Digital privacy versus national security. That’s how scores of articles have framed the controversy over Apple Inc.’s refusal to cooperate with the FBI in bypassing the security features of an iPhone used by Syed Farook, one of the deceased shooters in the San Bernardino terrorist attack. Largely overlooked is the fact that Farook’s employer could’ve prevented the whole controversy had it installed common software on the phone.
Syed worked for the County of San Bernardino as a health inspector. The county issued the iPhone in question to Farook to help him do his job. Farook signed an agreement giving the county the right to search the contents of the phone, but the county did not take measures to ensure it could enforce that right. Employers who allow their employees to use mobile devices for work typically install mobile device management (MDM) software on the device. MDM allows the employer to unlock a mobile device remotely, wipe the contents of the device, push software updates, and track the device’s location. According to an AP report, the county had a contract with an MDM provider, but it never installed the MDM software on Farook’s phone. The MDM service costs $4 per month per phone.
There are HR and IT lessons to be learned from this incident. One lesson is that employees should be required to grant their employers access to their mobile devices as a condition of using them for work-related purposes. Specifically, management should obtain an employee’s signed written agreement authorizing the company to access the contents of a mobile device that is connected to the company network. The County of San Bernardino did at least obtain this kind of authorization.
A second lesson is that the right to access a mobile device is useless if you have no practical way of gaining access. This is where technology like MDM software is useful. Installation of MDM controls should be standard operating procedure in any Bring Your Own Device program. MDM software doesn’t have to be expensive either. Popular email server platforms like Microsoft Exchange have MDM controls built in. For more robust functionality, consider investing in specialized MDM solutions.
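As an added illustration (not code from the original post, the county, or its vendor), the Exchange Management Shell commands below show what the built-in Exchange controls mentioned above look like in practice: a mobile device mailbox policy that enforces encryption, a strong passcode and an inactivity lock, a check that a mailbox's devices actually picked the policy up (the gap in the county's case), and a remote wipe. The policy name, mailbox address and notification address are assumed placeholders; Exchange covers passcode, encryption, lock and wipe, while remote unlock, location tracking and update pushing need a full MDM product.

```powershell
# Added example: Exchange ActiveSync mobile device mailbox policy (Exchange 2013+ / Exchange Online).
# "County-BYOD", the mailbox and the notification address are assumed placeholders.

# 1. Define the BYOD controls: encryption, strong passcode, device lock.
$policy = @{
    Name                         = "County-BYOD"
    PasswordEnabled              = $true       # a passcode is mandatory
    AllowSimplePassword          = $false      # no 1111 / 1234 style codes
    AlphanumericPasswordRequired = $true
    MinPasswordLength            = 8
    MaxPasswordFailedAttempts    = 10          # device wipes itself after 10 bad attempts
    MaxInactivityTimeLock        = "00:05:00"  # lock after 5 minutes idle
    RequireDeviceEncryption      = $true       # device storage must be encrypted
    AllowNonProvisionableDevices = $false      # devices that cannot enforce the policy may not sync
}
New-MobileDeviceMailboxPolicy @policy

# 2. Assign the policy to the mailbox; otherwise only the default policy applies.
Set-CASMailbox -Identity "health.inspector@county.example" -ActiveSyncMailboxPolicy "County-BYOD"

# 3. Verify enrollment. A contract with a provider is worthless if the device never
#    partnered or never applied the policy, so check every device on the mailbox.
Get-MobileDeviceStatistics -Mailbox "health.inspector@county.example" |
    Select-Object DeviceFriendlyName, DeviceType, DeviceAccessState,
                  DevicePolicyApplied, DevicePolicyApplicationStatus,
                  LastPolicyUpdateTime, LastSyncAttemptTime

# 4. Remote wipe of a lost or recovered device. The notification address receives a
#    message once the device acknowledges the wipe. In Exchange Online / recent
#    on-premises builds, -AccountOnly limits the wipe to the mailbox's own data.
Get-MobileDevice -Mailbox "health.inspector@county.example" |
    Where-Object { $_.DeviceType -eq "iPhone" } |
    Clear-MobileDevice -NotificationEmailAddresses "it-security@county.example" -Confirm:$false
```

Step 3 is the check to build into onboarding: a device whose DevicePolicyApplicationStatus never reaches "AppliedInFull" has not been brought under the controls, whatever the contract says.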
It shouldn’t take the prospect of a terrorist attack to highlight the importance of taking these lessons seriously.
Your employees may return to the office after the holidays with new gadgets strapped to their wrist. Wearable devices like the Apple Watch, Android Wear smart watch, and FitBit are some of the hottest holiday gifts of 2015. Or maybe your company gave wearable devices as gifts to its employees. Either way, wearables are showing up more and more in the office. With that trend come a slew of legal concerns. Here are some of the legal issues created by wearables to be aware of:
Wearable devices make it easier to violate privacy rights. If the wearable device is employer-issued, it could be used to track and monitor employees. Be sure to give notice to employees before doing that, and obtain their written consent to having their activity monitored. Employees should be told what information the company collects and how it will be used. If your workforce is unionized, use of wearables for monitoring purposes may be a point for collective bargaining.
Then there’s the privacy of co-workers. Some wearables can record audio and video, but they’re generally less detectable than smartphones and cameras. An employee’s ability to record interactions with co-workers and customers without their knowledge raises a variety of legal challenges. Workplace policies should explain the circumstances under which certain categories of wearable devices may or may not be used and describe the kind of notice employees who use wearables in the workplace must give to co-workers and customers.
If a wearable device is allowed access to the company network, it should be subject to BYOD policies like use of encryption, strong password requirements, device locks, etc. Don’t let wearables be an undetected hole in your network’s security. Also be sure to preserve the right to collect work-related information stored on your employees’ wearable devices, as such access might be necessary to comply with information requests in an investigation or litigation.
Smartphones and web browsers already give employees plenty of opportunities to engage in distractions that kill productivity, and wearables make that problem even more challenging. Consider modifying your workplace policies to address the use of company resources and company time to engage in personal activity using wearables.
A recent National Labor Relations Board Shore Point Advisory Letter gives a bit of good news to employers who want to use modern monitoring technology to monitor employees that they suspect are breaking work rules. On November 2, 2015, the NLRB concluded that an alcoholic beverage distributor (Shore Point), did not violate labor laws by failing to negotiate with its employees’ union before installing a GPS tracking device on an employee’s company truck. Shore Point suspected that the employee was stealing time while on his work routes. Shore Point’s collective bargaining agreement contains rules against stealing time.
Shore Point hired a private investigator to follow the employee to collect evidence for disciplinary purposes, an established practice the union had not objected to in the past. The investigator placed a GPS tracking device on the employee’s truck to maintain and regain visual contact. The GPS was only installed on the employee’s vehicle on the days when the investigator was following the employee, and was used as a backup method in case the investigator lost visual sight of the employee and his truck. Based on the investigator’s observations of the employee engaging in misconduct, Shore Point terminated the employee. The union filed a charge alleging that the employer unilaterally engaged in electronic surveillance without bargaining in violation of the National Labor Relations Act.
The NLRB determined that Shore Point did not have an obligation to bargain over the installation and use of the GPS device. Although the use of the device was a mandatory subject of bargaining, it did not amount to a material, substantial, and significant change in the terms and conditions of employment. Shore Point had an existing practice of using a private investigator to monitor employees suspected of misconduct. Using a GPS tracking device was just “a mechanical method to assist in the enforcement of an established policy,” and therefore was not a material, substantial, or significant change in policy. The NLRB also noted that the GPS device only added to information that the private investigator had collected through personal observation, did not increase the likelihood of employee discipline, and did not provide an independent basis for termination.
At least two lessons can be learned from this case. First, when crafting employee work rules subject to bargaining, build in flexibility to allow for use of technological advances in enforcement methods. Second, disciplinary action against an employee should be supported with various types of evidence if possible. Just relying on evidence collected with a controversial or untested method is risky because if the use of the method is determined unlawful, the basis for the disciplinary action disappears.
The New York Times recently reported that Hillary Rodham Clinton used a personal email address for work and personal matters while she served as Secretary of State. Many employees could probably appreciate why Ms. Clinton chose to use a private email address for work purposes. She enjoyed the convenience of carrying one mobile device instead of two. That’s the same reason the Bring Your Own Device movement has been rapidly gaining momentum.
The convenience of commingling professional and personal online accounts comes at a price. One danger is unauthorized disclosure of confidential information. Work-related information stored in an employee’s personal online account is not subject to security measures like firewalls, anti-virus software, and metadata scrubbing programs. Private online accounts may be vulnerable to cyberattacks, putting the confidentiality of their contents at risk. While such records might not concern national security matters as in the Clinton controversy, they could contain personnel information, medical history, or trade secrets, the disclosure of which could violate data privacy laws like HIPAA and the Sarbanes-Oxley Act, not to mention hurting a company’s competitive edge or creating a public relations debacle.
Another risk is noncompliance with recordkeeping policies. Work rules dictating how long work files are kept before they’re disposed of help organizations manage the task of responding to information inquiries like discovery requests in litigation. In some jurisdictions, an organization’s failure to produce a document in discovery because it was destroyed in compliance with the organization’s document retention policy generally is not considered unlawful destruction of evidence. (Note: Hawaii’s court rules were amended this year to recognize such a defense.) But spotty enforcement of a document retention policy could destroy that defense. Popular ways of transferring work files include forwarding them to a personal email address or uploading them to a personal cloud storage account. Such practices could result in work files being kept beyond their authorized retention period, thus casting doubt on whether an organization actually follows its document retention policy.
Managing these risks begins with adopting a formal policy on use of personal accounts for work purposes and training employees to follow the policy. Without a policy in place, employees might have few qualms about using their personal accounts for work. Consult with a lawyer with data privacy experience to ensure that your policy manages legal risks.
If your company decides to prohibit the transfer of work data to external locations, enforce that policy diligently. Work with your IT department or outside vendors to implement physical and software safeguards against unauthorized transfers. Conduct audits to ensure compliance with the policy.
Another strategy is to offer solutions that allow employees to work outside of the office conveniently without having to use their personal accounts. Consider hosting a private cloud storage site where employees can share files in a secured environment under your control. Also popular is virtual desktop software that allows employees to access their workstation remotely in a controlled environment.
Don’t wait until your employees’ data handling practices make the headlines before taking action to protect the confidentiality of your work files.
The FTC released two guides on the privacy and security issues related to the Internet of Things. The first is a staff report based on discussions in an FTC-hosted workshop on the subject held on November 19, 2013. In addition to summarizing the workshop discussions, the report contains staff’s recommendations in the IoT space. This prompted an FTC Commissioner (Joshua Wright) to dissent from the decision to issue the report. In Commissioner Wright’s view, it is premature to publish staff recommendations in this area without further research, data, and analysis. The dissenting statement can be found here.
The report discusses the benefits of IoT as well as three risks:
- enabling unauthorized access and misuse of personal information;
- facilitating attacks on other systems; and
- creating risks to personal safety.
The report also discusses Fair Information Practice Principles including security, data minimization, notice, and choice. Click here to read the full report.
Along with the staff report, the FTC issued a guide called “Careful Connections” that provides recommendations on building security into IoT applications. Download the guide here.