MANDELBAUM SALSBURG€¦ · 613031 1 mandelbaum salsburg mandelbaum, salsburg, lazris & discenza, p.c. member of international society of primerus law firms attorneys at law founded

613031 1

MANDELBAUM SALSBURG MANDELBAUM, SALSBURG, LAZRIS & DISCENZA, P.C. Member of International Society of Primerus Law Firms

ATTORNEYS AT LAW FOUNDED IN 1930

- COUNSEL -

155 PROSPECT AVENUE BARRY R. MANDELBAUM

WEST ORANGE, NJ 07052-4204 YALE I. LAZRIS ALAN L. SUSSMAN3 LISA FACTOR FOX3

TEL. (973) 736-4600 - FAX (973) 325-7467 JOSEPH J. DISCENZA+ RICHARD I. MILLER, LLC3 LAUREN TOPELSOHN3

JOSEPH A. VENA MARC J. COMER5 MANUEL R. GROVA, JR. MIDDLESEX COUNTY OFFICE LYNNE STROBER MICHAEL L. KALMUS3 ANDREA L. ALEXANDER4

510 THORNALL STREET, SUITE 180 OWEN T. HUGHES2 JEFFREY E. GRABELLE1 DEBORAH A. CONCEPCION EDISON, NJ 08837 CHARLES S. LORBER TEL. (732) 628-0900 - FAX (732) 628-0920 ARTHUR D. GROSSMAN - OF COUNSEL - DEBORAH L. GREENE UNION COUNTY OFFICE MICHAEL A. SAFFER3 HON. MICHAEL K. DIAMOND (RET.) HON. ROBERT A. LONGHI (RET.) 75 ELIZABETH AVENUE STEVEN A. HOLT1 RICHARD H. STEINBERG2 HON. PAUL J. VICHNESS (RET.) ELIZABETH, NJ 07206 DENNIS J. ALESSI6 EDWIN R. RUBIN PAUL I. WEINER5 TEL. (908) 353-6764 - FAX (908) 353-6780 JOSEPH J. PETERS JOSHUA L. WEINER3 JOHN P. LITTLE3

CRAIG W. ALEXANDER3 DEVANSHU L. MODI SHAY S. DESHPANDE MONMOUTH COUNTY OFFICE WILLIAM S. BARRETT3 JAMES T. ELLIOTT3 GARY S. POPLASKI3 12 CHRISTOPHER WAY, SUITE 200 MARTIN D. HAUPTMAN EATONTOWN, NJ 07724 STUART GOLD3► TEL. (732) 933-1515 - FAX (732) 933-5551 CHERYL H. BURSTEIN4 - ASSOCIATES - ROBIN F. LEWIS3 FLORIDA OFFICE RICHARD I. SIMON3 MARA P. CODEY3 CASEY GOCEL3

10304 CROSBY PLACE STEVEN I. ADLER8 MICHAEL P. KOCHKA1▼ CONSTANTINA KOULOSOUSAS3

PORT ST. LUCIE, FL. 34986 PETER H. TANELLA JENNIFER E. PRESTI MICHAEL R. SARNO3 TEL. (772) 460-6356 - FAX (772) 460-6357 DAVID S. CARTON■ E-Mail: [email protected] GORDON C. DUUS7 JON FALLON▼

NEW YORK CITY OFFICE THOMAS W. ACKERMANN3 FELLOW OF THE AMERICAN ACADEMY OF MATRIMONIAL LAWYERS 7 WEST 36TH STREET, 16TH FLOOR ARLA D. CAHILL5 + DESIGNATED BY THE SUPREME COURT OF NEW JERSEY AS A CERTIFIED CIVIL TRIAL ATTORNEY

NEW YORK, NY 10018 LANCE N. OLITT3 ■ CERTIFIED BY THE SUPREME COURT OF NEW JERSEY AS A CERTIFIED MATRIMONIAL LAW ATTORNEY

TEL. (212) 776-1834 KHIZAR A. SHEIKH ►COURT APPOINTED MEDIATOR ▼ REGISTERED U.S. PATENT ATTORNEY DOUGLAS I. EILENDER3 1 MEMBER OF NJ & PA BAR 5 MEMBER OF NJ, NY & PA BAR Website: www.msgld.com IRVING MANDELBAUM (1906-1993) 2 MEMBER OF NJ & FL BAR 6 MEMBER OF NJ, NY & D.C. BAR E-Mail: RICHARD M. SALSBURG (1938-2011) 3 MEMBER OF NJ & NY BAR 7 MEMBER OF NJ, D.C. & CA BAR

ALL REPLIES TO: WEST ORANGE ROBERT W. GLUCK (1947-2013) 4 MEMBER OF NJ, NY & CA BAR 8 MEMBER OF NJ & D.C. BAR

REFERENCE FILE # RICHARD L. SLAVITT (RET.)

PRIMERUS BUSINESS LAW INSTITUTE SYMPOSIUM

ONE DAY CONTINUING LEGAL EDUCATION AND NETWORKING EVENT “CORPORATION IN CRISIS – PROTECTING THE COMPANY LINE”

Thomas Hall – 195 Broadway, 4th floor, New York, New York

May 14-15, 2014

FROM : Dennis J. Alessi, Esq., Co-Chair Employment Law Department TO: Attendees RE: The Many Legal Perils of “Bring Your Own Device” and Wage & Hour Laws in the Digital Age ___________________________________________________________________________ INTRODUCTION

A rapidly growing number of companies are adopting policies which allow employees to use their personal electronic mobile devices to create, store, and transmit work-related data. These policies have the effect of converting an employee‟s personal device into a dual use device for both personal and company data and activities. This trend is generally referred to as “bring your own device” or BYOD.

613031 2

Perils to a Company’s Intellectual Capital

From the perspective of getting the job done quicker, more efficiently and proficiently, there are

great advantages to a company in adopting BYOD. There are also many legal perils, some of

which are obvious and others not so. These perils fall into two broad categories.

The first is to the company's intellectual capital, essentially its trade secrets, proprietary and

other confidential information. This is because it is now being stored and transmitted over

devices which the employer does not own and cannot completely control with this dual use. This

loss of control is occurring simultaneously with increasing statutory and regulatory requirements

that companies must carefully protect the privacy and security of the personal, financial, and

health- related data of their employees, customers\clients, and others, which they store

electronically.

Perils of Liability from Employee Conduct

The second peril arises from the impact BYOD policies may have on the behavior of employees.

It is reasonable to conclude that employees will act quite differently when using their personal

devices for work, as opposed to using a company-provided one. With the latter device, the

company can adopt a blanket policy that it must be used only for work-related purposes; that all

the information on it, including the employee‟s personal information, is subject to the

company's monitoring\surveillance; and, therefore, the employee cannot have any expectation

of privacy in the use of this device.

With various federal and state laws which protect the privacy of an individual‟s electronic

communications and electronically stored data; with the common-law right of privacy; and with

some state constitutions providing a constitutional right of privacy enforceable against private

parties; such a blanket prohibition, and blanket right of monitoring/surveillance, is not legally

permissible with BYOD. Consequently a more nuanced BYOD policy is necessary.

Obviously, employers need to adopt one policy for company-provided devices and another for

BYOD. The very existence of two different policies further enhances the prospect that employee

conduct will differ when they are using their personal devices for work. This situation creates two

distinct legal perils for companies with regard to employee conduct. The first is the company vis-

à-vis the employee. For example, the company may inadvertently violate the employee's federal

or state statutory, state constitutional, or common-law right of privacy, for the private information

on his/her personal BYOD device.

The second peril is the company's liability to third parties for its employee's actions using his\her

personal device for work. An example is using it to sexually harass another employee, or to

disclose, either intentionally or negligently, confidential information of a company

client\customer. In these situations, vicarious liability may be imposed on the company even

when it was not aware of the employee's conduct.

613031 3

Because there are so many legal sources of liability for employers with BYOD, the following four

vignettes will address those we consider most important.

EXAMPLES OF LEGAL PERILS ABSENT A BYOD POLICY

1st Vignette; Protecting Trade Secrets The company has included in its Employee Handbook a fairly standard, broadly- written confidentiality policy which would clearly be enforced by any court. The company was also very diligent in numbering the handbooks; circulating copies to all current employees and new hires; having them sign an acknowledgment of receipt form specifically for the numbered copy each employee received; and maintaining these receipts in the company's permanent personnel files. However, the company has no BYOD policy; but employees are free to use their personal devices for work; many do so without any company oversight; the company is fully aware of the situation and does nothing. All the employees have access on their personal devices to all the company‟s electronically stored proprietary and confidential information, including its client lists and key suppliers. None of this information is encrypted; nor is it password-protected, except for whatever password the employee has adopted for his/her personal device. Employees routinely use their personal email accounts for company business, and client and supplier information is freely circulated electronically among the employees and to third parties with whom they deal in the industry. One employee or another, sometimes multiple employees, have “befriended” on Facebook essentially every contact person at the company‟s clients and suppliers. The company has actually encouraged employees to do so as a means of strengthening these important business relationships. As a result, discussions about work are freely exchanged among all these individuals on Facebook. The question is: whether these client lists and supplier contact information is protected under the Uniform Trade Secrets Act (UTSA), which has been adopted in 47 states. See, for example, N.J.S.A. section 56:15 – et seq for New Jersey.

2nd Vignette; Data Breach The company electronically maintains Personally Identifiable Information (PII), including the names, addresses, telephone numbers, Social Security card and credit card account numbers, for tens of thousands of individuals throughout the country. Again the company has no BYOD policy; but employees are free to use their personal devices at work; many do without any company oversight; the company is fully aware of the situation and does nothing.

613031 4

All the employees have access to all the company‟s electronic data\information through their personal devices. This PII is not encrypted, but it is password protected. Only a few key executives know the password; it is rather complex; is not maintained anywhere on the company's electronic systems; and it is not maintained on any executive‟s personal device. However, one of these executives has his device stolen. The question is: whether there has been a data security breach which the company must report to all the individuals whose PII is stored on the company's electronic system; provide them with free credit card security services; report the breach to various governmental entities and credit reporting services; and, depending on the number of individuals involved, report it to the media? 3rd Vignette; Invasion of Employee’s Privacy & Violation of Stored Communications Act (SCA) In this vignette the company does not have a BYOD policy, but it does permit employees to use company-owned mobile devices to access their personal email accounts. The company has a standard policy that all communications and information on its electronic systems\devices is subject to its accessing and monitoring. Even though employees are not using personal devices for work, for purposes of this vignette this situation should be considered akin to that of BYOD because the company and the employees are sharing the devices for their separate purposes. An employee returns a mobile device to the Company when she leaves employment, but inadvertently neglects to delete her email account. Her former supervisor then accesses thousands of her emails and discloses some personal information about her to other individuals. The question is: considering the employer‟s blanket reservation of rights to access and monitor all communications\information on the devices it owns, was the supervisor‟s actions an invasion of the former employee's privacy, and/or a violation of the SCA?

4th Vignette; BYOD & Compliance with e-Discovery In this vignette the company does have a BYOD policy which liberally permits employees to use their personal devices for work. The policy contains no prohibition on employees using their personal email accounts on their devices for work- related communications. Similarly, the policy does not prohibit employees from emailing key documents to their personal word processing systems, on their home computers, to work on redrafting these documents in the evenings. Employees are also permitted to use their own personal passwords for their devices, and they are not required to divulge them to the company. Finally, the company never makes any effort to retrieve any of its electronic data from employees when they leave the company, and never seeks to have them delete it from their personal devices and home computers. The company is hit with federal court litigation and receives a litigation hold letter. The company believes it is quite probable that some of the emails and drafts of documents on employee personal devices are relevant, actually perhaps even key, to the plaintiffs‟ claims. Nearly all the

613031 5

company's employees, who worked on the project which is the basis for the litigation, left the company several years before the litigation began. The question is: does the company have sufficient control over these emails and draft documents from the personal devices of these former employees, such that it is required to produce them under Rule 34 of the Federal Rules of Civil Procedure?

ESSENTIAL ELEMENTS OF A BYOD POLICY & LEGAL BASIS

In addition to providing insight into the most serious potential legal perils with a BYOD policy, the above four vignettes provide insight for some of the essential elements of a properly drafted policy. Such a policy not only seeks to minimize these perils, but also provides the necessary legal defenses and tools for a company to successfully address them when they do inevitably arise. There are both IT technical and legal components to a BYOD policy, with the technical supporting the legal. Digital Security To minimize the potential for third-party claims, and to protect the company's intellectual capital, security is obviously an essential element of any BYOD policy. The policy should specify what personal devices employees are, and are not, permitted to use, and, similarly, what personal apps they can, and cannot, have on the device. To be permitted to participate in the BYOD program, employees must agree to use a company-provided, complex password which must be attached to their devices at all times. Access to company data, through the employee's personal device, needs to be restricted to that which is minimally necessary for the employee's performance of his\her job. The fewest possible, and only the highest level, executives are to have access through their BYOD to the company's most sensitive data, and particularly that of its clients\customers which it possesses electronically. Obviously, this data needs to be encrypted, and the policy must emphasize that these executives cannot store the encryption code on their personal devices. Include in the BYOD policy a clear statement that the company reserves the right to monitor the personal devices of employees, and executives alike, for compliance with these security measures, and any others adopted by the company's IT Department. Also include in the policy that any noncompliance can result in the immediate, without prior notice, and remote, termination of the individual's access to company data, and having the device remotely wiped clean. In such situations both the company‟s and the employee‟s data on the device may be destroyed. The policy needs to advise employees of this possibility, and affirmatively state their acceptance of this risk of personal data loss in consideration for the company permitting them to use their personal devices for work.

613031 6

Risk of Personal Data Loss Specify in the BYOD policy those additional situations when employees are at risk of losing their personal data because of the company's security requirements. They include when the employee's personal device is lost or stolen, or when there is a security breach of the company's IT system which necessitates it taking this action. This loss of personal data can also occur when the employee is leaving the company. Finally, include in the policy the “catch-all": “such deletion of all personal data may also occur whenever the company determines, in its sole discretion, that such action is necessary to protect the security of its data, and that of its clients\customers, and/or the security of its IT systems.” In the BYOD policy advise employees of how they can secure and back up their own personal data to protect it from loss whenever the company has to take security measures which place their data at risk of deletion. It is also recommended that the policy advise employees of what support the company's IT Department will provide for this purpose. Integration With Acceptable Use Policy It is most important to integrate the BYOD policy with the company's established Acceptable Use Policy for the electronic devices it provides. For example, the same prohibitions in an Acceptable Use Policy on discriminatory, harassing or defamatory statements, violations of copyrights, and disclosure of company proprietary or confidential information, need to be applied to employee use of their personal devices under the BYOD policy. However, given the employee's right of privacy in this dual use situation of his/her personal device, some modification is warranted of the Acceptable Use Policy's integration into the BYOB policy. Just one example is that the Acceptable Use Policy most likely prohibits employees from using the company's systems and devices to make any statements about their personal religious or political beliefs or lifestyle preferences. Obviously, employees have the privacy right to address such issues through their personal devices in their own emails, blogs, chat rooms, tweets, or whatever. Consequently, the company„s Acceptable Use Policy for its devices needs to be modified to “fit” the dual use of employee-owned devices under BYOD. State Statutory & Constitutional Impacts on BYOD A number of states, including New York, Colorado and North Dakota, have adopted laws which, to one extent or another, prohibit employers from taking adverse employment actions against employees because of their lawful activities outside of work. In general, there are two exceptions to this prohibition. The first is when the employee‟s off-work activities violate his\her obligations to the company, such as the employee‟s duty of loyalty. The second general exception is when these off-work activities conflict with, or otherwise injure, the company's legitimate business interests, such as its reputation in the industry or the public‟s perception of it. See, N.Y.Lab.Law§201-d(2)(c), Colo. Rev.Stat.§24-34-402.5, N.D.Cent.Code§14-02.4-03 California has a statute which prohibits discharge or discrimination in employment based on the employees "lawful conduct occurring during non-work hours away from the employer's premises." Cal. Lab. Code, Section 96(k). While written very broadly, this statute has been

613031 7

interpreted as protecting only that employee off-duty conduct which involves "recognized constitutional rights" under the California state constitution. Barbee v. Household Auto. Fin. Corp., 113 Cal. App. 4th 525, 533-34 (Cal. Ct. App. 2004); Grinzi v. San Diego Hospice Corp., 120 Cal. App. 4th 72 (Cal. Ct. App.2004). California does have a constitutional right of privacy which is applicable to private parties, and it has been used in litigation as the basis for a claim of wrongful termination because of employee off-work, lawful conduct. Although plaintiffs‟ attorneys have not had much success to date with this claim, they will surely keep trying. Barbee, supra.

Clearly, for purposes of protecting the company's intellectual capital and preventing, or at least limiting liability, the most important sections of any BYOD policy are those which address the company's monitoring\surveillance of employee personal devices and employee consent to it. In addition to the common-law right of privacy there are federal and state statutes which must be considered in drafting these key sections of the policy. Federal Statutory Impacts on BYOD The Electronic Communications Privacy Act of 1986, 18 U. S. C. Section 2510 et seq (ECPA ), provides both criminal and civil penalties for the intentional interception of electronic communications. This may appear, on its face, as a broad prohibition against any company monitoring\surveillance of an employee's private electronic device, even when it contains, or has access to, company data and information. Moreover, the company does not own the electronic systems which the employee is using on this dual use device. This additional fact may further heightened concerns over a company violating the ECPA in monitoring\surveillance of an employee's use of their device. However, as a practical matter, judicial interpretation of the ECPA has limited its applicability to BYOD. A BYOD policy which complies with the various statutory exceptions to the ECPA's broad prohibition, further eliminates any serious concerns that a company's monitoring\surveillance of an employee's dual use device will run afoul of this prohibition. Specifically, to violate the ECPA a company's interception of the electronic communication must be contemporaneous with its transmission. United States v. Councilman, 385 Fed. 3rd 793 (1st Cir. 2004). Consequently, the ECPA would apply only when the company is monitoring the employee‟s communications on the dual use device in real time. The two exceptions to the ECPA are the employee's consent to such interceptions and the business extension exemption, which does not require consent. 18 U.S.C. Section 2511. Two prerequisites must be met for the business extension exemption to apply. Because the employee is the owner and the subscriber for the device on which the communications are being intercepted, the first prerequisite is met. The second prerequisite is that the interception must have occurred in the ordinary course of business (i.e. the intercepted communication must be business-related in its content). Watkins v. L. M. Barry Co., 704 F. 2d 577 (11th Cir.1983). Other circuit courts have applied a somewhat more stringent standard by declining to apply this exemption to all communications which have business-related content. They have imposed the additional requirement that the company must

613031 8

have a valid business purpose for the interception of the particular business content communication. Berry v. Funk, 146 F. 3d 1003 (D.C. Cir. 1998). Under the business extension exemption a company can also intercept employee personal communications, but only for the limited purpose of guarding against the unauthorized personal use of a company-owned device, or to determine whether the communication is, in fact, personal or business-related. In determining if it is the latter, the company must cease the interception as soon as it is determined that the communication is personal. Watkins, supra. Watkins is not very helpful in instructing a company on what actions it can legally take, under the ECPA, when it wants to monitor an employee‟s personal communications on a dual use device for a legitimate business purpose (e.g. to determine whether the employee is disclosing trade secrets or is harassing a fellow employee using a personal e-mail account on such a device.) However, as previously noted, the ECPA is applicable only when the interception occurs simultaneously with the transmission of the communication. This situation should rarely occur in the BYOD context, particularly since the company is in control of the timing when it conducts the interception. Consequently, this lack of guidance is not particularly problematic in fashioning a legally compliant BYOD policy. The Stored Communications Act (SCA) is another federal statute which must be considered in developing a legally correct BYOD policy. It similarly provides criminal and civil penalties for "whomever intentionally accesses without authorization a facility through which an electronic communication service is provided… and thereby obtains, alters, or prevents authorized access to, a wire or electronic communication while it is in electronic storage”, 18 U.S.C. Section 2701 (a) (1). The SCA does permit access to stored communications when consent is provided by the user, 18 U.S.C. Section 2701 (c) (2). Except for consent, there are not any other exceptions or exemptions for this seemingly all inclusive prohibition. Any company which provides an electronic system for its employees to access the internet, and to otherwise communicate via an electronic network, is considered an electronic communications service provider. Therefore, it is subject to the SCA prohibition. See, for example, United States v. Mullins, 992 F. 2d 1472, 1478 (9th Cir. 1993); Andersen Consulting LLP v. UOP, 991 F. Supp.1041, 1042 (N.D. Ill. 1998). The Computer Fraud & Abuse Act (CFAA), 18 U.S.C. Section 1030, provides criminal and civil penalties/damages for anyone who knowingly accesses a computer without authorization or exceeding authorized access, and, as a result of such actions, obtains information “from any protected computer.” “Protected Computer” is defined as a computer which is “used in a manner that affects interstate…commerce or communications.” 18U.S.C. Section 1020(e)(2). Given the broad definition of interstate commerce, and with the addition of interstate communications, there is doubtfully any computer in the country that is not covered by the CFAA. Nearly every state has a similar law, commonly known as “computer trespass laws; and some provide for statutory damages even absent proof of actual harm. See, for example, N.J.S.A. 2A:38A.3 (2011), for New Jersey.

613031 9

Here, again, the CFAA, like the ECPA and SCA, is all-inclusive in its prohibition and, like the SCA, the only exception or exemption is consent. The CFAA, with its prohibition on obtaining any information from any “protected computer” (i.e. essentially all computers), fills the gaps left by the ECPA and SCA. The ECPA has been interpreted as narrowly applying to unauthorized interception only at the very time when the communication is actually in transmission. The SCA only applies to electronic communications when they are in electronic storage. (e.g.; at least one court has held that an already opened e-mail is not in “storage”, and, therefore, is not protected by the SCA. See, Lazette v. Kulmatycki, 203 U.S. Dist., LEXIS 81174 N.D., (Ohio, June 5, 2013). Nevertheless, the combined effect of these three federal laws is that they clearly cover all unauthorized accessing of electronic information/data no matter when, or the circumstances in which, it occurs. From the breath of these three federal statutes, and comparable state statutes, it is abundantly clear that employers must proceed carefully when accessing employee electronic communications, particularly when they are on an employee‟s personal device using electronic systems which are not owned nor controlled by the company. Given that consent to monitoring is the only exception common to all three statutes, properly drafting this section of a BYOD policy is of paramount importance. Common Law Tort Impacts on BYOD The common-law tort for invasion of privacy is by far the most frequently used legal basis for employee lawsuits against employers for accessing, monitoring, or surveilling employee personal electronic communications. After reviewing quite a number of court decisions, a general observation is that even when the employee is found to have had a reasonable expectation of privacy, the company will still prevail provided that, in good faith, it had a legitimate business reason or justification for its actions; the "invasion" was conducted in a reasonable, non-offensive manner; and it was limited to what was necessary to fulfill the companies reason\justification for conducting the invasion. Restatement (Second) of Torts defines an invasion of privacy as one who "intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy if the intrusion would be highly offensive to a reasonable person, Restatement (Second) of Torts, Section 65 B. The intrusion must be substantial and highly offensive to the ordinary reasonable person. Borse v. Piece Goods Shop Inc., 963 F. 2d 611 (3rd Cir. 1992). At this point in time even the smallest companies are savvy enough to have adopted an Electronic Systems Policy which provides that employees have no expectancy of privacy in any communications or data which they send, receive, view, store or maintain on the company's electronic systems, including personal communications\data. In 2014 it would probably be a rare instance, indeed, for a court to find that an employee has a reasonable expectation of privacy while using a company system on a company device. Even when the company's policy affirmatively stated that employee e-mail communications over the company system would remain confidential and privileged; would not be intercepted by the company; and would not be used against employees as grounds for termination or a reprimand,

613031 10

a court still found that an employee had no expectation of privacy when he allegedly sent unprofessional comments to his supervisor over this system. Smyth v. The Pillsbury Company, 914 F. Supp. 97 (ED. Pa.1996). However, there is at least one case to the contrary. In Stengart v. Loving Care Agency, Inc., 210 N. J. 300 (2010), the employer did have a written policy that it had the right to access and monitor employee communications on the company's email system. Yet, the New Jersey Supreme Court still found that the employee had a reasonable expectation of privacy on this system. In Stengart the employee had created a personal, password protected, e-mail account which she accessed through the company email system; the employee had not disclosed this personal password to the company, and it was not retained on the system. Moreover, the company's policy did not address personal passwords, nor its right to monitor personal e-mail accounts accessed through the company's account. Based on all these facts the court in Stengart found an expectation of privacy, despite the employer‟s policy on its right to monitor its electronic systems. It is apparent that the Stengart decision was greatly influenced by the fact that the personal e-mails the company accessed were privileged communications between the plaintiff and her attorney regarding a possible discrimination lawsuit against the company. An opposite conclusion was reached in McLaren v. Microsoft Corporation, 1999 WL 339015, (Ct. App., Texas, 1999), where the plaintiff had created a personal folder on his company's computer system and had created a personal password. He had not provided the password to Microsoft, and it was not on the system. Nevertheless, the court found no expectation of privacy because the e-mails had to be transmitted over the company‟s system before McLaren could store them in his personal, password protected, folder. In most cases, even when the court finds a reasonable expectation of privacy, employers have prevailed when they did not use surreptitious means to access or monitor the employee's personal electronic communications (e.g. having an individual becomes a phony "friend'" of the employee on Facebook for this purpose). That the employer had a legitimate business justification or reason for accessing\monitoring the employee's personal communications was another factor in the courts finding no liability. Also, when no employer liability was found, the nature of the information which was accessed was related to its legitimate reason/justification for the intrusion and, conversely, the information was not of a highly private, sensitive nature, unrelated to the company's business interests; and the intrusion was limited only to that necessary to fulfill the reason/justification for the accessing. City of Ontario, California, et al v. Jeff Quon, et al, 550 U.S. 746 (2010); Borse v. Piece Goods Shop Inc., supra; Smyth v. The Pillsbury Company, supra. Key Model Provisions; Employer Access\Monitoring & Employee Consent Considering only what would afford the most legal protections for the company's intellectual capital and avoidance of liability; and not considering what may be contravening human resources concerns, like employee morale; and further not considering possible contravening

613031 11

operational needs of the business; the following are our recommendations for the key BYOD policy provisions on employer access, monitoring, and employee consent to the policy. (1) All work-related emails and other forms of communication, and all other company business conducted electronically, must be performed only on the company's electronic systems accessed through the employee‟s approved personal device. Company business is never to be conducted on the employee‟s personal email or other personal accounts/systems on this device. (2) Employees are prohibited from engaging in any personal communications, or other personal activities, on the company's electronic systems accessed through employee personal devices. Personal emails, other personal communications, and any other personal information/data, is not to be transmitted or maintained on the company‟s systems. 3) Employees are free to create passwords for their personal email and other personal accounts/ systems on their approved devices, and they are not required to disclose them to the company. Personal emails, other communications, and all other personal data/information is to be transmitted and maintained only on the personal email accounts and other personal accounts/systems on the employee‟s approved device. (4) The company–provided password or other security measures must be used on employee personal devices at all times for accessing the company's electronic systems. (5) Employees are subject to discipline, up to and including termination, for violating any of the requirements of paragraphs 1 through 4. (6) The company has the right to access and monitor all emails, and all other communications and activities which are conducted on the company's electronic systems accessed through employee personal devices. Employees do not have any expectation of privacy or confidentiality in such accessing and use of the company‟s systems. (7) Whenever the company has reason to suspect that an employee is violating the requirements of paragraphs (1) through (4), the company has the right to access employee personal email and other personal accounts/systems on their devices to determine if a violation has occurred. (The contents of personal emails, or other personal data\information on these employee accounts/systems, will be viewed only to the extent necessary for this purpose.) (8) The company has the right to access and monitor (i.e. examine the contents) of employee personal email and other personal accounts/systems on their devices whenever the company has reason to suspect that the employee‟s activities on them: (a) are affecting the employee‟s job performance or that of other employees; (b) are criminal or otherwise unlawful (e. g.; discriminatory or harassing); (c) are harming, or have the potential of harming , the company's business activities or any other legitimate company interests or concerns; or

613031 12

(d) are injurious, or have the potential of injuring, the company‟s reputation, standing, or image in its industry or with the public. The company will examine the content of an employee‟s personal accounts/systems only to the extent it deems reasonably necessary for these four purposes. By signing this BYOD Policy Statement the employee is consenting to the accessing and monitoring provide herein as a condition of being permitted to participate in this BYOD program. Three Underlying Concepts of Model Policy These model provisions are based on three underlying concepts. First, to draw a bright dividing line between the employee‟s use of only the company‟s electronic systems for the company‟s business, and the employee‟s use of only his/her systems for personal matters, all through the one, dual use device. This figuratively cuts it in two, effectively using it as if it were two devices instead of one. Secondly, by doing so the company retains an essentially unlimited right to access and monitor its half of the device, as if it were the company‟s own, separate device. Third, the company limits its right to review personal content, on the employee‟s half of the device, to only those situations where such review is probably not necessary for the policy‟s enforcement. (i.e.; to determine if the employee is breaching the dividing line, and/or is not complying with the company‟s security requirements. See sections (1) through (4) above.) Conversely, the company retains the right to review content, on the employee‟s half of the device, in all those situations where it probably will have a need to do so for enforcement purposes. (See sections (8) (a) to (d) above.) After considering all the federal and state statutes, and court precedents, we are satisfied that these model provisions, both on their face and in actual operations, will provide a company with the maximum possible access/monitoring rights to fully protect its interests, while still complying with all applicable legal requirements on employee privacy. ANSWERS: EXAMPLES OF LEGAL PERILS ABSENT A BYOD POLICY Answer: 1st Vignette; Protecting Trade Secrets The Model Uniform Trade Secrets Act, in Section 1(4), defines a “trade secret” as: information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means, by other persons who can obtain economic value from its disclosure or use; and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. Courts throughout the country have generally held that when a company has its employees sign confidentiality or non-disclosure agreements, or includes such a policy in an Employee Handbook, this is a sufficient action to protect the company‟s proprietary/confidential information under the Uniform Trade Secrets Act. See, for example, Conseco Finance Servicing Corp. v. North American Manufacturing Company, 381 Fed. 3rd 811, 819 (8th Cir. 2004); Merril Lynch,

613031 13

Pierce, Fenner & Smith, Inc. v. Dunn, 191 F.Supp. 2d, 1346, 1351 (M.D. FLA., 2002); Aries Information Systems, Inc. v. Pacific Management Systems Corp., 366 N.W. 2d 366, 369 (MINN. CT. APP. 1985). The author seriously questions whether the result would be the same under the 1st Vignette given all the conflicting facts of how the employer failed to take reasonable steps to protect the confidentiality of its client lists and supplier information from being widely circulated electronically outside of the company and particularly on Facebook. Answer: 2nd Vignette; Data Breach The Fair and Accurate Credit Transactions Act, 15 U.S.C. Ch. 41, does address the issues of identity theft prevention and particularly breaches of security with credit information, obviously including credit card numbers. However, its application is mostly limited to consumer reporting agencies, financial institutions, and creditors. In the 2nd Vignette, the company is not one of these. However, many states have adopted their own identity theft prevention statutes. New Jersey‟s is typical. The New Jersey Identity Theft Protection Act, NJSA 56:11-44, applies to “any business that conducts business in New Jersey” and which maintains “personal information” on “computerized records”. NJSA 56:8-163. The Statute‟s definition of “Personal Information” is, essentially, the same as the federal definition of Personally Identifiable Information. The Statute‟s applicability is all encompassing. Most interestingly, Personal Information does not have to be transmitted over the internet for the Statute to apply. Its applicability is to any business in New Jersey which simply stores personal information electronically. Under the Identity Theft Protection Act a breach of security is defined as “unauthorized access to electronic files containing personal information that compromises the security [of it] when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. (emphasis added) N.J.S.A. 56:8-161. Given this definition of a “breach of security”, it would appear that the company in the 2nd Vignette must take all the remedial actions required by this Statute, including notifying all the individuals of the security breach; providing them with credit card security services; notifying appropriate government authorities; and consumer credit reporting agencies, and the general media if over one thousand individuals are involved. However, the company may have actually “dodged a bullet” (figuratively, of course) because of another provision in the Statute. Specifically, N.J.S.A. 56:8-163 includes a “fail-safe” provision that: “disclosure of a breach of security to a customer shall not be required under this section if the business or public entity establishes that misuse of the information is not reasonably possible (emphasis added). Because the Personal Information was protected by a fairly complex password; the password was not contained on the company‟s computer system; nor on the executive‟s stolen device; the company could reasonably conclude that, notwithstanding the theft of the device, the misuse of the Personal Information was “not reasonably possible”. This is because the password‟s security

613031 14

was not compromised and it was complex. That the device was stolen (a break-in of the executive‟s car) might be considered further evidence supporting this conclusion, as opposed to a sophisticated hacking of the company‟s computer systems.

Answer: 3rd Vignette; Invasion of Employee’s Privacy & Violation of Stored Communications Act (SCA)

This 3rd Vignette is based on the fairly recent decision in Lazette v. Kulmatycki, 203 U.S. Dist., LEXIS 81174 N.D., (Ohio, June 5, 2013), in which the District Court Judge denied a motion to dismiss the plaintiff‟s complaint for invasion of privacy and violations of various federal laws including the Stored Communications Act (SCA). For the invasion of privacy claim, the key issue for the court was whether plaintiff‟s tacit consent to access and monitoring of her personal e-mail account on the company-owned mobile device (under its standard no- expectation- of -privacy Electronic Systems Policy) continued after plaintiff‟s employment had ended. The SCA prohibits the intentional, unauthorized accessing of electronic communications while they are in storage. 18 USC §2701(a)(1). As discussed in these materials, the only recognized exception to this all-inclusive prohibition is consent. Accordingly, under both the common law and the SCA the issue was the same; whether this former employee had an expectation of privacy, post-employment, in her personal e-mails contained on the company-owned mobile device. The court concluded that for both purposes plaintiff‟s tacit consent to monitoring terminated with her employment. At that point the device was no longer “shared”, and the plaintiff neither knew nor approved of the company‟s continued access to her personal information on the device post- termination. The court in Lazette was not troubled by the fact that the plaintiff had inadvertently failed to remove her personal e-mails from the device before returning it to the company at the time she left. The court‟s reasoning was that this negligent failure did not constitute an implied consent to continued access after leaving the company. In denying defendants‟ motion to dismiss both the claims for invasion of privacy and violation of the SCA, the court stated that it would be up to the jury to determine whether plaintiff had a reasonable expectation of privacy post- termination, considering the company‟s no-expectation- of- privacy Electronic Systems Policy. A criticism of the Lazette decision is that electronic communications are forever, and the company policy was silent on any expiration event of its right of access and monitor the devices it owned. There are obviously many situations in which a company, post- termination, may examine one of its electronic devices, including an employee‟s personal e-mails on it; for example, to determine any breach of company policies, or any criminal activities, during employment. The holding in Lazette could support the proposition that such post- employment accessing violates the employee‟s right of privacy. It appears that the court in Lazette may have been influenced by the fact that the accessing was not for any legitimate company interest; but rather, the private act of Lazette‟s former supervisor for his own personal interests.

613031 15

Answer: 4th Vignette; BYOD & Compliance with e-Discovery

Under Rule 34 of the Federal Rules of Civil Procedure, in discovery a party must produce responsive documents and electronically stored information which is in its possession, custody, or control. The Federal Rules, however, do not define “control”. The Circuit Courts for the District of Columbia, the First, Third, Sixth, Seventh, Eighth, Ninth, and Tenth Circuits, have all defined “control” as requiring that a party must produce information it has a legal right to obtain “on demand”. See, for example, Mercy Catholic Medical Center v. Thompson, 380 Fed 3rd 142, 160 (3rd. Circuit 2004). For the Second, Fourth, Fifth, and Eleventh Circuits, the definition of “control” is that a party must produce information it has the legal right to demand as well as the “ right, authority, or practical ability”, to obtain from a non- party. See, for example, Shcherbakovskiy v. DaCapo Al Fine, Ltd., 490 Fed. 3rd 130, 138 (2nd Cir. 2007). Obviously, in this 4th Vignette the company no longer has possession of these e-mails and documents; it no longer has control over its former employees; and similarly does not have control over this information which is now contained solely on the private devices of these individuals. However, because these e-mails and documents are the work product of the company‟s employees, it still may be considered as having ownership of them. The company can, obviously, exercise this ownership right by taking actions with its former employees to obtain possession and control over these materials. But, it is questionable how cooperative these former employees will be in returning it. There is also the issue of the lengths to which the company is required to go, under Rule 34, to obtain these materials. Accordingly, it is questionable whether the company has the legal right to obtain these materials “on demand”, and/or the “practical ability” to do so. This situation, then, may not fall within either of the above described definitions of “control” by the various Circuit Courts. (In this situation, many district courts would simply direct that the company notify the adverse party of the third parties who have possession of these materials. See, for example, In re WRT Energy Secs. Litig., 246 F.R.D. 185, 195 (S.D.N.Y., 2007)). WAGE & HOUR LAWS IN THE DIGITAL AGE “Suffering” Overtime Work Regardless of whether a company provides mobile devices for its employees or allows BYOD, the major wage and hour problem in the digital age is essentially the same; that is, employees working “off- the -clock” after their regular work hours have ended. Obviously, this is a boon for employers with exempt employees. However, such “off- the- clock” work by non- exempt employees will, with rare exception, require overtime pay. Specifically, the Fair Labor Standards Act, 29 U. S. C. Section 201, et seq (FLSA), and all state Wage and Hour Laws, require that non- exempt employees be paid for all hours worked,

613031 16

obviously, including overtime. The bottom-line is that if a non- exempt employee does actually perform work after- hours, the employer is required to pay overtime even when it did not direct that the employee do so, and possibly even when the employer has affirmatively ordered employees not to. In sum, employees who voluntarily perform extra work, on their own initiative after- hours, must be paid overtime, except in very rare circumstances. Work which is not requested by the employer, but which the employer “suffered or permitted to be performed” is work time. 29 U.S.C. §203(g), 207(a); 29C.F.R.§785.11. “If the employer knows or has reason to believe that work is being performed, the employer must count the time as hours worked” (emphasis added). 29 C.F.R.§785.12. Given these regulatory standards, it appears virtually impossible for an employer to claim, with any credibility, that it was unaware or had no reason to believe that its employees were working after- hours. There clearly will be an electronic record or trail of this after- hours work. This is because this situation commonly arises when non- exempt employees are reading, receiving, or responding to e-mails or phone calls during non- working hours. This situation is exacerbated by the fact that, regardless of whether it is a company or employee-owned mobile device, the tendency is to have these devices on your person at all times. With employers issuing personnel policies reserving the right to access and monitor employee use of their electronic communications systems at all times, it is hardly conceivable that an employer could credibly allege it had no “reason to believe” that after- hours work was being performed. Given the nature of e-mail communications, there will undoubtedly be a stream of e-mails during the workday, as follow-ups to those occurring during non- working hours, which will undermine any employer claim that it had no “reason to believe” overtime work was occurring. Strategies to End “Suffered” Overtime There are a few strategies employers can implement to avoid “suffered” overtime. All of them are closely related and are not mutually exclusive. The first is a personnel policy which prohibits employees from accessing work e-mails, or making and receiving work-related telephone calls, outside of regular work hours. Similarly, employees can be directed to turn off their company- provided devices, and to not access their work e-mail on their personal devices, after the end of the work day. This latter policy can also be coupled with requiring that employees leave their company- provided mobile devices at work at the end of the day. With the exception of this last suggested policy, the other two will probably not be effective unless the employer fully communicates them to its employees; enforces them; and disciplines employees for violations. Obviously, these are all relatively extreme measures. The benefit from them – avoiding overtime – may be far outweighed by the loss of employee responsiveness to clients/customers. In addition, the employer may suffer a significant loss if an emergency occurs during off-work hours, and employees are unaware of it because one of these policies has been implemented. Payment for Time Worked While on Unpaid Leave In addition to overtime, an often overlooked situation is when non- exempt employees are on an unpaid leave of absence (e.g. disability, maternity, family leave). It is probably a benefit for most employers to have these employees continuing to communicate electronically with clients,

613031 17

customers, and vendors, and with co-workers who are filling-in for them. However, employers must recognize that they have to pay their employees for this work time. (Remember that under the Fair Labor Standards Act non- exempt employees must be paid for all time worked.) Should an employer decide that this cost is not outweighed by the benefit of employees working from home while on leave, then it must take affirmative actions to eliminate the situation. The employer can require that the employee turn-in all company-provided devices at the commencement of the leave, and can prohibit all accessing of company e-mail accounts and other systems through the employee‟s personal devices and home-based computers. A complete solution is simply to also deactivate or block the employee‟s access from home to the company‟s electronic systems. In this situation the best practice is for the employer to revise all its personnel policies on these various types of leave to remind employees that they cannot perform any work while on leave. This action by itself will probably not be sufficient because electronic devices in the home are so ubiquitous. Consequently, such revisions of personnel policies should be coupled with the other actions recommended above for, in effect, electronically “disconnecting” the employee from the company when the leave commences. The Diminimus Rule If the incidents of employees working electronically after hours are so infrequent, and are of such limited duration, then the employer can take the position that this work is diminimus and need not be paid. Given the nature of electronic communications, with constant follow-ups back and forth, this is not likely a very effective defense to an overtime pay claim. Lindow v. United States, 738 Fed. 2nd 1057, 1063 (9th Cir. 1984), sets forth the three criteria used to make this determination.“In determining whether otherwise compensable time is diminimus, we will consider: (1) the practical administrative difficulty of recording the additional time; (2) the aggregate amount of compensable time; and (3) the regularity of the additional work. With the amount of compensable time being aggregated under the second criteria, if non-exempt employees engage in any after-hours, work-related communications, or any other work by electronic means, with any frequency at all, the diminimus rule will not be a usable defense. Recording Overtime Employers are required to maintain accurate records of all time worked by non- exempt employees, 29 C.F. R. §516.2. Because this overtime work will necessarily involve the use of electronic devices to one extent or another, this time recording requirement should not be problematic for most employers. In fact, in addition to enforcing its Electronic Systems Policy and its BYOD Policy, this FLSA time recording requirement is another reason why an employer‟s best employment practice is to routinely monitor its electronic systems.

613031 18

Conclusion The FLSA, state Wage and Hour Laws, and their implementing regulations, are decades out of date with the reality of work in America today. Consequently, the challenge for employment lawyers is to interpret and apply these archaic definitions, standards, and requirements in the modern work context.

613031 19

Dennis J. Alessi Partner

155 Prospect Avenue

West Orange, NJ 07052Tel: 973-736-4600 x151Direct Dial: 973-243-7968Fax: 973-325-7467Email:

[email protected]

Download vCard

Dennis J. Alessi, a director of the firm, is our lead attorney for representing clients in the health care

industry. Dennis has over two decades of experience in representing various types of health care and

related companies, as well as individual professionals, including management and billing service providers,

third party administrators, industry trade associations, group purchasing organizations, surgical and

imaging centers, medical groups, physicians, other health care professionals, and companies in the health

care and nutraceutical industries.

Dennis’s activities are wide-ranging, including structuring of health care businesses and transactions,

advising clients on compliance with complex health care and FDA regulations, arbitrating contractual and

other disputes between health care entities or individual providers, litigating health care-related issues in

federal and state courts, and representing health care and nutraceutical companies, medical groups or

individual professionals in various administrative procedures and before regulatory bodies and licensing

boards.

With an advanced Master of Law degree in employment law, and as Co-Chairman of the firm’s

Employment Law Group, Dennis has spent over thirty-five years representing employers in all aspects of

employment law and human resource management, specifically assisting employers in developing and

implementing comprehensive personnel management programs, including Employee Handbooks, anti-

harassment policies and all other employment policies and documents; conducting training and

educational seminars for managers on all aspects of personnel management; otherwise insuring employer

compliance with all federal and state employment-related laws; and counseling employers on personnel

problems to avoid lawsuits.

Dennis also has decades of expertise in traditional labor law, including conducting union avoidance

campaigns, negotiating collective bargaining agreements, grievance processing and arbitrations, wage and

hour disputes, and all forms of proceedings before the National Labor Relations Board (NLRB), federal and

state Departments of Labor.

When litigation is brought by employees, Dennis has defended employers before the New Jersey Division

on Civil Rights, the Equal Employment Opportunity Commission, and all other federal and state

employment regulatory agencies. Dennis has also defended employers in literally hundreds of employment

613031 20

discrimination/harassment, wrongful termination, and “whistleblower” cases in all federal and state

courts in New Jersey and New York, in administrative law hearings and arbitrations.

Areas of Practice

Health Care (Chair)

Employment Litigation Defense (Co-Chair)

Labor and Employment Law (Co-Chair)

Bar Admissions

New Jersey

New York

District of Columbia

United States District Court for the District of New Jersey, the Southern and Eastern Districts of

New York, and the District of Columbia

United States Court of Appeals for the Second and Third Circuits

Education

New York University School of Law

LL.M – (with honors), 1980

New England School of Law

J.D., 1976

College of William and Mary

B.A., Political Science, 1971

Professional Association Memberships

New Jersey State Bar, Health and Hospital Law and Employment Law Sections

American Bar Association, Health and Hospital Section