Diamond

Sponsors:

Platinum

Sponsor:

Gold

Sponsor:

Presented

By:

Bring Your Own Device or Bring Your Own Disaster

Anne DillCorporate AssociateGeneral Counsel

Mia BelkSenior Counsel

Shirley HartNational Leader, End User Technology

Teresa Rider BultManaging/ Administrative Partnertbult@constangy.com

Agenda

What is BYOD? BYOD Considerations

• Technology• Process• People/Culture

Legal Perspective• Privacy• Data Protection• Litigation

What is BYOD?

BYOD – Bring Your Own Device• Usually refers to smartphones

and tablets• BYOC, BYOPC, BYOT are

similar terms• Part of the “Consumerization”

movement

BYOD Drivers Aren't Coming Just From End Users

Time

"I easily bypass IT —

they don't get it."

User Interest

"I'm too important!"Just this little exception, please.

After all I am the boss!

"I need better equipment!"

Organizational Interest

Contain rogue devices More of your employees than you realize are already usingtheir equipment to attach to your network!

Reduce support burden

Shift costs to users

Maintain attractivework environment

for hiring

System Capability

EffectiveFunctionality Gap {

Legacy

Envisioned Functionality

RequiredFunctionality

Source: Gartner, 2013

Why BYOD? Does it make business sense?

• Employee satisfaction• Recruitment and retention• Productivity• Risk and compliance• Cost savings?

Business Reaction to BYOD• Embrace• Support• Ignore• Restrict

BYO: The Trend Is Clear • More than 60% of employees report using a personal device for work

• Two thirds of consumers report that work influences what they buy for personal devices

• By 2015, the emphasis will shift toward cost-reduction through mandatory BYOD programs

• PC BYOD Lags Smartphones and Tablets (<8% of companies), but will accelerate in 2014+

Source: Bring Your Own Device: The Facts and the Future, 2013 N=453

How often employees use personal devices for work purposes

BYOD -- Technology

Devices• SmartPhones/Tablets• Computers

Management/Control• Mobile Device Management• Network Access Control• Virtual Desktops• Containerization

Support/Maintenance

BYOD -- Process Spend

• Stipends, voice/data Governance Policy

• Data wipe/data storage• Application usage

Security Support

BYOD – People/Culture

Demographics• It’s not for everyone• Younger employees tend to be

more proactive and accepting• Increasing level of computer

savvy Fit with company industry and

culture• Support environment• Industry perspective

• Powerful and connected smartphones and tablets have penetrated every facet of our personal and professional lives and are used continuously over the course of the day.

• Employees increasingly want to use their favorite mobile device for personal and professional use. They want to store personal data and install Internet games on devices used to access enterprise applications and data.

Summary: The BYOD Challenge

BYO Rationale

• User Perspective:– Desire for one device and phone number, not two– Desire to fully own the decision process when selecting a

personal device– Desire for the latest and greatest gadget

• Company Perspective:– Increased staff productivity due to better morale & hardware– Potential to reduce hardware, monthly service, provisioning

and ongoing support costs

• IT Department Perspective:– Potential for reduced IT staff workload as users move off

employer provided devices and onto BYO devices

BYO Challenges

• Security– Enterprise data confidentiality, integrity and availability– Liability for personal data (wipe, central storage)– Defining the security perimeter

• Applications– Impact of heterogeneous device environment on

application development and support requirements

• Support – Device certification, provisioning and management

• Cost– Potential loss of corporate-level volume discounts

because of personal purchase.

Enterprises should align user mobility expectations, IT capabilities and the needs of the business. Failure to act may increase security risk as unmanaged mobile devices continue to connect to the enterprise network.

Source: Deloitte

1. Sexting, sexual harassment, and discrimination2. Social Media Content3. Off the Clock/ Overtime liability 4. Distracted driving/ Workplace Safety5. Unsecured data/ Lost Devices. 6. Litigation Holds BONUS CONTENT:

1. Criminal Liability?2. Terminations and Wiping Devices3. Performance Management4. International Law

•40% of adults up to age 34 admit to “sexting.”

•Text more casual than emailing (if you can believe it!)

New problems:• Snapchat• Instagram

Exhibit A: No longer he said/ she said – PROOF.

BYOD PROBLEMS:• Not owning the device takes away a level of control• Less control over content – can’t spy on employees’ use of

Facebook (or can you?). Discrimination: Access to employees’ devices may mean

employers have more information than they want• Porn? • Genetic Information Nondiscrimination Act (GINA)-related

concerns. • E.g., Diabetes Management App?

Blocking Social Media Sites from Company Network does not block those Sites from BYOD devices

Racist comments posted on Twitter or a photo of an employee trespassing (even if it's done as a prank), can be used as evidence in a lawsuit that also names the employer as a defendant.

Non-exempt workers with devices presents problems (BYOD or not).

Universal Problems:• Texting:

• Managers texting non-exempt employees re: scheduling or before-work errands

• Employees texting re: tardies, changing schedules (how does this affect FMLA notice?)

BYOD problems:• Non-Exempt Employees with work email on personal devices

may be more likely to continue to check emails/ work after they leave.• I.e., How do you distinguish when you are working versus not

with your own device?

• Exempt employee on leave of absence may work on smartphone or tablet, accessing email and checking in on projects, etc. • If employee does work for more than a de minimis amount of

time – typically lasting longer than a couple minutes – she may be entitled to an entire week’s pay.

Do you believe your company could be liable for injuries sustained while driving and using a device?

a) Yesb) No

Would (should?) liability be worse if it is Company-Owned or BYOD?

a) Yesb) No

$24.7 million involving a 2008 crash in Missouri that killed three people and injured 15. • Driver of tractor-trailer was checking his phone for text messages; his truck

ran into10 vehicles stopped in backed-up traffic on freeway. • A plaintiff who sustained serious brain injuries, leaving him paralyzed and

unable to walk or talk until his death in 2011, was awarded $18 million; $6 million was awarded to the family of one of the deceased; and $700,000 was awarded to a victim who suffered broken bones.

$21.6 million award for a 2007 crash in Ohio• driver rear-ended vehicle on freeway in company car, causing the vehicle

struck to cross the median into oncoming traffic - one fatality at the scene. • Cell phone records showed employee driver was using cell phone at the time

of crash. $16.1 million settlement for a 2001 crash in Arkansas

• lumber distributor salesman crashed while talking on his cell driving to sales appointment. The crash severely disabled a 78-year-old woman.

Trade Secrets• Did you REALLY protect them if they somehow made their way to

an employee’s personal device? Sensitive Data about Clients/ Employees

• Soooo easy to access• Possibility it could be used against your company in court

Shared Devices (friends, family, neighbors. . .) Insecure Mobile Access

http://www.milner.com/company/blog/technology/2013/08/26/the-risks-and-danger-of-byod

• FRCP 34• party must preserve and produce responsive

docs & electronically stored information in its possession, custody & control.

• Control ≠ party having legal ownership or actual physical possession.

• Control = the right, authority or practical ability to obtain docs from nonparty.• Likely employer “controls” work product employees

create in furtherance of their employment. • Employers have to collect and produce corporate

documents by request even if the documents are in the employee’s home???

Spoliation Sanctions Awarded after defendant corporation failed to preserve or disclose any text messages from a key defendant’s cell phone in response to the plaintiffs’ first discovery request

• http://www.krollontrack.com/resource-library/case-law/?caseid=26480

• No allegation that company issued cell phones to company or that employees used cell phones for any work-related purpose• Court ruled that the phone and

text messages were not in company’s “possession,” and therefore they had no obligation to produce.

• But limited to a failure to plead issue.

• Case recognizes that it is difficult, if not impossible, for employers to fully control employees’ usage and deletion of data on personal devices.

BYOD might actually help with spoliation issues?

http://www.lxbn.com/tag/cotton-v-costco-wholesale-corp/

1. Performance Management – Close your eyes!• If IT has access to the personal content on phones as well as

business content, how do you close your eyes to ONLY manage business-performance?

• You may see things on device you don’t want to see.

2. Criminal Liability? • Once a device is used to perform work, employers have the right

to the information on it--and they can be held accountable for any laws broken through its use.

3. Terminations and Wiping Devices• Most targeted “wipes” require employee to hand over device• You can typically wipe the entire device remotely, but will wipe

ENTIRE device.

4. International Issues

http://www.eweek.com/mobile/slideshows/byod-brings-benefits-but-dont-ignore-the-risks-isf.html

1. Require employees to consent, in writing, to allow the company’s access to its data on their devices.

2. Check Union Contract3. Restrict BYOD usage by company executives, legal, HR,

and other members of your organization who are privy to highly confidential company information

4. Evaluate which other employees you will permit to BYOD (nonexempt?)

5. Install MDM (mobile device management) software 6. Restrict employees from using cloud-based apps, cloud-

based backup, or synchronizing with home PCs for work-related data (hard to enforce)

7. No use by friends and family members!

8. Rethink your Exit/ Termination process9. Clear statements that include consequences (i.e. if you are

caught sending sexually explicit texts in the workplace you could face termination)

10.Training programs to address mobile liabilities 11.Heightened security measures like remote wipe and other

capabilities 12.Users acknowledge that they understand their personal

devices could get confiscated for unspecified periods, in the event of a legal hold.

13.Explain How Much Device support employees will receive14.Keep track of the BYOD devices in use to ensure adequate

document retention and preservation

Anne DillCorporate AssociateGeneral Counsel

Mia BelkSenior Counsel

Shirley HartNational Leader, End User Technology

Teresa Rider BultManaging/ Administrative Partnertbult@constangy.com