A recent case caught my eye this week regarding the personal use of a company-issued smartphone. Smartphones are everywhere, in the possession of nearly everyone, and can do just about anything! Anything, except – - erase your personal email account all by itself when you forget!
In the case of Lazette v. Kulmatycki (N.D. Ohio 6/5/13), that is just what happened. Lazette was issued a Blackberry by her employer. She was told that she could use the company-issued phone for personal email. She had an account with Gmail, and believed she had deleted that account from the phone before giving it to Kulmatycki, her supervisor, upon exiting the company. She had the understanding that her phone would be “recycled” to another employee. After leaving the company, she learned that instead of deleting her email account, her former supervisor had been accessing her Gmail account, reading 48,000 emails over a period of eighteen months! Among the contents of the accessed emails were communications about Lazette’s family, career, financials, health, and other personal matters.
Lazette has filed suit alleging the company and her former supervisor violated the Stored Communications Act, which prohibits the unauthorized access of electronic communications. Lazette presented sufficient evidence that will allow her suit to proceed to discovery.
How can an employer manage this type of risk? Here are a few suggestions:
- Have a communications policy. The policy should explain that employees should have no expectations of privacy related to electronic communications sent or received on a company-issued/owned mobile device, including personal accounts. Include a statement prohibiting employees from accessing the personal email or internet accounts of fellow coworkers.
- Wipe the device clean. It is a common practice to reuse electronic equipment within a company. Instruct IT personnel to remove all personal data of the former employee upon the return of any electronic equipment.
- Isolate the device first. Prior to wiping the device completely, make sure information stored on the device is not needed for legal proceedings in an ongoing or potential lawsuit.
- Never, ever, ever read your employees’ personal email no matter how tempting it may be!
Need help drafting a policy or employee handbook? See www.hrnonline.com
Source: Hyman, Jon. “Who Owns Personal Email on an Employer-Issued Smartphone?” The Practical Employer. Available online at www.workforce.com/blogs/3/post/9222
I have been reading about Google’s new mobile device, Glass. Glass can attach to a pair of eyeglasses and the results are interesting, yet somewhat frightening! The hands-free capabilities of Glass may be activated by either voice commands or moving the head up. It will take pictures, text, browse websites, view maps, record activities the wearer experiences and can transmit them live! One has to admit that it is a very creative and potentially powerful tool. The next admission may give you pause – - your employees may one day embrace Glass!
The implications of Glass in the workplace can call into question the ability to keep proprietary information confidential. Suppose an employee wears this device all day on their prescription glasses. You never know whether the employee is discretely recording what you are saying in a company financial outlook meeting, a disciplinary meeting, or a project planning meeting. Their coworkers likely will not be as open and forthcoming with their thoughts if they think there is a remote possibility they are being recorded. It could bridle collaboration and creativity, as well as threaten one of your most critical assets, your competitive edge.
While Glass is still in the prototype phase, it is expected to be available to the public in 2014. As with all new technology, employers will need to weigh the pros and cons of allowing such a device in the workplace. A careful review of company policies regulating personal mobile devices will become a high priority to continue safeguarding confidential company information.
Need help with your employment policies? We can help!
What does an employer needs to do if it wants to reject an applicant for employment based on credit or criminal conviction history? The main governing federal law is the Fair Credit Reporting Act (FCRA). Some states also have laws that govern this issue, so check for them too. The FCRA is enforced by the Federal Trade Commission (FTC). The FTC has issued a clear guidance for employers on this point, click here. The FTC guidance notes that employment background checks done by third parties “also are known as consumer reports. They can include information from a variety of sources, including credit reports and criminal records.” The FTC explains, “When you use consumer reports to make employment decisions, including hiring, retention, promotion or reassignment, you must comply with the Fair Credit Reporting Act (FCRA).” The FTC guidance then explains the three main steps (outlined below) an employer must follow to comply with the FCRA in this process. Because the FTC guidance on these three steps is so clear, I have included it below almost verbatim.
Since early spring, it seems one of the hottest topics I’ve been hearing about in HR has been the idea that potential employers want everyone’s Facebook password. I first talked about it in March, when the story was reported by the AP. The trend was apparently pervasive, and everyone was doing it (or would soon be).
I’ve always believed that people (and employers) will, as a whole, follow the “Golden Rule.” I also think that even in a company that doesn’t subscribe to that mantra, decision-makers know that hiring smart people who get the job done equals higher profit. If employers are running around compelling applicants and employees to fork over their passwords or disclose private information, they’re going to alienate everyone – especially the individuals they really want.
The ACLU (and a few others, it turns out) doesn’t agree with me. Late last month, the Social Networking Online Privacy Act (SNOPA) was introduced into Congress. Maryland wasted no time in getting a state law on the books, and several other states have jumped on the bandwagon. Then, last week, Senator Richard Blumenthal (D-CT) and Representative Martin Heinrich (D-NM) filed the Password Protection Act of 2012 (PPA). The ACLU describes the legislation as having highlights and drawbacks:
- “Sweeping in scope” – Extends to any situation that an employer might attempt to strong-arm an applicant or employee into providing access to information.
- “Technology-neutral” – It is not limited to social networking, which could be obsolete in a few years.
- “Glaring omissions… lack of coverage for students” – ACLU argues that SNOPA provides coverage for students.
- “Fishing expedition” – They believe it allows too many unnecessary exemptions.
After reading this news, I was confused. It seemed that everyone I talked to and every commentary or blog writer agreed it was a despicable practice to ask someone for this private information. This morning, I came across this blog at TLNT by Eric Gaydos. He presents four common-sense reasons why he believes employers will not ask applicants for the Facebook passwords, including that it’s just a plain old bad idea on an employer’s part. I appreciated his point of view and I think he speaks for leaders that still have a good dose of common sense running through them.
What do you think? Are SNOPA and PPA necessary, or are employers smart enough to avoid this pitfall?
Surprisingly, this is an acronym for the workplace and no, it’s not “Bring Your Own Drink”. BYOD stands for “Bring Your Own Device”. With the smartphone revolution over the past three years, more and more personal smartphones are being used for work with the lines blurring between personal and work use of mobile devices.
Why are employees bringing their own mobile devices to work? For many, it is because they are not happy with the functionality of employer-provided mobile devices. For others, it may be that they just simply prefer using their own.
Whatever the reason, employers need to review their employee communications use policy. The primary issue raised by business use of personal mobile devices and use of social media is the “privacy gap”. The employee and employer expectations need to be defined as to what should be private and who should control use of communications.
The usage policies should address the following items:
- What is acceptable within your company culture in terms of reasonable expectations of privacy?
- What access does the employer have to retrieve data, such as work-related emails?
- Will you reimburse for work-related use of personal mobile devices? Determine the reimbursement policy, if any.
- What are the system requirements? In order to be compatible with company requirements, connectivity and data security standards by the employer should be established.
- What if the device is lost or stolen? Determine what will happen with the contents of the mobile device if this should happen.
Managers and employees should receive regularly training on the policy, which should be revisited at least annually. Because, as we know, technology changes frequently…and rapidly.
Since the onset of the current recession, police departments all over the United States are reporting increased instances of theft, burglary, and robbery. According to the Police Executive Research Forum, 44 percent of police departments have reported such increases.
If you are at all like me or most people if they would admit it, you leave personal belongings out in the open at least occasionally. Have you walked away from your work computer for any length of time without locking it? Are you certain your office building secure from outside visitors? This gives criminals easy access to walk in to your office, and walk out with a variety of stolen goods.
In addition to the company’s laptop that disappears, consider the loss to the company’s intellectual property – proposals, proprietary notes and reports, and other confidential information. Consider, too, your employee’s sense of safety and trust that their employer can take care of them.
Many of these thieves watch office buildings and know when the opportunity is just right. Using common sense and training your employees on what to do can go a long way in preventing these thefts.
- Don’t let someone “tailgate” (follow behind you) to gain access to your building. Card readers are there for a reason: to prevent unauthorized people from getting in.
- Leave your personal items (purse, keys, etc.) in a locked drawer – be sure to take the keys with you! If you don’t need something, leave it at home.
- Use visitor badges to identify strangers that are supposed to be in your office, such as the telephone maintenance person. Anyone without a badge will stick out and raise suspicion. Keep it simple – the badges don’t have to be anything special, just something that identifies individuals as visitors.
- If you see a stranger in your office, you don’t have to confront him or her yourself. Call the police or your security officer. If you choose to confront him or her, asking something as simple as “Can I help you?” is sometimes enough to deter the person.
- If you are the last person to leave your office at the end of the day, check your co-workers’ computers, copiers, and critical files to be sure they are all secure.
Above all, communicate this to your employees and explain the reasons for your safety measures. If everyone is held to the same standards, this could help them recognize a shady character lurking about. For more information, and a security quiz, check out the USDA’s Office of Procurement and Property Management, http://www.dm.usda.gov/physicalsecurity/theft.htm.
On November 1, 2008, new identity theft regulations go into effect, some of which apply to employers who are users of consumer reports, i.e. background checks, performed by third parties under the Fair and Accurate Credit Transactions of 2003 (FACTA). The new regulations require users to implement a written policy to respond to any notices of address discrepancy received from a credit reporting agency (CRA). The policy must be designed to help a user form a reasonable belief that the report from the CRA matches the person about whom the background check was performed.
A recent news article noted that the workplace is the site of much identity theft, notably re: financial information, driver licenses, Social Security numbers, and medical information. Employers should develop and implement a policy and plan to protect such information and reduce the risk they will be held liable if/when identity theft occurs.