Digital privacy versus national security. That’s how scores of articles have framed the controversy over Apple Inc.’s refusal to cooperate with the FBI in bypassing the security features of an iPhone used by Syed Farook, one of the deceased shooters in the San Bernardino terrorist attack. Largely overlooked is the fact that Farook’s employer could’ve prevented the whole controversy had it installed common software on the phone.

Syed worked for the County of San Bernardino as a health inspector. The county issued the iPhone in question to Farook to help him do his job. Farook signed an agreement giving the county the right to search the contents of the phone, but the county did not take measures to ensure it could enforce that right. Employers who allow their employees to use mobile devices for work typically install mobile device management (MDM) software on the device. MDM allows the employer to unlock a mobile device remotely, wipe the contents of the device, push software updates, and track the device’s location. According to an AP report, the county had a contract with an MDM provider, but it never installed the MDM software on Farook’s phone. The MDM service costs $4 per month per phone.

There are HR and IT lessons to be learned from this incident. One lesson is that employees should be required to grant their employers access to their mobile devices as a condition of using them for work-related purposes. Specifically, management should obtain an employee’s signed written agreement authorizing the company to access the contents of a mobile device that is connected to the company network. The County of San Bernardino did at least obtain this kind of authorization.

A second lesson is that the right to access a mobile device is useless if you have no practical way of gaining access. This is where technology like MDM software is useful. Installation of MDM controls should be standard operating procedure in any Bring Your Own Device program. MDM software doesn’t have to be expensive either. Popular email server platforms like Microsoft Exchange have MDM controls built in. For more robust functionality, consider investing in specialized MDM solutions.

It shouldn’t take the prospect of a terrorist attack to highlight the importance of taking these lessons seriously.

Working remotely has never been easier thanks to the proliferation of mobile devices like smartphones and tablets.  Enabling employees to do work outside of the office and standard work hours can be a boon for productivity, but it carries a legal risk for employers: unexpected claims for overtime pay.  Under the federal Fair Labor Standards Act (FLSA), non-exempt employees must be paid overtime compensation for work they perform for the employer’s benefit in excess of forty hours in any workweek.  Work done remotely, such as responding to emails on a smartphone or drafting a report on a laptop at home, could push an employee’s work hours in a given week beyond the forty-hour threshold.  FLSA violations can occur unexpectedly because an employee need not have been asked to work beyond the 40-hour workweek to be entitled to overtime pay.

Two cases illustrate the risk of allowing employees to work outside of the office using mobile devices.  In Allen v. City of Chicago, a Chicago officer sued the Chicago Police Department under FLSA for requiring him to work “off the clock” using a department-issued Blackberry device without receiving overtime pay.  A Chicago federal district judge conditionally certified a collective action to allow 200 similarly situated officers to join in the lawsuit.

In O’Neill v. Mermaid Touring Inc., the former personal assistant of pop artist Lady Gaga, Jennifer O’Neill, sued for overtime compensation under FLSA.  O’Neill alleged that she worked 24/7 because she was expected to have her phone on in order to respond to Lady Gaga’s calls at any time of the day.  A New York federal district judge recently denied the defendants’ motion for summary judgment that O’Neill’s on-call time is not compensable, thus setting the stage for trial in the case to begin on November 4.

Allen and O’Neill highlight the need to institute clear policies spelling out the authorization an employee must obtain before working remotely with a mobile device.  Organizations that allow employees to use mobile devices for work purposes should require employees to keep track of the time they work remotely, or consider installing software on the employee’s mobile device that automatically performs such a timekeeping function.  Taking proactive measures to manage mobile device usage at work is crucial to preventing employees from secretly racking up overtime hours and then demanding compensation for it.


No, it’s not an acronym advising you to come to dinner with your favorite vintage of pinot noir.  BYOD stands for Bring Your Own Device, a movement that’s changing the landscape of information technology at workplaces across the globe.  In the “old days,” companies issued electronic equipment to employees for work use.  Today, employees want to use the latest electronics of their own choice for both work and play.  Surveys consistently show that companies are giving in to such requests, citing the benefits of increased productivity and morale, as well as cost savings from not having to buy the equipment themselves.  However, BYOD programs also create legal risks for companies, including:

  • Violation of labor laws like the Fair Labor Standards Act due to the ability of workers to rack up overtime by doing work on personal devices practically anywhere and at any time, whether or not such overtime is authorized by management
  • Violation of laws prohibiting disclosure of the private information of customers, clients, or patients, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act
  • Inadvertent disclosure of proprietary company information, which jeopardizes its confidentiality and, as a result, its status as a protected trade secret
  • Complicating the e-discovery process, because electronic data that fall within the scope of a discovery request may reside on devices besides those under the direct control of the company

In light of these risks, the knee-jerk response of management might be to forbid BYOD entirely, but that is not necessarily the best approach.  BYOD is more prevalent than one might think.  A form of BYOD is in play whenever someone stores work data on a personal cloud storage account, uses a personal laptop to draft a memo for work, or forwards work-related word processing files to a private email account for easy access from home.  A company need not officially adopt a BYOD program to have one, which is all the more reason why management should be proactive about putting BYOD policies in place.

Learn about the specific risks that a BYOD program creates for your company.  Develop guidelines on acceptable and unacceptable use of personal devices for work-related purposes.  Notify employees of the policies in writing and provide training.  Don’t wait until it’s too late!

Want more tips on BYOD?  Come to the Advanced Employment Issues Symposium in Las Vegas from November 13-15, where I’ll be giving a presentation on “BYOD Challenges: When Employees Bring Their Own Devices to Work.”  Registration information is available at www.aeisonline.com.


Supervisor snoops into former employee’s personal Gmail account after she returns company-issued Blackberry

Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)

The line between personal and business use of electronic devices is increasingly getting blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets.  Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns.  The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013) highlights this risk.

Verizon issued a Blackberry smartphone to its employee, Sandi Lazette.  Lazette set up a personal Gmail account on the phone with Verizon’s permission.  Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee.  Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not.  Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.

Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy.  A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions.  The court also allowed Lazette’s privacy claim to move forward.

LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.

1.  Don’t read your employees’ personal messages—even if they are readily accessible.  Management should treat an employee’s personal account as private, even if restrictions on accessing the account are minimal or non-existent.  A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA.  Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry.  Yet the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails.  The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.

2.  Construe grants of access narrowly.  If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account.  In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account.  Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him.  Years later, the supervisor logged into the account to read emails about the status of the company.  In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial.  Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.

3.  Thoroughly purge personal data from company-issued electronic devices before reusing them.  Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after they have been returned or repaired.  Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like.  Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.

4.  Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools.  One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM controls such as the ability to “remotely wipe” a device should it get lost or compromised.  MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device.  To mitigate such concerns, a company should devise policies clarifying upfront the expectations of privacy that employees should have if they choose to use a dual-use device at work.
