$25 Million Jury Verdict Highlights Dangers of Entrusting Third Parties With Trade Secrets

LBDS is a Texas developer of cardiac MRI technology.  ISOL Technology Inc. is a manufacturer of MRI systems based in South Korea.  According to a federal court complaint (LBDS Holding Company, LLC v. ISOL Technology Inc. et al., 6:11-cv-00428, (E.D. Tex. Aug. 16, 2011)), LBDS contracted with ISOL in 2008 to purchase MRI systems with ISOL agreeing to integrate LBDS’s proprietary technology into those systems. The agreement contained a non-disclosure provision and LBDS disclosed its technology to ISOL to assist with the integration project.

The relationship turned south in 2010 at a convention for the Radiological Society of North America.  LBDS’s CEO attended the convention and saw a competitor’s booth displaying LBDS’s proprietary cardiac technology.  To make matters worse, he saw ISOL management and engineers manning the competitor’s booth.

LBDS sued for breach of the non-disclosure provision, unfair competition, and misappropriation of trade secrets.  LBDS alleged that ISOL took the cardiac technology and integrated it into the competitor’s system, even helping to market the new product in South Korea and, brazenly, at the trade convention. A Texas jury agreed with LBDS and awarded the company $25 million in damages.

While trade secret theft may conjure up images of rogue employees or shady outside actors, the LBDS case reminds us that trade secret theft can also occur when a company invites a contractor through the door.

When contracting with third parties it is important to:

  • Review contracts to ensure information is protected by appropriate non-disclosure provisions;
  • Perform due diligence on contractors, particularly those operating overseas;
  • Carefully monitor projects that require the disclosure of trade secrets to third parties.

Although LBDS obtained a sizeable jury verdict, it couldn’t unring the bell – the competitor still received highly confidential information. The lesson is clear: be careful who you let in the door.

What steps does your company take to protect trade secrets when contracting with third parties?

Authored by David G. Waytz, Associate, Fredrikson & Byron, P.A.  Thanks, David, for the guest post!

Are Your Corporate Policies Keeping Up With Technology?

As you may recall, we recently posted about the potential business impact of the relatively new app Confide (Confide – a New App Touted for “Off-the-Record” Business Discussions – Good or Bad for Business?).  We promised we would follow up with some practical reminders about why you should ensure that your policies are keeping abreast of technology.  Corporate policies and employee education are often two of the most effective means of placing employees on notice of company expectations of behavior, communication, use of electronic resources, and protection of confidential information – just to name a few.  But what happens when those policies don’t even contemplate certain employee behavior because they don’t address the technology behind the behavior?  Will those policies be effective in light of emerging technology?

Let’s evaluate some of the policies and training regimes that could be implicated, and might need to be reviewed, in light of new technology, or apps, like Confide and Snapchat:

BYOD Policies

If you permit employees to access company systems on personal devices and those employees keep company contact information on that personal device, you might want to consider whether your BYOD policy should prohibit the use of certain applications that require access to that information.  Permitting employees to use apps that require the user to grant access to the user’s entire address book could later impact your ability to prevent the employee, or others, from using or disclosing that contact information.  We have raised this issue in the past when talking about how easy LinkedIn makes it to upload your entire contact database (See Who Owns Your Company’s Social Media Profiles, Contacts and Content?).

Confidentiality Policies

You likely have a policy that prohibits improper use or disclosure of confidential or sensitive information (such as client or patient information).  Those policies could be updated to specifically reference that disclosure of confidential or sensitive information via any app or text message is prohibited – including taking or sending pictures of such information.  The policy should remind employees that all company information, whether generated through a personal or corporate device, belongs to the employer – not to the employee – and is subject to company policies limiting use and disclosure of such information.

Software/Application Policies

Stakeholders from HR, IT and corporate legal should discuss which apps the company will prohibit on corporate owned devices.  Those prohibited applications should be spelled out in the company software/application policies.  There are many reasons for preventing the use of certain apps (think possible malware) but companies should also think about how employee use of an application which automatically destroys the data being transferred will impact employer obligations to control or retain such information, particularly those in highly regulated areas, such as financial services or health care.

Code of Conduct

An organization’s Code of Conduct often addresses an employee’s obligation to prevent theft of trade secret information.  Such policies often discuss how trade secret theft occurs and how employees can actively assist the company in protection of its trade secret information.  Such policies – which also often prohibit the unauthorized use or disclosure of trade secret information – should specify whether the use of apps, like Confide or Snapchat, to transfer trade secret information is prohibited by the Company.

Electronic Monitoring/Electronic Use Policies

A company’s electronic monitoring and/or electronic use policies often provide notice to employees that the company will monitor employee conduct while using company provided electronic resources.  Such policies should address whether sending text messages or any similar communications to prevent detection of that communication is a violation of company policy, and that the company will take disciplinary action should it learn that employees are engaging in unauthorized text messages or other interactions.  Additionally, employees should further be reminded they have no reasonable expectation of privacy in their communications – whether sent via an app or via work email.  As with other policies, an employee should sign off on, consent to and acknowledge an understanding of this as a condition of employment.

Training

As we have often said in the past, training and education are key to preventing unauthorized behaviors, as well as ensuring employees understand what is or is not appropriate use of electronic devices that access your systems.  Your training could address, for example, appropriate business communications for your industry (e.g. via business email) and possible inappropriate business communications (e.g. via personal email, or via apps, like Confide and Snapchat).  I have found that demonstrating the potential negative consequences of using a particular mode of communication provides employees a better understanding of why that communication is prohibited, could result in harm to the company, or might be viewed as unprofessional in your industry.

Litigation Holds/Employee Claims/E-Discovery Policies

Businesses must also recognize that certain applications, like Confide, could pose problems for e-discovery and data retention in the event of litigation or a potential claim.  Employee use of certain apps could also impact an employer’s ability to fully investigate employee/supervisor harassment and discrimination, or to monitor illegal or unethical conduct by employees.  If employees are using non-company supported means of communicating business information, a policy should require those employees to disclose that fact to IT and/or legal to ensure the company can later meet any legal or compliance-related obligations to store and retain certain data.

Think back to when your company did not need a social media policy because social media did not exist – and no one ever thought that employees would share company information with 500 of their closest friends…but now most companies have policies to address employee use of social media.  Emerging technologies certainly make it difficult for IT, HR and corporate legal departments to keep on top of employee behavior and to keep company information safe.  What are you doing to keep abreast of technology?  As always, we welcome your input.

Confide – a New App Touted for “Off-the-Record” Business Discussions – Good or Bad for Business?

In early 2013, Snapchat, an app that allows users to send self-destructing photos, became the second-most popular iPhone app with approximately 50 million snaps a day.  While Snapchat is aimed at a younger non-business audience (think teens sending “selfies” to their friends), we had recently been talking about the potential legal implications arising from employee use of Snapchat.  In the midst of that discussion, along comes Confide.  Confide is a free text-based iOS app that permits users to send text/email messages to others which disappear as soon as they are read by the receiving party (the app requires iOS 7.0 or later and is optimized for the iPhone 5).

Confide targets its service to professionals who want to discuss personal, business or legal issues without the fear of an evidentiary trail.   In the “Frequently Asked Questions” section of its website, Confide provided its “good use cases for Confide” as follows:

1. Anytime you send an email or text saying “Confidential — don’t forward”

2. Anytime you respond to an email or text with “I’ll call you”

3. Anytime you say “Can you send me your personal email; I’d prefer this conversation not be on work servers”

The FAQs go on to state that good uses could include discussions about “[j]ob referrals, HR issues, deal discussions, and even some good-natured office gossip.”

I admit the thought of business messages being sent purposefully so that employees (including management) can have “off-the-record” discussions – that immediately disappear – causes some level of anxiety for the employment lawyer side of me.  But, let’s look at how this app works before I provide any thoughts on its business use.

On a basic level, Confide’s interface operates like other message sending apps (it contains a recipient, subject line and a message), except that when users open a message, the text is covered by a colored box that only disappears when the user runs a finger over the words.  The box reappears after the user passes on to new words.  According to Confide’s website, this “wanding” ability is supposed to provide screenshot protection.  The app also sends a notification to the sender if the recipient tries to screenshot the message.  Confide also boasts “end-to-end” encryption, which means the key to deciphering the incoming message lies only on the recipient’s mobile device, not Confide’s servers.  Confide claims that it does not have the ability to read, or even retrieve, the user messages (this also means that no one else could later retrieve the message).  Confide does, however, require complete access to the user’s Address Book on the device used to access Confide.  Confide stores the Address Book data in order to provide the service.  (See Confide’s Privacy Policy).  By using the app, users agree to Confide’s access to that Address Book.

So – in light of all of those features, what do businesses need to be thinking about in deciding whether to embrace or reject this new technology?

Potential Benefits

  • Confide grants users the ability to engage in private communications that won’t be stored anywhere.  This could be used for communications that really don’t need to be permanently recorded, such as where to meet for lunch, whether you are attending a particular meeting, or the like.
  • The impermanence might also be good if employees are simply venting to each other about the workplace – providing an outlet for employees to let off harmless steam without those remarks coming back to haunt them, or their employer.

Potential Cons

  • Confide grants users the ability to engage in private communications that won’t be stored anywhere.  This feature and the app’s impermanence might raise problems for businesses required by law to retain certain types of records or preserve documents or data for litigation purposes, or which are prohibited from engaging in certain types of communications.
  • From an employment standpoint, these ultra-private communications could lead to inappropriate discussions between employees – leaving the employer to work out a “he said, she said” situation without any concrete evidence.
  • Confide requires the user to grant complete access to their Address Book.  This should raise concerns for companies seeking to protect certain contact information – such as client information.  Clients too might not appreciate their contact information being shared freely with Confide.
  • Employees may also make improper use of the app – to share confidential information, to make plans to go work for a competitor, to share confidential information with that competitor, or to discuss important internal matters that really ought to be recorded in some fashion, to name just a few.

In light of the pros and cons above, businesses will have to decide whether they want to encourage “off-the-record” discussions between employees and permit the use of apps like Confide.  At the very least, the advent of apps like Confide should serve as a reminder for businesses to take affirmative steps to keep current with all new technologies to protect business interests, trade secrets, and regulatory and legal obligations.  Our next post will address some affirmative actions you can take to stay on top of new technologies.

Does your business or its employees use applications like Confide?  If so, how do you regulate the use, and the disappearing nature of the documents?  As always, we are interested in your thoughts.

Will Your Online Employment Application Hold Up to Minnesota’s Ban the Box Legislation?

We are always pleased to present posts from our colleagues in Fredrikson & Byron’s Employment & Labor group.  This week, we are happy to re-post our colleague Krista Hatcher’s article relating to an employer’s inquiry into an applicant’s criminal history in light of Minnesota’s recent “Ban the Box” law.  We thought her commentary relating to online applications may be of particular interest to our readers – so please do read on!

New Guidance from MDHR on “Ban-the-Box” Law, by Krista Hatcher

Minnesota’s new “Ban the Box” law prohibits most employers in Minnesota from inquiring into an applicant’s criminal history until after selecting the applicant for an interview or making a conditional offer of employment. The Minnesota Department of Human Rights, which enforces the new law, recently presented a Ban the Box webinar and published a Technical Guidance document. Although the MDHR’s interpretation is not binding on courts, which may disagree with the agency and construe the law differently, there are a few takeaways that employers may find instructive.

Compliance Will Not Insulate Employers from Discrimination Claims

Minnesota’s Ban the Box law regulates the timing of criminal history inquiries. Even if an employer complies with Ban the Box, however, its use of criminal history information may result in liability if it discriminates against individuals in protected classes. The MDHR suggests employers review the EEOC’s Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964, which says that employers should either: (1) have their criminal history screening practices validated in accordance with EEOC Uniform Guidelines on Employee Selection Procedures; or (2) develop a targeted screening process that takes into consideration at least the nature of the crime, time that has elapsed, and nature of the job for which the individual is applying, and provides for an individualized assessment. Employers that fail to comply with one of these two methods may face claims that their exclusion of applicants based on a criminal record is discriminatory.

Multi-state Employers May Use a Single Electronic Application That Contains a Clear and Unambiguous Disclaimer

According to the MDHR, employers that have operations in multiple states may continue to use a single electronic application, but must clearly and unambiguously inform Minnesota applicants that they need not answer criminal background questions on the application. The MDHR recommends that such language be in bold text and a different font, and cautions that if a Minnesota applicant does answer a criminal background question on the application the employer should not use or track the information. Although the MDHR did not discuss the use of paper applications by multi-state employers, the implication seems to be that a disclaimer on the application would be insufficient and multi-state employers should use a separate paper application in Minnesota that does not include any criminal history inquiries.

For more information on this issue, please see Ingrid Culp’s article, “New Minnesota Law Will Render Most Employment Applications Now In Use Unlawful.” For assistance with complying with the Ban the Box law or other questions related to background checks, please contact an attorney in Fredrikson & Byron’s Employment & Labor Law Group.

IT Professionals Walk a Tightrope When Dealing With Illegal Activity of Employees on Company-Owned Devices

In our November 8, 2013, post No Hall Pass for School Officials in School Texting Scandal, we discussed the impact of inappropriate and possibly illegal employee activity on company-owned electronic devices for both employees and organizations.  Now, we turn our attention to the company’s IT staff, and the professional, legal and ethical dilemmas many might face when dealing with the improper conduct of employees.

The Importance of IT Protocols

Employee misconduct comes in many forms – the conduct might simply amount to a violation of company policy or it might amount to a criminal act.  Regardless, organizations should consider implementing protocols for IT staff to follow when reporting and/or investigating the possible misconduct.  For example, chain-of-command – to whom will IT staff report possible misconduct?  Is there a direct line to a supervisor, or does the IT professional report these incidents to a senior level manager?  What happens if, as in the Coatesville case, the IT staffer believes the supervisor is involved in the illegal conduct?  Does corporate protocol anticipate these circumstances?  These questions should be discussed with all stakeholders so that the IT protocol includes a procedure that works for the organization.  So, what are the important takeaways relating to IT protocols?

  • The protocol should tell IT staffers what to do with evidence of possible misconduct.  For example, it should state who is responsible for and/or authorized to report possible misconduct to senior management and/or law enforcement personnel.
  • Organizations should train IT staff on the protocol so that they know how to respond when confronted with possible misconduct.
  • The protocol should outline to IT staff when to engage with inside or outside legal counsel to ensure that preservation obligations of the company are met.  IT staff should not be forced to make this important decision in a vacuum.

As we often say, a good protocol should tell employees what responsibilities each employee holds, and the obligations of those employees to perform certain duties when they are faced with employee misconduct.

What to do When Law Enforcement Becomes Involved

Another issue that should be addressed for your IT professionals is what to do when, as in Coatesville, law enforcement personnel become involved.  For example, in the Coatesville matter, the IT Director was first told by the District Attorney to preserve the integrity of the computer system and its content as evidence of an alleged illegal act.  Then, the Acting Coatesville Superintendent directed the IT Director to give up the computer codes to an outside computer firm.  The IT staffer walks a tightrope in complying with the directives of a supervisor while simultaneously following the legal requirements to preserve data and records for criminal prosecution.  What can a company do?

  • Have a protocol in place that clearly delineates how IT personnel should react to involvement of law enforcement.
  • Supervisors or managers too should know how to respond to reports of misconduct.  For example, supervisors and managers should know that intimidation of IT professionals is not appropriate following a report of possible misconduct.  For a good example, see dailylocal.com, More details in alleged harassment of texting scandal whistleblowers, October 1, 2013.  (The Acting Superintendent’s email to the IT Director ordering compliance with his demands lest he be slapped with insubordination regardless of what the county’s district attorney ordered).

According to the District Attorney involved in the Coatesville matter, an organization facing a criminal investigation should map out a clear strategy for preserving any computer evidence, backing up files with minimal disruption to the organization’s operations, and then a plan to communicate the strategy to law enforcement personnel to prevent any inference of company interference in the investigation.  See edweek.com, Pa. Texting Scandal Highlights Complexities for IT Leaders, October 16, 2013.  “The IT director really at that point has a double set of duties,” Mr. Hogan said.  “They have to preserve any data that might be related to the investigation from the standpoint of the government.  They also have a duty to follow any lawful orders of the [enterprise] regarding that data.”  As noted above – thinking about this upfront so that IT professionals have a protocol to follow would have alleviated some of the strain on the IT Director in this case – as well as the possible conflict with local law enforcement.

Do you Hire an Outside Forensic Vendor?

Finally, another big issue commonly faced by organizations is when to hire an outside forensic firm to preserve computer evidence and the integrity of the entire computer system. The retention of an outside firm can help negate any inference that the business is involved in covering up, or worse, destroying, evidence.  A well thought out and documented protocol might include a section addressing when to hire a forensic computer firm, how that firm will be retained, and who will be responsible for working with the firm.  Preservation of evidence is an important component of any potential legal action – criminal or civil.  As a result, having a clear road map of how an organization responds to preservation of evidence can help save the organization from the threat of sanctions if litigation later develops.

Have you dealt with employee misconduct on employee devices?  Were you equipped to respond?  As always, we welcome your insight.

No Hall Pass for School Officials in School Texting Scandal

The texting/tweeting scandals just keep coming – and once again this one is all true.  This unfortunate episode comes from the Coatesville Area School District in Pennsylvania.  The scandal highlights technology, ethics and employment issues, as well as the complexities that IT staff must navigate when dealing with evidence of alleged immoral and illegal activities on company-owned devices.  In this first post, we will look at the issues businesses face when employees engage in nefarious activity on company-owned electronic devices.

So, let’s take a look at some of the facts.  The Coatesville, Pa., School District Superintendent Richard Como and Coatesville Area High School Athletic Director Jim Donato recently resigned following the disclosure of their inflammatory texting conversation.  The pair had exchanged a myriad of racist and sexist slurs directed at students, faculty, and administration officials on district-owned cell phones.  In one appalling exchange, Como and Donato used fourteen slurs using the “n” word.  In another text, the pair allegedly discussed financial misdealing within the district and monetary kickbacks.

The district’s IT Director (Hawa) discovered the racist slurs while performing a routine data transfer on Athletic Director Donato’s district-owned cell phone.  Mr. Hawa reported the incident to the district’s deputy superintendent, and then to the district’s attorney.  News reports confirm that Hawa ultimately sent the transcript to the Chester County District Attorney after he became concerned that some Coatesville school board members and their attorney were attempting to cover up the texting scandal.  See Daily Local News, Coatesville school officials sighted at courthouse, dailylocal.com, October 18, 2013.  The District Attorney initiated a grand jury proceeding into the texting scandal, the alleged financial kickbacks, and other alleged improper activities of the school employees.  See abclocal.go.com, Grand jury investigation into Coatesville texting scandal, October 15, 2013.  The NAACP also conducted its own hearing into the incident revealing additional claims that the district discriminated against low-income and minority families, as well as disabled children.  The NAACP plans to investigate the claims made at the hearing for possible legal action against the district.  See philly.com, Coatesville school board denies accusation of bias, October 18, 2013.

So, what are the lessons learned from this scandal?  First, there are lessons for anyone who uses social media, electronic devices, etc.:

  • In the digital age, everyone must understand that electronic communications will NOT remain private.
  • Emails and texts – whether good or bad – do not disappear.  As discussed in prior posts, forensic experts can often easily retrieve “deleted” information from a cell phone or computer.  If you would not say what you are saying in front of a judge (or your grandmother) – don’t post it!
  • Don’t use your work provided device as if it were your own device.  As happened here, what happens if you turn in that device for a routine data transfer?  What will someone find?  Company officials and IT staff – under appropriate policies and procedures – will have the right to investigate information contained on company-owned cell phones and computers.  Employees must understand that even though they might be permitted to use a company-owned device for business and personal purposes, that device, and the content on that device, still remain the property of the business.

Second, there are important lessons for private and public corporate entities:

  • Implement policies and procedures that permit you to monitor, inspect and act upon inappropriate text messages or interactions.
  • Implement policies and procedures that outline the circumstances and procedures for reporting alleged illegal activities.  These policies could spell out the appropriate chain-of-command for reporting this activity, as well as the individual in the organization who has the authorization to discuss company matters with outside law enforcement officials.
  • Implement policies and procedures on appropriate and inappropriate use of company provided devices.   Then, train your employees on what that means – clearly not everyone understands this concept yet.

Third, evidence obtained from a company-owned device might be used in a termination decision; however, there could be consequences beyond loss of employment for inappropriate text messages:

  • For example, the former Coatesville Superintendent may find out his conduct might negate the school district’s obligation to pay out his retirement pension.  I bet that Como never thought that his texts with the Athletic Director could ever jeopardize his reputation, career, and ultimately his retirement pension.
  • Depending on the content of the inappropriate exchanges, district attorneys could use employee text messages to prosecute employees or their employers under criminal statutes.  Just think of what may face the Superintendent – “Theft by deception or extortion, theft of services, tampering with public records or information, are a few stated crimes listed under the forfeiture act that could cause Como to forfeit his pension.”  See Daily Times News, delcotimes.com, Former Coatesville schools chief at center of racist text saga files for pension, November 6, 2013.
  • The EEOC, local departments of human rights or the NAACP may use those text messages to support claims of discrimination, retaliation or unequal treatment against the employer.

In short, employees need to exercise some modicum of restraint in their communications.  Employers, knowing that employees may not do so, need to have policies in place to respond to inappropriate and possibly illegal conduct by employees.  Are you prepared?

New Security Platforms Help Dig Out CyberVillains From Your Company Networks

Remember the days when a simple firewall and anti-virus software protected a corporate network?  Unfortunately, to thwart today’s computer villains (often sponsored by foreign governments), companies may require a more “James Bond” type of defense.  For this reason, investors have pumped hundreds of millions of dollars into advanced cybersecurity platforms – betting that businesses will finally get their heads into the security game.  “Rare is the corporation whose network has not yet been breached,” Sameer Gandhi, venture capitalist with Accel Partners reported to USAToday, Crowdsourcing, data mining help stop hackers, (Sept. 11, 2013).  “The reality is that these threats are becoming more sophisticated, and we can expect them in higher volume in the future.”  (Of course, Accel Partners has an interest in businesses beefing up their security protocols, since Accel recently invested millions into a new security company – CrowdStrike – to further develop its anti-hacking platform.  See Danny Yadron, Firm that Tracks Foreign Hackers Gets $30 Million Funding Round, Wall Street Journal (Sept. 9, 2013)).

So, let’s take a look at CrowdStrike’s new security business model.  CrowdStrike uses big data and “crowdsourcing” analytics to identify and map cyber-criminal behavior within a corporate network.  It then purges the intruders from a corporate network before a compromise occurs.  The system becomes “smarter” each time it sees how hackers break in to steal information.  See USAToday, Crowdsourcing, data mining help stop hackers.  To complement these new advanced software tools, CrowdStrike also focuses on the human aspect.  Its investigative team, which is trained to collect, investigate and decipher data on threatening groups and corporate security risks, includes a former cybersecurity official from the F.B.I., as well as many others from the defense, intelligence and law enforcement communities.  The investigators and forensic experts give businesses the ability to track and hunt those cyber-villains on the network, and to understand why and how the threats occurred.    

Other security business firms have been busy increasing their cybersecurity platforms as well.  Cisco recently purchased Cognitive Security, a security firm that uses artificial intelligence techniques to detect cyberthreats, and Sourcefire, a leader in intelligent cybersecurity systems.   According to recent news releases, Cisco, with these acquisitions, hopes to accelerate its “security strategy of defending, discovering, and remediating the most critical security threats across the attack continuum.”

It certainly appears that these new security platforms are trying to help businesses be proactive with their security protection and detection – that is, to discover a threat before it is too late.  What is the old saying – it takes a whole village to raise a child?  Well, in today’s hyper-competitive and global marketplace you might need a whole team of highly skilled investigators and forensic experts to safeguard corporate data.  However, businesses still need to recognize that their own employees play a big role in the security of the company’s data.  Businesses should consider looking to external resources, such as these new security platforms.  However, they should also be looking at their own internal policies, procedures, training and best security practices to ensure they are keeping up with the quickly changing world of data security and protection.

As the world evolves at a supersonic pace, businesses might need to rethink the importance of their security efforts.  As these new business ventures demonstrate, cybersecurity is becoming a critical and necessary function to remain globally competitive.  From state-sponsored cyberterrorism and theft to corporate infiltration and espionage, the disappearance of a business’ competitive advantage might be one stolen secret away.

Have you invested in these new security platforms, or are you aware of others that might be of interest to our readers?  As always, we would love to hear from you.

Who is Watching You When You BYOD?

With all the news lately regarding the NSA’s surveillance program, it is not surprising that people are concerned, and even a little apprehensive, regarding what information others can view on their personal electronic devices.  With the recent surge of BYOD, the clash between personal and corporate data is even more apparent.  But what can an employer really view on an employee’s BYOD smartphone or tablet?  And when it comes to the use of personal devices, do employees trust their employers?

Recently, MobileIron, a mobile device management software developer, conducted a survey (MobileIron Trust Gap Survey) of 3000 workers across the United States, United Kingdom and Germany.  Of those 3000 workers, 80% now use personal smartphones and tablets for work-related functions.  But only 30% surveyed “completely trust their employer to keep personal information private.”  41% of employees surveyed did not think their employer could see anything on their mobile devices – and 15% were not sure what the employer could see.  “There’s a ton of confusion out there, and so the trust gap has widened.  Employees don’t really know what their employer can and can’t see,” Ojas Rege, vice president of strategy at MobileIron, told CIO.com (What Can Employers Really See on a BYOD Smartphone or Tablet).  “They’re just guessing.”

With a well-crafted BYOD policy, however, an employee should not be surprised about what an employer can see on a personal device.  Notice is important, so you might consider telling employees what information the organization needs to see and why.   By way of example:

  • Apps:  An employer has a stake in regulating what applications an employee can use on their personal devices for security purposes (e.g., to protect against outside access to client information and to prevent the loss of proprietary information).
  • Litigation or Pre-Litigation:  In the event of litigation or pre-trial investigation, personal devices may be subject to search and review for evidentiary reasons.  A BYOD personal device becomes just like any other evidentiary tool that may contain relevant information.
  • Corporate Information:  Regardless of what an employee may think, all corporate information, whether generated through the use of personal or corporate devices, or personal emails and data, belongs to the employer.  The device may not belong to the company, but the information certainly does.  Employees ought to understand this before using their personal devices for work purposes.

When looking at BYOD, employers should also consider what information employees don’t want them to see.  The survey illustrated the type of personal information and activities most workers were concerned about – personal emails, text messages, photos, videos, voicemails and Web activities.  Not surprisingly, younger employees, ages 18-34, were far more concerned about personal privacy than workers over the age of 55.  Depending on how the organization manages their mobile devices – it may or may not have access to this kind of information.  To make an informed decision about using a personal device, employees should know whether this information will be accessible to and/or monitored by the employer.

The survey certainly demonstrated there is a “trust gap” with employee use of personal devices for work purposes.  So how should an employer bridge the trust gap?  Unfortunately, the survey really demonstrated that no matter what a company does, whether it places employees on notice of all monitoring activity in writing, asks an employee permission to review a personal device or explains in written detail the purpose behind the surveillance, only 30% of workers believed these measures would increase their level of trust.  Roughly 30% of the respondents stated that there was nothing an employer could do to increase their level of trust in the company. 

Yet, a complete BYOD policy that spells out what information is needed and why should give an employee some measure of comfort in knowing the circumstances around which a personal device may be investigated or monitored.  Armed with that information, the employee can then decide whether they want to use their personal device for work purposes.  From the company perspective, a solid and tailored BYOD policy might dispel some of the negativity surrounding monitoring activity on corporate and/or BYOD personal devices.

Has your organization run into concerns over access to information on personal devices?  If so, what actions have you taken to bridge that “trust gap”?

Stealing Trade Secrets? Go Directly to Jail / Do Not Pass Go / Do Not Collect $200*

Many companies have increased their attention to prevention of theft of trade secrets, as well as the prevention of many other kinds of data loss these days.  Indeed, in February 2013, the White House released its Strategy for combating the theft of trade secrets in the United States.  Kicking off the report, President Obama stated:

“We are going to aggressively protect our intellectual property. Our single greatest asset is the innovation and the ingenuity and creativity of the American people. It is essential to our prosperity and it will only become more so in this century.”

Part of the Administration’s strategy focused on enhancing domestic law enforcement’s ability to combat theft of trade secrets and improving domestic legislation, such as the Economic Espionage Act of 1996, 18 U.S.C. §§1831-1839.  (For a good discussion of the Administration’s Strategy report, see my colleague Emily Duke’s article, Administration Releases Strategy to Prevent Theft of U.S. Trade Secrets). 

Most companies who depend upon the ability to protect their trade secrets to maintain a competitive edge in the market are watching closely to see what happens now.  A Criminal Complaint issued on June 4, 2013, in the United States District Court, for the District of New Jersey, against a former employee of Becton, Dickinson & Company (“BD”) certainly demonstrates that law enforcement is taking theft of trade secrets seriously.

In United States of America v. Ketankumar Maniar, the government alleges that Maniar (the former BD employee) had access to BD’s trade secret information and that, while still employed, he took actions to steal that trade secret information.  The Complaint further alleges that Maniar took the information in many different ways, including downloading close to 8,000 BD files containing BD trade secret information to multiple external hard drives and thumb drives and emailing BD trade secret information to his personal email account.  Apparently, there is evidence that Maniar was planning to take the BD trade secret information with him to India – although that action has been thwarted by his arrest.

In addition to the former employee’s actions relating to how he took information, what might also be of interest to our readers is the focus by the government on the steps BD had taken to protect its trade secret information.  The government focused on the following:

  • BD had a Code of Conduct that addressed protection of trade secret information which Maniar had signed off on and acknowledged was a condition of his employment with BD.
  • BD required that Maniar sign an Employee Agreement which acknowledged his obligation to protect trade secret information. 
  • BD maintained a Trade Secret Protection Policy that was incorporated into the Employee Agreement.
  • BD maintained physical and electronic security of its trade secret information, including limited or restricted access to certain information.
  • BD conducted training to remind employees of their responsibilities to protect trade secret information.

This case serves as a reminder that taking affirmative steps to protect trade secret assets will provide a greater opportunity in either a civil or criminal context to obtain relief from the legal system.  It also serves as a reminder that companies should be mindful that some employees will disregard their obligations to the company and take information to benefit themselves or others.  We have been advising clients, as well as writing, about this for years (See e.g. Recent Survey Shows That Employee Theft of Confidential Information is Rampant).  Technology certainly makes it easier for employees to walk out the door with confidential information.  When in doubt about what to do – contact your legal counsel, or one of the lawyers in our Trade Secret group.

In the meantime, we will keep an eye on what is happening.  As always, we welcome your input.

(*Monopoly is a trademark of Hasbro)

I.B.M.’s CEO on Management, Big Data, and the Power of Today’s Technology

“Big Data” means different things to different people.  In a March 7th speech, Virginia Rometty, Chairman, President and CEO of IBM, provided her take on “Big Data” and I thought she relayed a number of interesting points.  Her speech, entitled Competitive Advantage in the Era of Smart, describes a new way for private and public organizations to compete in an era of “Big Data” – data in the clouds, data on smart mobile devices and social networks, and corporations mining data for insights and the competitive edge.  To her, “Big Data” is the next natural resource, like oil or electricity, to propel this country forward as everyone will have access to cloud infrastructures, mobile devices and social networks.

Ms. Rometty suggests three “principles of change” – change, not just in technology, but in an evolution of an organization – a cultural way of thinking and acting.  All organizations make decisions about capital, people, products and services; create value for those individuals and entities; and deliver value to their customers.  Ms. Rometty laid her principles of evolution out as:

  1. Decisions will be based not on “gut instinct,” but on predictive analytics;
  2. The social network is the new production line; and
  3. Value will be created not for “market segments” or demographics, but for individuals.

Let’s look at each principle enunciated by Ms. Rometty.

Principle 1:  Decisions will be based not on “gut instinct,” but on predictive analytics

In today’s global community, Ms. Rometty believes that enterprises should move to an analytical decision making model.  Why is that?  Because every two days we generate the equivalent of all of the data produced up to 2003.  With the volume of this data and today’s raw computing power organizations can and should harness this duality to produce accurate and insightful knowledge-based decisions.

Ms. Rometty believes that organizations must use analytical decision-making models to reduce errors, and inadvertent or damaging outcomes.  As proof, she pointed first to a global survey of top risk managers that identified the #1 method for identifying and assessing risk – senior management intuition and experience.  And second, to the greatest recession of our lifetime – which many believe was caused by an inability to see and manage risk.  To illustrate her point, Ms. Rometty cautioned that many of our decisions are subconsciously influenced by our biases – relying too heavily on a single piece of information we have internalized.  For example, a doctor hears a patient disclose two or three symptoms out of many, and then makes a diagnosis while discounting those symptoms that do not fit into her predetermined category.  The key point to this analytical decision-making model is that:

“[t]his isn’t just a change in tools.  It’s a change in mindset and organizational culture.  Which is also the greatest challenge it poses: the need to ‘unlearn’ deeply engrained professional and leadership assumptions: . . . How you manage enterprise risk . . . and how you manage an enterprise.”

Ms. Rometty believes the mentality will be not just to learn new skills, but to learn a whole new job.  So will we be willing to do that?  And how quickly can such predictive analysis be created?  Will executives be willing and able to wait for that analysis – I personally don’t think we are there yet.  It certainly seems that we all are relying upon gut instinct every day…this would certainly be a hard thing for me to overcome.

Principle 2:  The social network is the new production line.

Create intellectual capital!  What does that even mean?  According to Ms. Rometty, the vast amount of data now produced, the power of the computers, and today’s shared connectivity have now created the means for the production of knowledge – with social networks as the new production line.  “In a social enterprise, your value is established not by how much knowledge you amass, but by how much knowledge you impart to others.”  So how do you produce knowledge?

The long-term objective is an enterprise expertise model where information is analyzed automatically, content is organized in relevant topics and personalized action plans are created – and where rewards are shaped by who contributes the most and best ideas.

The goal is not to just share information – the connectivity – but actually create experts in an organization.  Anyone in an enterprise can become an expert.  Could every company, however, hire, compensate, evaluate and promote employees based upon the concept of “shared and catalyzed knowledge”?  Ms. Rometty believes most can and will.  Every IBM employee now has a social network page, and access to vast amounts of internal and external information sources, blogs and wikis – the ability to create intellectual capital.  According to Ms. Rometty, IBM is working toward a future -

in which all IBMers will be rated by their peers and profession, based on how good they are at sharing their knowledge . . . how good they are at making it useful, consumable . . . how well they contribute to the community and to [their] clients’ needs and experiences.

I certainly agree that the ability to communicate, contribute and share is going to be a key factor to success in future organizations!

Principle 3:  Value will be created not for “market segments” or demographics, but for individuals.

The rapid emergence of Big Data, social networks, mobile communications, and location tracking software has lessened the inherent value of segmenting consumers – whether public consumers of government services or private consumers of business.  “I” and “You” bear today’s fruit.  It’s the age of the individual.  Today’s technology has created the ability for enterprises to track individual wants, needs and desires, and then to encapsulate that into a good or service targeted to that specific consumer. 

In her speech, Ms. Rometty gave the example of how President Barack Obama’s re-election campaign used Big Data analytics and behavioral science to understand how individual voters in key states might react.

Using dynamic models powered by voter contact data, the campaign’s Analytics team ran 66,000 simulations each night to project who was winning every battleground state.  They used this data to allocate resources – funding, campaign workers, outreach – in real time.  The final simulations of the Ohio vote were accurate to within 0.2 percent.

Companies now must recognize the emergence of this capability to remain competitive in the global market place.  Forward-thinkers will use this data and computational ability to actually learn what “You” and “I” want – not what some organization deems “we” want.  Ms. Rometty believes, in the end, that organizations and consumers will offer each other measurable value – information about “You” and “I” in exchange for a benefit in return.

Virginia Rometty concluded by saying:

[t]he challenge is not the technology.  The challenge, as always, is culture . . . changing our entrenched ways of thinking, acting and organizing. . . . We have, in Big Data, a vast new natural resource, as well as the means to mine it for value.  And that is unleashing not only insight and knowledge, but new ways of creating business and societal value . . . and new ways of working that are more flexible, innovative, collaborative, humane.

Erik Brynjolfsson, director of the Center for Digital Business at MIT’s Sloan School of Management, echoed Ms. Rometty’s sentiments.  (see New York Times, I.B.M.s Rometty on the Data Challenge to the Culture of Management).  “The technology has been available for a few years now to create a management revolution based on big data, and now we’re beginning to see more and more companies undertake the much harder job of reinventing their business process and culture to take full advantage of those technologies.”  Based upon the number of targeted ads that we are seeing, I am pretty confident a number of organizations have embraced this last concept! 

So what does this mean for you as an individual or an organization?  Do you agree that you should disregard your gut instinct and replace it with a “computerized” risk analysis?  Do you share and create knowledge and information to increase your market share and demonstrate your expertise – whether via social media or otherwise?  And finally, what do you think of the individually targeted culture being created by all of the data mined by organizations?  I admit that I don’t know where I stand.  As always, we welcome your input!  


Contributing Authors

Teresa Thompson

Teresa is the Chair of Fredrikson’s Non-Competes and Trade Secrets Group, and an MSBA Certified Labor and Employment Law Specialist. She counsels business clients on risk management and policy development relating to employee use of technology, and also litigates their business and employment disputes. Teresa trains, writes and lectures extensively on legal issues arising from business use of technology and social media.


Norah Olson Bluvshtein

Norah is an employment law attorney representing businesses both in and out of the courtroom on employee issues from hiring, to firing, and everything in between. She writes, speaks, and consults on employee use (and misuse) of the Internet, social media, and technology.
