© 2013 Haynes and Boone, LLP
Bring Your Own Device (“BYOD”)
Best Practices & Worst-Case-Scenarios Surrounding Employee-Owned Devices in the Workplace
What is BYOD?
• The practice whereby employers permit employees to bring their own personal mobile devices – typically smartphones or tablets – into the workplace and encourage employees to use these devices for business-related tasks.
BYOD Statistics – the Good
• By 2016, 80% of employees will be eligible to use their own devices (Gartner)
• And 38% of employers will stop providing devices to employees (Gartner)
• Employees are willing to spend an average of almost $1,000 on their devices and over $700 on internet data plans (CloudTweaks)
• 89% of IT professionals support BYOD and 85% agree that it increases company efficiency (CDW)
BYOD Statistics – the Bad
• 54% of employers either are still developing BYOD policies or have none in place
• Only half of IT Managers said their companies “had a strategy in place to effectively manage and secure the additional, personally-owned devices” (CDW)
• 51% of employees connect to unsecured wireless networks with their personal devices (Cisco)
• 53% of employees use unsupported software or Internet-based services on their personal devices to do work (Forrester)
What Does This Mean?
• BYOD is here to stay
– By 2017, 50% of employers will require employees to supply their own devices for work purposes (Gartner)
• Many employers are unprepared and lack sophisticated policies and procedures
What Does This Mean cont’d?
• Employees are performing unauthorized activities, or simply lack formal consent
• Employers are vulnerable to security & privacy issues and increasingly susceptible to lawsuits
What Should Employers Do?
• Develop a strategy for safely and effectively managing BYOD
• Implement a clear and effective policy, which includes an Acceptable Use Agreement
• Educate employees about BYOD policy and provide effective training
• Perform periodic audits to ensure compliance
The Rise of BYOD
• Traditionally, enterprise IT drove consumer technology and trends. Employers provided employees with IT; e.g. Blackberry; Palm PDAs
• Today, tech-savvy employees are adopting consumer-focused and business-oriented technologies – e.g. iPhones & Androids – thereby consolidating their personal and work devices for enhanced productivity and convenience
The Rise of BYOD cont’d
• As of 2013, it was estimated that mobile devices outnumber people (Cisco)
• With the influx of devices that have the ability to communicate, as well as track and maintain data, there is a greater likelihood that employees will utilize personal devices with dual functionality
The Benefits of BYOD
• Cost-Savings
– Employers save $ since they no longer provide employees with devices
– Upwards of 20% savings on IT
• Improved morale
• More sophisticated and efficient equipment in the workplace leading to increase in productivity
The Benefits of BYOD cont’d
• Employees possess better understanding of their own devices, thereby reducing the need for training and support
• Employees treat their own property better than employer-owned property
BYOD Risks
• Employer Security
– Public exposure of employer’s confidential & proprietary information
  • Employees take their devices wherever they go, which means company data goes where employees go
  • Potential for outside users to access data
    - Leakage: employer data inadvertently spills out to the public domain
    - Lost or Stolen Devices
BYOD Risks cont’d
• Employer Security
– Public exposure of employer’s confidential & proprietary information
  • Employees sending work email or documents to their personal email account through their own devices, bypassing employer security channels
  • Employee use of unencrypted third-party file-hosting services
BYOD Risks cont’d
• Employer Security
– Threats to employer’s network
  • Data breaches
  • Network invasions, e.g. malware and viruses that harm employer’s network by collecting data (e.g. mechanisms that target shared folders as well as internal File Transfer Protocol (FTP) sites)
BYOD Risks cont’d
• Employee Privacy
– Protection of employee’s personal information
– Because it’s their device, employees may possess greater expectation of privacy
– The protective measures employers implement to combat security threats often implicate privacy concerns
BYOD Risks cont’d
• Employee Privacy cont’d
• E.g. Tracking or monitoring employee devices; wiping devices when lost or stolen
• Reviewing an employee’s device upon departure from company and sometimes the potentially awkward situation where an HR or IT Professional reviews an employee-owned device
• These policies must be made clear
BYOD Risks cont’d
• Liability for employee conduct on devices
– Because they’re using their own devices, employees might be inclined to bring unacceptable “after-hours” behavior into the workplace
– Texts, social media, and tweets sent in the office or through an employer’s network can lead to sexual harassment lawsuits and bullying
BYOD Risks cont’d
• Potential wage & hour lawsuits
– Employees’ use of smartphones to respond to work-related matters outside of business hours can blur the line between personal & work time
– Creates potential for overtime claims, e.g. Fair Labor Standards Act (FLSA) claims; the FLSA requires non-exempt employees to be paid for all hours worked and overtime for hours worked beyond 40 in a week
BYOD Risks cont’d
• Safety Concerns
– Chatman-Wilson v. Cabral and Coca-Cola Refreshments USA, Inc., 2013 WL 5756347
  • Coca-Cola, Inc. ordered to pay $21.5M for employee’s car accident resulting from talking on her personal cell phone while driving
  • Coca-Cola employee violated company’s hands-free cell phone policy while using cell phones for work purposes
• Coca-Cola found vicariously liable
BYOD Risks cont’d
• Wage and Hour Concerns
– Mohammadi v. Nwabuisi, 2014 WL 29031
• Employer found liable for not compensating employee for overtime work performed using employee-owned device
• In addition, employer failed to keep accurate records, and employee’s oral recollection of time worked satisfied record keeping requirements
BYOD Risks cont’d
• “Information governance,” compliance w/ corporate investigations & litigation discovery holds
• Inadvertent restrictions of union activities – compliance w/ § 7 of the NLRA
• Insurance coverage for BYOD conduct
– Verify that your policies are up to date
Protective Measures
• Mobile Device Management (MDM) and Mobile Application Management (MAM)
– MDM allows companies to encrypt data, as well as remotely locate, lock & wipe devices, and track user activity
– MAM enables IT operators to manage and block applications that are potentially harmful
• “Sandboxing”
– Software virtualization that partitions employee & employer’s data
MDM & MAM are not Perfect!
• MDM creates potential privacy issues
– Excessive monitoring, or monitoring without consent, can be an invasion of employee privacy
• MAM cannot monitor and control all apps
– Impossible to monitor and control all apps downloaded onto employee devices
– E.g. Employees uploading docs through third-party cloud services
Sandboxing is not Perfect!
• Sandboxing is not 100% effective
– “Spillage,” when employer data migrates to the personal side of a device, can occur
– Employee use of third-party cloud services that automatically back up documents and other information on personal devices can inadvertently compromise employee data
Sandboxing is not Perfect! Cont’d
• E.g. Apple stores (in the cloud) EVERYTHING you tell Siri for two years. As a result, employees may inadvertently share sensitive information simply by using common features on a device
Drafting BYOD Policy: General Advice
• Implement a policy that combines technology solutions with clear and comprehensive policies
• Emphasize security & respect employee privacy
• Clearly explain permissible behaviors and activities on personal devices that have access to corporate systems
• Perform periodic audits to ensure compliance with BYOD Policy
What to include in an Effective BYOD Policy
• Which employees are allowed to BYOD?
– Some companies are inclined to limit BYOD to high-level employees
• Which devices are authorized?
• Ensure that your BYOD Policy is consistent with other policies (e.g., trade secret, harassment/discrimination, wage and hour)
What to include in an Effective BYOD Policy cont’d
• What are the employee’s security obligations?
– E.g. prohibited websites & applications while connected to employer network
– E.g. passwords; firewall
• What are the parameters of acceptable use?
– Acceptable information and communications
• What activities are prohibited?
What to include in an Effective BYOD Policy cont’d
• What employer networks, services and applications can be accessed?
• Protocols for device repairs; who bears the cost?
• Detailed procedure in the event device is lost or stolen
– Ability to locate, lock, & wipe a device
What to include in an Effective BYOD Policy cont’d
• Disciplinary action
• Assurance your company is not infringing upon employees’ right to organize under the NLRA
• Separate wage and hour policies
• Safe driving
• Include an Acceptable Use Agreement (“AUA”)
• Outboarding: Employee departure procedure
– Ensure removal of employer data at end of employment
BYOD Training
• Provide BYOD training to employees and supervisors
• Educate employees about BYOD Policy & provide effective training that is consistent with other company policies
Notices to Incorporate in BYOD Policy
• Inform employees about all MDM monitoring or tracking of devices
• Inform employees before installing anything on employee devices
• Inform employees that they must consent to the BYOD Policy and agree to an Acceptable Use Agreement prior to utilizing a dual-use device
Crafting an Acceptable Use Agreement
• Explain that dual-use of a personal device is a “privilege”
• Acknowledgement & acceptance of the Acceptable Use Agreement (“AUA”)
• Employee acceptance of the AUA must be easy
Crafting an Acceptable Use Agreement cont’d
• Obtain employee consent for the company to:
– Remotely wipe a device
– Monitor the personal device when connected to company network
– Inspect device upon legitimate request, e.g. corporate investigations and litigation holds
• Obtain company release from employee for any liability stemming from the destruction or incidental viewing of personal information
– Employee acceptance of the AUA must be easy
Are you protected?
• In the event your employee’s dual-use device is lost or stolen, can you:
– Lock down the device remotely
– Identify what was on the device
– Identify who is accessing your network and what they’re doing, such as what files are being accessed
– Perform network forensics
Are you protected cont’d?
• Are you tracking the latest developments in employment law and does your BYOD policy conform with changes in the law?
– Because the law is consistently changing, your BYOD policy must be fluid and needs to be updated in order to stay current and ultimately be effective.
Questions?