
Introduction

Privacy Implications for Smart Devices and Social Media in the Workplace, June 25, 2015

Privacy Implications for Smart Devices and Social Media in the Workplace

A Complimentary LexisNexis® Webinar

June 25, 2015

Thallen Brassel, Associate, Nelson Mullins Riley & Scarborough LLP
David F. Katz, Partner, Nelson Mullins Riley & Scarborough LLP
Heidi Wachs, Special Counsel, Jenner & Block LLP
Brock Wanless, Assistant General Counsel, Groupon Inc.

About the Speakers

Thallen Brassel is an associate in the Nashville office of Nelson Mullins Riley & Scarborough LLP. She concentrates her practice in corporate, tax, and technology law. Ms. Brassel has experience advising clients on a range of complex commercial transactions, including mergers and acquisitions, financing, and technology outsourcing, as well as matters of corporate strategy such as business formation, nonprofit status, marketing, and social media. Ms. Brassel has also led domestic and international research projects concerning matters of technology law and social media law.


About the Speakers

David Katz is a partner in Nelson Mullins Riley & Scarborough's Atlanta office, where he leads the Privacy and Information Security Practice Group. He provides legal advice on matters related to the privacy laws affecting multiple sectors of the economy, including retail, financial services, education, healthcare, and technology. He counsels corporate clients on the development, management and oversight of privacy and compliance programs and vendor management programs, and assists them in developing policies and procedures, education strategies, implementation of auditing and monitoring controls, reviews of disciplinary and enforcement activities, and risk assessments. His corporate practice includes providing privacy and security due diligence reviews for mergers and acquisitions. He represents clients at all stages of incident response, from investigation, notification and remediation to defense of litigation and regulatory inquiry.


About the Speakers

Heidi L. Wachs is a member of the firm's Privacy and Information Governance Practice. A nationally recognized leader in privacy, breach response and data security compliance, her wealth of experience includes serving as a privacy researcher and as chief privacy officer of a major university. Clients seek her counsel in data breach handling and recovery, information classification, information security and identity governance and administration. Ms. Wachs is a certified information privacy professional.

Ms. Wachs joined Jenner & Block after serving as an analyst for the identity and privacy strategies team with Gartner for Technical Professionals from 2012 to 2014. At Gartner, she researched, published and presented on issues of privacy and technology. Prior to her work as an analyst, Ms. Wachs founded and developed Georgetown University’s privacy program, serving as the university’s first chief privacy officer and director of IT policy from 2007‐2012, and is recognized as a national leader on education privacy issues. Before serving at Georgetown, she was a government relations officer with EDUCAUSE, a nonprofit association whose mission is to promote the intelligent use of information technology in higher education.


About the Speakers

Brock Wanless is Assistant General Counsel at Groupon, with increased responsibility for global privacy/regulatory initiatives. He is the Chair of Groupon’s Global Privacy & Regulatory Working Group that coordinates and implements global privacy and regulatory initiatives. Brock is charged with the oversight of Groupon’s US/EU Safe Harbor certification and on‐going compliance/audits and serves as their HIPAA privacy officer.

Prior to his promotion to Assistant General Counsel, Brock was Senior Corporate Counsel for Government, Regulatory, and Privacy at Groupon.


SOCIAL MEDIA POLICY VS. SOCIAL MEDIA STRATEGY, AND WHY YOU NEED BOTH


Social Media Policy

• Social media policies tell employees and employers how social media should be utilized as it relates to the company

• These policies walk a fine line – They must not be too restrictive of an employee's personal freedom of speech, but they should clearly outline and implement a company's goals regarding social media use 


Social Media Strategy

• A social media strategy outlines how a company deals with issues or mitigates a crisis relating to social media

• Issues may include using social media to increase customer interaction and satisfaction with the company; or chain of command when there is a discrepancy about the appropriateness of potential posts (i.e., does it violate any employee or customer privacy)

• Crisis situations may range from a disgruntled employee (or customer) posting disparaging remarks about the company to a company's mistaken link to an inappropriate link on Twitter.


PRIVACY CONSIDERATIONS FOR THE USE OF SOCIAL MEDIA IN HIRING DECISIONS


The Law Regarding Social Media Searches

• There is no specific federal law to regulate employers' use of social media in hiring decisions, but there may be state law implications

• Some states require companies to get permission from candidate before doing social media search

• Others require that information found from search be treated with the same privacy considerations as that of a credit report

• Many states require candidates be allowed to review and rebut information found through the search


Equal Opportunity Laws

• Avoid discovering information about candidates that could lead to accusations of equal opportunity law violations

• One way to mitigate this problem is to create a separate HR function to review social media information; those making hiring decisions remain blind to all but the relevant factors

• Another solution is to conduct the search after an in‐person interview has occurred; this eliminates the possibility of being accused of not following up with a potential hire for reasons related to gender or race


General Takeaways

• Consistency is key
• Conduct search at same point in hiring process for all candidates
• HR professionals should know all relevant state laws
• Information found through search should not be the only basis for hiring or not hiring a candidate; use with discretion


RECOGNIZING THE BOUNDARIES OF REGULATING EMPLOYEES' PERSONAL USE OF SOCIAL MEDIA


The NLRB and Social Media Speech 

• Section 7 of the Act gives employees these rights:
– To organize
– To form, join, or assist any union
– To bargain collectively through representatives of their own choice
– To act together for other mutual aid or protection
– To choose not to engage in any of these protected concerted activities.

• These rights apply to speech on social media


The NLRB and Social Media Speech

• Social media speech is protected when it is concerted activity aimed at improving work conditions

• The NLRB says employers may not fire employees for speech that is simply critical of the employer, regardless of whether the speech occurs at the office or on social media.

• Workers can freely discuss work conditions; however, other personal "rants" or venting that portray the company negatively may not be protected (i.e., name‐calling or defamatory statements)


Employee Speech That Does Not Relate to Work 

• Employees are also allowed to post on their personal pages about controversial topics, such as politics or religion

• These are protected freedom of speech


What is a Good Social Media Policy? 

• Policies should be specific: instead of simply stating that employees may not disclose confidential information, define confidential information and provide examples

• Policies should remind employees to disclose their affiliation with the company whenever they post about the company 

• Implement clear policies that protect employees' rights to discuss wages and working conditions

• Make clear that all communication on company owned devices may be monitored

• Prohibit inappropriate postings that may include discriminatory remarks, harassment and threats of violence or similar inappropriate or unlawful conduct.

• Consult labor and employment specialists before disciplining an employee for personal social media speech


IMPLEMENTING GUIDELINES FOR CORPORATE USE OF SOCIAL MEDIA, INCLUDING PLATFORM‐SPECIFIC PRIVACY CONSIDERATIONS


General Considerations for the Use of Social Media on Behalf of a Company

• A company's social media use is considered advertising and must therefore comply with all FTC requirements

• Remember that all social media posts should disclose the relation to the company promoted

• Companies should diligently review and monitor all online activity done on their behalf

• Implement policies for change control of passwords, etc.


General Considerations for the Use of Social Media on Behalf of a Company 

• Define who can participate on behalf of company
• Define rules for managing content
• Discuss trademark, copyright, logos and the rules for posting
• Discuss use of confidential information and employee privacy


Platform Specific Privacy Considerations

• Companies must comply with all specific terms of use and user agreements

• Each platform (Facebook, Twitter, Instagram, etc.) has different (and constantly changing) requirements and policies

• Consider outsourcing the monitoring of platform updates to ensure compliance (or add to an internal job description)


DEVELOPING EFFECTIVE CRISIS MANAGEMENT, RISK ANALYSIS AND PLATFORM MONITORING SYSTEMS


When Social Media is Used Improperly, Companies Need Proper Crisis Management

Example: AP Twitter feed hack suggesting White House had been attacked and President injured, and subsequent stock market drop of 152 points

http://insidecounselsurvey.com/2013/04/23/risk-management-in-social-media/

http://www.usatoday.com/story/theoval/2013/04/23/obama-carney-associated-press-hack-white-house/2106757/


Crisis Management

http://online.wsj.com/article/SB10001424127887324874204578437360241416842.html?KEYWORDS=Michael+Chertoff

Example: Boston Police Department’s played in correcting the misinformation that spread rapidly in the wake of the drama surrounding the frantic chase and apprehension of the Boston bombing suspects.


Where Does the Risk Come From? 

• People
– Studies show that sharing about oneself on social media has the same sensation on the brain as earning money or eating food

• Hacking of social media accounts

• A lack of clarity regarding the purposes and goals of a company's social media presence


Platform Monitoring Systems

• When dealing with company‐owned social media
– Employees who manage these pages should be instructed to monitor them regularly and report any inappropriate behavior to a superior
– Remember: the company is generally responsible for all activity on the company's social media account until it is closed or proven that account security was compromised due to no fault of that company

• When dealing with employees' personal social media pages
– Employers should disclose the extent to which the company monitors company‐owned pages, employees' social media use on company‐owned devices, or any personal equipment that connects to the company's systems


PRIVACY & SMART DEVICES IN THE WORKPLACE

One Size Does Not Fit All

• BYOD – Bring Your Own Device
• COPE – Corporate Owned, Personally Enabled
• No restrictions
• MDM
– Containers
– Blacklisted/Whitelisted apps
• Required/Preferred apps


BYOD & COPE Fun Facts

• 90% of organizations support at least one mobile device per employee
• 96% allow access to PIM from mobile devices
• ~50% allow access to corporate apps and/or secure network resources
• 37% allow access to corporate file‐sharing accounts
• 44% implement authentication policies
• 40% implement MDM


Why is Mobile Different?

PC ≠ LAPTOP ≠


BYOD/COPE Program Considerations

• Participation eligibility
• Enrollment
• Data Capture/Retention
• Tech support
• Technical controls


Participation Eligibility

• Who needs mobile access v. who wants mobile access
• Delineate by job role or function
• Consider types of data required for job duties
• Primary workspace may need to be considered
• Field employee v. lab employee v. sales rep


Enrollment

• Application process
• Manager approval
• Formal acknowledgement and acceptance of BYOD policy
• Installation
– Screen shot‐by‐screen shot guide
• Policy requirements
– Passcode length/complexity


Data Capture/Retention

• Location
– Device‐based
– App‐based
• Email
• SMS/Text
• App profile


How far does your help desk extend?


Technical Controls

• Device wipe
• MDM
– Containerization
• Passwords
• Geofencing



Creating a Privacy‐Aware BYOD/COPE Program

• BYOD Policy
– What is being captured
– How it’s being captured
– What can the help desk see
– How and when information will be wiped
• Formal enrollment process
– Clear instructions and resources
– Acknowledgement and acceptance of BYOD policy


PRIVACY & MOBILE CONSUMER INTERACTION

Practical Analysis for Global Platforms

• Location – Where are your users located?
• Information – What information are you collecting about users?
• Purpose – Why are you collecting this information?
• Notice – What are you telling your users about collection?
• Choice – What choices, if any, do users have?


User Location

• Location of users obviously dictates applicable laws, if any, relative to user location tracking & information collection
• Device level (iPhone, Android, etc…) – where is the user?
• App level (consumer apps) – where is the user?
• Merchant – for apps that interact or integrate with third parties, are merchants collecting user location on your behalf?
• Challenging for global brands operating on heavily integrated and centralized platforms
– Exp. One app platform used for NA, EMEA, APAC, and LatAm poses a myriad of unique considerations


Information Collection

• What are you collecting about users? Do you as counsel know? Does the client/business really know?
• The type of information collected from the mobile device or app likely requires consent – is the information considered PII?
– EU vs. U.S.
• What about sensitive personal information that requires affirmative consent?
– Exp – precise location, third party cookies (NL), etc…


Purpose 

• What is the information actually used for? Is it relevant for an existing business purpose/need?
– Exp. Purchase history, location history, app usage
– Need to probe and discuss with multiple players
– Does data collection align with data retention policies and usage guidelines? Do you have any?
• Do you explain (clearly) to users the purpose of information collection? What does it mean to be transparent?
• Is this information being shared across borders? With third‐parties?


Notice

• Privacy and Other Consumer Facing Policies
– Cookies policy
• “Just in Time” Disclosures
– Push notifications
– In‐app notifications
– In‐store Beacons
• Precision/prominence of notice vs. Mobile space constraints
– What to do with wearable devices?


Choice

• Is notice sufficient? What about opt‐out options?
• Is inaction or soft‐action consent?
• Sensitive personal information may require more affirmative consent, i.e. opt‐in
– Tick‐boxes or other affirmative action
• Geographic considerations
– What “choice” means in the U.S. may differ greatly from what it means in the EU
– Managing integrated systems/platforms to create globally compliant choice options vs. balancing true business needs/risk


Managing Global Functions

• Groupon operates in 50+ countries across 6 continents
– International operations grew quickly by acquisition, so legacy systems, platforms, and cultural/language challenges
• Product development is led out of U.S., scaled in NA, then introduced globally
• Unique country‐by‐country solutions related to user privacy require close coordination


Managing Global Functions

• Tips on how to avoid cross‐border privacy problems with global platforms
– Get to know your product teams and stay engaged
– Get to know your international colleagues and speak often
– Find good outside counsel that understands local enforcement risks…and have back‐up counsel!
– Put in place clear internal guidelines on how PII and other sensitive user information is handled/used


PLUS – answers to your questions


Question and Answer Session

Thank You!

Thallen J. Brassel
Nelson Mullins Riley & Scarborough LLP
[email protected]

David Katz
Nelson Mullins Riley & Scarborough LLP
[email protected]

Heidi Wachs
Jenner & Block
[email protected]

Brock Wanless
Groupon Inc.
[email protected]
