Training seminar for Hawaii Employers Council members on June 13, 2013
Presenters: Elijah Yip, Esq. (Cades Schutte LLP) and Michael Miranda, Esq. (Hawaiian Telcom)
Topics covered:
- Social media in the workplace
- BYOD
- Electronic signatures
Tech@Work: How Employers Can Thrive in the Digital Workplace
2. Elijah Yip
Litigation partner at Cades Schutte LLP
Practices commercial litigation, media law
Founder and chair of firm’s Digital Media and Internet Law practice group
Twitter handle: @LegalTXTS
Hashtag for this training seminar: #hectech
4. TOPICS COVERED
Social media policies
Social media in hiring
Discipline and investigation related to social
media conduct of employees
#hectech
@LegalTXTS
5. SM POLICIES – NLRB Memos
Issued memos on
August 18, 2011: http://1.usa.gov/RXYEOr
January 24, 2012: http://1.usa.gov/RXYxm6
May 30, 2012: http://1.usa.gov/RXYlTW
Memos do not have force of law, but do
create risk for employers wanting to adopt
certain policies. Must weigh various risks.
6. SM POLICIES – NLRB Memos
Employers generally can’t have social media
policy that prohibits employees from:
Harming employer’s reputation or criticizing
employer on social media
Using company information (including
trademarks, logos) on personal social media
profiles
Discussing controversial topics on social media
7. SM POLICIES – NLRB Memos
Speaking to media about terms and conditions
of employment
Airing out work concerns on social media
instead of using internal procedures
On Sept. 7, 2012, NLRB published first
decision re social media in which it followed
the logic of the Guidance Memos in striking
down Costco’s social media policy
8. SM POLICIES – Guiding Principles
Deter high-risk social media behavior (i.e.,
loss prevention for employer)
Try to comply with employment and labor
laws
Create parameters for appropriate and
beneficial social media use
9. SM POLICIES – The Essentials
Define what “social media” is
State to whom policy applies; might need
more than one policy
Limit when and how employees may use
social media
Remind employees of dangers and
ramifications of using social media
10. SM POLICIES – The Essentials
Set guidelines for when and how employees
may (or may not) use social media on behalf of
employer
Set guidelines on interactions with, or
statements about, co-workers
Set guidelines on interactions with, or
statements about, outsiders
Describe consequences of non-compliance
11. SM POLICIES – Suggested Points
Limit use of company equipment for
purposes of social media activity
Remind employees to use good judgment
Permanency of online content
No such thing as anonymity
Blurring of work and personal lives
12. SM POLICIES – Suggested Points
Encourage courtesy and civility
Prohibit discriminatory remarks, harassment,
threats of violence, unlawful conduct
Remind employees to disclose affiliation with
employer when posting content that
promotes company or its products/services
13. SM POLICIES – Suggested Points
Protect intellectual property and trade secrets
Clarify ownership and control over social media
assets
Link to existing company policies
Link to applicable professional codes of conduct
Set guidelines on media relations
14. SM IN HIRING
37% of companies are researching job candidates
using social networking sites (Source: 2012 CareerBuilder
survey)
Managers may be researching applicants on social
media already even if HR doesn’t know it
Need to implement policies to minimize risk
Gaskell v. University of Kentucky (E.D. Ky. 2010)
15. SM IN HIRING – Password Requests
36 states are considering employer social
media password request laws
Bills introduced at HI legislature this year did
not pass
Possible federal legislation
16. SM IN HIRING – Good Practices
1. Be consistent
2. Limit searches to publicly accessible sites
3. Update hiring procedures/train managers
4. Consider using HR specialist as a filter
5. If using a third-party vendor, comply with
FCRA requirements
17. SM DISCIPLINE – General Rules
Employees can be disciplined or terminated for their social media conduct, but…
Beware of violating NLRA. Ask: Did the employee engage in “concerted, protected activity”?
Did the employee discuss the terms and conditions of employment?
Did the employee discuss the post or the subject matter with other employees?
Was the employee trying to bring a concern to management’s attention?
18. SM DISCIPLINE – Example Cases
Hispanics United of Buffalo, Inc.: Employees posting Facebook messages about co-worker’s criticisms of their work habits
Pier Sixty, LLC: Calling manager nasty names but ending post with “Vote YES for the UNION.”
Design Technology Group, LLC: Facebook messages complaining about manager’s denial of request to close store earlier
19. SM INVESTIGATIONS
EEOC: harassment via social media raises “same types of issues”
Failure to investigate complaints about harassment and take corrective action could expose employers to liability
Espinoza v. County of Orange (Cal. Ct. App. Feb. 9, 2012)
20. Michael Miranda
• Maryknoll 1990, UCF, Gonzaga, UH
• Miranda Rights
• Geek Passion
• Coder at Heart
• Cyber Security Spartan
• Hawaiian Telcom
21. Hawaiian Telcom does not specifically endorse any of the companies mentioned in this presentation.
31. HR Considerations
• “Eyeballs” are on SNS, it is the “norm”
• Branding must extend and be consistent on
social media sites
• Opportunities to advertise (i.e. LinkedIn)
• Open and public interactive communications
32. Risks and Mitigation
Risks
• Informal communications may become “business” communications
• Critical reviews can hurt your business
• Stolen user account credentials could be used to hurt your image and business
Mitigation
• Be formal with all communications
• Do not conduct transactions on SNS
• Monitor and respond to negative reviews quickly
• Strategize to protect your user account credentials
34. • “hackers destroyed my entire digital life in the span of an hour”
• Victim account info needed:
– Master email address (for recoveries)
– Billing address
– Last 4 digits of a credit card
– No advanced security beyond password
• Social engineered and exploited procedures to gain access to his accounts with: Apple, Gmail, Amazon and Twitter
35. Damage
• Deleted 8 years’ worth of email on Gmail
• Took over Twitter account to broadcast offensive messages
• Erased all data on iPhone, iPad and MacBook
– Family photos
– Work documents and email
36. User Account Strategy
• Use a separate business email address for
SNS and other business activity, including
background checks
• Use an alias email address instead of a real
email address (even for recovery email
addresses)
38. .com
• Commit to an online presence on the popular platforms
• Treat as a primary communication channel
• Monitor/respond timely and professionally
39. SNS for Business…Securely
• Only for informational business communications. DO
NOT:
– Contract using SNS messaging
– Transmit or receive sensitive information
• Monitor and respond consistently
• Segregate and protect business SNS accounts
• Use two-factor authentication when available
60. BYOD Risks
• Costs – Cheaper for employees or employers?
• Physical Security
– Weak Passcodes
– Lost or Stolen
• Intellectual property theft after job
termination
62. Mobile Devices Attacked
“Like it’s 1999”
• Phishing scams, malicious web sites/advertisements, malicious apps
• Zbot.ANQ
– Reportedly installs as a trojan on a Windows computer
– Social engineers user to install software on mobile phone and to provide phone number to hacker
– Hijacks SMS messages from banks to steal money
67. LEGAL RISKS OF BYOD
Employment laws
Fair Labor Standards Act (FLSA)
Title VII (harassment and hostile work environment)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
68. LEGAL RISKS OF BYOD
Americans with Disabilities Act (ADA)
Section 5 of the Federal Trade Commission Act
Data disposal laws (HRS § 487R-2)
Security breach laws (HRS § 487N-2)
Hawaii Uniform Trade Secrets Act (HUTSA)
Privacy laws
E-discovery laws
70. FLSA – Overtime Requirements
Non-exempt employees must receive overtime pay (at least 1.5x regular pay rate) for hours worked over 40 in a workweek.
Employee doesn’t need to be asked to work beyond a 40-hour workweek to be entitled to overtime pay. He/she just needs to perform overtime work for employer’s benefit.
Employees could rack up overtime by using personal devices for work without employer’s consent if no clear BYOD policy is in place.
71. FLSA – Allen v. City of Chicago
Chicago police officer sued employer under FLSA for
working “off the clock” using department-issued PDAs or
other electronic communication devices without receiving
overtime pay.
Officer alleged that PDAs required them to be on call 24/7
In March 2011, court denied motion to dismiss
In January 2013, court granted conditional certification of a
collective action for the case; 200 officers allowed to join
action
72. FLSA – Tips
Be careful of relying on de minimis exception
Track hours worked remotely
Institute policy requiring prior written
authorization to work remotely via mobile device.
Make sure to communicate policy.
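Slide 72's tip to "track hours worked remotely" is only useful if the tracking is actually done against the 40-hour workweek that slide 70 describes. The following is an added example, not the presenters' code: it takes remote-work sessions as a VPN, mail or MDM log might report them (a constructed schema and constructed sample records), buckets them into workweeks, and reports the hours over 40 that must be paid at 1.5x together with the hours worked without prior written authorization. The Monday-start workweek, the $20/hour rate and the employee names are assumptions for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Session is one span of remote work on a personal device, as a VPN, mail
// or MDM log might report it. Constructed schema for this example.
type Session struct {
	Employee   string
	Start, End time.Time
	Authorized bool // prior written authorization to work remotely on file
}

// WeekSummary accumulates one employee's hours in one workweek.
type WeekSummary struct {
	Hours             float64
	OvertimeHours     float64 // hours over 40, paid at 1.5x for non-exempt staff
	UnauthorizedHours float64 // worked without prior written authorization
}

// weekKey returns the date of the Monday starting the session's workweek.
// The FLSA workweek is any fixed 168-hour period; Monday 00:00 UTC is assumed.
func weekKey(t time.Time) string {
	t = t.UTC()
	daysSinceMonday := (int(t.Weekday()) + 6) % 7 // Monday=0 ... Sunday=6
	return t.AddDate(0, 0, -daysSinceMonday).Format("2006-01-02")
}

// Summarize totals hours per employee per workweek and derives the overtime
// hours owed whether or not the employer asked for the work.
func Summarize(sessions []Session) map[string]map[string]WeekSummary {
	out := map[string]map[string]WeekSummary{}
	for _, s := range sessions {
		if !s.End.After(s.Start) {
			continue // malformed record; a real system would log it
		}
		if out[s.Employee] == nil {
			out[s.Employee] = map[string]WeekSummary{}
		}
		wk := weekKey(s.Start)
		ws := out[s.Employee][wk]
		h := s.End.Sub(s.Start).Hours()
		ws.Hours += h
		if !s.Authorized {
			ws.UnauthorizedHours += h
		}
		if ws.Hours > 40 {
			ws.OvertimeHours = ws.Hours - 40
		}
		out[s.Employee][wk] = ws
	}
	return out
}

// OvertimePay applies the FLSA minimum: overtime hours x 1.5 x regular rate.
func OvertimePay(ws WeekSummary, regularRate float64) float64 {
	return ws.OvertimeHours * 1.5 * regularRate
}

// at builds a constructed timestamp in the seminar's week (June 2013).
func at(day, hour int) time.Time {
	return time.Date(2013, 6, day, hour, 0, 0, 0, time.UTC)
}

// Constructed sample: "pat" works five authorized 8-hour days and then two
// unauthorized hours on Saturday; "sam" works two 8-hour days.
var sampleSessions = []Session{
	{"pat", at(10, 8), at(10, 16), true},
	{"pat", at(11, 8), at(11, 16), true},
	{"pat", at(12, 8), at(12, 16), true},
	{"pat", at(13, 8), at(13, 16), true},
	{"pat", at(14, 8), at(14, 16), true},
	{"pat", at(15, 10), at(15, 12), false},
	{"sam", at(10, 9), at(10, 17), true},
	{"sam", at(12, 9), at(12, 17), true},
}

func main() {
	for emp, weeks := range Summarize(sampleSessions) {
		for wk, ws := range weeks {
			fmt.Printf("%s week of %s: %.1fh, overtime %.1fh (unauthorized %.1fh), overtime pay at $20/h: $%.2f\n",
				emp, wk, ws.Hours, ws.OvertimeHours, ws.UnauthorizedHours, OvertimePay(ws, 20))
		}
	}
}
```

The unauthorized hours are reported separately on purpose: under slide 70 they are still owed, so the report is a signal that the authorization policy is not being followed, not a reason to withhold pay.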
75. HIPAA – Requirements
The issue is patient health information ending up
on mobile devices
HIPAA mandates the “implementation of security
measures sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate
level.” 45 C.F.R. § 164.308(a)(1)
HIPAA also requires “physical safeguards for all
workstations that access ePHI, to restrict access to
authorized users.” 45 C.F.R. § 164.310(c)
76. HIPAA – Omnibus Rule
HIPAA Omnibus Rule took effect on March 23,
2013; compliance due date is September 23, 2013
HIPAA compliance used to be limited to “covered
entities” and their “business associates”
Under Omnibus Rule, all providers of services to
health care providers, health insurers, HMOs and
employee health benefit plans must comply if they
create, receive, or maintain protected health
information on behalf of a covered entity
77. HIPAA – Lost or Stolen Devices
40% of large HIPAA rule violations involved lost or stolen devices (per 2012 HHS study)
HHS: “[H]ad these devices been encrypted, their data would have been secured.”
Consider preventing local storage of patient data on mobile devices
79. GLBA – “Financial Institutions”
GLBA applies to “financial institutions.”
Scope of “financial institutions” can be broad.
mortgage brokers
nonbank lenders
real estate appraisers
educational institutions
80. GLBA – Safeguards Rule
Each covered institution must develop, implement,
and maintain a “comprehensive information
security program”
Program must include “administrative, technical and
physical safeguards”
81. GLBA – Safeguards Rule
Program objectives are to:
Insure the security and confidentiality of customer
information
Protect against any anticipated threats or hazards
to the security or integrity of such information; and
Protect against unauthorized access to or use of
such information that could result in substantial
harm or inconvenience to any customer.
82. GLBA – Information Covered
Applies to all “customer information” in
possession of financial institution
Information does not have to pertain to
customer of financial institution
Can be information of customer of other
financial institutions that provided the
information
83. GLBA – “Customer Information”
“Customer Information” is any information:
a consumer provides to obtain a financial product
or service from the institution
about a consumer resulting from any transaction
with the institution involving a financial product or
service; or
otherwise obtained about a consumer in connection
with providing a financial product or service to that
consumer
84. GLBA – Risks
Inadvertent disclosure of customer information
Malware
Residual storage of customer information
86. HUTSA – What’s a “Trade Secret”?
HUTSA allows claim for misappropriation of a
trade secret
Definition of “trade secret” requires that
reasonable efforts were taken to maintain
secrecy of the alleged trade secret
Allowing employees to store proprietary data
on personal device can destroy reasonableness
of efforts to maintain secrecy
87. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
One of the defendants (Mitchell) used to work for the Plaintiff cryogenics company (Kendall)
While working for Kendall, Mitchell maintained backup set of proprietary shop drawings at his home (paper & electronic) with Kendall’s permission
After Mitchell stopped working for Kendall, he was not asked to return drawings
88. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
Mitchell then started working for a competing company, which used shop drawings to develop its product line
In lawsuit that followed, trial court granted summary judgment to defendants on trade secret misappropriation claim
On appeal, defendants argued that shop drawings were not “trade secrets” because Kendall didn’t take reasonable efforts to protect their secrecy
89. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
Plaintiff took these precautions:
Stamped shop drawings with legend barring disclosure or transmission to unauthorized parties
Included confidentiality provision in Mitchell’s employment contract
Maintained policies “that attest to the company’s desire to protect confidentiality and safeguard proprietary information”
90. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
Sixth Circuit held that the shop drawings could qualify as “trade secrets” based on those efforts at preserving their secrecy
Reversed trial court
91. HUTSA – Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
Key takeaways:
Be careful of letting employees store proprietary information at home
Have employees sign confidentiality agreements
Keep inventory of all info stored at employee’s home
Have separating employees sign acknowledgement that he/she no longer possesses proprietary info
93. PRIVACY – UH Data Breach
Retired UH professor posted personal data of over
90,000 faculty, students, alumni on public web server
Hackers gained access to private records of 53,000
students and employees on Mānoa campus
Former student files class action against UH for
violation of constitutional right of privacy
Lawsuit settled in April 2012
94. PRIVACY – Personal Data
Potential liability for remote wiping
Intrusion into seclusion
Other possible tort claims: conversion, trespass
Potential liability for accessing personal data on dual-
use devices
Stored Communications Act
Computer Fraud and Abuse Act
95. E-DISCOVERY & BYOD
Duty to preserve electronic data (litigation holds)
Practical challenges of e-discovery of data on dual-
use devices
Identifying BYOD devices/information
Collecting data from dual-use devices
What data does the employer “control”?
96. Essential Security Controls
• Policies
• Firewall (Perimeter and End Point)
• IPS/IDS
• Encrypted Transmissions
• Secure Authentication
• Vulnerability Management
• Secure Systems with Updates
• Access Control
• Log and Event Reviews
• Testing and Validation
99. MDM Considerations
Feature: Company assumes control of most features on the device.
Employee consideration: Device is now co-managed with employer, and employer may have visibility into use of personal device.
Feature: Company can control which applications can be installed.
Employee consideration: Employee will lose certain features once connected to the company network, dependent on company policy.
Feature: Isolation of company data.
Employee consideration: Can only access company data from approved applications on the mobile device.
Feature: Remote wipe of data, and possibly of whole device.
Employee consideration: Risk that personal data will also be deleted.
Feature: Remote locking of device by company.
Employee consideration: Risk that personal use of the device may be blocked by employer upon termination of employment or other HR action.
101. Essential Considerations
• Do you need to support BYOD?
– Morale, productivity, technology, cost
– Which devices/OSes? What data? Which applications? Who?
• Essential Security Controls are Primary
– Network Security
– Systems Security
– Policies
• Additional Technologies Enhance Essential Security (not a substitute)
– VDI, ActiveSync, NAC, MDM
• Essential Network Security Goes a Long Way
102. Other Considerations
• Working Hours
– BYOD = 24x7 availability
– Specify response policies to company communications received on employee-owned devices and when overtime applies
• General Company Policies Apply
– Send official company communications using company email addresses only
– Use branded company templates for emails
– Use only the communications technologies specifically approved for use (can’t use Twitter if company does not use Twitter)
– Phone calls to customers should originate from company phone numbers, unless there is an extenuating circumstance
103. BYOD Final Tips
• Keep mobile OS updated and use passcode locks
• Assume mobile device is vulnerable at all times and only visit known safe sites
• Carefully research apps prior to installation
• Do NOT jailbreak
• Include mobile devices in overall cyber security planning
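Slides 77, 99, 101 and 103 together describe a single gate: a personal device gets company (or regulated) data only if it is encrypted, passcode-locked, running a current OS, not jailbroken, and not caching regulated data locally, with MDM as the mechanism that enforces it. The block below is an added example, not the presenters' code and not any MDM vendor's API: it evaluates a constructed device inventory against such a baseline and splits it into devices that pass and devices that must be blocked, with the reason for each. The record schema, the minimum OS versions, the six-digit passcode floor and the owner names are assumptions chosen for the example; the decision logic is the general form of what slides 77 and 103 recommend.

```go
package main

import "fmt"

// Device is one BYOD enrolment record as an MDM inventory might export it.
// The schema is hypothetical, constructed for this example.
type Device struct {
	Owner         string
	Platform      string // "ios" or "android"
	OSVersion     [3]int // major, minor, patch
	Encrypted     bool   // device storage encryption enabled
	PasscodeLen   int    // 0 means no passcode lock
	Jailbroken    bool   // jailbroken or rooted
	LocalPHICache bool   // an app caches patient/customer data on the device
}

// Policy is the baseline a device must meet before it reaches company data.
// The values used below are assumed for the example, not taken from the slides.
type Policy struct {
	MinOS          map[string][3]int
	MinPasscodeLen int
}

// olderThan compares versions component by component.
func olderThan(have, want [3]int) bool {
	for i := 0; i < 3; i++ {
		if have[i] != want[i] {
			return have[i] < want[i]
		}
	}
	return false
}

// Evaluate returns every policy violation for one device; an empty result
// means the device may be granted access.
func Evaluate(d Device, p Policy) []string {
	var v []string
	if !d.Encrypted {
		v = append(v, "storage not encrypted")
	}
	if d.PasscodeLen == 0 {
		v = append(v, "no passcode lock")
	} else if d.PasscodeLen < p.MinPasscodeLen {
		v = append(v, fmt.Sprintf("passcode shorter than %d digits", p.MinPasscodeLen))
	}
	if d.Jailbroken {
		v = append(v, "jailbroken or rooted")
	}
	if req, ok := p.MinOS[d.Platform]; !ok {
		v = append(v, "unsupported platform: "+d.Platform)
	} else if olderThan(d.OSVersion, req) {
		v = append(v, fmt.Sprintf("OS %v older than required %v", d.OSVersion, req))
	}
	if d.LocalPHICache {
		v = append(v, "regulated data cached locally")
	}
	return v
}

// Triage splits an inventory into owners whose devices pass and a map of
// owner -> violations for devices that must be blocked until remediated.
func Triage(devs []Device, p Policy) (compliant []string, blocked map[string][]string) {
	blocked = map[string][]string{}
	for _, d := range devs {
		if v := Evaluate(d, p); len(v) == 0 {
			compliant = append(compliant, d.Owner)
		} else {
			blocked[d.Owner] = v
		}
	}
	return compliant, blocked
}

// Assumed baseline and a constructed four-device inventory.
var examplePolicy = Policy{
	MinOS:          map[string][3]int{"ios": {6, 1, 0}, "android": {4, 2, 0}},
	MinPasscodeLen: 6,
}

var exampleInventory = []Device{
	{Owner: "alice", Platform: "ios", OSVersion: [3]int{6, 1, 3}, Encrypted: true, PasscodeLen: 6},
	{Owner: "bob", Platform: "android", OSVersion: [3]int{4, 0, 4}, PasscodeLen: 4, LocalPHICache: true},
	{Owner: "carol", Platform: "ios", OSVersion: [3]int{6, 1, 3}, Encrypted: true, Jailbroken: true},
	{Owner: "dave", Platform: "windowsphone", OSVersion: [3]int{8, 0, 0}, Encrypted: true, PasscodeLen: 6},
}

func main() {
	ok, blocked := Triage(exampleInventory, examplePolicy)
	fmt.Println("compliant:", ok)
	for owner, v := range blocked {
		fmt.Printf("blocked %s: %v\n", owner, v)
	}
}
```

Every violation is reported rather than just the first one, because a blocked employee needs the full list to remediate in one pass, and HR needs it to show that access was withheld on policy rather than on a manager's discretion.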
106. E-SIG – Uses For Employers
Documents that are impractical to obtain hard-copy signatures for
Onboarding for new-hire paperwork
Form I-9
Form W-4
Benefits administration
107. E-SIG – E-SIGN and UETA
Federal law: Electronic Signatures in Global and
National Commerce Act (E-SIGN)
State law: Uniform Electronic Transactions Act
(UETA) – HRS Chapter 489E
E-SIGN applies to contracts affecting interstate
or foreign commerce
E-SIGN may be overridden by state law where
UETA has been adopted
108. “Electronic signature” means “any electronic sound,
symbol, or process attached to or logically
associated with a contract or other record and
executed or adopted by a person with the intent
to sign the record.”
Technology neutral. Examples of e-sigs:
Typed name or signature block
Digitized image of signature
Digital signature (PKI encryption)
Biometric identification
109. E-SIG – E-SIGN and UETA
E-sigs have same legal effect as handwritten
ones
Contract not invalid just because electronic
record or signature was used
If a law requires a record to be in writing,
electronic record satisfies the law
Use and acceptance of electronic transactions is
voluntary
110. E-SIG – E-SIGN and UETA
Technology neutral
Certain kinds of documents cannot be e-
signed (e.g., wills, foreclosure or eviction
notices)
UETA applies only where each party to an
agreement has agreed to conduct the
transaction in electronic form
111. E-SIG – E-Sig System Essentials
Signature must be unique to person using it
Signature must be verifiable as belonging to user
Signature must be under sole control of person using it
E-sig process must guarantee integrity of signature and
document, ensuring that contents of document remain
unaltered
Capture and preserve signer’s intention that e-sig has
same force and effect as handwritten signature
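Slide 108 lists a PKI digital signature as one technology-neutral form of e-signature, and slide 111 lists the five properties an e-sig system must deliver. The following is an added example, not the presenters' code and not any e-signature vendor's product: it shows how a digital signature meets those five properties at once, using Ed25519 from Go's standard library. The signer's key pair is unique to the signer and under the signer's sole control; the public key makes the signature verifiable; the document's SHA-256 hash inside the signed record guarantees integrity; and the signer's intent statement (the wording is taken from slide 111) is signed alongside the document so it is captured and preserved with it. The record layout, the employee identifier and the sample document text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// SignedRecord is the "process ... logically associated with a record":
// what was signed, by whom, when, and with what intent. The field layout is
// hypothetical, constructed for this example.
type SignedRecord struct {
	DocumentSHA256 string `json:"document_sha256"`
	SignerID       string `json:"signer_id"`
	SignedAt       string `json:"signed_at"`
	Intent         string `json:"intent"`
	Signature      string `json:"signature"` // hex; covers every other field
}

// payload returns the canonical bytes that are signed: every field except
// the signature itself. r is passed by value, so clearing Signature is local.
func payload(r SignedRecord) []byte {
	r.Signature = ""
	b, _ := json.Marshal(r) // plain string fields cannot fail to marshal
	return b
}

// Sign binds document hash, signer identity, time and intent statement under
// the signer's private key. Only the signer holds that key (sole control),
// and the key pair is unique to the signer.
func Sign(priv ed25519.PrivateKey, signerID string, document []byte, intent string, at time.Time) SignedRecord {
	h := sha256.Sum256(document)
	r := SignedRecord{
		DocumentSHA256: hex.EncodeToString(h[:]),
		SignerID:       signerID,
		SignedAt:       at.UTC().Format(time.RFC3339),
		Intent:         intent,
	}
	r.Signature = hex.EncodeToString(ed25519.Sign(priv, payload(r)))
	return r
}

// Verify checks that the record verifies under the signer's public key and
// that the document presented now still hashes to what was signed. A failure
// of either means the e-sig must not be relied on.
func Verify(pub ed25519.PublicKey, r SignedRecord, document []byte) (bool, string) {
	sig, err := hex.DecodeString(r.Signature)
	if err != nil || !ed25519.Verify(pub, payload(r), sig) {
		return false, "signature does not verify under signer's key"
	}
	h := sha256.Sum256(document)
	if hex.EncodeToString(h[:]) != r.DocumentSHA256 {
		return false, "document altered after signing"
	}
	return true, "ok"
}

// demo runs the flow on a constructed acknowledgement and reports whether the
// genuine record, an altered document, and a wrong public key verify.
func demo() (genuine, tampered, wrongKey bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	doc := []byte("Form I-9 Section 1 attestation, employee 4711 (constructed sample)")
	intent := "I agree that this electronic signature has the same force and effect as my handwritten signature."
	rec := Sign(priv, "employee-4711", doc, intent, time.Date(2013, 6, 13, 9, 0, 0, 0, time.UTC))
	genuine, _ = Verify(pub, rec, doc)
	tampered, _ = Verify(pub, rec, []byte(string(doc)+" [edited]"))
	wrongKey, _ = Verify(otherPub, rec, doc)
	return genuine, tampered, wrongKey
}

func main() {
	g, t, w := demo()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```

For the retention policy on slide 114, the JSON form of the SignedRecord is what gets kept alongside the document: years later it can still be re-verified against the signer's public key, which is the property a typed name or a pasted signature image cannot offer.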
112. E-SIG – Other General Tips
E-sigs are not new, but legal precedent on enforceability of e-sigs is still developing
If you expect the document to end up in litigation, consider using paper signatures. E.g., arbitration agreements, trademark agreements, non-competes
Neuson v. Macy’s Department Stores
113. E-SIG – Other General Tips
Obtain each employee’s written consent to use e-
sigs for HR-related documents
Consent is based on the context and surrounding
circumstances
Better practice is to have employee or applicant sign
separate written agreement to consent to use of e-sigs.
The consent doesn’t need to be separate if the main
document to be signed is in electronic form, e.g., a “click-
wrap”
114. E-SIG – Other General Tips
Develop e-sig and document retention policy
Train employees on the policies
115. E-SIG – Arbitration Agreements
Employment agreements often contain terms to
the effect that the employee agrees to resolve
disputes by arbitration
Courts are split on enforceability of arbitration
agreements that are e-signed
116. E-SIG – Arbitration Agreements
Not enforceable: Campbell v. General Dynamics Gov’t Sys. Corp. (1st Cir. 2005); Kerr v. Dillard Store Services, Inc. (D. Kan. Feb. 17, 2009)
Enforceable: Bell v. Hollywood Entertainment Corp. (Ohio Ct. App. Aug. 3, 2006)