply with FCRA requirements
  • 16. SM DISCIPLINE – General Rules
      - Employees can be disciplined or terminated for their social media conduct, but…
      - Beware of violating NLRA. Ask: Did employee engage in “concerted, protected activity”?
          - Did the employee discuss the terms and conditions of employment?
          - Did the employee discuss the post or the subject matter with other employees?
          - Was the employee trying to bring a concern to management’s attention?
  • 17. SM DISCIPLINE – Example Cases
      - Hispanics United of Buffalo, Inc.: Employees posting Facebook messages about co-worker’s criticisms of their work habits
      - Pier Sixty, LLC: Calling manager nasty names but ending post with “Vote YES for the UNION.”
      - Design Technology Group, LLC: Facebook messages complaining about manager’s denial of request to close store earlier
  • 18. SM INVESTIGATIONS
      - EEOC: harassment via social media raises “same types of issues”
      - Failure to investigate complaints about harassment and take corrective action could expose employers to liability
      - Espinoza v. County of Orange (Cal. Ct. App. Feb. 9, 2012)
  • 19. Michael Miranda
      - Maryknoll 1990, UCF, Gonzaga, UH
      - Miranda Rights
      - Geek Passion
      - Coder at Heart
      - Cyber Security Spartan
      - Hawaiian Telcom
  • 20. Hawaiian Telcom does not specifically endorse any of the companies mentioned in this presentation.
  • 21. SOCIAL NETWORKING SITES
      - Michael Miranda, Sr. Manager, Hawaiian Telcom
  • 22. HR Considerations
      - “Eyeballs” are on SNS, it is the “norm”
      - Branding must extend and be consistent on social media sites
      - Opportunities to advertise (i.e. LinkedIn)
      - Open and public interactive communications
  • 23. Risks and Mitigation
      - Risks
          - Informal communications may become “business” communications
          - Critical reviews can hurt your business
          - Stolen user account credentials could be used to hurt your image and business
      - Mitigation
          - Be formal with all communications
          - Do not conduct transactions on SNS
          - Monitor and respond to negative reviews quickly
          - Strategize to protect your user account credentials
  • 24. Wired (12/2012)
  • 25. “hackers destroyed my entire digital life in the span of an hour”
      - Victim Account Info Needed:
          - Master Email Address (for recoveries)
          - Billing Address
          - Last 4 Digits of a Credit Card
          - No Advanced Security Beyond Password
      - Social Engineered and Exploited Procedures to Gain Access to his accounts with: Apple, Gmail, Amazon and Twitter
  • 26. Damage
      - Deleted 8 years worth of email on Gmail
      - Took over Twitter account to broadcast offensive messages
      - Erased all data on iPhone, iPad and Macbook
          - Family photos
          - Work documents and email
  • 27. User Account Strategy
      - Use a separate business email address for SNS and other business activity, including background checks
      - Use an alias email address instead of a real email address (even for recovery email addresses)
  • 28. [Diagram: example email addresses]
      - airjordan808@yahoo.com
      - airjordan808@hotmail.com
      - airjordan808@gmail.com
      - airjordan808@me.com
      - airjordan808@live.com
      - miranda@university.edu
      - MY BUSINESS
          - mike@mybusiness.com
          - adm@mybusiness.com (email alias for all transactions)
          - xyz@mybusiness.com (keep private!)
          - xyz@gmail.com (keep private!)
  • 29. .com
      - Commit to an Online Presence on The Popular Platforms
      - Treat as a Primary Communication Channel
      - Monitor/Respond Timely and Professionally
  • 30. SNS for Business…Securely
      - Only for informational business communications. DO NOT:
          - Contract using SNS messaging
          - Transmit or receive sensitive information
      - Monitor and respond consistently
      - Segregate and protect business SNS accounts
      - Use two-factor authentication when available
  • 31. BYOD
      - Michael Miranda, Sr. Manager, Hawaiian Telcom
  • 32. Why BYOD?
      1. Ease of working outside the office
      2. Staff have relevant equipment
      3. Attract and retain top talent (any age)
      4. Reduce device management costs
      5. Attract and retain younger workers
      - Source: http://www.citrix.com/lang/English/lp/lp_2314315.asp
  • 33. Expected Benefits of BYOD?
      1. Improved Employee Satisfaction
      2. Increased worker productivity
      3. Greater mobility for workers
      4. More flexible work environments for employees
      5. Reduced IT costs
      - Source: http://www.citrix.com/lang/English/lp/lp_2314315.asp
  • 35. SMBs Represent 94% of All Hawaii Businesses
      - 80% have 20 Employees or Less
      - Chart labels: Large, SMBs
  • 41. Mobile Users
      - 90% Acted Within 24 Hours
      - 94% Searched for Local Info
      - 70% Called a Business After Searching
      - 66% Visited in Person
      - 45% Use for In-Store Research
      - 722M Smartphones Shipped in 2012
  • 42. BYOD Risks
      - Costs – Cheaper for employees or employers?
      - Physical Security
          - Weak Passcodes
          - Lost or Stolen
      - Intellectual property theft after job termination
  • 43. Mobile Devices Attacked “Like it’s 1999”
      - Phishing Scams, Malicious Web Sites/Advertisements, Malicious Apps
      - Zbot.ANQ
          - Reportedly installs as a trojan on a Windows computer
          - Social engineers user to install software on mobile phone and to provide phone number to hacker
          - Hijacks SMS messages from banks to steal money
  • 44. [Chart: Market Share and Malware, 2011 (axis 0.00% to 80.00%)]
      - Apple iOS
          - Data is not public
          - Isolated reports of malware
          - 775,000 Apps!
  • 45. Top 5 Mobile Content Associated with Malware
      1. Pornography
      2. Known Spam Sites
      3. Computer/Internet
      4. Web Advertisements
      5. Entertainment
  • 46. LEGAL RISKS
  • 47. LEGAL RISKS OF BYOD
      - Employment laws
      - Fair Labor Standards (FLSA)
      - Title VII (harassment and hostile work environment)
      - Health Insurance Portability and Accountability Act (HIPAA)
      - Gramm-Leach-Bliley Act (GLBA)
      - Sarbanes-Oxley Act (SOX)
  • 48. LEGAL RISKS OF BYOD
      - Americans with Disabilities Act (ADA)
      - Section 5 of the Federal Trade Commission Act
      - Data disposal laws (HRS § 487R-2)
      - Security breach laws (HRS § 487N-2)
      - Hawaii Uniform Trade Secrets Act (HUTSA)
      - Privacy laws
      - E-discovery laws
  • 49. FLSA – Overtime Requirements
      - Non-exempt employees must receive overtime pay (at least 1.5x regular pay rate) for hours worked over 40 in a workweek.
      - Employee doesn’t need to be asked to work beyond a 40-hour workweek to be entitled to overtime pay. He/she just needs to perform overtime work for employer’s benefit
      - Employees could rack up overtime by using personal devices for work w/o employee’s consent if no clear BYOD policy in place
  • 50. FLSA – Allen v. City of Chicago
      - Chicago police officer sued employer under FLSA for working “off the clock” using department-issued PDAs or other electronic communication devices without receiving overtime pay.
      - Officer alleged that PDAs required them to be on call 24/7
      - In March 2011, court denied motion to dismiss
      - In January 2013, court granted conditional certification of a collective action for the case; 200 officers allowed to join action
  • 51. FLSA – Tips
      - Be careful of relying on de minimis exception
      - Track hours worked remotely
      - Institute policy requiring prior written authorization to work remotely via mobile device. Make sure to communicate policy.
  • 52. HIPAA
  • 53. WHERE DOES YOUR LIVE?
  • 54. HIPAA – Requirements
      - The issue is patient health information ending up on mobile devices
      - HIPAA mandates the “implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” 45 C.F.R. § 164.308(a)(1)
      - HIPAA also requires “physical safeguards for all workstations that access ePHI, to restrict access to authorized users.” 45 C.F.R. § 164.310(c)
  • 55. HIPAA – Omnibus Rule
      - HIPAA Omnibus Rule took effect on March 23, 2013; compliance due date is September 23, 2013
      - HIPAA compliance used to be limited to “covered entities” and their “business associates”
      - Under Omnibus Rule, all providers of services to health care providers, health insurers, HMOs and employee health benefit plans must comply if they create, receive, or maintain protected health information on behalf of a covered entity
  • 56. HIPAA – Lost or Stolen Devices
      - 40% of large HIPAA rule violations involved lost or stolen devices (per 2012 HHS study)
      - HHS: “[H]ad these devices been encrypted, their data would have been secured.”
      - Consider preventing local storage of patient data on mobile devices
  • 57. Gramm-Leach-Bliley Act
  • 58. GLBA – “Financial Institutions”
      - GLBA applies to “financial institutions.”
      - Scope of “financial institutions” can be broad.
          - mortgage brokers
          - nonbank lenders
          - real estate appraisers
          - educational institutions
  • 59. GLBA – Safeguards Rule
      - Each covered institution must develop, implement, and maintain a “comprehensive information security program”
      - Program must include “administrative, technical and physical safeguards”
  • 60. GLBA – Safeguards Rule
      - Program objectives are to:
          - Insure the security and confidentiality of customer information
          - Protect against any anticipated threats or hazards to the security or integrity of such information; and
          - Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
  • 61. GLBA – Information Covered
      - Applies to all “customer information” in possession of financial institution
      - Information does not have to pertain to customer of financial institution
      - Can be information of customer of other financial institutions that provided the information
  • 62. GLBA – “Customer Information”
      - “Customer Information” is any information:
          - a consumer provides to obtain a financial product or service from the institution
          - about a consumer resulting from any transaction with the institution involving a financial product or service; or
          - otherwise obtained about a consumer in connection with providing a financial product or service to that consumer
  • 63. GLBA – Risks
      - Inadvertent disclosure of customer information
      - Malware
      - Residual storage of customer information
  • 64. HUTSA – What’s a “Trade Secret”?
      - HUTSA allows claim for misappropriation of a trade secret
      - Definition of “trade secret” requires that reasonable efforts were taken to maintain secrecy of the alleged trade secret
      - Allowing employees to store proprietary data on personal device can destroy reasonableness of efforts to maintain secrecy
  • 65. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
      - One of the defendants (Mitchell) used to work for the Plaintiff cryogenics company (Kendall)
      - While working for Kendall, Mitchell maintained backup set of proprietary shop drawings at his home (paper & electronic) with Kendall’s permission
      - After Mitchell stopped working for Kendall, he was not asked to return drawings
  • 66. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
      - Mitchell then started working for a competing company, who used shop drawings to develop its product line
      - In lawsuit that followed, trial court granted summary judgment to defendants on trade secret misappropriation claim
      - On appeal, defendants argued that shop drawings were not “trade secrets” because Kendall didn’t take reasonable efforts to protect their secrecy
  • 67. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
      - Plaintiff took these precautions:
          - Stamped shop drawings with legend barring disclosure or transmission to unauthorized parties
          - Included confidentiality provision in Mitchell’s employment contract
          - Maintained policies “that attest to the company’s desire to protect confidentiality and safeguard proprietary information”
  • 68. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
      - Sixth Circuit held that the shop drawings could qualify as “trade secrets” based on those efforts at preserving their secrecy
      - Reversed trial court
  • 69. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
      - Key takeaways:
          - Be careful of letting employees store proprietary information at home
          - Have employees sign confidentiality agreements
          - Keep inventory of all info stored at employee’s home
          - Have separating employees sign acknowledgement that he/she no longer possesses proprietary info
  • 70. INTERNET PRIVACY
      - VENN DIAGRAM ON INTERNET PRIVACY
  • 71. PRIVACY – UH Data Breach
      - Retired UH professor posted personal data of over 90,000 faculty, students, alumni on public web server
      - Hackers gained access to private records of 53,000 students and employees on Mānoa campus
      - Former student files class action against UH for violation of constitutional right of privacy
      - Lawsuit settled in April 2012
  • 72. PRIVACY – Personal Data
      - Potential liability for remote wiping
          - Intrusion into seclusion
          - Other possible tort claims: conversion, trespass
      - Potential liability for accessing personal data on dual-use devices
          - Stored Communications Act
          - Computer Fraud and Abuse Act
  • 73. E-DISCOVERY & BYOD
      - Duty to preserve electronic data (litigation holds)
      - Practical challenges of e-discovery of data on dual-use devices
          - Identifying BYOD devices/information
          - Collecting data from dual-use devices
          - What data does the employer “control”?
  • 74. Essential Security Controls
      - Policies
      - Firewall (Perimeter and End Point)
      - IPS/IDS
      - Encrypted Transmissions
      - Secure Authentication
      - Vulnerability Management
      - Secure Systems with Updates
      - Access Control
      - Log and Event Reviews
      - Testing and Validation
  • 75. [Diagram: additional technologies]
      - Virtual Desktop Infrastructure
      - ActiveSync (MS Exchange)
      - Network Access Control
      - Mobile Device Management
  • 76. Mobile Device Management
      - Employee-Owned Hardware
      - Operating System (MDM)
      - Applications (MDM)
      - Data
  • 77. MDM Considerations
      - Feature: Company assumes control of most features on the device.
          - Employee Consideration: Device is now co-managed with employer and employer may have visibility into use of personal device.
      - Feature: Company can control which applications can be installed.
          - Employee Consideration: Employee will lose certain features once connected to the company network; dependent on company policy.
      - Feature: Isolation of company data.
          - Employee Consideration: Can only access company data from approved applications on the mobile device.
      - Feature: Remote-wipe of data, and possibly of whole device.
          - Employee Consideration: Risk that personal data will also be deleted.
      - Feature: Remote locking of device by company.
          - Employee Consideration: Risk that personal use of the device may be blocked by employer upon termination of employment or other HR action.
  • 79. Essential Considerations
      - Do you need to support BYOD?
          - Morale, Productivity, Technology, Cost
          - Which devices/OS’s? What data? Which applications? Who?
      - Essential Security Controls are Primary
          - Network Security
          - Systems Security
          - Policies
      - Additional Technologies Enhance Essential Security (not a substitute)
          - VDI, ActiveSync, NAC, MDM
      - Essential Network Security Goes a Long Way
  • 80. Other Considerations
      - Working Hours
          - BYOD = 24x7 Availability
          - Specify response policies to company communications received on employee-owned devices and when overtime applies
      - General Company Policies Apply
          - Send official company communications using company email addresses only
          - Use branded company templates for emails
          - Use only the communications technologies specifically approved for use (can’t use Twitter if company does not use Twitter)
          - Phone calls to customers should originate from company phone numbers; unless there is an extenuating circumstance
  • 81. BYOD Final Tips
      - Keep Mobile OS updated and Use Passcode Locks
      - Assume mobile device is vulnerable at all times and only visit known safe sites
      - Carefully research apps prior to installation
      - Do NOT Jailbreak
      - Include Mobile Devices in Overall Cyber Security Planning
  • 82. Michael Miranda
      - michael.miranda@hawaiiantel.com
      - (808) 546-8200
  • 83. Electronic Signatures
  • 84. E-SIG – Uses For Employers
      - Documents that are impractical to obtain hard-copy signatures for
      - Onboarding for new-hire paperwork
      - Form I-9
      - Form W-4
      - Benefits administration
  • 85. E-SIG – E-SIGN and UETA
      - Federal law: Electronic Signatures in Global and National Commerce Act (E-SIGN)
      - State law: Uniform Electronic Transactions Act (UETA) – HRS Chapter 489E
      - E-SIGN applies to contracts affecting interstate or foreign commerce
      - E-SIGN may be overridden by state law where UETA has been adopted
  • 86. “Electronic signature” means “any electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”
      - Technology neutral. Examples of e-sigs:
          - Typed name or signature block
          - Digitized image of signature
          - Digital signature (PKI encryption)
          - Biometric identification
  • 87. E-SIG – E-SIGN and UETA
      - E-sigs have same legal effect as handwritten ones
      - Contract not invalid just because electronic record or signature was used
      - If a law requires a record to be in writing, electronic record satisfies the law
      - Use and acceptance of electronic transactions is voluntary
  • 88. E-SIG – E-SIGN and UETA
      - Technology neutral
      - Certain kinds of documents cannot be e-signed (e.g., wills, foreclosure or eviction notices)
      - UETA applies only where each party to an agreement has agreed to conduct the transaction in electronic form
  • 89. E-SIG – E-Sig System Essentials
      - Signature must be unique to person using it
      - Signature must be verifiable as belonging to user
      - Signature must be under sole control of person using it
      - E-sig process must guarantee integrity of signature and document, ensuring that contents of document remain unaltered
      - Capture and preserve signer’s intention that e-sig has same force and effect as handwritten signature
  • 90. E-SIG – Other General Tips
      - E-sigs are not new, but legal precedent on enforceability of e-sigs is still developing
      - If you expect the document to end up in litigation, consider using paper signatures. E.g., arbitration agreements, trademark agreements, non-competes
          - Neuson v. Macy’s Department Stores
  • 91. E-SIG – Other General Tips
      - Obtain each employee’s written consent to use e-sigs for HR-related documents
          - Consent is based on the context and surrounding circumstances
          - Better practice is to have employee or applicant sign separate written agreement to consent to use of e-sigs. The consent doesn’t need to be separate if the main document to be signed is in electronic form, e.g., a “click-wrap”
  • 92. E-SIG – Other General Tips
      - Develop e-sig and document retention policy
      - Train employees on the policies
  • 93. E-SIG – Arbitration Agreements
      - Employment agreements often contain terms to the effect that the employee agrees to resolve disputes by arbitration
      - Courts are split on enforceability of arbitration agreements that are e-signed
  • 94. E-SIG – Arbitration Agreements
      - Not enforceable: Campbell v. General Dynamics Gov’t Sys. Corp. (1st Cir. 2005); Kerr v. Dillard Store Services, Inc., (D. Kan. Feb. 17, 2009)
      - Enforceable: Bell v. Hollywood Entertainment Corp. (Ohio Ct. App. Aug. 3, 2006)
  • 95. Elijah Yip, Esq.
      - eyip@cades.com
      - (808) 521-9326
      - Blog: www.legaltxts.com
      - Twitter: @LegalTXTS