Training seminar for Hawaii Employers Council members on June 13, 2013
Presenters: Elijah Yip, Esq. (Cades Schutte LLP) and Michael Miranda, Esq. (Hawaiian Telcom)
Topics covered:
- Social media in the workplace
- BYOD
- Electronic signatures
Tech@Work: How Employers Can Thrive in the Digital Workplace
2. ELIJAH YIP
- Litigation partner at Cades Schutte LLP
- Practices commercial litigation, media law
- Founder and chair of firm's Digital Media and Internet Law practice group
- Twitter handle: @LegalTXTS
- Hashtag for this training seminar: #hectech
4. TOPICS COVERED
- Social media policies
- Social media in hiring
- Discipline and investigation related to social media conduct of employees
#hectech
@LegalTXTS
5. SM POLICIES - NLRB Memos
- NLRB issued memos on:
  - August 18, 2011: http://1.usa.gov/RXYEOr
  - January 24, 2012: http://1.usa.gov/RXYxm6
  - May 30, 2012: http://1.usa.gov/RXYlTW
- Memos do not have the force of law, but do create risk for employers wanting to adopt certain policies. Must weigh various risks.
6. SM POLICIES - NLRB Memos
- Employers generally can't have a social media policy that prohibits employees from:
  - Harming employer's reputation or criticizing employer on social media
  - Using company information (including trademarks, logos) on personal social media profiles
  - Discussing controversial topics on social media
7. SM POLICIES - NLRB Memos
  - Speaking to media about terms and conditions of employment
  - Airing out work concerns on social media instead of using internal procedures
- On Sept. 7, 2012, NLRB published its first decision on social media, in which it followed the logic of the Guidance Memos in striking down Costco's social media policy
8. SM POLICIES - Guiding Principles
- Deter high-risk social media behavior (i.e., loss prevention for employer)
- Try to comply with employment and labor laws
- Create parameters for appropriate and beneficial social media use
9. SM POLICIES - The Essentials
- Define what "social media" is
- State to whom policy applies; might need more than one policy
- Limit when and how employees may use social media
- Remind employees of dangers and ramifications of using social media
10. SM POLICIES - The Essentials
- Set guidelines for when and how employees may (or may not) use social media on behalf of employer
- Set guidelines on interactions with, or statements about, co-workers
- Set guidelines on interactions with, or statements about, outsiders
- Describe consequences of non-compliance
11. SM POLICIES - Suggested Points
- Limit use of company equipment for purposes of social media activity
- Remind employees to use good judgment
- Permanency of online content
- No such thing as anonymity
- Blurring of work and personal lives
12. SM POLICIES - Suggested Points
- Encourage courtesy and civility
- Prohibit discriminatory remarks, harassment, threats of violence, unlawful conduct
- Remind employees to disclose affiliation with employer when posting content that promotes company or its products/services
13. SM POLICIES - Suggested Points
- Protect intellectual property and trade secrets
- Clarify ownership and control over social media assets
- Link to existing company policies
- Link to applicable professional codes of conduct
- Set guidelines on media relations
14. SM IN HIRING
- 37% of companies are researching job candidates using social networking sites (Source: 2012 CareerBuilder survey)
- Managers may be researching applicants on social media already even if HR doesn't know it
- Need to implement policies to minimize risk
- Gaskell v. University of Kentucky (E.D. Ky. 2010)
15. SM IN HIRING - Password Requests
- 36 states are considering employer social media password request laws
- Bills introduced at the HI legislature this year did not pass
- Possible federal legislation
16. SM IN HIRING - Good Practices
1. Be consistent
2. Limit searches to publicly accessible sites
3. Update hiring procedures/train managers
4. Consider using an HR specialist as a filter
5. If using a third-party vendor, comply with FCRA requirements
17. SM DISCIPLINE - General Rules
- Employees can be disciplined or terminated for their social media conduct, but...
- Beware of violating the NLRA. Ask: Did the employee engage in "concerted, protected activity"?
  - Did the employee discuss the terms and conditions of employment?
  - Did the employee discuss the post or the subject matter with other employees?
  - Was the employee trying to bring a concern to management's attention?
18. SM DISCIPLINE - Example Cases
- Hispanics United of Buffalo, Inc.: Employees posting Facebook messages about co-worker's criticisms of their work habits
- Pier Sixty, LLC: Calling manager nasty names but ending post with "Vote YES for the UNION."
- Design Technology Group, LLC: Facebook messages complaining about manager's denial of request to close store earlier
19. SM INVESTIGATIONS
- EEOC: harassment via social media raises "same types of issues"
- Failure to investigate complaints about harassment and take corrective action could expose employers to liability
- Espinoza v. County of Orange (Cal. Ct. App. Feb. 9, 2012)
20. Michael Miranda
- Maryknoll 1990, UCF, Gonzaga, UH
- Miranda Rights
- Geek Passion
- Coder at Heart
- Cyber Security Spartan
- Hawaiian Telcom
21. Hawaiian Telcom does not specifically endorse any of the companies mentioned in this presentation.
31. HR Considerations
- "Eyeballs" are on SNS; it is the "norm"
- Branding must extend to, and be consistent on, social media sites
- Opportunities to advertise (e.g., LinkedIn)
- Open and public interactive communications
32. Risks and Mitigation
Risks
- Informal communications may become "business" communications
- Critical reviews can hurt your business
- Stolen user account credentials could be used to hurt your image and business
Mitigation
- Be formal with all communications
- Do not conduct transactions on SNS
- Monitor and respond to negative reviews quickly
- Strategize to protect your user account credentials
34. "Hackers destroyed my entire digital life in the span of an hour"
- Victim account info needed:
  - Master email address (for recoveries)
  - Billing address
  - Last 4 digits of a credit card
  - No advanced security beyond password
- Social engineered and exploited procedures to gain access to his accounts with: Apple, Gmail, Amazon and Twitter
35. Damage
- Deleted 8 years' worth of email on Gmail
- Took over Twitter account to broadcast offensive messages
- Erased all data on iPhone, iPad and MacBook
  - Family photos
  - Work documents and email
36. User Account Strategy
- Use a separate business email address for SNS and other business activity, including background checks
- Use an alias email address instead of a real email address (even for recovery email addresses)
38. .com
- Commit to an online presence on the popular platforms
- Treat as a primary communication channel
- Monitor/respond timely and professionally
39. SNS for Business... Securely
- Only for informational business communications. DO NOT:
  - Contract using SNS messaging
  - Transmit or receive sensitive information
- Monitor and respond consistently
- Segregate and protect business SNS accounts
- Use two-factor authentication when available
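The account takeover on slide 34 succeeded because a password was the only barrier. The following Go program is an added example, not code from the deck or from Hawaiian Telcom, showing what the "second factor" recommended above actually consists of: an RFC 6238 time-based one-time password (TOTP), the scheme behind authenticator apps. The shared secret used here is the RFC 6238 Appendix B test secret, chosen so the output can be checked against the published vectors; a real enrollment uses a random secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is the RFC 6238 default time step in seconds.
const Step = 30

// TOTP returns the RFC 6238 code for a shared secret at a given Unix time:
// HMAC-SHA1 over the big-endian time-step counter, dynamically truncated to
// 31 bits and reduced to the requested number of decimal digits.
func TOTP(secret []byte, unixTime int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/Step))

	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)

	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte picks a 4-byte window; the top bit is masked off.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the server side of the exchange. It remembers the highest
// time step already accepted so an intercepted code cannot be replayed.
type Verifier struct {
	Secret   []byte
	lastStep int64
}

// VerifyTOTP accepts the current step, then one step ahead, then one step
// behind (client clock skew), compares in constant time, and refuses any
// step at or below the last accepted one.
func (v *Verifier) VerifyTOTP(unixTime int64, submitted string) bool {
	for _, skew := range []int64{0, Step, -Step} {
		t := unixTime + skew
		step := t / Step
		if step <= v.lastStep {
			continue // already used, or older than something already used
		}
		if hmac.Equal([]byte(TOTP(v.Secret, t, 6)), []byte(submitted)) {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret; a real enrollment uses a random one.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, 6)
	v := &Verifier{Secret: secret}
	fmt.Printf("code %s accepted: %v, same code replayed: %v\n",
		code, v.VerifyTOTP(now, code), v.VerifyTOTP(now, code))
}
```

A code on its own proves nothing unless the server also stops it being used twice, which is why the verifier tracks the last accepted step rather than just recomputing the code.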
60. BYOD Risks
- Costs: cheaper for employees or employers?
- Physical security
  - Weak passcodes
  - Lost or stolen
- Intellectual property theft after job termination
62. Mobile Devices Attacked
"Like it's 1999"
- Phishing scams, malicious web sites/advertisements, malicious apps
- Zbot.ANQ
  - Reportedly installs as a trojan on a Windows computer
  - Social engineers user to install software on mobile phone and to provide phone number to hacker
  - Hijacks SMS messages from banks to steal money
67. LEGAL RISKS OF BYOD
- Employment laws
  - Fair Labor Standards Act (FLSA)
  - Title VII (harassment and hostile work environment)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act (SOX)
68. LEGAL RISKS OF BYOD
- Americans with Disabilities Act (ADA)
- Section 5 of the Federal Trade Commission Act
- Data disposal laws (HRS § 487R-2)
- Security breach laws (HRS § 487N-2)
- Hawaii Uniform Trade Secrets Act (HUTSA)
- Privacy laws
- E-discovery laws
70. FLSA - Overtime Requirements
- Non-exempt employees must receive overtime pay (at least 1.5x regular pay rate) for hours worked over 40 in a workweek.
- Employee doesn't need to be asked to work beyond a 40-hour workweek to be entitled to overtime pay. He/she just needs to perform overtime work for the employer's benefit.
- Employees could rack up overtime by using personal devices for work without the employer's consent if no clear BYOD policy is in place.
71. FLSA - Allen v. City of Chicago
- Chicago police officer sued employer under FLSA for working "off the clock" using department-issued PDAs or other electronic communication devices without receiving overtime pay.
- Officer alleged that PDAs required them to be on call 24/7
- In March 2011, court denied motion to dismiss
- In January 2013, court granted conditional certification of a collective action for the case; 200 officers allowed to join action
72. FLSA - Tips
- Be careful of relying on the de minimis exception
- Track hours worked remotely
- Institute policy requiring prior written authorization to work remotely via mobile device. Make sure to communicate the policy.
75. HIPAA - Requirements
- The issue is patient health information ending up on mobile devices
- HIPAA mandates the "implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." 45 C.F.R. § 164.308(a)(1)
- HIPAA also requires "physical safeguards for all workstations that access ePHI, to restrict access to authorized users." 45 C.F.R. § 164.310(c)
76. HIPAA - Omnibus Rule
- HIPAA Omnibus Rule took effect on March 23, 2013; compliance due date is September 23, 2013
- HIPAA compliance used to be limited to "covered entities" and their "business associates"
- Under the Omnibus Rule, all providers of services to health care providers, health insurers, HMOs and employee health benefit plans must comply if they create, receive, or maintain protected health information on behalf of a covered entity
77. HIPAA - Lost or Stolen Devices
- 40% of large HIPAA rule violations involved lost or stolen devices (per 2012 HHS study)
- HHS: "[H]ad these devices been encrypted, their data would have been secured."
- Consider preventing local storage of patient data on mobile devices
79. GLBA - "Financial Institutions"
- GLBA applies to "financial institutions."
- Scope of "financial institutions" can be broad:
  - mortgage brokers
  - nonbank lenders
  - real estate appraisers
  - educational institutions
80. GLBA - Safeguards Rule
- Each covered institution must develop, implement, and maintain a "comprehensive information security program"
- Program must include "administrative, technical and physical safeguards"
81. GLBA - Safeguards Rule
- Program objectives are to:
  - Insure the security and confidentiality of customer information;
  - Protect against any anticipated threats or hazards to the security or integrity of such information; and
  - Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
82. GLBA - Information Covered
- Applies to all "customer information" in possession of the financial institution
- Information does not have to pertain to a customer of the financial institution
- Can be information of a customer of other financial institutions that provided the information
83. GLBA - "Customer Information"
- "Customer information" is any information:
  - a consumer provides to obtain a financial product or service from the institution;
  - about a consumer resulting from any transaction with the institution involving a financial product or service; or
  - otherwise obtained about a consumer in connection with providing a financial product or service to that consumer
84. GLBA - Risks
- Inadvertent disclosure of customer information
- Malware
- Residual storage of customer information
86. HUTSA - What's a "Trade Secret"?
- HUTSA allows a claim for misappropriation of a trade secret
- Definition of "trade secret" requires that reasonable efforts were taken to maintain secrecy of the alleged trade secret
- Allowing employees to store proprietary data on a personal device can destroy the reasonableness of efforts to maintain secrecy
87. HUTSA - Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
- One of the defendants (Mitchell) used to work for the plaintiff cryogenics company (Kendall)
- While working for Kendall, Mitchell maintained a backup set of proprietary shop drawings at his home (paper & electronic) with Kendall's permission
- After Mitchell stopped working for Kendall, he was not asked to return the drawings
88. HUTSA - Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
- Mitchell then started working for a competing company, which used the shop drawings to develop its product line
- In the lawsuit that followed, trial court granted summary judgment to defendants on the trade secret misappropriation claim
- On appeal, defendants argued that the shop drawings were not "trade secrets" because Kendall didn't take reasonable efforts to protect their secrecy
89. HUTSA - Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
- Plaintiff took these precautions:
  - Stamped shop drawings with a legend barring disclosure or transmission to unauthorized parties
  - Included a confidentiality provision in Mitchell's employment contract
  - Maintained policies "that attest to the company's desire to protect confidentiality and safeguard proprietary information"
90. HUTSA - Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
- Sixth Circuit held that the shop drawings could qualify as "trade secrets" based on those efforts at preserving their secrecy
- Reversed trial court
91. HUTSA - Kendall Holdings, Ltd v. Eden Cryogenics, LLC (6th Cir. Apr. 5, 2013)
- Key takeaways:
  - Be careful of letting employees store proprietary information at home
  - Have employees sign confidentiality agreements
  - Keep an inventory of all info stored at an employee's home
  - Have separating employees sign an acknowledgement that he/she no longer possesses proprietary info
93. PRIVACY - UH Data Breach
- Retired UH professor posted personal data of over 90,000 faculty, students, alumni on a public web server
- Hackers gained access to private records of 53,000 students and employees on the Mānoa campus
- Former student filed class action against UH for violation of constitutional right of privacy
- Lawsuit settled in April 2012
94. PRIVACY - Personal Data
- Potential liability for remote wiping
  - Intrusion upon seclusion
  - Other possible tort claims: conversion, trespass
- Potential liability for accessing personal data on dual-use devices
  - Stored Communications Act
  - Computer Fraud and Abuse Act
95. E-DISCOVERY & BYOD
- Duty to preserve electronic data (litigation holds)
- Practical challenges of e-discovery of data on dual-use devices
  - Identifying BYOD devices/information
  - Collecting data from dual-use devices
  - What data does the employer "control"?
96. Essential Security Controls
- Policies
- Firewall (perimeter and endpoint)
- IPS/IDS
- Encrypted transmissions
- Secure authentication
- Vulnerability management
- Secure systems with updates
- Access control
- Log and event reviews
- Testing and validation
99. MDM Considerations
Feature | Employee Consideration
Company assumes control of most features on the device. | Device is now co-managed with employer, and employer may have visibility into use of personal device.
Company can control which applications can be installed. | Employee will lose certain features once connected to the company network; dependent on company policy.
Isolation of company data. | Can only access company data from approved applications on the mobile device.
Remote wipe of data, and possibly of whole device. | Risk that personal data will also be deleted.
Remote locking of device by company. | Risk that personal use of the device may be blocked by employer upon termination of employment or other HR action.
101. Essential Considerations
- Do you need to support BYOD?
  - Morale, productivity, technology, cost
  - Which devices/OSs? What data? Which applications? Who?
- Essential security controls are primary
  - Network security
  - Systems security
  - Policies
- Additional technologies enhance essential security (not a substitute)
  - VDI, ActiveSync, NAC, MDM
- Essential network security goes a long way
102. Other Considerations
- Working hours
  - BYOD = 24x7 availability
  - Specify response policies for company communications received on employee-owned devices and when overtime applies
- General company policies apply
  - Send official company communications using company email addresses only
  - Use branded company templates for emails
  - Use only the communications technologies specifically approved for use (can't use Twitter if the company does not use Twitter)
  - Phone calls to customers should originate from company phone numbers unless there is an extenuating circumstance
103. BYOD Final Tips
- Keep mobile OS updated and use passcode locks
- Assume the mobile device is vulnerable at all times and only visit known safe sites
- Carefully research apps prior to installation
- Do NOT jailbreak
- Include mobile devices in overall cyber security planning
106. E-SIG - Uses For Employers
- Documents that are impractical to obtain hard-copy signatures for
- Onboarding for new-hire paperwork
  - Form I-9
  - Form W-4
- Benefits administration
107. E-SIG - E-SIGN and UETA
- Federal law: Electronic Signatures in Global and National Commerce Act (E-SIGN)
- State law: Uniform Electronic Transactions Act (UETA), HRS Chapter 489E
- E-SIGN applies to contracts affecting interstate or foreign commerce
- E-SIGN may be overridden by state law where UETA has been adopted
108.
- "Electronic signature" means "any electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."
- Technology neutral. Examples of e-sigs:
  - Typed name or signature block
  - Digitized image of signature
  - Digital signature (public-key cryptography, PKI)
  - Biometric identification
109. E-SIG - E-SIGN and UETA
- E-sigs have the same legal effect as handwritten ones
- Contract not invalid just because an electronic record or signature was used
- If a law requires a record to be in writing, an electronic record satisfies the law
- Use and acceptance of electronic transactions is voluntary
110. E-SIG - E-SIGN and UETA
- Technology neutral
- Certain kinds of documents cannot be e-signed (e.g., wills, foreclosure or eviction notices)
- UETA applies only where each party to an agreement has agreed to conduct the transaction in electronic form
111. E-SIG - E-Sig System Essentials
- Signature must be unique to the person using it
- Signature must be verifiable as belonging to the user
- Signature must be under the sole control of the person using it
- E-sig process must guarantee the integrity of the signature and document, ensuring that the contents of the document remain unaltered
- Capture and preserve the signer's intention that the e-sig has the same force and effect as a handwritten signature
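The five essentials above read like a specification for the "digital signature (PKI)" example on slide 108, and the following Go program is an added illustration of how such a system meets them; it is not code from the deck or from any vendor. A key pair is unique to the signer (essential 1) and the public half lets anyone verify (2); the private half stays on the signer's device or smart card (3), which this example does not model beyond keeping it in memory; the signature covers a hash of the document together with the signer's identity and a captured statement of intent (4 and 5), so altering the document, moving the signature to another document, or attributing it to another person all fail verification. The signer identity, document text and attestation wording are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SignedRecord is the envelope an e-signature system stores alongside the
// document: who signed, a digest of exactly what they saw, the intent they
// expressed, and a signature binding all three together.
type SignedRecord struct {
	Signer      string            // identity the key pair was issued to (hypothetical address)
	DocSHA256   string            // hex SHA-256 of the document as presented to the signer
	Attestation string            // captured statement of intent to sign electronically
	PublicKey   ed25519.PublicKey // lets a relying party verify without the private key
	Signature   []byte
}

// payload is the exact byte string that gets signed. Binding the signer's
// identity and the attestation, not just the document hash, means a valid
// signature cannot be re-used on another document or re-attributed to
// another person without invalidating it.
func payload(signer, docHash, attestation string) []byte {
	return []byte(strings.Join([]string{signer, docHash, attestation}, "\n"))
}

// Sign runs on the signer's side. The private key must remain under the
// signer's sole control (device keystore, smart card); key storage is
// outside this example.
func Sign(priv ed25519.PrivateKey, signer string, doc []byte, attestation string) SignedRecord {
	sum := sha256.Sum256(doc)
	docHash := hex.EncodeToString(sum[:])
	return SignedRecord{
		Signer:      signer,
		DocSHA256:   docHash,
		Attestation: attestation,
		PublicKey:   priv.Public().(ed25519.PublicKey),
		Signature:   ed25519.Sign(priv, payload(signer, docHash, attestation)),
	}
}

// Verify runs on the relying party's side (the employer, or later a court).
// It re-hashes the document it holds and checks the signature over the
// rebuilt payload, so any change to the document, the signer or the
// attestation after signing makes it return false.
func Verify(rec SignedRecord, doc []byte) bool {
	sum := sha256.Sum256(doc)
	if hex.EncodeToString(sum[:]) != rec.DocSHA256 {
		return false
	}
	return ed25519.Verify(rec.PublicKey,
		payload(rec.Signer, rec.DocSHA256, rec.Attestation), rec.Signature)
}

// Demo runs the three checks an auditor would want: the genuine record
// verifies, a document edited after signing does not, and a record
// re-attributed to a different signer does not.
func Demo() (genuine, alteredDoc, reattributed bool) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample document, signer and attestation; not from the deck.
	doc := []byte("Arbitration Agreement (sample text, version 3)")
	rec := Sign(priv, "jane.doe@example.com", doc,
		"I intend this electronic signature to have the same force and effect as my handwritten signature.")

	genuine = Verify(rec, doc)
	alteredDoc = Verify(rec, []byte("Arbitration Agreement (sample text, version 4)"))
	moved := rec
	moved.Signer = "john.roe@example.com"
	reattributed = Verify(moved, doc)
	return
}

func main() {
	g, a, r := Demo()
	fmt.Printf("genuine record verifies: %v\naltered document verifies: %v\nre-attributed record verifies: %v\n", g, a, r)
}
```

What this does not solve is the evidentiary question the next slides raise: a valid signature proves the record was signed with a particular key, and the retention policy and consent records must tie that key to the employee and show they agreed to sign electronically.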
112. E-SIG - Other General Tips
- E-sigs are not new, but legal precedent on the enforceability of e-sigs is still developing
- If you expect the document to end up in litigation, consider using paper signatures. E.g., arbitration agreements, trademark agreements, non-competes
  - Neuson v. Macy's Department Stores
113. E-SIG - Other General Tips
- Obtain each employee's written consent to use e-sigs for HR-related documents
  - Consent is based on the context and surrounding circumstances
  - Better practice is to have the employee or applicant sign a separate written agreement consenting to the use of e-sigs. The consent doesn't need to be separate if the main document to be signed is in electronic form, e.g., a "click-wrap"
114. E-SIG - Other General Tips
- Develop e-sig and document retention policy
- Train employees on the policies
115. E-SIG - Arbitration Agreements
- Employment agreements often contain terms to the effect that the employee agrees to resolve disputes by arbitration
- Courts are split on the enforceability of arbitration agreements that are e-signed
116. E-SIG - Arbitration Agreements
- Not enforceable: Campbell v. General Dynamics Gov't Sys. Corp. (1st Cir. 2005); Kerr v. Dillard Store Services, Inc. (D. Kan. Feb. 17, 2009)
- Enforceable: Bell v. Hollywood Entertainment Corp. (Ohio Ct. App. Aug. 3, 2006)