When Worlds Collide: Tracking the Trends at the Intersection of Social, Mobile and the Cloud

The American workplace is in a period of unprecedented change as the combination of mobile technology and social media is changing the "who, what, when and where" of work.

  • And now, shifting gears, we will move on to mobile devices.
  • Different rules for regulated industries: FINRA, FFIEC - Federal Financial Institutions Examination Council (non-banks, mortgage brokers). Most recent FINRA guidance became effective on February 4, 2013 regarding preapproval and supervision of social media. Of course, the firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person. . . . firms should have the ability to separate business and personal communications, such as by requiring that the associated persons use a separately identifiable [secure] application on the device for their business communications... If the firm has the ability to separate business and personal communications, and has adequate electronic communications policies and procedures regarding usage, then the firm is not required to supervise the personal emails made on these devices. Of course, firms also are free to treat all communications made through the personal communication device as business communications.
  • Ask Mass Eye and Ear Infirmary, which paid a $1.5 million penalty arising out of the loss of a single laptop.

Presentation Transcript

  • Translating the Trends: Mobile Communications, the Consumerization of IT, Social Media, and the Cloud Meet the Workforce
  • Margaret A. Keane, Shareholder, Littler, San Francisco; Philip L. Gordon, Shareholder, Littler, Denver
  • Program Agenda: When Worlds Collide: Tracking the Trends at the Intersection of Social, Mobile and the Cloud
    • The Explosion of Social/Mobile at Work and Play
    • Social/Mobile Meets the Workplace: High Level Challenges
    • Cloud Content and Mobile & Access Devices = New Applications and New Risks
    • Enterprise Use of Social Media
    • Managing the Social/Mobile Juggernaut (BYOD and Beyond)
    • Wage and Hour Issues for the Perpetually Connected
    • Employment Law Risks
    • Privacy in a Transparent World
  • The Social / Mobile Explosion Is Driving Change
    • Who: Offshoring/outsourcing; freelancers; shifting expertise across teams; increased employee mobility
    • What: FLSA does not define work; Supreme Court: “physical or mental exertion . . . controlled or required by the employer and . . . for the benefit of employer.”
    • Where: Decreasing reliance on “work” as a fixed physical space
    • When: Knowledge workers have more autonomy over when to work; constant connectivity
    • How: New tools, ex. enterprise microblogging and other collaborative tools; internal apps developed for enterprise and customers; workflows
  • Translating the Trends: What to Expect in 2013
    The Explosion of Social/Mobile At Work and Play
  • The Drivers: Going Mobile. . .
  • The Drivers: How Are We Using Our Mobile Devices? (Always Connected, IDC Study, Sponsored by Facebook, March 2013)
  • What Do You Do When You First Wake Up? (Always Connected, IDC Study, Sponsored by Facebook, March 2013)
  • Blurring The Lines: Work vs. Personal
    • 90% of full-time employees use a personal smartphone for work purposes
      • 62% of those use it every day
      • 39% don’t use password protection
      • 52% access unsecured wifi networks
      • 69% believe they are expected to access work emails after hours
    • 1 in 10 workers receive a stipend for their smartphone
    (Cisco, BYOD Insights in 2013: A Cisco Partner Network Survey, March 2013)
  • Translating the Trends: What to Expect in 2013
    Social/Mobile Meets the Workplace: Challenges and Opportunities
  • Blurring The Lines: Work vs. Personal
    • Do You View Your Tablet Device As Primarily A Work Or Personal Device?
    Source: iPass Q1 2013 Mobile Workforce Report
  • The Consumerization of IT is Here
    • 55% of IT managers have made exceptions for “specialized members,” i.e., top executives to use their choice of devices and software (2013 iPass MobileIron study)
    • 55% of IT directors will actively accommodate and encourage the use of personal devices (Citrix Study 2012)
    • 81% of respondents accommodate personal devices in the workplace (2013 iPass MobileIron study)
    • 54% of respondents had a formalized BYOD policy (2013 iPass MobileIron study)
  • How Are Different Sectors Responding?
    Source: Good Technology, BYOD Customer Survey, December 2012
  • Mobile Is Here To Stay
    • Lowe’s purchased 42,000 iPhones for employees
      • Employees can check inventory at nearby stores; share how-to videos, check competitor prices, order status, and schedules; verify sale prices and better serve customers
      • Innovative apps include tools to calculate the amount of paint needed to paint a room
      • My Lowe’s can organize customer history
      • Sales associates can use iPhones to ring up sales
    • Home Depot distributed 34,000 “First Phones” to employees
      • Associates can continuously update and monitor inventory levels
      • First Phones provide instant access to product info and speed checkout
  • Customers & Social Media
    • An estimated 23M Americans discover new brands through social networks; up from 18M in 2010
    • 64% of social media users stated that social networks influenced their buying decisions
    • 80% of companies planned to use social media for customer service by the end of 2012
    • 47% of social media users actively seek customer service through social media
    (Click Software Study Dec. 2012)
  • The Social Intranet
    “Creating a community in the workplace where employees can share and engage on a real-time platform makes everyday communication and collaboration easier and more effective, delivering tangible business results.” (Social Business: 5 Trends To Watch For 2013 And Beyond, Forbes (Dec. 2012))
  • Internal Social Media Benefits
    • 83% of respondents use at least one social technology
    • 73% of respondents use social technologies internally; 74% use with customers; and 48% connect with external partners
    • 9 of 10 respondents who use social tools have tangible business benefits, including enhanced access to knowledge and internal experts, increased employee satisfaction and reduced travel costs.
    (McKinsey Quarterly, March 2013 Reporting on July 2012 survey of 3,542 executives)
  • Social Intranet vs. Mobile
    Common barriers to mobile design entry for intranets:
    • Data security concerns
    • Difficulty of choosing a platform
    • Lack of resources to create and maintain the design
    • Uncertainty about whether to implement a full feature set with a good mobile user experience or an app for particular tasks
  • Some Risks Of Social/Mobile
    • Loss of control over corporate data
      • Violation of regulatory compliance obligations, ex. SEC, HIPAA, GLBA
      • Security breaches
      • Misappropriation of trade secrets
    • Public nature of social media
      • Too much information about applicants and employees
      • Damage to brand reputation
      • Expanded responsibility for regulating employees’ off-duty conduct?
    • HR/Employment Risks
      • “Off the clock” wage and hour claims
      • Potential privacy-based claims
      • Workplace safety issues
    • Records management and e-discovery challenges
  • What Are The Organizational Challenges?
    • Social/mobile permeates the organization
      • Branding and public image
      • Relationships with customers, vendors and competitors
      • Getting the work done
      • Managing employees
    • IT, HR & Legal may have different objectives
    • Evolving communications standards
      • Five generations in the workplace, each with different communication norms
    • Risk of losing market share to more socially agile competitors
  • What Are The Legal Challenges?
    • Challenges of applying old laws and policies to new technology
      • FLSA (1938); NLRA (1933); SCA (1986)
    • Case law lags behind while rate of change accelerates
    • Early legislation and regulation in the U.S.
      • Social media password protection laws
      • Agency guidance on social media communications – SEC, NLRA, FTC, FINRA
    • The challenges of global legal compliance
  • Some Solutions
    1. Understand how your organization is using social/mobile
    2. Create a multi-disciplinary information governance team
    3. Identify key risk areas
    4. Develop an enterprisewide strategy for managing social/mobile risks
    5. Implement a governance platform and update existing policies
    6. Continuously evaluate the impact of new mobile and social technologies on the workplace
    7. Continuously evaluate the impact of new laws and court decisions on existing policies
  • Translating the Trends: What to Expect in 2013
    Cloud Content & Mobile Access = New Applications and New Risk
  • What Is Cloud Computing?
    • The “cloud” is “the act of storing, accessing and sharing data, applications and computing power in cyberspace.” (Pew Research Center)
    • Types of information that can be, and are, stored and processed in the cloud: customer records, databases, email, health records, financial data, personnel records
    • Nature of the cloud = f(degree of control over the data)
      • Personal cloud (retail to individuals)
      • Private cloud (corporate, limited access)
      • Public cloud (corporate equivalent of personal cloud)
  • Employees And The Cloud
    • Mobile devices send information to data storage, video, photography and social networking sites, and web-based email providers
      • iCloud, YouTube, Flickr, Facebook, Gmail
    • Cloud services also provide collaboration capabilities – may be used to circumvent IT restriction on sharing information outside the enterprise
      • Google Docs, Dropbox.com, Box.net
    • An employer rarely has any control over data stored by cloud service providers
  • Advantages Of Cloud Computing
    1. Reduced costs and increased scalability
    2. Increased security
      • Cloud providers often have greater resources and sophistication
      • Redundancy ensures business continuity and disaster recovery
    3. Convenience: Users can access data from anywhere over the Internet using any computer
    4. Save computing space: Software does not have to be installed on each hard drive
  • Legal Risks Of Cloud Computing
    1. Loss of control of data to a third party
      • Information can be stored anywhere in the world
    2. Loss of control over infrastructure and information security
      • CSP will control security incident response
    3. Lower standard for government access
    4. Inadequate protection of trade secrets
    5. Electronic discovery challenges
    6. Potential global data protection challenges
  • Practical Steps Towards Implementing
    1. Interdisciplinary team (IT, HR, Legal, Business Unit leaders)
    2. Understand applicable law, especially law related to cross-border data transfers
    3. Determine which information to store in the cloud
      • Think twice before storing these in the cloud: Regulated data (PHI, PII, NPPI), privileged communications, trade secrets, business critical information, EU personal data
    4. Conduct due diligence on the cloud service provider
    5. Negotiate contractual protections
  • Practical Reality
    • CSPs will permit minimal to no due diligence
    • CSP Terms of Service often are non-negotiable
    • Cloud services can create operational risks
      • HHS obtained $100K settlement from a Phoenix surgery center that posted patient appointment calendar to the cloud
    • CSPs can play hardball with your organization’s data
      • GlaxoSmithKline sues CSP, alleging $80K ransom demand for return of critical documents
  • Translating the Trends: What to Expect in 2013
    Enterprise Use of Social Media
  • Enterprise-Oriented Social Media
    Key steps to success:
    1. Define your organization’s objectives
    2. Get leadership buy-in
    3. Create an information governance committee
    4. Tailor for corporate culture/employee or customer needs
    5. Determine who is authorized to post
    6. Establish guidelines
    7. Provide training
  • Think Before You Post
    • Summary judgment denied to Coyote Ugly on retaliation claim where company’s president and co-founder referenced on “Lil Spills” blog a former employee’s lawsuit and commented, “F**k that b**ch” Stewart v. Coyote Ugly Saloon Nashville, LLC, (M.D. Tenn. 2013)
    • NetFlix CEO posts to 200K Facebook followers that users have watched more than 1B hours of content on the Company’s streaming service
      • stock price jumps 6%
      • SEC issues Wells notice and investigates failure to use public means of communication
  • Key Guidelines For Social Speakers
    1. Identify yourself
    2. Protect confidential information
    3. Speak for the organization only when authorized
    4. Respect intellectual property rights
    5. Get the message right and admit mistakes
    6. Think global
  • Key Guidelines For Social Speakers
    7. Company will monitor employees’ social media content
    8. Personal accounts are not for business purposes
    9. Beware of lurking wage & hour issues for non-exempt employees
    10. Remember your other job duties: Social media can be addictive
  • Additional Issues: Customer-Facing Social Media
    1. Compliance with sector-specific regulations
    2. Protection of corporate accounts
      • Covered in detail during afternoon presentation
    3. Monitoring and responding to customer complaints
  • Translating the Trends: What to Expect in 2013
    Managing the Social/Mobile Juggernaut: BYOD and Beyond
  • Lingo: Dual Use Mobile Devices And BYOD
    • BYOD = Bring Your Own Device
    • Dual Use Mobile Device: Mobile device used to create, store and transmit both personal and work-related data
    • COPE: Corporate Owned, Personally Enabled
    • Some Other Terms:
      • BYOC: Bring Your Own Computer. Programs that add laptops to the covered devices
      • BYOA: Bring Your Own App.
  • Two Perspectives of BYOD
    • BYOD can improve employee productivity, engagement and satisfaction; help recruit new employees, and solve the “two pocket problem”
    • vs. BYOD can pose tremendous compliance and security risks, can undermine litigation, as well as create exposure under wage and hour, privacy and related laws
  • Another Perspective: Does It Really Reduce Costs?
    • All tallied, it is not clear whether BYOD saves money. A typical mobile BYOD environment costs 33 percent more than a well-managed wireless deployment where the company owns the devices ***.”
      • Loss of bulk purchasing power
      • Higher help desk/support costs
      • Security issues
    • Expenses may be offset by enhanced productivity – Intel estimates that BYOD employees save 57 minutes daily through use of personal devices
    • IBM says the trend toward employee-owned devices isn’t saving it money. (MIT Technology Review, Monday, May 21, 2012)
  • Setting Up A BYOD Program: Overview
    A BYOD program includes:
    1. User Policies that govern ownership and use
    2. Information Security Policies that attempt to manage risk
    3. HR Policies to address impact of mobile devices on workplace behavior
    4. Selection, installation and deployment of mobile device management software
    5. Applicable disciplinary procedures for non-compliance
    6. Updates to BYOD Guidelines and policies as needed
    7. Training re: all of the above
  • Security Risks Of Mobile Devices
    • BYOD a “significant” security risk for 78% of respondents (Global Information Security Workforce Study 2013)
    • Loss or theft of devices
      • 47% of IT managers reported dealing with lost or stolen phones (2013 iPass MobileIron study)
      • 39% of respondents stated that they have the necessary security controls to address the risks created by mobile devices (Ponemon Study Feb. 2012)
    • Malware
      • 69% of respondents ranked application vulnerabilities as the highest security concern, with malware and mobile devices a close second at 67% and 66% respectively (Global Information Security Workforce Study 2013)
    • Friends and family
      • 27.5% of FINCEN suspicious activity reports involving identity theft implicate friends, family, employee in home
  • Security Risks of Mobile Devices
    Mobile Devices As Gateway to the Cloud:
    • Employee ownership of the account with the service provider will limit company access to its data
    • No contract with company = no right to access data
    • Obligation to “vet” security controls of vendors
    • Data may be more available to law enforcement or others
  • Implications Of A Security Breach
    • Violation of statutory or regulatory requirements to secure personal information: HIPAA, GLBA, and state laws (MA, OR, OK, NV)
      • Statutes apply to service providers of covered entities
      • Enforcement: HHS and MA have recently obtained penalties
    • Security breach notification laws: 46 states, DC, PR, USVI, and Guam
      • Encryption safe harbor
      • Encryption requirements: MA, NV, HIPAA
    • Avg. cost of a breach is $194/lost record or $5.5M (Ponemon Study 2011)
  • Recommendation: Control Eligibility
    • Control eligibility to participate in BYOD and other remote access programs
      • The more people with BYOD, the greater the risk
    • Limit to employees with a business need for remote access
    • NOT employees with regular access to sensitive information
      • Legal, HR
      • Access to highly valuable trade secrets, e.g., product engineers
      • Access to highly sensitive, non-public financial info, e.g., CFO’s group
  • Recommendation: Install MDM Software
    Mobile Device Management Software: Allows corporate IT to manage use of mobile devices (BYOD and corporate issued). Available features include:
    • Encryption
    • Lock down end user’s ability to use specific device features or apps, such as cameras or iCloud
    • Enable remote locking or wipe of device
    • Enforce use of strong passwords
    • Prevent users from jailbreaking device or disabling or altering security settings on devices
    • Device locator
    Consider the use of “container” technology
  • Additional Recommendations
    1. Limit the types of devices that can participate in the program
    2. Limit the business applications on the device
    3. Limit use of cloud-based apps, cloud-based backup, or synchronizing with home PCs
    4. Require employees to protect the physical security of the device
      • No sharing of device or password with household members or friends
      • Require password protection
  • Translating the Trends: What to Expect in 2013
    Wage & Hour Issues for the Perpetually Connected: Challenges of a Mobile Workplace
  • Who Will Pay And What Devices Are Included?
    • Who pays for/owns device? Is participation optional?
    • Who pays for service plan – employer selected options or reimbursement?
    • Options include technology allowances, reimbursement, standard devices issued by employer.
  • Who Pays For Mobile Devices And Use Fees?
    • Expense Reimbursement
      • Federal law – expenses can’t reduce pay below minimum wage
      • Eleven states have express or implied expense reimbursement requirements
        • California, Montana, North Dakota, South Dakota, New Hampshire, Alaska, Minnesota, Arkansas, Iowa, Kentucky, Michigan
      • California Labor Code § 2802 – Employer must reimburse Employee for “necessary expenditures or losses incurred by the employee... as a consequence of the discharge of his/her duties”
      • Reimbursement must meet certain criteria in order to be tax exempt
  • Who Pays In California?
    • Employer can reimburse for actual expenses or make a lump sum payment to fully reimburse employees for actual expenses necessarily incurred (Gattuso v. Harte-Hanks Shoppers, Inc., 42 Cal 4th 554 (2007))
    • Deleon v. Airtouch Cellular, unpublished opinion, (Ct. App. 2nd Dist. February 4, 2013) alleged violation of California Labor Code Section 2802 where employer stipend did not cover full cost of required cellular phone and equipment.
      • Employee allowances did not cover taxes, data plans, 411 calls and overages
      • Lump sum program with mechanism to seek approval for expenses in excess of the lump sum satisfies 2802 if it provides full reimbursement for actual expenses necessarily incurred
      • Take away: Court found fact issues with the operation of excess program, but did not question that employer is responsible for cell phone charges IF NECESSARILY INCURRED.
  • Who Pays For BYOD Devices?
  • The 24/7 Workplace And The FLSA
    • Wage & Hour – Is after-hours use of mobile devices compensable time?
      • When does “de minimis” time become compensable?
      • Emails themselves may be evidence of time spent and notice to employer
      • Time spent dealing with IT issues related to devices
      • Work by non-exempt or exempt employees during weeks off or leaves of absence
  • The 24/7 Workplace And The FLSA
    Managing W&H Concerns
    • Prohibit non-exempt employees from accessing email or making work-related calls outside of scheduled hours
    • Limit access/program participation to employees who are exempt from OT
    • Create process for reporting work performed outside of working hours
    • Training
      • Employees
      • Managers
      • Compliant policy requiring pay for all hours worked
      • Must pay for all time worked, approved or not
      • Can treat time worked without authorization as a disciplinary issue
  • Lessons From Recent Case Law
    • Allen v. City of Chicago, (N.D. Ill. 2013): collective action alleging failure to pay overtime for off-duty time reading and responding to email on city-issued Blackberries
      Lessons:
      • Employer has a risk if managers are sending messages via company-provided devices, and the messages call for off-shift response
      • If you provide mobile devices to exempt employees, consider written policy that employees do not need to review and respond to email while off-shift
    • Brown v. Scriptpro, LLC, (10th Cir. Nov. 27, 2012): Employee’s failure to use remote timekeeping system resulted in victory for employer
      Lessons:
      • Provide automated timekeeping system with easy remote access and train employees to use it
      • Make sure policy aligns with operational reality
      • Conduct compliance audits
  • Translating the Trends: What to Expect in 2013
    Employment Law Risks
  • Can Trash Talk on a Blog be an Adverse Employment Action?
    Post by President of Defendant/Employer:
    “By the way Lil, you should be getting served with a lawsuit. No worries just sign for it”. This particular case will end up pissing me off cause it is coming from someone we terminated for theft… I have been reading the basics of Buddhism and am going to a class on Monday. The Buddhist way would be to find beauty in the situation… Obviously, I am still a very new Buddhist cause my thoughts are “#$%! that @#$*#. Let me do my breathing exercises and see if any of my thoughts change. Lol
    Court ruling on retaliation claim:
    A reasonable jury could find that the posting of this blog entry constituted an adverse action, since it falsely stated that she engaged in theft, . . . and could find that this [conduct] would have likely dissuaded a reasonable worker from making . . . an FLSA claim. Stewart v. Coyote Ugly Saloon Development Corp., et al., 2013 WL 456482 (M.D. Tenn. Feb. 6, 2013)
  • Potentially Outdated Policies
    • Recruiting and Hiring
    • Performance Management
    • Harassment, Discrimination & EEO
    • Workplace Safety
    • Time Recording and Overtime
    • All Policies Governing Use of Electronic Resources
    • Social Media Policies, including policies governing external communications and internal company social networks
    • Compliance and Ethics, Including SEC Disclosure Rules
    • Advertising and Marketing
    • Records Management and Retention
    • Data Privacy & Security
    • Litigation Holds
    • Confidentiality & Trade Secret Protection
    • Termination Practices
  • Other Issues
    • E-Discovery Challenges
      • Identification of BYOD devices/information
      • Practical challenges of data collection
      • Does the employee “control” data on the devices?
      • Will employees be required to produce mobile for e-discovery purposes?
    • Records Management: FINRA retention requirements
    • Protection of trade secrets
      • Gateway to the cloud
      • Review exit interview process
  • Translating the Trends: What to Expect in 2013
    Employee Privacy in a Transparent World
  • Employee Privacy Rights
    • Issuing a remote wipe command
      • Employees have a reasonable expectation of privacy in their personal device
      • All 50 states have computer trespass laws
      • Potential liability under the Computer Fraud & Abuse Act if the unauthorized access causes damages > $5,000
    • Accessing an employee’s personal e-mail or cloud account
      • Federal Stored Communications Act, e.g., Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)
    • Access to private information: GINA
  • Geolocation Tracking And Telematics
    • FTC: Geographic location is sensitive information
    • CA Penal Code 637.7(a). No person . . . shall use an electronic tracking device to determine the location or movement of a person.
    • CA Penal Code 637.7(d). Electronic tracking device is “any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals.”
    • Tread carefully.
  • International Data Protection Issues
    • The number of countries with broad data protection laws has increased dramatically in the past three years
    • Ability to roll out program globally can vary substantially by country
      • France, Mexico, Spain: Yes
      • Brazil, Czech Republic: No
      • Singapore: Yes with adjustments
  • The Dual-Use Device Agreement
    Critical Terms: Protection against computer trespass, invasion of privacy and other claims
    1. Agree to Company’s use of remote wipe
    2. Agree to Company’s monitoring of personal device
    3. Agree to produce the personal device for inspection and copying in response to legitimate requests
    4. Release Company from any liability for destruction or incidental viewing of personal information
    • Expect Pushback
  • The Dual-Use Device Agreement
    Additional Terms:
    1. Will install corporate security package
    2. Will not modify corporate security package
    3. Will immediately report loss or theft of device
    4. Will limit storage of corporate information
    5. Acknowledge that all company policies apply to the dual-use device
  • © 2013 Littler Mendelson, P.C.