Tag Archive for Legal

10 Policies to Minimize BYOD Risk

The challenge for employers offering BYOD, according to schnaderworks, a labor and employment blog from Schnader Harrison Segal & Lewis LLP, is finding the right cost/benefit balance for their businesses. In developing an effective “bring your own device” (BYOD) policy, employers must first identify which employees will be eligible for the program, according to the blog.

Once the basic parameters are set, the lawyers stress that a written policy is essential to set up ground rules and permit enforcement to protect the company’s data and other interests. They suggest the following steps are key to establishing an effective BYOD policy:

1. Establish a Mandatory Authorization Process: The lawyers say this should be completed before an employee can use company data and systems on a personal mobile device.

2. Require Password Protection: Each authorized device should have the same password protection as an employer-issued device. According to the article, such protections include limiting the number of password entry attempts, setting the device to time out after a period of inactivity, and requiring new passwords at regular intervals.

3. Clarify Data Ownership: A BYOD policy should specifically address who owns the data stored on the authorized device. It should be clear that company data belongs to the employer and that all company data will be remotely wiped from the device if the employee violates the BYOD policy, terminates employment, or switches to a new device. The policy should also alert employees that it is their responsibility to back up any personal data stored on the authorized device, the article states.

4. Control the Use of Risky Applications and Third Party Storage: Schnader Harrison Segal & Lewis says employers may want to ban the use of applications that present known data security risks, such as the use of “jailbroken” or “rooted” devices and cloud storage.

5. Limit Employee Privacy Expectations: The BYOD policy should clearly disclose the extent to which the employer will have access to an employee’s personal data stored on an authorized device and state whether such personal data is stored on the company’s backup systems. The article recommends minimizing the commingling of company and personal data. Employers may want to install software that permits the “segmenting” of authorized devices. However, no matter what measures the company takes to preserve employee privacy, the policy must emphasize that the company does not guarantee employee privacy if an employee opts in to the BYOD program.

6. Address Any Business-Specific Privacy Issues: Certain businesses are subject to legal requirements about the storage of private personal information (such as Social Security numbers, driver’s license numbers, and credit and debit card numbers) which may need to be addressed in a BYOD policy. The blog points out that HIPAA requires native encryption on any device that holds data subject to the act. An employer may need to put in place processes prohibiting or limiting remote access for certain categories of sensitive data.

7. Consider Wage and Hour Issues: Permitting employees to use an authorized device for work purposes outside of the employee’s regular work hours may trigger wage and hour claims. The lawyers suggest the BYOD policy should set forth the employer’s expectations about after-hours use (such as a requirement that non-exempt employees must refrain from checking or responding to work emails, voice mail, and texts after hours) (rb- Yeah).

8. Ensure Compliance with Company Confidentiality Policies: The author says a BYOD policy should reiterate that an employee using an authorized device must comply with all company policies on confidentiality and the “acceptable use” of company information.

9. Spell Out Procedures In Case of Loss or Theft: The employer should set up a specific protocol to be followed in the event an authorized device is lost or stolen. The blog says the process should include the prompt reporting of a lost or stolen device and the remote wiping of the device.

10. Document Employee Consent: Finally, the law firm, in good lawyer form, suggests the employer should get an employee’s written consent to all terms and conditions of the BYOD policy.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

BYOD Love Affair Waning?

Tom Kaneshige at CIO.com warns that the “Bring Your Own Device” love affair is coming to an abrupt and bitter end, and the lawyers are circling. He argues that in the early days of BYOD, say, last year, employees, especially Millennials, fell madly in love with the idea of using their own Apple (AAPL) iPhones, Google (GOOG) Android smartphones, and newfangled tablets for work. Finally, they could ditch corporate-issued BlackBerrys (BBRY).

BYOD ushered in a new era of consumer tech in the enterprise, one that promised employees and employers would live happily ever after. But the BYOD romance has suddenly turned sour. Employees are questioning corporate intrusion on their personal devices. Did IT turn their beloved smartphone into a spy that tracks their whereabouts? The article says employees are beginning to sense companies taking advantage of BYOD by intruding on personal time to get free work time.

Now they’re thinking about suing. John Marshall, CEO at AirWatch, an enterprise mobile device management (MDM) vendor with 6,500 customers, told CIO, “I anticipate a bunch of little [lawsuits], then something big will happen that’ll be a class action and become headline news.”

CEO Marshall reports that the suits have already started. A federal case winding its way through the courts in Chicago claims that the city owes some 200 police officers millions of dollars in overtime back pay. The case centers on allegations that the city pressured officers into answering work-related calls and emails over department-issued BlackBerrys during off-hours.

There’s no question BYOD blurs the line even more between work life and personal life. The AirWatch CEO, not surprisingly, recommends a Mobile Device Management (MDM) application to control email delivery to BYOD devices. This way an employer can set a business rule that won’t allow delivery of corporate email to a subset of users during off-hours. Or a CIO can address this issue in the BYOD terms-of-use agreement. (rb- Both would be best)

The CIO article offers up another legal nightmare scenario: Lacking MDM tools to block out what can and cannot be seen on a BYOD smartphone, a help desk technician notices that an employee’s device has a lot of personal apps about a health problem—and mentions his concern to the employee in the cafeteria.

“The employee can say, ‘How in the world did you know that?’” Mr. Marshall says. “All of a sudden, something that’s very benign and innocuous turns into something that’s blown out of proportion.” (rb- Help Net Security cites recent U.S. DHSS seven-figure settlements from healthcare institutions that failed to protect patients’ health information under HIPAA regs.)

Mr. Marshall says a comprehensive BYOD terms-of-use agreement, along with transparency about the capabilities and limitations of the technology, will help ward off such scenarios. The IT staff also needs to be educated about their role in a BYOD environment.

However, this doesn’t mean problems won’t crop up. Part of the problem, the article indicates, is that BYOD often puts business unit managers who aren’t well-versed in technical user agreements in a leadership position with mobile apps. They’re likely to give the green light to rogue mobile apps that violate such agreements.

For instance, employees are chiefly concerned about privacy, and especially location-based services, with BYOD, and so many user agreements stipulate that apps will not collect location-based information. But someone who wants to be helpful builds a map app for the corporate campus that allows employees to schedule conference rooms and find safety information, such as where to go if there’s a tornado. AirWatch’s Marshall explains:

Maybe there’s also a button on there that says where you are in the campus … All of a sudden people wake up and realize that every single device using that app is collecting location-based information—that’s an issue. These are really plausible scenarios … There’s so much copy and paste and reuse of all these components that these things can happen very innocently.

Then there’s the dreaded remote wipe, which, according to the article, can land a company in some legal hot water. Help Net Security says there is little to no case law in this area. CIO.com reports that just last year, CIOs said they felt comfortable with BYOD because they held security’s holy grail: remote wipe, a scorched-earth capability for wiping all data on a mobile device.

But employees weren’t happy with the idea that the company can wipe personal data on their personal device. Some employees refused to take part in the BYOD program for this reason. Others waited days or weeks before reporting a lost or stolen device so that IT wouldn’t wipe it.

MDM software advanced quickly and seemed to come up with a fix. Now companies can wipe only corporate apps from a BYOD smartphone or tablet, leaving personal apps untouched. In fact, AirWatch won’t even allow a full device wipe anymore for legal reasons. While this helps tremendously, it doesn’t completely solve the problem.

Mr. Marshall proposed a scenario where a company buys the popular productivity app Evernote for employees to put on their BYOD smartphones. Since the company paid for the app, the company can remove it at any time. The note-taking app collects company data but might also store personal data. An employee can use Evernote to create a shopping list, recipes, vacation plans, or perhaps something more critical to their job.

Guess what happens to this personal data when the employee leaves the company? The app, along with all the data, is wiped from the device and account. If the BYOD terms-of-use agreement about Evernote wasn’t spelled out clearly, who is liable for the lost data?

The bloom is off the BYOD rose, and so companies had better add protections against employee lawsuits in the BYOD terms-of-use agreement and leverage MDM to make sure the agreement is followed.

Truth is, employees tend to get a bit emotional when their privacy is violated or their location is tracked via a mobile device that they personally own. They don’t like their personal data to be wiped, either. When these things happen, companies can expect the wrath of a scorned employee. “That’s where it gets tricky,” Mr. Marshall told CIO.com.

Tony Busseri, CEO of Canadian digital security firm Route1, told Help Net Security:

Along with security concerns, BYOD has brought the potential of major legal issues for the Enterprise … Many current BYOD corporate policies leave enterprise data unprotected in the event of a security breach and during an employee’s exit from the company. The policy of tracking and wiping an employee’s personal device opens the enterprise up to the potential for mass litigation.

rb-

Misco in the UK reported that the majority of employees will not cooperate with employers’ BYOD efforts. According to the data:

  • 82% of the survey participants viewed their employer’s ability to track their location as an invasion of privacy;
  • 82% are concerned or extremely concerned about having their browsing history monitored;
  • 76% stated that they would not allow their company to view the applications installed on their personal mobile devices;
  • 75% said they would not go along with an installation made by their employer;
  • Only 15% had no concerns about employers tracking activities.


US Internet Laws Unequally Enforced

The Internet Society (ISOC) provides a summary of a report from the Fordham Center on Law and Information Policy (CLIP), entitled “Internet Jurisdiction: A Survey of Legal Scholarship Published in English and United States Case Law” (PDF), examining the case law and legal literature analyzing jurisdiction for claims arising out of Internet activity in the United States. The report finds that despite definitive case law, the practice of U.S. courts “lacks uniformity”.

The report concludes that U.S. Internet law jurisdictions are typically set by the Second and Ninth Circuit Courts. The Second Circuit covers New York, Vermont, and Connecticut. The Ninth Circuit covers the west coast of the US from Alaska to California and from Hawaii to Montana.

The CLIP research found that the most frequent Internet jurisdiction issues addressed by the courts are intellectual property and defamation cases. According to Wikipedia, intellectual property (IP) is a legal concept that refers to creations of the mind for which exclusive rights are recognized. Under IP law, owners are granted certain exclusive rights to a variety of intangible assets, such as musical works; discoveries and inventions; and words, symbols, and designs. Common types of intellectual property rights include copyright, trademarks, patents, and in some jurisdictions trade secrets. (rb- I have written a great deal about IP in my Patent Trolling articles.)

The researchers found that 62% of Internet jurisdiction cases centered on disputes about intellectual property. Specifically, 43% of the cases related to trademarks; 20% related to copyright; and 9% related to patents.

Within the Fordham data, there were also 35 defamation cases studied, with 23% of the cases relating to this intentional tort. Wikipedia defines defamation as communicating a false statement that harms an individual, business, product, group, government, religion, or nation’s reputation. Under common law, to constitute defamation, a claim must generally be false and made to someone other than the person defamed.

According to the Fordham research, there are two primary cases the courts use to address most Internet jurisdiction cases. The first is Zippo Manufacturing Co. v. Zippo Dot Com, Inc. IT Law Wiki explains that Zippo created a three-prong test for determining whether a court has jurisdiction over a website. Under this test, there are three types of websites: Commercial, Passive, and Interactive.

Interactive websites, which allow the exchange of information between the website owner and visitors, may be subject to the jurisdiction, depending on the website’s level of interactivity and commerciality and the number of contacts which the website owner has developed with the forum due to the availability of the website within the jurisdiction.

The other key case that Fordham found was Calder v. Jones. IT Law Wiki writes that this case resulted in the “effects test.” The article asserts, “… virtually every jurisdiction has held that the Calder effects test requires intentional conduct expressly aimed at or targeting the forum state in addition to the defendant’s knowledge that his intentional conduct would cause harm in the forum.”

The article concludes that the Zippo and Calder tests remain the dominant ones applied, but that these tests are not mutually exclusive. Although Zippo is most often applied in matters of specific jurisdiction, there exists a varied and, at times, a blurred framework that incorporates the Zippo sliding scale and Calder’s effects test, as well as traditional standards for personal jurisdiction. Therefore, although the landscape for Internet jurisdiction matters has clear, predominant legal standards and tests, on the whole, when and how these are applied by U.S. courts lacks uniformity.

rb-

I am not a lawyer, and of course, you should seek the advice of an attorney.

While I am not a lawyer, I do have common sense, and how is it possible for different courts to rule in different ways on the same topic when they have InnerTubes to rule consistently?

I believe this shows how out of touch the law is from technology.

Some of this could be due to the basic conservative nature of the legal profession.

I also believe that there is money in it for the politicians to make laws that are so confusing that lawyers are needed to understand the law. After all, most Senators are lawyers.


Patent Trolls Going After Users

Patent trolls have changed their tactics by going after users, according to TechEye. Patent trolls have realized that taking on big companies with large legal teams is a risky prospect, so they have started looking for softer targets. Ars Technica is reporting the case of Steven Vicinanza and BlueWave, who received a letter ordering him to pay $1,000 per employee for a license for some “distributed computer architecture” patents.

The blog says the troll in question, “Project Paperless LLC,” claims to have a patent covering the ability to scan documents to e-mail and was demanding money with legal menaces. If BlueWave paid, the troll would have collected $130,000. BlueWave was not the only company the troll went after. Lots of other small and medium companies were being hit.

Steven Hill, a partner at Hill, Kertscher & Wharton, an Atlanta law firm, represented Project Paperless. The attorney told Mr. Vicinanza that if you hook up a scanner and e-mail a PDF document, the company’s patent covers that process. In other words, any company that used office equipment would have to pay up.

In this case, Mr. Vicinanza decided to fight and beat the troll in court. Despite the victory, TechEye says Project Paperless patent claims are continuing to appear. The troll claims were passed to a network of shell companies. Ars found that the patent threats are going out under at least ten differently named LLCs.

These outfits are sending out hundreds of copies of the same demand letter to small businesses from New Hampshire to Minnesota. The article says the troll’s royalty demands range from $900 to $1,200 per employee.

Ars Technica reports that Project Paperless has four patents and one patent application it asserts, all linked to an inventor named Laurence C. Klein. “It was a lot of what I’d call gobbledygook,” said BlueWave’s Vicinanza. “Just jargon and terms strung together—it’s really literally nonsensical.”

Ars provides links to the asserted patents, numbers 6,185,590, 6,771,381, 7,477,410 and 7,986,426. AdzPro also notes it has an additional patent application filed in July 2011 that hasn’t yet resulted in a patent. Ars states that the patents may have been useless from a technologist’s perspective, but fighting them off in court would be no small matter. The problem is that it often costs more in legal fees for small businesses to fight the trolls than it does to pay up and make them go away.

Mr. Vicinanza spent $5,000 on a prior art search and sent the results to the Project Paperless lawyers. He filed a third-party complaint against four of the companies that actually made the scanners, Xerox (XRX), Canon (CAJ), HP (HPQ), and Brother (6448). That could have compelled the manufacturers to get involved in the case.

In the end, Hill dropped its lawsuit against BlueWave and went away, and the case never came to court. However, Ars points to a detailed website called “Stop Project Paperless,” with information about the patents and links to the Hill, Kertscher & Wharton law firm.

TechEye concludes that if a firm wants to make a lot of money from a dubious patent, it is better to sue users than the companies which make products that use it. If Apple wanted to kill off Samsung’s business, all it would have to do is sue every Android user. Most of them would never go to court and would pay whatever Apple demands. That particular scenario is unlikely, but it does show where the antics of patent trolls are headed.

rb-

The politicians tried to work on the problem with the SHIELD Act which I covered here, but that apparently went nowhere. After all, they are too busy driving us all off the fiscal cliff.

Maybe it was top troll Apple that stopped the law from getting a full House vote; Apple is now the biggest patent troll of them all.

So, more proof that Patent Trolls Cost the US $29 Billion, which I covered earlier.


Time to Review Corporate Computer Policies

The National Law Journal is reporting that three recent court decisions make it important for companies to begin a thorough review of their computer policies. The National Law Journal suggests firms focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems, and delineating the scope of the employee’s permissible access to the company computers. The article, by Nick Akerman, a partner in the New York office of Dorsey & Whitney who specializes in trade secrets and computer data, discusses three recent decisions and their implications for creating effective corporate computer policies that protect the company against the theft of its data.

Mr. Akerman says two recent decisions, Quon v. Arch Wireless Operating Co. Inc. and Stengart v. Loving Care Agency Inc., affect a company’s ability to gather evidence from its own computers. The article states both cases found company computer policies insufficient to defeat the employee’s expectation of privacy in using the company computers for personal reasons. Whether an employee has an expectation of privacy on the company computers can become a critical issue when an employee is suspected of having stolen corporate data.

In Quon (which I wrote about here), the 9th U.S. Circuit Court of Appeals held that a review of text messages on pagers provided to municipal police officers violated the Fourth Amendment as an unreasonable search. The article explains that although the city had no express policy “directed to text messaging by use of the pagers,” it did have a general “Computer Usage, Internet and E-mail Policy” applicable to all employees that limited the “use of City-owned computers and all associated equipment, software, programs, networks, Internet, e-mail and other systems operating on these computer” to city business. This policy was acknowledged in writing by each city employee, and it was announced orally that this policy applied to pagers, according to the National Law Journal.

The article goes on to state that the 9th Circuit affirmed the district court’s finding that Quon had a reasonable expectation of privacy with respect to the text messages because the policy did not reflect the “operational reality” at the police department, where the staff was told that the department “would not audit their pagers so long as they agreed to pay for any overages” that exceeded a “25,000 character limit.” Consistent with that informal policy, Quon had exceeded that limit “three or four times and had paid for the overages every time without anyone reviewing the text of the messages,” demonstrating that the police department “followed its ‘informal policy’ and that Quon reasonably relied on it,” the author states.

In Stengart, Mr. Akerman argues, the issue of the computer policies arose in the context of the attorney-client privilege. Marina Stengart used her employer’s laptop computer to communicate with her attorney about an anticipated lawsuit against her employer “through her personal, web-based, password-protected Yahoo email account.” After Stengart filed a discrimination suit, her then-ex-employer found many e-mails on the company computer between Stengart and her attorney. The employer’s computer policy was nearly identical to the policy addressed in Quon, with one significant exception. Unlike the written policy in Quon, which limited the use of the computers to the employer’s business, the policy in Stengart provided that “[o]ccasional personal use is permitted.”

The court found two specific “ambiguities” with the computer policy that “cast doubt over the legitimacy of the company’s attempt to seize and retain personal e-mails sent through the company’s computer via the employee’s personal email account.” First, the “policy neither defines nor suggests what is meant by ‘the company’s media systems and services,’ nor do those words alone convey a clear and unambiguous understanding about their scope.” Second, the court found that one could reasonably conclude “that not all personal emails are necessarily company property because the policy expressly recognizes that occasional personal use is permitted.” Given these ambiguities, Stengart could have assumed her e-mails with her attorney would be confidential.

The National Law Journal article says the third decision relates to a company’s ability to use evidence found on its own computers to bring a viable court action against the disloyal employee under the federal Computer Fraud and Abuse Act to retrieve the stolen data and prevent its dissemination in the marketplace. The CFAA provides a civil remedy for a company that “suffers damage or loss” by reason of a violation of the CFAA. A critical element in proving most CFAA claims is that the violator accessed the computer “without authorization” or “exceeding authorized access.”

The last case, LVRC Holdings LLC v. Brekka, Mr. Akerman argues, has made it more important than ever for corporate computer policies to address what is not permissible access to the company computer system. He reports that Brekka puts into question the concept that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer, such that when an employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers terminates. Brekka refused to apply the CFAA to a theft of employer data, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer.

Although this division in the circuit courts will ultimately have to be resolved by the U.S. Supreme Court, the article says that from an employer’s standpoint it is important to emphasize that the agency relationship with the employee is not the only way to prove that an employee’s access to the company computer was unauthorized or exceeded authorization. Employers can proactively establish the predicate for unauthorized access by promulgating the rules of access through company policies. The “CFAA … is primarily a statute imposing limits on access and enhancing control by information providers.” Thus, a company “can easily spell out explicitly what is forbidden” through several methods, including an employee handbook, the National Law Journal article explains.

Mr. Akerman concludes by suggesting that in designing corporate computer policies and employee agreements, it is important not to lose sight of the well-established operating principle that company computers are company property, and, as such, the company can “attach whatever conditions to their use it wanted to,” even if these conditions are not “reasonable.” Nonetheless, he suggests that in light of Quon, Stengart and Brekka, a company should check its computer policies to make sure that they do the following:

• Clearly define the computer systems covered by the policy; expressly encompass whatever technology is used, such as text messaging or instant messaging; and address not only the servers but removable media such as thumb drives and disks.

• Make clear that all data created in furtherance of any personal use belongs to the company — including use of the company systems to access personal web-based e-mail accounts — and may be monitored by the company and will not be confidential.

• Reflect operational reality and are audited at least annually to ensure they continue to do so.

• Spell out precisely the scope of an employee’s permissible authorization to the company computers, particularly what they are not permitted to do, e.g., access the company computers to retrieve company data for a competitor.

The time to get this right is now before the company finds itself the victim of data theft.
