No, it’s not an acronym advising you to come to dinner with your favorite vintage of pinot noir.  BYOD stands for Bring Your Own Device, a movement that’s changing the landscape of information technology at workplaces across the globe.  In the “old days,” companies issued electronic equipment to employees for work use.  Today, employees want to use the latest electronics of their own choice for both work and play.  Surveys consistently show that companies are giving in to such requests, citing the benefits of increased productivity and morale, as well as cost savings from not having to buy the equipment themselves.  However, BYOD programs also create legal risks for companies, including:

  • Violation of labor laws like the Fair Labor Standards Act due to the ability of workers to rack up overtime by doing work on personal devices practically anywhere and at any time, whether or not such overtime is authorized by management
  • Violation of laws prohibiting disclosure of the private information of customers, clients, or patients, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act
  • Inadvertent disclosure of proprietary company information, which jeopardizes its confidentiality and, as a result, its status as a protected trade secret
  • Complicating the e-discovery process, because electronic data that fall within the scope of a discovery request may reside on devices besides those under the direct control of the company

In light of these risks, the knee-jerk response of management might be to forbid BYOD entirely, but that is not necessarily the best approach.  BYOD is more prevalent than one might think.  A form of BYOD is in play whenever someone stores work data on a personal cloud storage account, uses a personal laptop to draft a memo for work, or forwards work-related word processing files to a private email account for easy access from home.  A company need not officially adopt a BYOD program to have one, which is all the more reason why management should be proactive about putting BYOD policies in place.

Learn about the specific risks that a BYOD program creates for your company.  Develop guidelines on acceptable and unacceptable use of personal devices for work-related purposes.  Notify employees of the policies in writing and provide training.  Don’t wait until it’s too late!

Want more tips on BYOD?  Come to the Advanced Employment Issues Symposium in Las Vegas from November 13-15, where I’ll be giving a presentation on “BYOD Challenges: When Employees Bring Their Own Devices to Work.”  Registration information is available at www.aeisonline.com.


Text message failed to give employer sufficient notice of intention to take FMLA leave

Lanier v. University of Texas Southwestern Medical Center, 2013 WL 2631316 (5th Cir. June 12, 2013)

Lanier reminds me of a conversation I had with a friend who manages a local restaurant.  He was bemoaning the lack of professional courtesy displayed by his twentysomething employees.  “They don’t call in to say they’ll be late to a shift.  They text me!”

My friend now can say that the courts agree with him.  At least when it comes to invoking rights under the Family and Medical Leave Act (FMLA), a federal appellate court recently ruled that a text message doesn’t do the job.  Chrisanne Lanier was scheduled to be on call when her father fell ill.  She sent a text message to her supervisor saying that her father was in the emergency room and that she would be unable to be on call that night.  Her supervisor responded that another employee would cover her shift.

Lanier failed to log in for her make-up call rotation several weeks later.  This led to a confrontation between Lanier and her supervisor and Lanier abandoning her job duties.  After Lanier was asked to resign, she sued her employer under various theories of recovery, including interference with her FMLA rights.

At issue was whether Lanier gave proper notice to her employer of her intention to take FMLA leave.  The Fifth Circuit held that she did not.  Although an employee doesn’t need to say the words “FMLA leave,” she must give notice sufficient to make her employer aware that her request to take time off could fall under the FMLA.  The employer may have a duty to inquire further if the employee’s statements warrant it, but “the employer is not required to be clairvoyant.”

In Lanier’s case, a text message saying that her father was in the emergency room was not sufficient notice of her intention to take FMLA leave, the court said.  Lanier argued that her supervisor should have inquired further because she had previously told him about her father’s advanced age, his poor health, and that he was having breathing problems that morning.  Even with these facts, the court ruled that it would be unreasonable to expect Lanier’s supervisor to know that she meant to request FMLA leave.  Lanier had taken FMLA leave before and was familiar with the proper way to request it, and yet she did not take those steps.  Finding that no reasonable jury could conclude that Lanier’s text message was sufficient to notify her supervisor of her intent to request FMLA leave to care for her father, the court granted summary judgment to the employer on the FMLA interference claim.

A New York court overturns the termination of a public school teacher for posting offensive comments on social media

Rubino v. City of New York, 106 A.D.3d 439 (May 7, 2013)

The New York Supreme Court, Appellate Division recently ruled that the firing of a fifth-grade public school teacher for making inappropriate comments on social media was too harsh a penalty.  After a difficult day at class, the teacher posted comments alluding to a tragedy involving an unknown student at a different school.  The court’s opinion is sparse on details, but according to a Huffington Post article, the teacher wrote: “After today, I am thinking the beach sounds like a wonderful idea for my 5th graders!  I HATE THEIR GUTS!”  The beach reference alluded to the drowning of a 12-year-old girl on a school trip to a Long Island beach the day before.  The comments were only visible to the teacher’s private network of friends, who did not include any of her students or their parents.  The teacher deleted the comments three days after posting them.  She denied making the comments when she was initially confronted about them, but later confessed at her disciplinary hearing.

The court agreed that the comments were “clearly inappropriate” but it noted that the purpose of the comments was just to vent.  The teacher did not intend the public to see her comments, and she expressed remorse over making them.  She had no prior disciplinary history in her 15-year career.  Given the record, the appellate court found the termination to be “shocking to one’s sense of fairness.”  The appellate court upheld a lower court order setting aside the termination and sending the case back down for imposition of a lesser penalty.

LegalTXTS Lesson: Not all courts have been as kind toward teachers who vent on social media as the New York Appellate Division.  In fact, in In re O’Brien, a court in neighboring New Jersey upheld the firing of a first-grade teacher under similar circumstances earlier this year.  One difference might be that the teacher in Rubino expressed remorse for making the comments whereas the teacher in O’Brien did not.  Whether that factor alone accounts for the different outcomes is questionable.  One thing the cases do share in common is that the teachers in both thought that no one outside of their network of “friends” would see their comments.  With apologies to Las Vegas, Rubino and O’Brien teach that what happens in an employee’s social network doesn’t always stay in his or her social network.


Supervisor snoops into former employee’s personal Gmail account after she returns company-issued Blackberry

Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)

The line between personal and business use of electronic devices is increasingly getting blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets.  Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns.  The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013) highlights this risk.

Verizon issued a Blackberry smartphone to its employee, Sandi Lazette.  Lazette set up a personal Gmail account on the phone with Verizon’s permission.  Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee.  Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not.  Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.

Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy.  A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions.  The court also allowed Lazette’s privacy claim to move forward.

LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.

1.  Don’t read your employees’ personal messages—even if they are readily accessible.  Management should treat an employee’s personal account as private, even if restrictions on accessing the account are minimal or non-existent.  A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA.  Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry.  Yet, the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails.  The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.

2.  Construe grants of access narrowly.  If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account.  In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account.  Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him.  Years later, the supervisor logged into the account to read emails about the status of the company.  In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial.  Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.

3.  Thoroughly purge personal data from company-issued electronic devices before reusing them.  Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after they have been returned or repaired.  Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like.  Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.

4.  Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools.  One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM controls such as the ability to “remotely wipe” a device should it get lost or compromised.  MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device.  To mitigate such concerns, a company should devise policies clarifying upfront the expectations of privacy that employees should have if they choose to use a dual-use device at work.


Employer sues ex-employee for not updating his LinkedIn profile

Jefferson Audio Visual Systems, Inc. v. Light, 2013 WL 1947625 (W.D. Ky. May 9, 2013).

What would you do if your ex-employee told everybody he still works for you?  One company’s response was to sue.  In the first case of its kind, the company decided to sue its former employee for fraud for not updating his LinkedIn profile.

Jefferson Audio Visual Systems, Inc. (JAVS) fired its sales director, Gunnar Light, after he mishandled a potentially lucrative deal and made defamatory statements about JAVS to a prospective customer.  Shortly afterwards, JAVS filed a lawsuit against Light alleging various claims, including fraud.  JAVS argued that Light was fraudulent in failing to update his LinkedIn profile to reflect that he was no longer a JAVS employee.  A Kentucky federal court dismissed the fraud claim because JAVS failed to show that it was defrauded by Light’s LinkedIn profile.  At most, JAVS alleged that the profile tricked others.  Under Kentucky law, a party claiming fraud must itself have relied on the fraudulent statements.

LegalTXTS Lesson: JAVS’ actions against its ex-employee might have been rather extreme, but the case is a reminder that ex-employees can leave behind an electronic wake that is damaging.  Because computer technology is an integral part of work life, management needs to be intentional in disengaging ex-employees from the electronic systems and online persona of the organization.  Each organization must determine for itself what measures for dealing with such post-termination issues are feasible, effective, and consistent with its objectives, but here are some suggestions:

1.  Promptly update the organization’s website, social media profiles, and any other official online presence to reflect that the former employee no longer works for the organization.

2.  Specify who owns Internet accounts handled by the ex-employee for the organization’s  benefit and the information stored in the accounts.  This includes social media accounts and cloud storage accounts (e.g., DropBox, Google Drive, SkyDrive) to the extent they contain proprietary data.  As part of this measure, be sure to obtain the information needed to access the accounts, including any updates to login credentials.

3.  Restrict the amount of access that former employees, as well as current employees whose departure is imminent, have to workstations, databases, and networks of the organization.  Limiting access helps to prevent theft of trade secrets and proprietary information.  Many CFAA lawsuits have been spawned by a failure to take this precaution.

4.  Check if the employee left behind anything that would enable him or her to gain unauthorized access to company systems, like malware, viruses, or “back doors.”

5.  Enable systems that allow erasure of the organization’s data from electronic devices used by the ex-employee to remotely access the work network, such as smartphones, laptops, and tablet computers.

6.  Establish guidelines on employee use of the company’s intellectual property on personal internet profiles (e.g., Facebook, Twitter, LinkedIn), including trademarks and trade names.