“Big Data” means different things to different people. In a March 7th speech, Virginia Rometty, Chairman, President and CEO of IBM, provided her take on “Big Data” and I thought she relayed a number of interesting points. Her speech, entitled Competitive Advantage in the Era of Smart, describes a new way for private and public organizations to compete in an era of “Big Data” – data in the clouds, data on smart mobile devices and social networks, and corporations mining data for insights and the competitive edge. To her, “Big Data” is the next natural resource, like oil or electricity, to propel this country forward as everyone will have access to cloud infrastructures, mobile devices and social networks.
Ms. Rometty suggests three “principles of change” – change, not just in technology, but in an evolution of an organization – a cultural way of thinking and acting. All organizations make decisions about capital, people, products and services; create value for those individuals and entities; and deliver value to their customers. Ms. Rometty laid her principles of evolution out as:
- Decisions will be based not on “gut instinct,” but on predictive analytics;
- The social network is the new production line; and
- Value will be created not for “market segments” or demographics, but for individuals.
Let’s look at each principle enunciated by Ms. Rometty.
Principle 1: Decisions will be based not on “gut instinct,” but on predictive analytics
In today’s global community, Ms. Rometty believes that enterprises should move to an analytical decision making model. Why is that? Because every two days we generate the equivalent of all of the data produced up to 2003. With the volume of this data and today’s raw computing power organizations can and should harness this duality to produce accurate and insightful knowledge-based decisions.
Ms. Rometty believes that organizations must use analytical decision-making models to reduce errors, and inadvertent or damaging outcomes. As proof, she pointed first to a global survey of top risk managers that identified the #1 method for identifying and assessing risk – senior management intuition and experience. And second, to the greatest recession of our lifetime – which many believe was caused by an inability to see and manage risk. To illustrate her point, Ms. Rometty cautioned that many of our decisions are subconsciously influenced by our biases – relying too heavily on a single piece of information we have internalized. For example, a doctor hears a patient disclose two or three symptoms out of many, and then makes a diagnosis while discounting those symptoms that do not fit into her predetermined category. The key point to this analytical decision-making model is that:
“[t]his isn’t just a change in tools. It’s a change in mindset and organizational culture. Which is also the greatest challenge it poses: the need to “unlearn” deeply engrained professional and leadership assumptions: . . . How you manage enterprise risk . . . and how you manage an enterprise.”
Ms. Rometty believes the mentality will be not just to learn new skills, but to learn a whole new job. So will we be willing to do that? And how quickly can such predictive analysis be created? Will executives be willing and able to wait for that analysis – I personally don’t think we are there yet. It certainly seems that we all are relying upon gut instinct every day…this would certainly be a hard thing for me to overcome.
Principle 2: The social network is the new production line.
Create intellectual capital! What does that even mean? According to Ms. Rometty, the vast amount of data now produced, the power of the computers, and today’s shared connectivity have now created the means for the production of knowledge – with social networks as the new production line. “In a social enterprise, your value is established not by how much knowledge you amass, but by how much knowledge you impart to others.” So how do you produce knowledge?
The long-term objective is an enterprise expertise model where information is analyzed automatically, content is organized in relevant topics and personalized action plans are created – and where rewards are shaped by who contributes the most and best ideas.
The goal is not to just share information – the connectivity – but actually create experts in an organization. Anyone in an enterprise can become an expert. Could every company, however, hire, compensate, evaluate and promote employees based upon the concept of “shared and catalyzed knowledge”? Ms. Rometty believes most can and will. Every IBM employee now has a social network page, and access to vast amounts of internal and external information sources, blogs and wikis – the ability to create intellectual capital. According to Ms. Rometty, IBM is working toward a future -
in which all IBMers will be rated by their peers and profession, based on how good they are at sharing their knowledge . . . how good they are at making it useful, consumable . . . how well they contribute to the community and to [their] clients’ needs and experiences.
I certainly agree that the ability to communicate, contribute and share is going to be a key factor to success in future organizations!
Principle 3: Value will be created not for “market segments” or demographics, but for individuals.
The rapid emergence of Big Data, social networks, mobile communications, and location tracking software has lessened the inherent value of segmenting consumers – whether public consumers of government services or private consumers of business. “I” and “You” bear today’s fruit. It’s the age of the individual. Today’s technology has created the ability for enterprises to track individual wants, needs and desires, and then to encapsulate that into a good or service targeted to that specific consumer.
In her speech, Ms. Rometty gave the example of how President Barack Obama’s re-election campaign used Big Data analytics and behavioral science to understand how individual voters in key states might react.
Using dynamic models powered by voter contact data, the campaign’s Analytics team ran 66,000 simulations each night to project who was winning every battleground state. They used this data to allocate resources – funding, campaign workers, outreach – in real time. The final simulations of the Ohio vote were accurate to within 0.2 percent.
Companies now must recognize the emergence of this capability to remain competitive in the global market place. Forward-thinkers will use this data and computational ability to actually learn what “You” and “I” want – not what some organization deems “we” want. Ms. Rometty believes, in the end, that organizations and consumers will offer each other measurable value – information about “You” and “I” in exchange for a benefit in return.
Virginia Rometty concluded by saying:
[t]he challenge is not the technology. The challenge, as always, is culture . . . changing our entrenched ways of thinking, acting and organizing. . . . We have, in Big Data, a vast new natural resource, as well as the means to mine it for value. And that is unleashing not only insight and knowledge, but new ways of creating business and societal value . . . and new ways of working that are more flexible, innovative, collaborative, humane.
Erik Brynjolfsson, director of the Center for Digital Business at MIT’s Sloan School of Management, echoed Ms. Rometty’s sentiments (see New York Times, I.B.M.’s Rometty on the Data Challenge to the Culture of Management). “The technology has been available for a few years now to create a management revolution based on big data, and now we’re beginning to see more and more companies undertake the much harder job of reinventing their business process and culture to take full advantage of those technologies.” Based upon the number of targeted ads that we are seeing, I am pretty confident a number of organizations have embraced this last concept!
So what does this mean for you as an individual or an organization? Do you agree that you should disregard your gut instinct and replace it with a “computerized” risk analysis? Do you share and create knowledge and information to increase your market share and demonstrate your expertise – whether via social media or otherwise? And finally, what do you think of the individually targeted culture being created by all of the data mined by organizations? I admit that I don’t know where I stand. As always, we welcome your input!
We are always pleased when colleagues send us posts for our blog. This week, Emily Duke, the Co-Chair of Fredrikson’s E-Discovery Resources and Franchise Groups, wrote about the threat of corporate raiding and loss of sensitive information in the medical device industry. Thank you Emily for the following post:
It seems as though some industries are prone to non-compete and trade secrets litigation, and the medical device industry is one of them. Earlier this month, I read an article about Abbott Laboratories suing Boston Scientific in a corporate raiding case. Abbott alleged that its competitor hired away a vice president of U.S. sales and leveraged the former division VP’s relationships with other employees to try and woo them away . . . something that Abbott claims violated his contract (which, by the way, Abbott says it shared with Boston Scientific once the executive jumped companies).
Frankly, given the close relationships that medical device salespeople can develop with purchasers, doctors, and surgeons – sometimes even going into operating rooms with them – it is not surprising to me that we regularly see these cases in the medical device industry. Abbott’s complaint also claims that some of the salespeople who switched companies emailed sensitive marketing, product launch, sales revenue, and customer information to their personal email accounts (always a bad sign). That information could be impossible, or take years, for any competitor to develop on its own. No wonder the stakes are big and companies are willing to spend time/money in court to protect against these actions!
For any organization, the sales force will be a prime target for competitors. In an industry where the sales cycle is a long one and/or special expertise is needed to understand the product, much less sell it or explain to customers how to use it, there are even bigger payoffs to competitors who can hire away key salespeople. So, the next time a salesperson or employee with key strategic information leaves the job, it might be worth taking some additional steps:
- Find out where they are going (and take note if they refuse to tell you).
- Remind them of any lasting obligations to the company – be it contractual (non-compete, non-solicit, confidentiality) or implied in law (protection of trade secrets . . . which can include customer lists or company marketing or product development strategies).
- A little dose of skepticism also helps – check out the company’s network access logs to see if the departing employee was accessing information, or volumes of information, inconsistent with their prior patterns and unnecessary to their current projects.
- Keep your ear to the ground – if the employee lied about where they were going, they probably lied about other things.
Thanks again to Emily for reminding us that gathering information before key employees leave your company may help you to keep information from walking out the door. Have you had similar experiences? What have you done to protect your employees and data?
My colleague Steve Helland and I were talking this week about data privacy and security at a meeting of the firm’s Privacy group. Steve chairs the firm’s Internet, Technology & E-Commerce group and he recently co-chaired a full-day conference, Data Privacy and Security for In-House Counsel, for the Minnesota State Bar Association. Our group discussed Steve’s takeaways from the conference and I asked whether we could post his summary of the event on the blog. As you can see, Steve agreed.
The following post and checklist were written by Steve Helland and adapted from his presentation on March 21, 2013 at the MSBA data privacy and security conference. Many thanks to Steve for his contributing post…
You can’t do it all, in a field as robust and evolving as data privacy and security. The purpose of this checklist is to describe the core oversight duties of those in the board room and the C-suite, as of spring 2013. As such, this checklist is focused primarily on setting values and priorities, and the assignment of roles, structure, and process.
Please note: (1) There is no one-size-fits-all, so consider the unique circumstances of your organization; (2) Although much has been written about privacy and security generally, law and scholarship specifically regarding the duties of the board and senior management regarding privacy and security issues are significantly less developed.
□ Decide, preliminarily, the relative importance of privacy and security issues to your organization.
Comment: Consider the following:
(1) Are you in a highly-regulated field such as finance or healthcare?
(2) Do you control or have access to large amounts of data?
(3) Are trade secrets or other proprietary information especially valuable assets?
(4) Importance of customer expectations and public perception?
(5) What are your competitors doing?
(6) Any known substantial and specific threats / risks?
Benchmark: Corporate directors (48%) and general counsel (55%) listed “data security” as their number-one concern (ahead of operational risk and company reputation). Source: 2012 Corporate Board Member / FTI Consulting, Inc., “Law and the Boardroom Study: Legal Risks on the Radar.”
□ Allocate reasonable financial, human, and technical resources.
(1) Do you have confidence in your IT team / CIO?
(2) Do they have a sufficient budget?
□ Philosophy: Treat trade secrets, “Big Data,” and other critical proprietary information with the same level of care and attention you devote to the preservation and growth of other core assets.
□ Appoint a [Chief Privacy Officer (CPO)][Chief Information Security Officer (CISO)][other management-level person with “privacy and security compliance” as an explicit or sole component of the job description].
(1) For this item, like virtually all others on the checklist, the minimum duty will vary with the size of the organization and the quantity and type of information and data held (including whether the industry or data-type is regulated, such as health organizations under HIPAA or financial organizations under Gramm-Leach-Bliley, or any entity collecting information from children on-line under COPPA).
(2) This person should monitor for compliance requirements: (a) applicable law; (b) contractual obligations (e.g., in NDAs or security provisions in other agreements); (c) your own policies; (d) certification / compliance programs in which you participate (e.g., EU Safe Harbor, TRUSTe); (e) industry norms (as falling short may be negligence).
Benchmark: Among smaller and mid-size organizations, a dedicated Chief Privacy Officer is still relatively rare.
□ Retain [or at least identify] experienced legal counsel.
(1) Receive updates on legal developments from time to time.
(2) Involve in substantial transactions such as M&A and key vendors.
(3) If there is a substantial international component to your data and security issues, strongly consider retaining country-specific or region-specific legal counsel.
□ Retain [or at least identify] computer forensic consultants; other consultants such as PR.
(1) In the event of a breach and/or an event that may involve litigation, I recommend an outside computer forensic firm.
(2) This item may be most appropriate for larger organizations.
(3) This item is more appropriate to a CIO or General Counsel, and not the board-level.
□ Assign a committee of the board with oversight of privacy and security issues, and explicitly add responsibility for privacy and security to the committee’s charter. Consider creating a committee if no appropriate committee exists. (e.g., a “Risk Committee” (or similar) for which privacy/security could be one aspect of enterprise risk.)
Comment: Applicable for larger entities. This could also be housed in a Risk Committee, Compliance Committee, or other committee of the board. Smaller entities may prefer to keep this function within the full board.
Benchmark: Among Global 2000 entities, 96% have an Audit Committee, 56% have a Risk / Security Committee, and 23% have an IT / Technology Committee. Source: “Governance of Enterprise Security: CyLab 2012 Report,” Jody R. Westby.
□ Receive information. The board and senior management should receive periodic reports and information from the CIO, IT and General Counsel regarding significant security risks, issues, breaches, and other items.
Comment: The board of directors and senior management should receive enough information to be familiar with the organization’s top privacy and security issues and how the organization is managing those items.
□ Conduct an audit. Include administrative, technical and physical elements.
(1) Oversight by full board or a committee such as the Audit Committee.
(2) Self-audit vs. outside audit?
(3) Brand-name audits such as (old) SAS70 (new) SSAE 16?
(4) If possible, benchmark your organization against similar organizations to avoid falling behind (negligence for failing to meet industry-standard).
(5) Do you know what your own policies are and do you follow them?
(6) Do you comply with contractual or similar obligations to others (e.g., abide by NDAs; Payment Card Industry requirements)?
(7) Focus on the most important assets.
□ Written policies. Then communicate and train.
□ Agreement tool kit.
Comment: Make available solid templates for: NDAs or similar with employees, vendors, partners. Specialized agreements as required such as Business Associate Agreements under HIPAA. The agreement tool kit should be disseminated to appropriate personnel with contracting authority, along with training in how to use, plus report and track exceptional terms and requirements.
□ Diligence on key vendors and partners. How are their practices? Any breaches?
Comment: This may be as simple as a Google search: you don’t want to be partners with a known data-bungler. Include privacy and security diligence as part of M&A and other major transactions.
□ Review insurance coverage.
Comment: Is general liability, errors and omissions sufficient? Consider “cyber risk” or “privacy liability” coverage (there’s a difference between these two). Be cautious regarding exclusions, especially “force majeure” / “act of God/war,” in light of foreign-government-sponsored hacking.
Benchmark: Only 35% of public companies have cyber insurance. Source: Chubb 2012 Public Company Risk Survey.
□ Revisit privacy and security issues from time to time; stay current.
□ Ensure at least one member of the board is knowledgeable in IT issues.
Comment: If your full board still isn’t sure what the Internet is and doesn’t use email, they will not be in a position to critique inputs on all of the above.
Thanks so much to Steve for his contributing post!
We are addressing data privacy and security with our clients on a regular basis in many different areas and industries (e.g. employment and trade secret – healthcare and financial services, and many more). So now that you have gone through Steve’s checklist, where do you all stand when it comes to data privacy and security? As always, we would love to hear from you.
We have been discussing the risks personal devices can pose for business data corruption, loss or theft quite a bit of late. These issues were also highlighted at the RSA Security Conference (a gathering of security industry experts) and we have focused our attention to online security, personal information privacy, and business data risks.
So, let’s review. In IBM’s Plan to Manage Smart Phone Security Issues – Not Just About “Is Siri an Apple Spy?”, we reviewed different protocols and procedures for managing employee use of personal electronic devices. We talked about the need for businesses to recognize and adapt to a corporate life with BYOD because – let’s face it – personal devices are here to stay. We firmly believe that with policies, education and training employees should at least gain a minimal understanding of the potential security danger of commingling personal and business data, the vulnerability of unauthorized electronic intrusions (See our post: And Yet Another Security Risk to Mobile Devices . . . Malware), and the ultimate cost to a business for lost or stolen data, including trade secrets. These steps can also protect your organization should you be required to remote wipe a device that is lost, stolen or “removed” by a departing employee.
What we have seen, unfortunately, is that even with the best policies, education and training, no service or device is fully secure – whether the result of state sponsored hacking of U.S. companies by other governments, or cyber intrusions by groups like Anonymous. Security vulnerabilities exist. This is but a short list of some of the recent security breaches: Google’s two-step login verification process was bypassed allowing control of a user’s account; Evernote, a Web-based note-sharing service, reset 50 million users’ passwords following an attack into users’ accounts; Facebook, Apple, Microsoft and Twitter have reported recent cyber-attacks; like Evernote, Twitter reset the passwords for 250,000 accounts whose encrypted passwords may have been accessed; and Dropbox, an electronic storage service, reported a large loss of data for a number of subscribers. (For more information, see NBC News, Evernote resets 50 million passwords after hackers access user data, Google patches ‘loophole’ in two-factor verification system, and His firm accused China of hacking the US; now he awaits the consequences).
The problem is that once an employee removes corporate data from the network, protecting and securing that data becomes much harder. “My peers are killing me,” John Oberon, information technology chief for Mashery, a 170-employee company that helps other companies build applications, reported to the New York Times, Where Apps Meet Work, Secret Data Is at Risk. “[T]here’s only so much you can do to stop people from forwarding an e-mail or storing a document off a phone.” (This is still one of the main ways employees take data…) And employees will find their own ways to connect with one another. Indeed, Netflix recently found its employees using 496 applications for data storage, communications and collaboration. Yikes. “People are going to bring their own devices, their own data, their own software applications, even their own work groups,” said Bill Burns, director of information technology infrastructure at Netflix. The question becomes what are you doing as an organization to monitor, limit or otherwise control what employees are doing on their devices? Is it enough?
And what if the security dilemma is really not the employee’s fault? HTC America, a global manufacturer of devices, recently settled a complaint with the Federal Trade Commission. The FTC alleged that HTC America failed “to take reasonable steps to secure software” in its Android, Windows Mobile and Windows Phone smartphones and tablets. According to NBC News, HTC subject to 20 years of security reviews because of holes, the FTC reported that “[t]he company didn’t design its products with security in mind.” “HTC introduced numerous security vulnerabilities that malicious apps could exploit to gain access to sensitive data and compromise how the device worked.” Even worse, the FTC alleged “HTC pre-installed a custom app that could download and install apps outside of the normal Android permission process.” To settle the FTC matter, HTC America agreed to create and push software patches to millions of its mobile devices, and to accept independent security assessments for the next 20 years. This case represents the first time the FTC has pursued a mobile device company over security concerns, or ordered a company to create and push a software fix as part of a settlement.
In the end, whether caused by employees or by device manufacturers, security issues cost businesses money. Security concerns can waste valuable IT time and money, and more importantly hurt a business’ reputation with its customers. So, what are you doing? I have been talking with CIOs and industry experts to gain different perspectives and options for addressing data protection and security concerns. I will post some conclusions and suggestions in the weeks to come. In the meantime, we would love to hear what you are doing.
We have talked in the past about whether use of social media during the workday increases employee productivity (see Time Suck or Morale Booster? How Does Social Media Impact Employee Productivity?). The question of technology and productivity was recently addressed in a little different light by Randstad, a global provider of HR and staffing services, in its most recent Employee Engagement Index survey (see Does 24/7 Connectivity Equal Increased Productivity?). The survey looks at whether constant connectivity through technology equates to greater productivity for women workers. The survey shows that 42 percent of women and 47 percent of men believe that it is increasingly difficult to disconnect from work while at home. The majority (68 percent) of women and (59 percent) of men also did not believe that the work/home connectivity had increased their productivity.
“As enhanced technologies and increased access to information continues to blur the lines between our professional and personal lives, many workers mistake being busy for being productive,” said Linda Galipeau, Randstad CEO of North America. “These are two very different concepts that when looked at from an organizational standpoint – could have serious implications for a company’s bottom line. We are only productive if we’re producing the results that are most impactful to our goals. Being that we live in a multi-tasking world, it is important to work smarter and hone in on those high-impact efforts that will create more meaningful results. This is incredibly important, especially as women and men can now perform their jobs from almost anywhere.”
So what does this actually mean for you and me?
Whether men or women, we all certainly fall into the trap of a 24/7 work environment. I am sure you would agree that the clock is hard to turn off – whether at 5:00 p.m. on a regular workday, or while on “vacation” with the family. The reality is that technology has enhanced connectivity and increased the expectation of instant communication – peer to peer, business to client, supervisor to employee. Good or bad, business now moves at a rapid pace. Technology shapes our workplace and drives continuous access to the office. “There’s also a downside to this culture because sometimes workers feel that in such a fast-moving environment, they’re obligated to be available at all times and that by disconnecting, you risk falling behind at work,” Kristin Kelley, Randstad’s executive vice president for marketing, reported to the Boston Globe, Does technology make us more productive workers? But in the end, technology, like all things intense, can (if you let it) lead to burn-out, undue stress, health and wellness issues, and a poor work/life balance.
Can we unplug?
Certainly – the choice is ours. We, and I am as guilty as anyone, must recognize that by disconnecting once in a while we will achieve a greater work/life balance. When we do – we recognize that balance produces better work and home relationships, lowers the intensity of the work day, along with our stress levels, and refocuses our efforts at work (making the work we do more productive). Disconnecting, however, proves incredibly difficult to achieve. It’s easy to say I am not going to answer that work email at night, or look to see who is calling on a Saturday. The difficult part, like any addiction, is to put the proverbial rubber to the road. I try – admittedly only sometimes. But, more often than not, I answer that email, check that phone message, or see who just texted in the middle of the night – because my phone is right next to my bed. I am bound by and “addicted” to the power of instant communication. But the question remains whether the instant communication actually increases productivity, or whether I am simply lost in a world of “constant partial attention” (a term introduced to me by one of my clients, Paul DeBettignies, IT Recruiter and author of the Minnesota Headhunter Blog.) It’s a good question to ponder.
So, how do you unplug? When you do, does it increase your productivity and your work/life balance? Let us know what you think.
Question: What happens when a company “hijacks” a former employee’s LinkedIn profile? Answer: In some cases, that employee sues for identity theft and invasion of privacy. The bigger question right now is whether that employee will prevail – particularly when she pursued her case without the assistance of a lawyer. Some of you may recall the Linda Eagle v. Edcomm case – which centered on a former employee’s claims that the company wrongfully misappropriated her LinkedIn account after she left the company.
That lawsuit was tried to the United States District Court for the District of Pennsylvania in November 2012. The Court heard oral arguments on post-trial motions on Wednesday and promised to issue a decision soon. So, while we are waiting for that decision, let’s look back to the facts which prompted the lawsuit.
The lawsuit centered on the following allegations. Eagle worked for Edcomm in an executive position. When she was terminated, Edcomm took over Eagle’s account by using her username and password, replacing her picture with that of another employee, but leaving Eagle’s honors, awards, recommendations and connections. Eagle claimed she was wrongfully locked out of the account and that Edcomm hijacked her identity and invaded her privacy.
Eagle admitted that she created and used her account to promote Edcomm’s banking education services; foster her reputation as a businesswoman; reconnect with family, friends, and colleagues; and build social and professional relationships. While she was employed with Edcomm, she admitted another employee assisted Eagle in maintaining her LinkedIn account and that employee had access to Dr. Eagle’s password.
Edcomm had a different story. Edcomm encouraged its employees to use LinkedIn. It further urged employees to create LinkedIn profiles, with Edcomm templates, and with Edcomm email addresses. Edcomm, you see, asserted at trial that its policies “claimed ownership” over any LinkedIn account created with an Edcomm email address; that is, the LinkedIn account (and everything contained there) was the property of Edcomm. (We are not privy to that policy so can’t comment on its effectiveness.)
Edcomm claimed that because of this policy, it could “mine” all of the contacts or information in a former employee’s LinkedIn account, so long as Edcomm did not steal that former employee’s identity. Eagle had created her LinkedIn account with an Edcomm email address and used Edcomm resources to maintain and supplement her LinkedIn profile. Finally, Edcomm asserted that when it took over Eagle’s LinkedIn profile, it replaced her picture, her experience, education, etc. and that the profile would not have been mistaken for Eagle’s. Edcomm also later gave Eagle back her account.
I have to admit that Edcomm’s side of the story sounds pretty valid. Yet, Eagle still sued, asserting the following claims: 1) violation of the Computer Fraud and Abuse Act; 2) violation of the Lanham Act; 3) invasion of privacy for misappropriation of identity and publicity; 4) identity theft; 5) conversion; 6) tortious interference with contract; 7) civil conspiracy; and 8) civil aiding and abetting. Edcomm then asserted counterclaims for misappropriation, unfair competition and conversion (of a laptop computer).
In an October 4, 2012, Order, the Court dismissed the Computer Fraud and Abuse and Lanham Act claims, but permitted the state law claims to go to trial. In its post-trial submissions, Edcomm requested that the Court dismiss Eagle’s claims and further requested that the Court award Edcomm $41,000.00 in damages against Eagle. We will see how it turns out.
So from these facts, what could Edcomm have done better and what did Edcomm do right? Here are my takeaways:
1. Define (via agreements and policies) the difference between personal and business social media sites. If you want to retain the LinkedIn profile after an employee departs, make sure that employee knows he/she does not own that profile. Edcomm probably could have done a better job with this.
- If you do this, some employees will not choose to create accounts that you can later claim as your own. You may choose instead to do this on an individual basis for certain employees who have a big social media presence – those who are the “face” of your company.
- When in doubt, address the ownership as soon as you learn about a site that might impact both personal and business. Don’t wait until the employee departs the company.
2. Ensure that you have administrative rights and passwords to all sites designated as “business.” Many lawsuits arise because employees leave and convert the sites for personal use, refusing to return the site or administrative access to the site. Edcomm had the administrative passwords, but there was a question about whether they were entitled to use them (see number 1 above).
3. Ensure that you have defined (via agreements or policies) that the company not only has the right to access the site, but also owns all site content. That is, you want to preclude an employee’s right to claim ownership to content after the fact (other than clearly personal information, such as name, education, experience, awards, honors, etc.). It is not clear from Edcomm whether this aspect was appropriately defined.
4. Know that recent legislative movements may impact the right to access or otherwise demand access to sites that contain both personal and business-related information. (See Emerging Issues in Social Media – The Status of Social Media Password Legislation)
In short, it is always better to clearly define ownership of content and the social media site before a lawsuit is filed. If you have had issues with ownership of your social media sites, we would love to hear your story.
I had the pleasure of speaking at the Minnesota Mid-Market CIO Executive Summit, presented by Evanta, on January 31, 2013. The topic of the discussion – Every CIO’s Potentially Overlooked Responsibility: The Unknown Legal Risks of BYOD and How to Protect Your Environment. My presentation was sponsored by Renodis and I was joined in my presentation by Reynaldo Lyles, a Mobility Practice Leader at Renodis.
Reynaldo and I had met several months before to discuss how we could collaborate and present on the topic of Bring Your Own Device (“BYOD”). Reynaldo brings the technical expertise about how to best manage mobile devices, including controlling data and information on mobile devices (See e.g. his blog post: The Real Costs of BYOD and How to Contain Them). I, on the other hand, am much more focused on the legal risks associated with the use of mobile devices in the workplace and the practical legal solutions to those risks (See e.g. Discovery of Information on Personal Devices Still At Issue In Trade Secret Disputes). Evanta’s CIO Executive Summit provided the perfect opportunity for Reynaldo and me to pair up to discuss this important issue.
I am certain that most of you either use a company-provided mobile device (or several of them), or you use your own personal mobile device for work purposes. If you are an employer, you probably have employees who do one or both. So – what were some of the risks that Reynaldo and I talked about? Our presentation touched on:
- E-discovery and data preservation issues – what happens to critical/relevant data contained on a personal device should a key witness in a piece of litigation, or a potential claim, leave the company?
- Overtime considerations – permitting employees to use personal mobile devices will likely increase claims for unpaid overtime if employers have not thought about how best to track, record and pay for that work time.
- Harassment and discrimination – if employees are interacting with each other on personal devices, will this make it harder for employers to monitor that interaction to ensure that employees (and supervisors) are following the employer’s policies?
- Privacy concerns – with the use of a personal device, there will necessarily be a mix of personal and work information or data on the personal device. What policies do you have in place to ensure that you have the right to access the data on the device and what precautions, if any, have you taken to protect the personal private information?
- Monitoring content on personal devices – do you have the right to monitor content on a personal mobile device?
- Confidentiality and loss of trade secrets – what right do you have to the personal device should the employee leave the company? If the employee leaves “in the middle of the night” and takes the personal device, with all your company data, do you have the right (and the ability) to remote wipe the device, or a portion of the data on the device?
Reynaldo and I agreed the first place to start with each of the legal risks above is a solid BYOD policy. However, that policy should align closely with the IT procedures that are being used on any personal device (that is, HR and IT and Legal all need to work together!). The policy should touch on issues such as:
- Consent to remote wipe;
- Consent to audit/monitor;
- No expectation of privacy in the contents of the personal device;
- An acknowledgement that the use of the device is subject to other company policies, like anti-discrimination, codes of conduct, etc.; and
- What happens at termination of employment (spelling out how you get your data back).
Reynaldo offered the audience ideas about how to technically manage the data and information on the device. He noted that Renodis could provide the mobility management tools to audit devices, monitor content and activity (in real-time or not), protect data or limit access (such as geofencing – establishing a virtual fence to keep devices in a specific area or to trigger a warning or action if they enter or exit the fence; or sandboxing – keeping corporate information separate from personal information), as well as tools or proactive policies which would remote wipe a personal device if necessary. He noted, however, that before those mobility management tools are in place, you had better be sure to have your BYOD policy in place to help manage the legal risks!
Reynaldo and I had a great time talking about this topic and our audience had some great questions. What issues are you facing with BYOD? How are you dealing with them? We would love to hear from you.
Can the Government Seize Your Mobile Devices at the Border? If so, What Happens to Your Company’s Data?
The federal government currently enjoys, and has historically held, broad powers of search and seizure of persons and electronic devices at border crossings into the United States. The Fourth Amendment’s prohibition against unreasonable searches and seizures does not apply at the border – courts have based that governmental power on its interest in combatting crime and terrorism. Recently, however, several cases have been filtering through the federal courts challenging the government’s broad powers at the borders. According to the New York Times – Border Agents’ Powers to Search Devices Is Facing Increasing Challenges in Court, “several court cases seek to limit the ability of border agents to search, copy and even seize travelers’ laptops, cameras and phones without suspicion of illegal activity.”
As an individual or as a business, you might say: 1) my business does not take me (or my employees) outside of the United States; or 2) neither I (nor my employees) act like terrorists or associate with terrorist groups – so why should this concern me? For the most part you might be right – the number of such searches is fairly small. The New York Times reported that between October 1, 2011, and August 31, 2012, 11.9 million travelers were referred to secondary screening (an enhanced screening and interrogation process) upon entering the United States. Of those chosen for enhanced measures, 4,898 searches included electronic devices.
The Department of Homeland Security disclosed to the New York Times its policy on electronic searches saying that “officers can keep these devices for a ‘reasonable period of time,’ including at an off-site location, and seek help from other government agencies to decrypt, translate or interpret the information contained. If travelers choose not to share a password for a device, the government may hold it to find a way to gain access to the data.” So how long can the federal government hold your device and your data? That is an open question.
In one federal case, House v. Napolitano, border agents at Chicago O’Hare Airport confiscated a laptop, camera and USB drive from David House, a computer programmer, and kept his devices for seven weeks. The Complaint asserted the following:
Plaintiff challenges as a violation of the First and Fourth Amendments the prolonged seizure of his laptop computer and other electronic devices and the review, copying, retention, and dissemination of their contents. Plaintiff also alleges that the materials seized by the government contain confidential information identifying members and supporters of a political organization, the Bradley Manning Support Network, and that Defendants’ review, retention, and disclosure of that information intrudes on the right of associational privacy protected by the First Amendment. Plaintiff seeks a declaratory judgment that the search and seizure violated the First and Fourth Amendments, and an injunction requiring Defendants to return or destroy any seized data in their custody or control and to inform Plaintiff whether that data has been disclosed to other agencies or individuals.
(You might recall, Pfc. Manning is the former military intelligence analyst accused of leaking documents to the group WikiLeaks.) The Federal District Court in Massachusetts already denied the government’s motion to dismiss the case. The judge ruled the government did not need reasonable suspicion to search someone’s electronic devices at the border, but the power did not strip Mr. House of his First Amendment rights.
In another example reported by the Times, Laura Poitras, a documentary filmmaker and recipient of a 2012 MacArthur Fellowship, estimated she had been detained at the U.S. border more than 40 times. After one trip abroad in particular, the government seized her laptop, camera and cellphone for 41 days and copied her notes and credit card.
The legal question remains whether confiscating an electronic device for days or weeks, and analyzing its data at an off-site location, goes beyond a permissible border detention and search. For many individuals, this question might not matter. But companies that issue mobile devices to employees should care about this issue. Many employees go on vacation abroad… and how many of those employees take your company-provided mobile devices with them on vacation – whether a laptop, smartphone, or tablet? Or maybe your company permits employees to bring their own device (“BYOD”) to work – and your confidential information is stored on your employees’ personal devices. I certainly take my mobile devices with me. And I would guess most, if not all, of your employees do the same.
What would happen if, for some unknown reason, the government seizes your employee’s work computer or mobile device for weeks or months? What personal or confidential business information might be compromised by such a detention and seizure? Although this issue arises with relatively small frequency, it’s always important to think about the confidential information we carry around with us on a daily basis – whether we travel outside of the U.S. for business or pleasure or are simply running an errand to the local store.
This reinforces the need to secure your mobile devices and have contingency plans in place if they go missing, or as these examples suggest – the government seizes them. Do you have a plan in place? Do you have the resources and tools in place to manage and control the information on those devices? Let us know what you have done. As always, we look forward to hearing from you.
In trade secret litigation, we often seek to uncover whether a former employee has taken confidential trade secret information and stored it on a personal device, such as a smartphone. We sometimes do so by seeking to obtain a forensic image of the device, and then we craft protocols to help discern personal information unrelated to the lawsuit from the relevant company information. Other times we craft broad discovery requests that cover any potentially relevant information on a personal device. Sometimes we seek to recover the smartphone itself, despite the fact there might be personal information contained on the device. As a result of these different approaches, discovery disputes continue to arise about the proper scope of such discovery.
For example, a New York trial court ordered a former employee to surrender his iPhone to the business firm’s attorneys in a trade secret dispute despite the former employee’s objection. In the discovery dispute, the trial court held the surrender allowed the firm the opportunity to collect its client information from the iPhone.
The former employee appealed and the Supreme Court disagreed with the trial court. The appellate court held that surrendering the phone itself exceeded the scope of permissible discovery; that discovery should be limited to the information “from” the smartphone, and not the iPhone itself. The appellate court found the initial temporary restraining order against the employee sufficiently dealt with the protection of the business’ confidential client information. Although not addressing it directly, the appellate court’s ruling seems to indicate that a demand for the employee’s call log would also be appropriate. The rationale behind the ruling centered on a finding that the technology and applications of today’s smartphones more closely resemble a personal computer than a single-purpose telephone. The built-in computing application and internet access transform the smartphone into a computer. The employee’s iPhone, therefore, may contain privileged and confidential information as would a personal computer. To guard against disclosure of personal confidential information, and to determine the discoverability of its contents, the Court then ordered an in-camera review of the employee’s iPhone.
Following the in-camera review, the district court ordered the former employee to surrender his iPhone to the forensic vendor hired by the firm. The forensic vendor was instructed to obtain an image of the iPhone’s contents, including active and deleted call records, contact information, contacts lists, text messages, and emails. A forensic protocol, much like the one we regularly use, was then implemented which included running search terms against the image to produce lists of discoverable data. (This raises the question about whether running search terms is the best way to ensure that all relevant data is uncovered, but that is a discussion for another day.)
The practical takeaway from the Court’s Order is to keep discovery requests geared to the information contained on a mobile device, not the smartphone itself – unless you have good cause to demand surrender of the phone (such as a policy that requires it). Without good cause, agreeing to appropriate forensic protocols or requesting an in-camera review will ensure that only non-privileged and relevant information is disclosed, and should negate the argument that discovery of information from the mobile device is inappropriate.
What, if any, examples of this type of discovery requests have you experienced? Have you experienced any discoverability disputes surrounding confidential information from a former employee’s personal smartphone? Drop us a line and let us know how the court handled this type of discovery dispute.
Discovery of Social Media Accounts Might Be a Toss-up if Requests are Too Broad – Two Conflicting Federal Points of View
Courts continue to ponder questions about how far-reaching discovery of litigants’ social media accounts should be. You may recall that we wrote about this in Can the Court Force You to Turn Over Your Facebook Account? The Short Answer. Yes. Recently, a magistrate from the Central District of California issued an order in Mailhoit v. Home Depot U.S.A., Inc. which again analyzed this very issue. So why should we be interested in another social media discovery case?
Well, the case is strikingly similar to EEOC v. Simply Storage Mgmt., LLC., 270 F.R.D. 430 (S.D. Ind. 2010) – a case where the Court granted broad discovery of social media content. The two cases include similar allegations, similar claims of mental and physical injuries, and more importantly, almost identical social network discovery requests. In fact, counsel for Home Depot used the wording from the Simply Storage requests when drafting the defendant’s discovery requests. They are as follows:
- Any profiles, postings or messages (including status updates, wall comments, causes joined, groups joined, activity streams, blog entries) from social networking sites from October 2005 (the approximate date Plaintiff claims she first was discriminated against by Home Depot), through the present, that reveal, refer, or relate to any emotion, feeling, or mental state of Plaintiff, as well as communications by or from Plaintiff that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state;
- All social networking communications between Plaintiff and any current or former Home Depot employees, or which in any way refer [or] pertain to her employment at Home Depot or this lawsuit; or
- Any pictures of Plaintiff taken during the relevant time period and posted on Plaintiff’s profile or tagged or otherwise linked to her profile.
So then why is the Home Depot case noteworthy? Because the judges in each of these cases approached the discoverability issue in completely different ways. In Home Depot, the magistrate looked to restrict and limit the scope of social media discovery (refusing to compel production of documents from Request Nos. 1 and 3 above), while the magistrate in Simply Storage reasoned that discovery of information from social media sites must be “extremely broad” for the parties to acquire and/or refute evidence.
So what did each Court say about the discoverability of social network site content?
The Simply Storage Decision. The magistrate in Simply Storage found that discoverability of social networking sites (“SNS”) was novel, but that it was not “unique to electronically stored information or to social networking sites in particular.” The Court held “the challenge is to define appropriately broad limits (emphasis added) – but limits nonetheless – on the discoverability of social communications in light of a subject as amorphous as emotional and mental health, and to do so in a way that provides meaningful direction to the parties.”
Specifically, Simply Storage found that “it is reasonable to expect severe emotional or mental injury to manifest itself in some SNS content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.”
The Court rejected, as too restrictive, the EEOC’s view that the claimant should only have to produce communications that directly reference matters in the complaint. “This standard likely would not encompass clearly relevant communications and in fact would tend only to yield production of communications supportive of the claimants’ allegations. It might not, for example, yield information inconsistent with the claimants’ allegations of injury or about other potential causes of injury.” The magistrate remarked that not many claimants, if any at all, would post non-events, such as “My supervisor didn’t sexually harass me today,” on their social network sites. A definition of relevant SNS content must, therefore, be broader than that proposed by the EEOC, and subsequently by the Home Depot court. In short, Simply Storage ruled that any posts that “reveal, refer or relate to any emotion, feeling, or mental state, as well as communications that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state” should be discoverable.
The Court in Simply Storage did acknowledge that disclosure of SNS communications might reveal sensitive or private information. The Court, however, ruled that this release is inevitable – “this concern is outweighed by the fact that the production here would be of information that the claimants have already shared with at least one other person.” As one judge observed, “Facebook is not used as a means by which account holders carry on monologues with themselves.”
In short, the decision in Simply Storage is in line with how we would expect a Court to rule on discoverability issues. To the contrary, the Home Depot decision is not.
The Home Depot Decision. The magistrate in Home Depot seemed to have a preconceived viewpoint on how discovery requests for the defendant should turn out, or she may have simply misunderstood the breadth and scope of the potentially relevant information contained nowadays in social network communications.
Indeed, the Home Depot court brushed aside the Simply Storage holding relating to the breadth of discovery in severe emotional or mental injury cases. The court never acknowledged the nebulous nature of this type of evidence, or the difficulty a party has in documenting a claimant’s mental or emotional health. It did recognize that some of the SNS communications would likely be relevant. Despite this, the court ruled that, although the defendants modeled their discovery requests upon Simply Storage, those requests were not precise enough for the claimant to determine the type and scope of the information requested – therefore, the discovery requests were overly broad and vague. As noted, the Court refused to compel production of requests Nos. 1 and 3 above.
The End Result? So how does it work then for discovery of social media communications when a claimant alleges emotional and mental injury? Well, both courts agree that social network content must be relevant to a claim or defense for discovery. And further, that the mere fact that a claimant has made social media communications “is not necessarily probative of the particular mental and emotional health matters at issue.” Rather, the Home Depot and Simply Storage courts both agreed that it’s the substance of the communication on a social network site, and to whom it was made, that determines relevancy.
So then what should the procedure be for requesting a claimant’s social network communications? Even with the contradictory rulings from various courts, we believe it is reasonable to start with the discovery requests laid out in Simply Storage. The scope, as with any discovery, should be as precise as possible, with an eye towards demonstrating why this type of information is relevant to the particular claims or defenses. You should be ready to defend why your client should be entitled to broad discovery of social media content.
Has anyone been down this road before? Let us know what the court held. This issue will certainly be an up and down process until higher courts delineate specific guidelines for the parties, and even lower courts, to follow.
Teresa is the Chair of Fredrikson’s Non-Competes and Trade Secrets Group, and an MSBA Certified Labor and Employment Law Specialist. She counsels business clients on risk management and policy development relating to employee use of technology, and also litigates their business and employment disputes. Teresa trains, writes and lectures extensively on legal issues arising from business use of technology and social media.