Digital privacy versus national security. That’s how scores of articles have framed the controversy over Apple Inc.’s refusal to cooperate with the FBI in bypassing the security features of an iPhone used by Syed Farook, one of the deceased shooters in the San Bernardino terrorist attack. Largely overlooked is the fact that Farook’s employer could’ve prevented the whole controversy had it installed common software on the phone.
Syed worked for the County of San Bernardino as a health inspector. The county issued the iPhone in question to Farook to help him do his job. Farook signed an agreement giving the county the right to search the contents of the phone, but the county did not take measures to ensure it could enforce that right. Employers who allow their employees to use mobile devices for work typically install mobile device management (MDM) software on the device. MDM allows the employer to unlock a mobile device remotely, wipe the contents of the device, push software updates, and track the device’s location. According to an AP report, the county had a contract with an MDM provider, but it never installed the MDM software on Farook’s phone. The MDM service costs $4 per month per phone.
There are HR and IT lessons to be learned from this incident. One lesson is that employees should be required to grant their employers access to their mobile devices as a condition of using them for work-related purposes. Specifically, management should obtain an employee’s signed written agreement authorizing the company to access the contents of a mobile device that is connected to the company network. The County of San Bernardino did at least obtain this kind of authorization.
A second lesson is that the right to access a mobile device is useless if you have no practical way of gaining access. This is where technology like MDM software is useful. Installation of MDM controls should be standard operating procedure in any Bring Your Own Device program. MDM software doesn’t have to be expensive either. Popular email server platforms like Microsoft Exchange have MDM controls built in. For more robust functionality, consider investing in specialized MDM solutions.
It shouldn’t take the prospect of a terrorist attack to highlight the importance of taking these lessons seriously.
Anyone with a smartphone has the ability to record sound and video. This can raise privacy concerns as well as create a record of events without others’ knowledge. For these reasons, companies may prohibit employees from making workplace recordings. If your employee handbook contains such a rule, consider giving it a second look because the National Labor Relations Board (NLRB) recently struck down “no recording” rules implemented by Whole Foods.
A three-member panel of the NLRB reviewed two workplace policies: one prohibiting employees from making audio or video recordings of company meetings without prior management approval or the consent of all parties to the conversation, and the second prohibiting employees from recording conversations without prior management approval. The stated purpose of both policies was to foster open and honest communication, a free exchange of ideas, and an atmosphere of trust. Allowing employees to record conversations in secret, the policies explained, would deter employees from holding frank discussions about sensitive and confidential matters in the workplace.
The NLRB saw the “no recording” rules differently. In its Whole Foods decision, the NLRB ordered Whole Foods to rescind the rules because they effectively violate employees’ rights under Section 7 of the National Labor Relations Act to engage in protected concerted activity. A majority of the NLRB panel expressed concern that the rule would prohibit employees from engaging in protected activities such as “recording images of protected picketing, documenting unsafe workplace equipment or hazardous working conditions, documenting and publicizing discussions about terms and conditions of employment, documenting inconsistent application of employer rules, or recording evidence to preserve it for later use in administrative or judicial forums in employment-related actions.” The majority noted that covert recordings were an essential element in vindicating Section 7 rights in many cases. The employer’s interest in encouraging open and frank communications did not override the Section 7 rights of employees.
One member of the NLRB panel dissented, arguing that employees would reasonably interpret the “no recording” rules to protect, not prohibit, Section 7 activity. However, the majority found the blanket prohibition on all recordings troubling. A witness for Whole Foods testified that the rules would apply “regardless of the activity that the employee is engaged in, whether protected concerted activity or not.” According to the majority, employees would reasonably read the broad and unqualified language of the rules to prohibit recording Section 7 activity.
The decision suggests that a “no recordings” rule that exempts protected activities could be valid. But where to draw the line between protected and unprotected activities remains an open question. Given the NLRB’s tendency to construe the scope of Section 7 activities broadly, a wide range of business discussions could be considered to involve protected activity and thus exempt from a “no recordings” rule. This would make the rule virtually useless. The NLRB’s decision may not be the last word on recording rules, however, as Whole Foods has appealed the decision to the Second Circuit Court of Appeals.
Your employees may return to the office after the holidays with new gadgets strapped to their wrist. Wearable devices like the Apple Watch, Android Wear smart watch, and FitBit are some of the hottest holiday gifts of 2015. Or maybe your company gave wearable devices as gifts to its employees. Either way, wearables are showing up more and more in the office. With that trend comes a slew of legal concerns. Here are some of the legal issues created by wearables to be aware of:
Wearable devices make it easier to violate privacy rights. If the wearable device is employer-issued, it could be used to track and monitor employees. Be sure to give notice to employees before doing that, and obtain their written consent to having their activity monitored. Employees should be told what information the company collects and how it will be used. If your workforce is unionized, use of wearables for monitoring purposes may be a point for collective bargaining.
Then there’s the privacy of co-workers. Some wearables can record audio and video, but they’re generally less detectable than smartphones and cameras. An employee’s ability to record interactions with co-workers and customers without their knowledge raises a variety of legal challenges. Workplace policies should explain the circumstances under which certain categories may or may not be used and describe the kind of notice employees who use wearables in the workplace must give to co-workers and customers.
If a wearable device is allowed access to the company network, it should be subject to BYOD policies like use of encryption, strong password requirements, device locks, etc. Don’t let wearables be an undetected hole in your network’s security. Also be sure to preserve the right to collect work-related information stored on your employees’ wearable devices, as such access might be necessary to comply with information requests in an investigation or litigation.
Smartphones and web browsers already give employees plenty of opportunities to engage in distractions that kill productivity, and wearables make that problem even more challenging. Consider modifying your workplace policies to address the use of company resources and company time to engage in personal activity using wearables.
You’ve adopted a social media policy after hearing all the warnings about employees behaving badly on social media. But do you enforce the policy consistently? Failure to do so can be risky business, as illustrated by a recent federal court decision, Redford v. KTBS, LLC, 2015 WL 5708218 (W.D. La. Sept. 28, 2015). The court in Redford allowed an employment discrimination claim to continue because of management’s uneven enforcement of its social media policy.
The social media policy of KTBS, a Louisiana TV station, instructs employees not to respond to viewer complaints on social media. Chris Redford, an on-air crime reporter for KTBS and a white male, posted a negative comment on his Facebook page in response to a viewer’s comment on a KTBS story. Redford was fired for violating the KTBS social media policy.
Redford sued KTBS for race and sex-based employment discrimination. Redford pointed to KTBS’ treatment of two other employees for their social media conduct. Lee, an on-air personality and an African-American female, responded multiple times to negative viewer comments on the official KTBS Facebook page. She received numerous warnings from management before being fired on the same day as Redford. Sarah Machi, an on-air personality and a white female, responded negatively to a KTBS viewer’s comment on her personal Facebook page, but received no warning or discipline. Based on this evidence, Redford argued that KTBS fired him not for violating the social media policy, but to prevent a potential lawsuit by Lee for race or sex discrimination. According to the court, Redford had a viable claim that he was treated less favorably than Lee and Machi because of his race or sex.
KTBS argued that it took no action against Machi because she posted her comments on her personal Facebook page, which was set to “private” so that only her Facebook friends could access it. Redford’s Facebook page did not have privacy filters turned on, and he often used his page to promote his work at KTBS. Since KTBS apparently considered comments posted on an employee’s “private” Facebook page to be outside the scope of its social media policy, the court reasoned that KTBS’ stated reason for firing Redford could be pretextual if Redford’s Facebook page was considered “private.” This issue had to be resolved at trial, so the court denied summary judgment to KTBS on the pretext issue.
Redford is a good reminder of the importance of consistent enforcement of social media policies. Even-handed enforcement is made easier by clearly spelling out the scope of the policy. If the policy makes a distinction between “company” and “personal” pages, for example, describe the distinction specifically and consider providing examples. Ambiguity and inconsistency are your worst enemies when it comes to enforcing a social media policy.
One of the bombshells in the DeflateGate saga was the revelation that Tom Brady had his cell phone destroyed shortly before meeting with the National Football League’s investigators. According to the NFL’s written decision suspending Brady, Brady knew that the investigators wanted access to text messages on the phone he had when the AFC Championship was played. Even so, Brady instructed his assistant to dispose of the phone—just four months after starting to use it. The dubious circumstances surrounding the disappearance of the phone greatly hurt Brady’s credibility in NFL Commissioner Roger Goodell’s eyes, and were instrumental to his eventual decision to discipline Brady.
There are HR lessons to be learned from this story. An employee’s mobile device can contain information you need for an investigation or lawsuit. So what can you do to get access to the device or the data on it now that employees frequently use their personal devices for work?
Adopting a Bring Your Own Device (BYOD) work policy is a good start. At a minimum, a BYOD policy should reserve the company’s right to access any electronic device an employee uses for work, even if the employee owns it. The policy should also state upfront that employees have no expectation of privacy in data stored on their personal devices – that’s the tradeoff for letting them connect to the company network.
After establishing the ability to take possession of employee-owned devices, think through the steps for preserving data on the devices before it’s too late. One measure is to issue a “litigation hold” instructing employees not to destroy a device or delete data from it. Be specific about the kinds of data they need to preserve. A crucial element of a litigation hold is an instruction to suspend routine purging of data or equipment – much like Brady’s practice of destroying his old phone whenever he got a new one. The litigation hold should be issued as soon as you know that a lawsuit or investigation is coming.
Next, determine the kind of electronic information you want. Preservation and extraction methods differ depending on the kind of data. Text messages need to be preserved quickly because once they’re deleted off a phone or tablet, it’s difficult to find a copy of them elsewhere. As Brady learned when he tried accessing text messages on his missing phone through his wireless carrier, carriers don’t keep subscribers’ text messages on their servers for very long, and they typically delete the messages after delivery to the recipient. Emails have a longer shelf life, especially if they’re stored in a web-based account like Gmail or Yahoo or transmitted through company servers.
Be proactive and act quickly. Don’t let your hopes of getting the electronic evidence you need get deflated.