While our post today from our colleague, Ingrid Culp, is on a topic we don’t typically cover, it’s important for businesses with Minnesota employees to know about this new law. Thanks, Ingrid, for this post!
On May 13, 2013, Minnesota Governor Mark Dayton signed a new law prohibiting Minnesota’s private employers from inquiring into, considering or requiring an applicant for employment to disclose his/her criminal history (1) until after the applicant has been selected for an interview or (2) if there is no interview, until after a conditional offer of employment has been made to the applicant. Minn. Stat. § 364.021.
Most public (governmental) employers have been subject to this requirement for some time. This new law takes effect January 1, 2014, for private (non-governmental) employers and is in keeping with Minnesota’s long-stated public policy of encouraging and contributing to criminal offenders’ rehabilitation and return to the workforce. The new law includes some exceptions allowing for earlier inquiry into an applicant’s criminal history, including for employers who have a statutory duty to conduct a criminal background check or otherwise take into consideration an applicant’s criminal history during the hiring process.
If your company is like most, this new law will render your current employment application and/or hiring process unlawful. The new law means most Minnesota employers must remove all questions or “check-the-box” inquiries regarding an applicant’s criminal history from their employment applications. The law provides that an employer may, however, include a notice on its employment application that the company’s policy is to require applicants to disclose criminal history if selected for an interview, or if there is no interview, after a conditional offer of employment has been made, and may make employment decisions on this basis depending on the nature of the applicant’s criminal history and the position sought. It is possible such a notice will deter applicants with a criminal history from applying for employment, presumably saving the employer some time and resources in its hiring process.
Under the new law, if an employer wishes to ask applicants about criminal history after an interview has been granted, the employer should create a written communication to applicants confirming that an interview has been requested and making such inquiry with instructions for how to respond. If an offer of employment will be made without an interview, the employer should include language in the offer letter stating that the offer is conditioned on the applicant’s response to the employer’s inquiry as to criminal history, and include such inquiry with instructions for how to respond.
As has been the case for some time, we recommend that any such inquiry, whether coupled with an invitation for an interview or a conditional offer of employment, be uniformly applied company-wide (or for designated positions), be limited to convictions, and include a disclaimer that a conviction will not necessarily disqualify the applicant from employment. In addition, we continue to recommend that employers consider applicants’ criminal histories in conformance with the Equal Employment Opportunity Commission’s recent guidance on the topic. For more information on this issue, please see Anne Radolinski’s article, Arrest and Conviction Records - A Fresh Look.
For a review of how this new law affects your company’s application for employment, offer letter or hiring practices, please contact an attorney in Fredrikson & Byron’s Employment & Labor Law Group.
“Big Data” means different things to different people. In a March 7th speech, Virginia Rometty, Chairman, President and CEO of IBM, provided her take on “Big Data” and I thought she relayed a number of interesting points. Her speech, entitled Competitive Advantage in the Era of Smart, describes a new way for private and public organizations to compete in an era of “Big Data” – data in the clouds, data on smart mobile devices and social networks, and corporations mining data for insights and the competitive edge. To her, “Big Data” is the next natural resource, like oil or electricity, to propel this country forward as everyone will have access to cloud infrastructures, mobile devices and social networks.
Ms. Rometty suggests three “principles of change” – change, not just in technology, but in an evolution of an organization – a cultural way of thinking and acting. All organizations make decisions about capital, people, products and services; create value for those individuals and entities; and deliver value to their customers. Ms. Rometty laid her principles of evolution out as:
- Decisions will be based not on “gut instinct,” but on predictive analytics;
- The social network is the new production line; and
- Value will be created not for “market segments” or demographics, but for individuals.
Let’s look at each principle enunciated by Ms. Rometty.
Principle 1: Decisions will be based not on “gut instinct,” but on predictive analytics
In today’s global community, Ms. Rometty believes that enterprises should move to an analytical decision-making model. Why is that? Because every two days we generate the equivalent of all of the data produced up to 2003. With the volume of this data and today’s raw computing power, organizations can and should harness this duality to produce accurate and insightful knowledge-based decisions.
Ms. Rometty believes that organizations must use analytical decision-making models to reduce errors, and inadvertent or damaging outcomes. As proof, she pointed first to a global survey of top risk managers that identified the #1 method for identifying and assessing risk – senior management intuition and experience. And second, to the greatest recession of our lifetime – which many believe was caused by an inability to see and manage risk. To illustrate her point, Ms. Rometty cautioned that many of our decisions are subconsciously influenced by our biases – relying too heavily on a single piece of information we have internalized. For example, a doctor hears a patient disclose two or three symptoms out of many, and then makes a diagnosis while discounting those symptoms that do not fit into her predetermined category. The key point to this analytical decision-making model is that:
“[t]his isn’t just a change in tools. It’s a change in mindset and organizational culture. Which is also the greatest challenge it poses: the need to “unlearn” deeply engrained professional and leadership assumptions: . . . How you manage enterprise risk . . . and how you manage an enterprise.”
Ms. Rometty believes the mentality will be not just to learn new skills, but to learn a whole new job. So will we be willing to do that? And how quickly can such predictive analysis be created? Will executives be willing and able to wait for that analysis – I personally don’t think we are there yet. It certainly seems that we all are relying upon gut instinct every day…this would certainly be a hard thing for me to overcome.
Principle 2: The social network is the new production line.
Create intellectual capital! What does that even mean? According to Ms. Rometty, the vast amount of data now produced, the power of the computers, and today’s shared connectivity have now created the means for the production of knowledge – with social networks as the new production line. “In a social enterprise, your value is established not by how much knowledge you amass, but by how much knowledge you impart to others.” So how do you produce knowledge?
The long-term objective is an enterprise expertise model where information is analyzed automatically, content is organized in relevant topics and personalized action plans are created – and where rewards are shaped by who contributes the most and best ideas.
The goal is not to just share information – the connectivity – but actually create experts in an organization. Anyone in an enterprise can become an expert. Could every company, however, hire, compensate, evaluate and promote employees based upon the concept of “shared and catalyzed knowledge”? Ms. Rometty believes most can and will. Every IBM employee now has a social network page, and access to vast amounts of internal and external information sources, blogs and wikis – the ability to create intellectual capital. According to Ms. Rometty, IBM is working toward a future -
in which all IBMers will be rated by their peers and profession, based on how good they are at sharing their knowledge . . . how good they are at making it useful, consumable . . . how well they contribute to the community and to [their] clients’ needs and experiences.
I certainly agree that the ability to communicate, contribute and share is going to be a key factor to success in future organizations!
Principle 3: Value will be created not for “market segments” or demographics, but for individuals.
The rapid emergence of Big Data, social networks, mobile communications, and location tracking software has lessened the inherent value of segmenting consumers – whether public consumers of government services or private consumers of business. “I” and “You” bear today’s fruit. It’s the age of the individual. Today’s technology has created the ability for enterprises to track individual wants, needs and desires, and then to encapsulate that into a good or service targeted to that specific consumer.
In her speech, Ms. Rometty gave the example of how President Barack Obama’s re-election campaign used Big Data analytics and behavioral science to understand how individual voters in key states might react.
Using dynamic models powered by voter contact data, the campaign’s Analytics team ran 66,000 simulations each night to project who was winning every battleground state. They used this data to allocate resources – funding, campaign workers, outreach – in real time. The final simulations of the Ohio vote were accurate to within 0.2 percent.
Companies now must recognize the emergence of this capability to remain competitive in the global market place. Forward-thinkers will use this data and computational ability to actually learn what “You” and “I” want – not what some organization deems “we” want. Ms. Rometty believes, in the end, that organizations and consumers will offer each other measurable value – information about “You” and “I” in exchange for a benefit in return.
Virginia Rometty concluded by saying:
[t]he challenge is not the technology. The challenge, as always, is culture . . . changing our entrenched ways of thinking, acting and organizing. . . . We have, in Big Data, a vast new natural resource, as well as the means to mine it for value. And that is unleashing not only insight and knowledge, but new ways of creating business and societal value . . . and new ways of working that are more flexible, innovative, collaborative, humane.
Erik Brynjolfsson, director of the Center for Digital Business at MIT’s Sloan School of Management, echoed Ms. Rometty’s sentiments (see New York Times, I.B.M.’s Rometty on the Data Challenge to the Culture of Management). “The technology has been available for a few years now to create a management revolution based on big data, and now we’re beginning to see more and more companies undertake the much harder job of reinventing their business process and culture to take full advantage of those technologies.” Based upon the number of targeted ads that we are seeing, I am pretty confident a number of organizations have embraced this last concept!
So what does this mean for you as an individual or an organization? Do you agree that you should disregard your gut instinct and replace it with a “computerized” risk analysis? Do you share and create knowledge and information to increase your market share and demonstrate your expertise – whether via social media or otherwise? And finally, what do you think of the individually targeted culture being created by all of the data mined by organizations? I admit that I don’t know where I stand. As always, we welcome your input!
We’re extremely pleased to have another guest blogger this week – our colleague, Karen Schanfield. Karen is a shareholder in Fredrikson & Byron’s Employment & Labor Law Group, and, among other accolades, has been named by her peers as one of the Top 40 Labor and Employment Law Attorneys and one of the Top 50 Women Attorneys in Minnesota. Thank you, Karen, for this post!
In its most recent ruling on the subject, the National Labor Relations Board again concluded that terminating non-union employees for postings on Facebook violated the National Labor Relations Act. The case, Design Technology LLC dba Bettie Page Clothing, had a couple of interesting twists.
First, the employer argued that it had been “trapped” into firing the employees (the theory being that the employees were deliberately trying to get fired), a claim the NLRB found “nonsensical.” Second, the NLRB learned in the course of the proceedings that the company had a rule prohibiting employees from discussing their salaries with one another, a clear violation of the Act. Consequently, the NLRB not only ordered reinstatement with backpay for the three employees, but required the employer to rescind or replace the policy and post a notice prepared by the NLRB at all locations where the policy applied.
So, what actually happened? Well, an employee at one of Bettie Page Clothing’s stores in San Francisco asked the store manager if the store could close at 7 p.m. like other stores in the area, rather than 8 p.m., saying that employees felt unsafe in the neighborhood after other stores had closed. When the request was denied, the employees complained to one another and others on Facebook. In addition to comments like “bettie page would roll over in her grave” and “It’s pretty obvious that my manager is as immature as a person can be and she proved that this evening even more so,” one of the employees posted:
“hey dudes, it’s totally cool, tomorrow I’m bringing a California Worker’s Rights book to work. My mom works for a law firm that specializes in labor law and BOY will you be surprised by all that crap that’s going on that’s in violation [sic] see you tomorrow!”
All three employees were terminated. The Board concluded that two of the employees were engaged in protected concerted activity when they presented their concerns to the store manager and owner and that the Facebook postings were a continuation of that effort. It also went a step further, holding that the postings among all three employees would have been protected concerted activity even without the prior conversations with management.
The Board also made short shrift of the employer’s “discharge conspiracy” theory. Not only did the Board find that there was no evidentiary support for the argument, it held that even if the employees were acting with the hope of being fired, Bettie Page had not shown that their actions were not protected.
The takeaway? The NLRB remains keenly interested in social media and its impact on the rights of both non-union and union employees. Employers are well advised to review their handbooks, social media policies, and practices to ensure that they do not inadvertently run afoul of the NLRA.
We are always pleased when colleagues send us posts for our blog. This week, Emily Duke, the Co-Chair of Fredrikson’s E-Discovery Resources and Franchise Groups, wrote about the threat of corporate raiding and loss of sensitive information in the medical device industry. Thank you, Emily, for the following post:
It seems as though some industries are prone to non-compete and trade secrets litigation, and the medical device industry is one of them. Earlier this month, I read an article about Abbott Laboratories suing Boston Scientific in a corporate raiding case. Abbott alleged that its competitor hired away a vice president of U.S. sales and leveraged the former division VP’s relationships with other employees to try and woo them away . . . something that Abbott claims violated his contract (which, by the way, Abbott says it shared with Boston Scientific once the executive jumped companies).
Frankly, given the close relationships that medical device salespeople can develop with purchasers, doctors, and surgeons – sometimes even going into operating rooms with them – it is not surprising to me that we regularly see these cases in the medical device industry. Abbott’s complaint also claims that some of the salespeople who switched companies emailed sensitive marketing, product launch, sales revenue, and customer information to their personal email accounts (always a bad sign). That information could be impossible, or take years, for any competitor to develop on its own. No wonder the stakes are big and companies are willing to spend time/money in court to protect against these actions!
For any organization, the sales force will be a prime target for competitors. In an industry where the sales cycle is a long one and/or special expertise is needed to understand the product, much less sell it or explain to customers how to use it, there are even bigger payoffs to competitors who can hire away key salespeople. So, the next time a salesperson or employee with key strategic information leaves the job, it might be worth taking some additional steps:
- Find out where they are going (and take note if they refuse to tell you).
- Remind them of any lasting obligations to the company – be it contractual (non-compete, non-solicit, confidentiality) or implied in law (protection of trade secrets . . . which can include customer lists or company marketing or product development strategies).
- A little dose of skepticism also helps – check out the company’s network access logs to see if the departing employee was accessing information, or volumes of information, inconsistent with their prior patterns and unnecessary to their current projects.
- Keep your ear to the ground – if the employee lied about where they were going, they probably lied about other things.
Thanks again to Emily for reminding us that gathering information before key employees leave your company may help you to keep information from walking out the door. Have you had similar experiences? What have you done to protect your employees and data?
We haven’t seen a lot of Facebook firing cases coming out of the National Labor Relations Board (“NLRB”) recently, but on April 3, 2013, the NLRB’s General Counsel released an advice memorandum that discusses one such case. In that case, the charging party worked as a hostess at a bar/restaurant called Character’s Pub. After new owners took over, the transition did not go well. Two servers were terminated; another staff member quit; and others were upset over a new rule that servers were prohibited from discussing the menu with cook staff and could only discuss menu issues directly with the head chef.
Meanwhile, the employees had a private group Facebook page where they “talked” about work. After the new owners took over, complaints on the private page increased. A few days before the Charging Party was fired, she posted, “I just want to cry right now. Depressing … no regulars, no staff, no fun!! I miss everyone. I didn’t think they’d f*** it up this badly!!!”
When the employee got to work a few days later, the owners of the restaurant met her outside the restaurant. They told her, “We saw the Facebook page,” and terminated her employment. The employee then brought an unfair labor practice charge alleging the comments on the private group Facebook page were protected concerted activity under the National Labor Relations Act (“NLRA”). The charge was submitted to the General Counsel’s office for advice.
The General Counsel found that the posts were protected because:
- The employee complained about the terms and conditions of her work;
- She directed the complaints to a group of employees; and
- The complaints were “part of their continuing discussion of shared workplace concerns revolving around changes in the employee’s terms and conditions of employment caused by the new ownership.”
While perhaps there aren’t any particularly new or unusual facts in this case, this decision confirms that the NLRB is taking a consistent line – when an employee is terminated for complaining about management or changes in the workplace and the complaints are made to other employees who respond in some way – the NLRB will find the social media posts to be protected and the termination unlawful. The case is also a good reminder that the NLRB is still focused on social media discipline and discharge cases and that employers need to be careful when taking action against an employee based on social media posts.
Perhaps more importantly, while the case doesn’t explain how the employer happened to see the posts, since they were on a private group page, the case serves as another reminder that making employment decisions based on information on a private site is extremely risky. There also could have been privacy implications caused by the employer’s viewing of the posts.
Have you disciplined or discharged an employee due to social media posts? If so, what steps did you take to analyze whether the posts were protected or to determine whether you should have had access to the posts in the first place? As always, we would love to hear from you.
My colleague Steve Helland and I were talking this week about data privacy and security at a meeting of the firm’s Privacy group. Steve chairs the firm’s Internet, Technology & E-Commerce group and he recently co-chaired a full day conference Data Privacy and Security for In-House Counsel for the Minnesota State Bar Association. Our group discussed Steve’s takeaways from the conference and I asked whether we could post his summary of the event on the blog. As you can see, Steve agreed.
The following post and checklist were written by Steve Helland and adapted from his presentation on March 21, 2013 at the MSBA data privacy and security conference. Many thanks to Steve for his contributing post…
You can’t do it all, in a field as robust and evolving as data privacy and security. The purpose of this checklist is to describe the core oversight duties of those in the board room and the C-suite, as of spring 2013. As such, this checklist is focused primarily on setting values and priorities, and the assignment of roles, structure, and process.
Please note: (1) There is no one-size-fits-all, so consider the unique circumstances of your organization; (2) Although much has been written about privacy and security generally, law and scholarship specifically regarding the duties of the board and senior management regarding privacy and security issues are significantly less developed.
□ Decide, preliminarily, the relative importance of privacy and security issues to your organization.
Comment: Consider the following:
(1) Are you in a highly-regulated field such as finance or healthcare?
(2) Do you control or have access to large amounts of data?
(3) Are trade secrets or other proprietary information especially valuable assets?
(4) Importance of customer expectations and public perception?
(5) What are your competitors doing?
(6) Any known substantial and specific threats / risks?
Benchmark: Corporate directors (48%) and general counsel (55%) listed “data security” as their number-one concern (ahead of operational risk and company reputation). Source: 2012 Corporate Board Member / FTI Consulting, Inc., “Law and the Boardroom Study: Legal Risks on the Radar.”
□ Allocate reasonable financial, human, and technical resources.
(1) Do you have confidence in your IT team / CIO?
(2) Do they have a sufficient budget?
□ Philosophy: Treat trade secrets, “Big Data,” and other critical proprietary information with the same level of care and attention you devote to the preservation and growth of other core assets.
□ Appoint a [Chief Privacy Officer (CPO)][Chief Information Security Officer (CISO)][other management-level person with “privacy and security compliance” as an explicit or sole component of the job description].
(1) For this item, like virtually all others on the checklist, the minimum duty will vary with the size of the organization and the quantity and type of information and data held (including whether the industry or data-type is regulated, such as health organizations under HIPAA or financial organizations under Gramm-Leach-Bliley, or any entity collecting information from children on-line under COPPA).
(2) This person should monitor for compliance requirements: (a) applicable law; (b) contractual obligations (e.g., in NDAs or security provisions in other agreements); (c) your own policies; (d) certification / compliance programs in which you participate (e.g., EU Safe Harbor, TRUSTe); (e) industry norms (as falling short may be negligence).
Benchmark: Among smaller and mid-size organizations, a dedicated Chief Privacy Officer is still relatively rare.
□ Retain [or at least identify] experienced legal counsel.
(1) Receive updates on legal developments from time to time.
(2) Involve in substantial transactions such as M&A and key vendors.
(3) If there is a substantial international component to your data and security issues, strongly consider retaining country-specific or region-specific legal counsel.
□ Retain [or at least identify] computer forensic consultants; other consultants such as PR.
(1) In the event of a breach and/or an event that may involve litigation, I recommend an outside computer forensic firm.
(2) This item may be most appropriate for larger organizations.
(3) This item is more appropriate to a CIO or General Counsel, and not the board-level.
□ Assign a committee of the board with oversight of privacy and security issues, and explicitly add responsibility for privacy and security to the committee’s charter. Consider creating a committee if no appropriate committee exists. (e.g., a “Risk Committee” (or similar) for which privacy/security could be one aspect of enterprise risk.)
Comment: Applicable for larger entities. This could also be housed in a Risk Committee, Compliance Committee, or other committee of the board. Smaller entities may prefer to keep this function within the full board.
Benchmark: Among Global 2000 entities, 96% have an Audit Committee, 56% have a Risk / Security Committee, and 23% have an IT / Technology Committee. Source: “Governance of Enterprise Security: CyLab 2012 Report,” Jody R. Westby.
□ Receive information. The board and senior management should receive periodic reports and information from the CIO, IT and General Counsel regarding significant security risks, issues, breaches, and other items.
Comment: The board of directors and senior management should receive enough information to be familiar with the organization’s top privacy and security issues and how the organization is managing those items.
□ Conduct an audit. Include administrative, technical and physical elements.
(1) Oversight by full board or a committee such as the Audit Committee.
(2) Self-audit vs. outside audit?
(3) Brand-name audits such as (old) SAS70 (new) SSAE 16?
(4) If possible, benchmark your organization against similar organizations to avoid falling behind (negligence for failing to meet industry-standard).
(5) Do you know what your own policies are and do you follow them?
(6) Do you comply with contractual or similar obligations to others (e.g., abide by NDAs; Payment Card Industry requirements)?
(7) Focus on the most important assets.
□ Written policies. Then communicate and train.
□ Agreement tool kit.
Comment: Make available solid templates for: NDAs or similar with employees, vendors, partners. Specialized agreements as required such as Business Associate Agreements under HIPAA. The agreement tool kit should be disseminated to appropriate personnel with contracting authority, along with training in how to use, plus report and track exceptional terms and requirements.
□ Diligence on key vendors and partners. How are their practices? Any breaches?
Comment: This may be as simple as a Google search: you don’t want to be partners with a known data-bungler. Include privacy and security diligence as part of M&A and other major transactions.
□ Review insurance coverage.
Comment: Is general liability, errors and omissions sufficient? Consider “cyber risk” or “privacy liability” coverage (there’s a difference between these two). Be cautious regarding exclusions, especially “force majeure” / “act of God/war,” in light of foreign-government-sponsored hacking.
Benchmark: Only 35% of public companies have cyber insurance. Source: Chubb 2012 Public Company Risk Survey.
□ Revisit privacy and security issues from time to time; stay current.
□ Ensure at least one member of the board is knowledgeable in IT issues.
Comment: If your full board still isn’t sure what the Internet is and doesn’t use email, they will not be in a position to critique inputs on all of the above.
Thanks so much to Steve for his contributing post!
We are addressing data privacy and security with our clients on a regular basis in many different areas and industries (e.g. employment and trade secret – healthcare and financial services, and many more). So now that you have gone through Steve’s checklist, where do you all stand when it comes to data privacy and security? As always, we would love to hear from you.
In an update to our recent post, Hijacked Identity or Legitimate Business Practice? LinkedIn Lawsuit Soon To Be Decided By Court, we now have the Judge’s Order in the Eagle v. Edcomm case. As you’ll recall, when the plaintiff, Linda Eagle, was terminated, her former employer, Edcomm, took over her LinkedIn account by using her username and password, replacing her picture with that of another employee, but leaving Eagle’s honors, awards, recommendations and connections. Eagle claimed she was wrongfully locked out of the account and that Edcomm hijacked her identity and invaded her privacy.
Eagle, representing herself at trial, managed to prevail on three of her claims – misappropriation of identity, invasion of privacy, and violation of a Pennsylvania statute prohibiting unauthorized use of someone’s name – but she was not able to prove that she suffered any damages.
Her theory of damages was creative – she used her average sales per year divided by the number of contacts she maintained on LinkedIn to arrive at a dollar figure per contact, per year. She then divided that figure by 4 to represent that for one-quarter of the year she did not have full access to her LinkedIn account. Based on those calculations, Eagle claimed she had suffered damages in excess of $248,000.
The court, however, was not convinced. Creative math aside, the court noted that Eagle “failed to point to one contract, one client, one prospect, or one deal that could have been, but was not obtained during the period she did not have full access to her LinkedIn account.” As a result, she couldn’t prove her damages with the required level of certainty.
In addition to the damages issue, one of the other interesting aspects of this case was the question of who actually owned Eagle’s LinkedIn account?
The Court noted that Edcomm did not have a policy in place informing the employees that their LinkedIn accounts were the property of the employer, and (as one of our commenters to our previous post noted), it was questionable whether such a policy would have been binding in the first place because it contravenes LinkedIn’s “User Agreement” which states that the account belongs to the individual (“If you are using LinkedIn on behalf of a company or other legal entity, you are nevertheless individually bound by this Agreement even if your company has a separate agreement with us.”).
Additionally, take a look at these emails Edcomm sent internally (with Eagle as one of the recipients) discussing ownership of Eagle’s LinkedIn account:

From: Cliff Brody
Sent: Tuesday, March 2, 2010 1:36 PM
To: Linda Eagle; David Shapp; Kathy Luczak
Subject: few loose ends

David…. Can you look into what our requirements/responsibilities are as far as LinkedIn accounts and former employees.

CB
Clifford G. Brody
Founder & Chief Executive Officer
The Edcomm Group Banker’s Academy

From: David Shapp
Sent: Tuesday, March 2, 2010 2:17 PM
To: Cliff Brody; Linda Eagle; Kathy Luczak
Subject: few loose ends

I think we can leave it up forever and mine the information contained within as long as we do not pretend to be her. The company/employer owns all data on its hardware, including email archives. The employee has no rights at all in his email identity. Ordinarily, as a courtesy, employers tend to keep old accounts active for a limited time in order to avoid rejecting business-related communications, and forward personal emails to the former employee. There would potentially be an issue if the employer used the former employee’s email to perpetuate a false impression that the employee remained with the company, but simply mining the incoming traffic is certainly within the employer’s rights.

David
David Shapp
Partner & Senior Vice President
The Edcomm Group Banker’s Academy

From: Cliff Brody
Sent: Tuesday, March 2, 2010 3:23 PM
To: David Shapp; Linda Eagle; Kathy Luczak
Subject: few loose ends

What about LinkedIn – not on our hardware. The question is who really owns that account? Ideally it would be us. We could leave it up as-is and she would have to create a new one.

CB
Clifford G. Brody
Founder & Chief Executive Officer
The Edcomm Group Banker’s Academy

From: David Shapp
Sent: Tuesday, March 2, 2012 3:53 PM
To: Cliff Brody; Linda Eagle; Kathy Giola
Subject: few loose ends

We do. It was created with an email account that is ours, on our computers, on our time and at our direction. She cannot use that account because she does not own the email address that opened it. I think as long as we just read from it and do not write to it, we are not breaking any laws. Same thing with her email account – as long as we only read and do not write, we are within our rights to do so.

David
David Shapp
Partner & Senior Vice President
The Edcomm Group Banker’s Academy
Finally, to add one more wrinkle, Mr. Brody, who seems to have understood the bigger issue regarding who actually owned the account, appears to have left Edcomm at some point because he is now Eagle’s business partner and he testified on her behalf at trial regarding Eagle’s damages theory. An interesting case.
Do you have a plan in place to address ownership of social media accounts, or the content contained on those accounts – including contacts/connections? Do your policies and agreements give you the right to the business content (vs. purely personal content) on the site, even if you do not have the right to take the account over from the employee? If you have social media accounts being managed and run by one employee, have you taken steps to ensure that you will control that site once the employee leaves? This case demonstrates that a proactive approach to managing social media sites used to promote your business will go a long way to protecting your investment after an employee departs.
We have been discussing the risks personal devices can pose for business data corruption, loss or theft quite a bit of late. These issues were also highlighted at the RSA Security Conference (a gathering of security industry experts) and we have focused our attention on online security, personal information privacy, and business data risks.
So, let’s review. In IBM’s Plan to Manage Smart Phone Security Issues – Not Just About “Is Siri and Apple Spy?”, we reviewed different protocols and procedures for managing employee use of personal electronic devices. We talked about the need for businesses to recognize and adapt to a corporate life with BYOD because – let’s face it – personal devices are here to stay. We firmly believe that with policies, education and training employees should at least gain a minimal understanding of the potential security danger of commingling personal and business data, the vulnerability of unauthorized electronic intrusions (See our post: And Yet Another Security Risk to Mobile Devices . . . Malware), and the ultimate cost to a business for lost or stolen data, including trade secrets. These steps can also protect your organization should you be required to remote wipe a device that is lost, stolen or “removed” by a departing employee.
What we have seen, unfortunately, is that even with the best policies, education and training, no service or device is fully secure – whether the result of state sponsored hacking of U.S. companies by other governments, or cyber intrusions by groups like Anonymous. Security vulnerabilities exist. This is but a short list of some of the recent security breaches: Google’s two-step login verification process was bypassed allowing control of a user’s account; Evernote, a Web-based note-sharing service, reset 50 million users’ passwords following an attack into users’ accounts; Facebook, Apple, Microsoft and Twitter have reported recent cyber-attacks; like Evernote, Twitter reset the passwords for 250,000 accounts whose encrypted passwords may have been accessed; and Dropbox, an electronic storage service, reported a large loss of data for a number of subscribers. (For more information, see NBC News, Evernote resets 50 million passwords after hackers access user data, Google patches ‘loophole’ in two-factor verification system, and His firm accused China of hacking the US; now he awaits the consequences).
The problem is that once an employee removes corporate data from the network, protecting and securing that data becomes much harder. “My peers are killing me,” John Oberon, information technology chief for Mashery, a 170-employee company that helps other companies build applications, reported to the New York Times, Where Apps Meet Work, Secret Data Is at Risk. “[T]here’s only so much you can do to stop people from forwarding an e-mail or storing a document off a phone.” (This is still one of the main ways employees take data…) And employees will find their own ways to connect with one another. Indeed, Netflix recently found its employees using 496 applications for data storage, communications and collaboration. Yikes. “People are going to bring their own devices, their own data, their own software applications, even their own work groups,” said Bill Burns, director of information technology infrastructure at Netflix. The question becomes what are you doing as an organization to monitor, limit or otherwise control what employees are doing on their devices? Is it enough?
And what if the security dilemma is really not the employee’s fault? HTC America, a global manufacturer of devices, recently settled a complaint with the Federal Trade Commission. The FTC alleged that HTC America failed “to take reasonable steps to secure software” in its Android, Windows Mobile and Windows Phone smartphones and tablets. According to NBC News, HTC subject to 20 years of security reviews because of holes, the FTC reported that “[t]he company didn’t design its products with security in mind.” “HTC introduced numerous security vulnerabilities that malicious apps could exploit to gain access to sensitive data and compromise how the device worked.” Even worse, the FTC alleged “HTC pre-installed a custom app that could download and install apps outside of the normal Android permission process.” To settle the FTC matter, HTC America agreed to create and push software patches to millions of its mobile devices, and to accept independent security assessments for the next 20 years. This case represents the first time the FTC has pursued a mobile device company over security concerns, or ordered a company to create and push a software fix as part of a settlement.
In the end, whether caused by employees or by device manufacturers, security issues cost businesses money. Security concerns can waste valuable IT time and money, and more importantly hurt a business’ reputation with its customers. So, what are you doing? I have been talking with CIOs and industry experts to gain different perspectives and options for addressing data protection and security concerns. I will post some conclusions and suggestions in the weeks to come. In the meantime, we would love to hear what you are doing.
We have talked in the past about whether use of social media during the workday increases employee productivity (see Time Suck or Morale Booster? How Does Social Media Impact Employee Productivity?). The question of technology and productivity was recently addressed in a slightly different light by Randstad, a global provider of HR and staffing services, in its most recent Employee Engagement Index survey (see Does 24/7 Connectivity Equal Increased Productivity?). The survey looks at whether constant connectivity through technology equates to greater productivity for women workers. The survey shows that 42 percent of women and 47 percent of men believe that it is increasingly difficult to disconnect from work while at home. The majority of women (68 percent) and of men (59 percent) also did not believe that the work/home connectivity had increased their productivity.
“As enhanced technologies and increased access to information continues to blur the lines between our professional and personal lives, many workers mistake being busy for being productive,” said Linda Galipeau, Randstad CEO of North America. “These are two very different concepts that when looked at from an organizational standpoint – could have serious implications for a company’s bottom line. We are only productive if we’re producing the results that are most impactful to our goals. Being that we live in a multi-tasking world, it is important to work smarter and hone in on those high-impact efforts that will create more meaningful results. This is incredibly important, especially as women and men can now perform their jobs from almost anywhere.”
So what does this actually mean for you and me?
Whether men or women, we all certainly fall into the trap of a 24/7 work environment. I am sure you would agree that the clock is hard to turn off – whether at 5:00 p.m. on a regular workday, or while on “vacation” with the family. The reality is that technology has enhanced connectivity and increased the expectation of instant communication – peer to peer, business to client, supervisor to employee. Good or bad, business now moves at a rapid pace. Technology shapes our workplace and drives continuous access to the office. “There’s also a downside to this culture because sometimes workers feel that in such a fast-moving environment, they’re obligated to be available at all times and that by disconnecting, you risk falling behind at work,” Kristin Kelley, Randstad’s executive vice president for marketing, reported to the Boston Globe, Does technology make us more productive workers? But in the end, technology, like all things intense, can (if you let it) lead to burn-out, undue stress, health and wellness issues, and a poor work/life balance.
Can we unplug?
Certainly – the choice is ours. We, and I am as guilty as anyone, must recognize that by disconnecting once in a while we will achieve a greater work/life balance. When we do – we recognize that balance produces better work and home relationships, lowers the intensity of the work day, along with our stress levels, and refocuses our efforts at work (making the work we do more productive). Disconnecting, however, proves incredibly difficult to achieve. It’s easy to say I am not going to answer that work email at night, or look to see who is calling on a Saturday. The difficult part, like any addiction, is to put the proverbial rubber to the road. I try – admittedly only sometimes. But, more often than not, I answer that email, check that phone message, or see who just texted in the middle of the night – because my phone is right next to my bed. I am bound by and “addicted” to the power of instant communication. But the question remains whether the instant communication actually increases productivity, or whether I am simply lost in a world of “constant partial attention” (a term introduced to me by one of my clients, Paul DeBettignies, IT Recruiter and author of the Minnesota Headhunter Blog.) It’s a good question to ponder.
So, how do you unplug? When you do, does it increase your productivity and your work/life balance? Let us know what you think.
According to a recent survey by Symantec, roughly “half of employees who left or lost their jobs in the last 12 months kept confidential corporate data” and “40 percent plan to use it in their new jobs.”
That headline should be enough to stop any employer in their tracks. But there’s more. Not only did employees take confidential information from their employers, they apparently didn’t even feel guilty about it. On the contrary, 51% said it was “acceptable to take corporate data because their company does not strictly enforce policies” and 62% said that it is “acceptable to transfer work documents to personal computers, tablets, smartphones or online file sharing applications” with a majority saying they never delete such data “because they do not see any harm in keeping it.”
Clearly, companies need to be doing more to protect their data and intellectual property. Confidentiality and data security policies, while an important first step, are only the foundation to protecting confidential and trade secret information.
As with many things in life, actions speak louder than words. In addition to implementing appropriate policies, businesses need to back up those policies with actions. It’s important that employees (and managers) receive training on what information is confidential, why it’s confidential, and why confidentiality matters to the company. It is also critical that companies actually treat confidential information like it’s confidential, by, for example, implementing appropriate security protocols (i.e. passwords, restricted access, monitoring, etc.). While these are basic steps, they are important and, according to the Symantec study, they are still too often being overlooked.
Another tool to protect your company’s confidential and trade secret information is to have your employees sign confidentiality and nondisclosure agreements. Those agreements should be updated to reflect today’s technological advances, as well as to address new employee uses of technology. Too often, employers don’t think about confidential or trade secret data stored on personal mobile devices or personal computers until after an employee has resigned or been terminated. By then, it can be too late to get that important data back.
So what does this all mean to you? In short, it appears from the Symantec survey that employees are still not getting the message about who owns your company’s data. Therefore, if you don’t take additional steps to educate your employees and protect your confidential or trade secret information, it may just walk out the door. What have you been doing to protect your data? As always, we would love to hear from you.
Teresa is the Chair of Fredrikson’s Non-Competes and Trade Secrets Group, and an MSBA Certified Labor and Employment Law Specialist. She counsels business clients on risk management and policy development relating to employee use of technology, and also litigates their business and employment disputes. Teresa trains, writes and lectures extensively on legal issues arising from business use of technology and social media.