BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace



  1. BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace MCHRMA Spring Conference April 4, 2014 MINNESOTA COUNTIES INTERGOVERNMENTAL TRUST

  2. PRESENTED BY: Sonya Guggemos MCIT Staff Counsel for Risk Control sguggemos@mcit.org The information contained in this document is intended for general information purposes only and does not constitute legal or coverage advice on any specific matter.

  3. Use of Personal Devices for Work • BYOD: Bring Your Own Device – Trend for employees to use their own smartphone for work purposes – Dual-use device used for personal and professional tasks

  4. How Are Employees Using Their Personal Devices? • Phone calls and voice mail • Text messaging • E-mail • Document review • Drafting documents • Access to computer servers or databases

  5. Why BYOD? • Employee – Convenience and flexibility – Increased productivity – Employer has limited resources • Employer – Believed to be cost-efficient – Increased employee productivity and engagement

  6. Risks to Employer and Employee • Data retention, preservation and retrieval • Data privacy and security • Wage and hour concerns: Fair Labor Standards Act

  7. Bring Your Own Device DATA RETENTION, PRESERVATION AND RETRIEVAL

  8. Data Retention, Preservation and Retrieval • Both government entity and employee may have an obligation to retain, preserve or produce data and/or device – Minnesota Government Data Practices Act (MGDPA) – Litigation hold or discovery – Investigation

  9. Minnesota Government Data Practices Act • Imposes obligation to produce government data and an obligation to make data easily accessible for convenient use • Includes all data collected, created, received, maintained or disseminated by any government entity • Government data is not defined by where it is stored, in what format or how it is used • Responsive government data stored on employee’s dual-use device must be produced

  10. Minnesota Government Data Practices Act • Government entity: Failure to produce data may be a violation of MGDPA • Employee – Failure to cooperate with employer could be grounds for disciplinary action – Willful violation of MGDPA may be just cause for disciplinary sanctions

  11. Litigation Holds and Discovery • Litigation hold: A means by which relevant documents, data and other information are identified and preserved for potential use in a lawsuit • Discovery: Requires production of documents, electronically stored information or things in a lawsuit

  12. Litigation Holds and Discovery • Employers are responsible for maintaining or producing documents or items in possession, custody or control • Failure to comply could lead to court sanctions against the employer, employee or both, depending on circumstances

  13. Investigation • Government entity may need to access sources of data on employee’s personal device in the course of an investigation – Internal complaint – Responding to outside investigations – Investigating a data breach

  14. The Problem • Government entity owns the data • Employee owns the device • Work and personal data are likely intermingled on the device

  15. The Bottom Line • Employee – May be required to provide employer or third-party access to the device or the device itself to avoid discipline or sanctions – This may include access to personal data • Employer – May have limited ability to preserve the data – Employee may have reasonable expectation of privacy in devices and personal data on the device

  16. Bring Your Own Device DATA PRIVACY AND SECURITY

  17. Data Privacy and Security • Government entities and employees are obligated to keep certain government data private, confidential and secure • Minnesota Government Data Practices Act – Requires that government entity establishes and implements appropriate safeguards – Restricts access to data classified as private or confidential

  18. Data Privacy and Security • Health Insurance Portability and Accountability Act (HIPAA) – Requires covered entity or business associate to implement policies and procedures that restrict unauthorized access to electronic protected health information – Includes “individually identifiable health information” • Other privacy or security requirements in law or agreement

  19. The Problem • Government entity is legally responsible for data privacy and security • Employee is responsible for physically securing device and data

  20. Inadvertent Release of Data • Lost or stolen device • Access by friends and family • Malware or computer viruses • Employee upgrades device • End of employment relationship • Remote backup and storage

  21. The Bottom Line • Employer – May be responsible for its employee’s inadvertent release of the data and violation of data privacy laws • Employee – May be subject to discipline for violating personnel, data privacy and security or records retention policies • Both – Other causes of action, such as invasion of privacy, could apply

  22. Bring Your Own Device WAGE AND HOUR CONCERNS

  23. Fair Labor Standards Act (FLSA) • Classifies employees as exempt or nonexempt • Nonexempt employees generally have the right to overtime or comp time for time worked beyond 40 hours • Includes all time “suffered or permitted to work” • Applies if employer knows or has reason to know employee performed work

  24. FLSA and BYOD • Checking and answering e-mail, phone calls and voice mail during nonwork hours may constitute compensable time for nonexempt employees • Possible FLSA violations – Failing to compensate employee properly for hours worked – Failing to keep accurate time records • Could subject employer to fines and entitle employee to back wages and damages, including attorney fees

  25. Bring Your Own Device MANAGING THE RISK

  26. Complex Issue • Risks to BYOD apply to both employer and employee • No one-size-fits-all solution – Depends on the needs and resources of government entity and employees – May differ between departments and positions • Multidisciplinary approach may yield best results

  27. Conduct a Risk Assessment of Current BYOD Use • Who is using a personal mobile device for work purposes? – Exempt vs. nonexempt employees • How often is the device used for work purposes? • Why is the employee using his or her personal device? • How is government data being accessed or stored on the device? • What data or information is being accessed or stored? • How is the data or information classified under the MGDPA? • What security measures are in place on device?

  28. Consider Ongoing and Future BYOD Use • Do the benefits of BYOD outweigh the risks posed and the potential cost of managing those risks? • What is the organization’s comfort level with BYOD? • Are there certain positions or certain uses that are not acceptable risks for BYOD?

  29. The IT Component • Analyze technological capabilities and capacity • Review capacity of IT staff to support employee personal devices and any BYOD requirements • Assess the feasibility of implementing technological strategies for BYOD

  30. Technological Strategies • Password/passcode protection • Encryption • Virtual or remote access • Mobile device management software

  31. Mobile Device Management Software • Placed on employee’s personal device but controlled by employer • Features can include – Password protection and encryption – Remote locking of device – Remote wipe of the device – Tracking lost or stolen device through GPS – Restricting application installation

  32. Mobile Device Management Software • Disadvantage: Improper use could raise issues under Fourth Amendment or federal and state laws – Remote wipe of device may delete entire device – Unauthorized tracking of employees after hours • Best practice: Written informed consent
