Program on social media and mobile device management issues facing employers in 2013, including use of social media in the hiring process from recruiting to background checks; BYOD and other mobile device management policies; drafting social media policies in light of NLRB guidance and enforcement action; and protecting your social media assets.
1. The Connected Workplace
Presented to San Francisco Employer Advisory Council by:
Margaret A. Keane
Littler Mendelson, P.C., San Francisco Office
415.288.6303, mkeane@littler.com
www.linkedin.com/in/makeane/
February 7, 2013
2. Table of Contents
• Workplace Issues
– The New World
– Hiring Practices, circa 2013
– Yours, Mine or Ours: BYOD and Other Challenges
of Mobile Devices
– The NLRA, Social Media Policies, Confidentiality
and Related Disciplinary Actions
– Ownership and Control of Social Media Accounts
– Genetic Information Non‐Discrimination Act
3. Online Social Networks
• Facebook reports over 1.06 billion monthly
active users as of 12/31/12 and 618 million daily
active users*
• Approximately 157 million users per month
access Facebook through mobile applications.
• LinkedIn – 150 million plus members and 4.2
billion professionally oriented searches in 2011
• 110 million tweets are sent daily
• Don’t think your employees are out there?
Think again. Type your company’s name into
the search engine of any social networking site.
(Source: Facebook Q4 2012 Investor Slide Deck)
(Source: thenextweb.com/facebook/ 2011/094/23/the‐number‐growth‐and‐evolution‐of‐the‐behemoth‐that‐is‐facebook/)
4. Running Water, Electricity and Wi‐Fi
• IPASS Global Workforce Report for Q2
describes wireless access as a necessity of life
• Do you consider wireless access (3G, 4G and
wi‐fi) as important to your life as running
water and electricity?
− Yes, it is that important to the way I live – 59%
− No, but it is pretty close – 29%
IPASS Global Mobile Workforce Report, Q2 2012, p. 5
5. Are You at Work?
Mobile Technology Blurs the Line Between Home and Work
• By one estimate, 72% of Americans check their email on weekends and vacations
and 42% check email while home sick.
– Source: www.kikabink.com/news/most‐workers‐addicted‐to‐email‐2‐out‐of‐3‐u‐s‐and‐u‐k‐workers‐
check‐mail‐outside‐business‐hours/ (citing Harris Interactive research)
• iPass Mobile Employee Definition: Employee using a mobile device who accesses
networks (other than corporate LAN or WLAN) for work purposes
• Average mobile worker works 240 hours per year longer than work force in
general
• 43% of mobile workers keep smart phone at arm’s reach when they sleep
• 96% of mobile workers under 45 have smart phones
• 35% of mobile workers check email first thing upon awakening
– Source: The iPass Global Mobile Workforce Report, August 2011
www.mobile‐workforce‐project.ipass.com/cpwp/wp‐content/files_mf/ipass_mobileworkforcereport‐
q‐3_2011.pdf
6. Yours, Mine and Ours:
A New World of Sharing
How do you use your smartphone?
Source: The iPass Global Mobile Workforce Report, http://mobile‐workforce‐project.ipass.com/cpwp/wp‐
content/files_mf/ipass_mobileworkforcereport_q3_2011.pdf
7. Yours, Mine and Ours:
A New World of Sharing (Cont’d)
Do you use your tablet primarily as a personal or work device?
8. Employees and the Cloud
• Mobile devices send information to data storage, video,
photography and social networking sites, and web‐based email
providers
• Cloud services can replace thumb drives for storage
• Cloud services also provide collaboration capabilities – may be
used to circumvent IT restriction on sharing information
outside the enterprise
• Third party storage: Where is your data?
– iCloud
– Google Docs
– Dropbox.com
– Box.net
• Generally, there is no reasonable expectation of privacy in data
held by third parties
• An employer rarely has any control over data stored by third
party providers
9. Some Challenges of Social Media and
Mobile Computing
• Increased security risk to employer’s information technology systems
(viruses, malware)
• Data breaches due to lost devices, security breach or employee theft
• Inappropriate behavior towards co‐workers on social media sites
• Inappropriate and/or defamatory references posted on public sites and
accompanying reputational damage
• Wage and hour claim for “off the clock” work by non‐exempt employees
• Claims of discriminatory hiring, promotion and firing decisions based on
information obtained from social media may include claims of subjective
practices and/or violations of Genetic Information Non‐Discrimination
Act (GINA)
• Wrongful termination claims arising from decisions and policies that may
violate the National Labor Relations Act
10. Beyond the Like Button:
Uses of Social Media
• Tool to build trust and engagement and convey valuable
information for consumers.
• Means to obtain and verify information during the hiring
process.
• Forensic tool to investigate potential fraud.
• Facilitate product orders and other business processes.
• Method of addressing public relations crises.
• Enhanced ability to disseminate information. Can be product
info or general public service.
• Tool to access networking opportunities.
• Means to engage customers and build personal brand, provide
rapid responses to questions.
• Enables customers to learn about products and prices, ask
questions, compare products and service providers, and
complain about negative experiences with products and
service providers.
11. The Many Facets of Compliance
• Employers need to comply with relevant regulatory requirements, which
may include:
– Advertising and marketing laws and regulations
– Monitoring and responding to consumer complaints
– Testimonials and endorsements of, and to, individuals and companies
– Privacy Laws – Federal laws including HIPAA, Gramm‐Leach‐Bliley (“GLB”),
Children’s On‐Line Privacy Protection Act (“COPPA”), State privacy laws and
new Password Protection laws (ex. CA AB 1844)
– Record Retention Requirements, particularly for government contractors
– Security Breach Notification Statutes
– FINRA, FDA and other sector‐specific regulators
– Supervision, Monitoring and Training regarding all of the above
12. Getting to Know You:
Using Social Networking in the Hiring Process
• 91% of employers had hired a staff member
based on their social networking profile
• 69% decided not to make job offer to candidate
after seeing profile (photos of drugs/drinking
or inappropriate behavior were the most
popular reasons for eliminating candidate)
• 47% of companies check candidates' profiles on
social networking sites after they receive an
application and 27% review after a screening
interview.
Source: Job Screening With Social Networks: How Are Employers
Screening Job Applicants, Reppler, October 2011
Source: The Use of Social Networking Websites and Online Search
Engines in Screening Job Candidates, Society for Human
Resource Management, August 25, 2011
13. Getting to Know You:
Risks of Using Social Networking Websites in the Hiring Process
• Risk of making employment decisions based
on inaccurate, irrelevant or false info
• Online social networking profiles often
present personal information that would not
properly be subject to inquiry during the
hiring process
• Potential to eliminate applicants based on
protected class status in violation of federal
and state anti‐discrimination laws
• Need to balance applicant’s rights with
employer’s need to screen candidates
thoroughly
15. Getting to Know You:
Be Wary of Subjective Practices and Disparate Impact Claims
• Federal Reserve Bank of NY study:
– Referred candidates are twice as likely to land
an interview as other applicants
– At the interview stage, referred candidates have
a 40% greater likelihood of being hired
– 63.5% of employees recommended candidates
of the same sex
– 71.5% of employees recommended candidates
of the same race or ethnicity
Source: In Hiring, a Friend in Need is a Prospect, Indeed, New York Times, January 28, 2013
16. Getting to Know You:
Responsible Use of Social Networking Websites in the Hiring
Process
• Build a process for lawful use of social media data
– Determine when on‐line searches will be used in hiring and
promotion process
– Decide whether to inform applicants
about on‐line searches and whether to
ask for email addresses, user names
and blog posts
– Give notice and obtain consent
where needed
– Do not engage in unauthorized access to password protected
sites or require users to disclose passwords unlawfully (ex., CA,
IL, MD, MI)
– Comply with FCRA if using third parties to conduct search
– Determine scope of review: what sources will be checked and
what information will be collected?
18. A Word about Passwords in Hiring
• At least four states currently prohibit employers from asking applicants
or employees for social media passwords, including CA, Illinois,
Maryland and Michigan. At least thirteen other states are currently
considering legislation.
• California’s statute provides an exception that permits employers to
“request an employee to divulge personal social media reasonably
believed to be relevant to an investigation” of allegations of misconduct.
• California also has an exception for
usernames and passwords used
to access employer‐issued devices.
19. Lingo:
Dual Use Mobile Devices and BYOD
• Dual Use Mobile Device: Mobile device used to create, store and transmit both personal
and work‐related data
• BYOD: Bring Your Own Device
– A BYOD program includes:
• Policies that govern use of personal devices to
access corporate services
• Policies attempt to manage risk associated with
storage and transmittal of data using devices that
may be outside of the employer’s control
• Policies to address impact of mobile devices on existing
workplace behavior
• Some Other Considerations:
− Regulatory issues, esp. FINRA – financial services, insurance,
HIPAA
20. What is MDM – Mobile Device
Management?
Mobile Device Management:
• Software that allows corporate IT to manage use of mobile devices.
Component of BYOD programs. Features may allow an employer to:
– Require users to register device as condition of network access
– Lock down end user’s ability to use specific device features or apps, such as
cameras, Siri or iCloud
– Enable remote locking or wipe of device
– Enforce use of strong passwords
– Implement anti‐spam solutions – Siri,
iCloud file sharing, blacklists
– Prevent users from disabling or altering
security settings on devices
21. Policies Affected by BYOD:
Mobile devices have impact on policies throughout your
business
• Data Privacy & Security
• Harassment, Discrimination & EEO
• Workplace Safety
• Time Recording and Overtime
• Acceptable Use of Technology
• Compliance and Ethics
• Records Management
• Litigation Holds
• Confidentiality & Trade Secret Protection
22. Setting Up a BYOD Program:
A Master Plan for mobile device use in your
organization
• Need to address challenges of dual use devices, REGARDLESS of whether
you adopt a BYOD program
• If you implement BYOD, your policy should be part of an integrated
Information Governance Plan
• Determine goals and objectives
– Economics – Not necessarily saving money
– Security
– E‐Discovery compliance
– Risk Management concerns
– Privacy Considerations
• Remote wipes
• Containers
• Backups
– Pushing back the tide
23. Setting Up a BYOD Program:
Which employees can participate in the program?
• Who participates in program?
– Limit to exempt employees to reduce
exposure to “off the clock” claims.
– If non‐exempt employees are included,
need to address overtime wage exposure.
– Exclude contractors and contingent workers
who may be working for other customers.
– Consider excluding individuals in sensitive
positions or involved in litigation or
regulatory proceedings.
24. Setting Up a BYOD Program:
Terms and Conditions
• Who will pay and what devices are included?
– Who pays for/owns device?
– Who pays for service plan – employer selected options or
reimbursement?
– Options include technology allowances, reimbursement, standard
devices issued by employer.
25. Setting Up a BYOD Program:
Terms and Conditions
• What conditions will be imposed on participants in the
program?
• Program may include limits on acceptable applications,
passwords, encryption, employer monitoring, reporting
obligations and remote wipes in event of loss
• Address tradeoffs
– Participation in program is a privilege,
not a right
– May have privacy tradeoff for convenience of
remote access and device
26. Privacy in a BYOD World
Will your program distinguish between personal and business use?
Privacy Parameters
• Distinguish between data and device
• Device
– May require return upon demand or inspection as part of investigation
– May require return, with data intact, upon separation from employment
• Data
– Determine whether employer will retain right to review all contents of
device or will exclude categories such as music and photos
– Require employee to provide access to cloud
backups or home server?
– Monitor/limit employee’s use of web‐based
applications? Example: Siri, Dropbox, iCloud, etc.
– Set parameters for timing, terms and extent of remote
wipes
27. Privacy in a BYOD World
1. Remote wipes of lost devices – can be
viewed as either pro‐privacy or an
intrusion. Participation in BYOD program
may be conditioned upon consent to
remote wipes.
2. Litigation issues:
– Identification of BYOD devices/information
– Practical challenges of data collection
– Does the employee “control” data on the
devices?
– Will employees be required to produce mobile
devices to employer for inspection, preservation
and production?
28. Privacy in a BYOD World:
What is a Reasonable Expectation of Privacy?
3. Even if your policy gives you access to the device, employees may have
privacy expectations in personal data stored with online services. Be
careful.
– Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 587 F. Supp. 2d 548 (S.D.N.Y. 2008)
(employee had reasonable expectation of privacy in password protected emails stored on hotmail
and gmail servers, regardless of fact that she accessed them on a work computer)
– Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (NJ 2010) (employee had reasonable expectation
of privacy in personal password protected web‐based email sent through employer’s computer)
– Pietrylo v. Hillstone Restaurant Group, No. 06‐5754, 2008 U.S. Dist. LEXIS 108834, at *20 (D.N.J. July
24, 2008) (question of whether employee had a reasonable expectation of privacy in MySpace page
is a question of fact)
– Ehling v. Monmouth‐Ocean Hospital Service Corp., Civ. No. 2:11‐CV 033305 (WJM) (D.N.J. May 30,
2012)(plaintiff may have reasonable expectation of privacy in Facebook posting where she restricted
access to her Facebook page)
– Doe v. City of San Francisco, No. C10‐04700 THE (N.D. Cal. June 12, 2012)(employee had reasonable
expectation of privacy in web‐based emails viewed from a shared workplace computer designated
for personal use by employees)
29. Can Data in the Cloud Undermine Your
Trade Secret Protection?
Trade Secrets Must Be:
1. Maintained in confidence
2. Have commercial value from not being generally known
3. Must not be readily ascertainable by proper means
Risk Areas:
1. LinkedIn – Customer lists in the public domain?
2. Sasqua Group, Inc. v. Cartney, No. CV 10‐528, 2010 WL 36138855 (EDNY, August
2, 2010)
– Customer information not a trade secret where publicly available information
“exceeded the amount and level of detail contained in the Sasqua database.”
– Sasqua did not have password protected computers; did not require employee to sign
confidentiality or non‐solicitation agreement
3. LinkedIn contacts may violate non‐solicit and non‐compete restrictions (TEK
Systems v. Hammernick, Civ. No. 10‐CV‐00819 (D. Minn. Mar. 16, 2010))
30. Protection of Trade Secret Information
in the Cloud
• Take Reasonable
Measures to Protect
Trade Secrets in a BYOD
Environment
• Use Confidentiality
Agreements/Proprietary
Information Assignment
Agreements (“PIAA”)
31. Geolocation Tracking and Telematics
• FTC: Geographic location is sensitive information
• CA Penal Code 637.7. No person or entity in this
state shall use an electronic tracking device to
determine the location or movement of a person
• Tread carefully
Source: CTIA – The Wireless Association, Best Industry Practices and Guidelines for
providers of location based services
32. The FTC Speaks:
FTC Testimonial Guidelines
• Governs endorsements and testimonials in advertising
• No private right of action; may be enforced by FTC under section 5 of the
FTC Act
• Advertisers are subject to liability for false or unsubstantiated statements
made through endorsements
• Advertisers subject to liability for failing to
disclose material connections between
themselves and endorsers
• Endorsements relating the experience
of a customer must disclose
generally expected
performance
33. Breaking Up is Hard to Do:
From Dooce to the NLRB
• Dooced: Termination based on a blog posting; see www.dooce.com (blog
of woman who was fired after writing about employer on blog)
• NLRB v. American Medical Response Company, Case No. 34‐CA‐12576
(Connecticut, 2011). Employee terminated for criticizing her supervisor
on Facebook in violation of policies. Important case because it
challenged both the firing decision AND the employer’s policies.
• NLRB v. Hispanics United of Buffalo (“HUB”), September 2, 2011. First
ruling by an NLRB Administrative Law Judge, ruled that HUB violated the
NLRA when it terminated five employees for criticizing a sixth co‐worker
on Facebook
– “It is irrelevant to this case that the [Facebook posters] were not trying to
change their working conditions and that they did not communicate their
concerns to HUB”
34. NLRB Position on Social Media Practices and Policies:
My Workforce Isn’t Unionized. Why Should I Care?
• Portions of the NLRA apply to ALL
private employees.
• Specifically, employers can’t punish
employees for discussing working
conditions or unionization.
• Agency has taken aggressive stance
on terminations as discipline for
critical posts on social media.
• NLRA gives employees the affirmative
right to engage in concerted action
for mutual benefit and protection.
35. NLRB Acting General Counsel Releases First
Report on Social Media Cases: August 18, 2011
• Report provides analysis of 14 cases
involving employer’s social and
general media policies submitted to
NLRB’s Division of Advice.
• Four cases found protected activity
where employees posting on
Facebook were discussing terms and
conditions of employment with
fellow employees. Four other cases
found activity was not protected.
• In five cases, Division of Advice found
provisions of employers’ social media
policies were unlawfully over‐broad.
Focus on the “protected, concerted”
nature of activities.
36. More From the NLRB
• January 24, 2012 NLRB Acting GC
Memo update on social media
usage
• Is the employee posting on
Facebook/Twitter “engaged in
protected concerted activity”?
• [A] finding of protected activity
does not change if employee
statements were communicated
via the Internet.
37. The Third Time’s the Charm?
• May 30, 2012 Acting GC’s Third
Memorandum on Social Media Issues
• Rules that are ambiguous as to their
application to Section 7 activity and that
contain no limiting language or context
to clarify that the rules do not restrict
section 7 rights are unlawful. In
contrast, rules that clarify and restrict
their scope by including examples…are
not unlawful.
38. Breaking Up is Hard to Do:
Clarify your right to wipe devices and ownership of social
media assets before the breakup
• Tell employees that their company
issued electronic devices will be
“scrubbed” or “wiped” in the event
of termination and get written
acknowledgement.
• Clarify ownership of social media
assets. Maintain access to, and
right to change, passwords to
corporate accounts.
39. Genetic Information
Nondiscrimination Act of 2008 (GINA)
• Illegal to discriminate against employees or applicants because of genetic
information
• Employers may not use genetic information in making employment decisions and
may not request, require or purchase genetic information
• Any employer that possesses genetic information about an employee must
maintain such information in separate files; and must treat it as a confidential
medical record and may disclose it only under very limited circumstances
• Prohibition on requesting information defines “request” to include “conducting
an internet search on an individual in a way that is likely to result in a covered
entity obtaining genetic information.” 29 C.F.R. §1635
• Safe harbor for inadvertent acquisition applies where employer “inadvertently
learns genetic information from a social media platform where he or she was
given permission to access by the creator of the profile at issue (e.g., a supervisor
and employee are connected on a social networking site and the employee
provides family medical history on his page).” 29 C.F.R. §1634
40. Managing Change in the Workplace:
Some of Today’s Challenges
• Lack of clear precedent: courts and legislators lag
behind while agencies run ahead
• Social networking: lines between work and life
continue to blur
• New communication channels: instant messaging as
corporate tool and texting is not just for teens
• Electronic discovery: the document that would not die
• Workplace privacy: evolving standards
• Anywhere, anytime access: security risk and other
challenges of mobile computing
• The 24/7 workplace and the FLSA
• Control is a remnant of days gone by
• Generational differences affect communication styles