Workplace Strategies for Protecting Confidential and Proprietary Property
Post on 20-Oct-2014
DESCRIPTION
Workplace strategies for protecting confidential and proprietary property. Includes: Tracking and other IT surveillance tools, Telework/remote systems access policies and practices, Employee use of YOUR Information Technology Resources, Social Media, The Law, or ‘Getting “Dooced”’, etc.
TRANSCRIPT
Workplace Strategies for Protecting Confidential and Proprietary Property
Presented by: Catherine Coulter, catherine.coulter@fmc-law.com
Tracking and other IT surveillance tools
Most of our guidance comes from the decisions of labour arbitrators in the
unionized environment and various Privacy Commissioners across the country
Most cases involving employee surveillance
relate to trying to ensure employee productivity,
rather than protecting and preserving company
confidential information
Types of Surveillance:
(i) GPS (global positioning systems);
(ii) video surveillance;
(iii) keystroke monitoring; and
(iv) RFIDs (radio frequency identification devices)
Video Surveillance
Video surveillance is generally not permitted for the purpose of ensuring employee productivity or supervising employees; however, it may be permitted if the employer can show a bona fide safety or security justification
GPS
GPS is generally permitted for safety management and asset management (eg. tracking stolen company vehicles) but again, like video surveillance, is not permitted for productivity management
Keystroke Monitoring
Keystroke monitoring may be permitted to manage productivity but labour arbitrators have stated that other means of monitoring productivity should be used if at all possible
Surveillance may be permitted if:
(i) employees are given advance written notice of the surveillance;
(ii) there is no less intrusive means of protecting the company’s property; and
(iii) the surveillance is reasonable in scope
WHAT TO DO IF YOU DECIDE TO IMPLEMENT EMPLOYEE SURVEILLANCE:
• Employees should be given notice on a frequent and recurring basis in terms of how they’re being monitored
• Computer pop‐up warnings are a great way to implement frequent reminders
• If you have a workplace computer use policy, check to make sure it’s up‐to‐date and thorough; if you don’t have a computer use policy, what are you waiting for?
Telework/remote systems access policies and practices
WHAT TO DO?
• make sure that your employees and contractors ALWAYS sign properly drafted and enforceable Confidentiality Agreements
• if your employees have a computer at home, help them to ensure that it is password enabled, email encrypted and firewalled
• insist that your clients do their work through your company’s internal network, or no amount of firewalls in the world will help
• Also insist on passwords and other security devices that your employees may use
• if your employees have hard copies of company confidential information at home, make sure that it’s a requirement that it be kept filed in a locked filing cabinet except when being used
• ensure that your employees (and their families) understand that the offsite work area is for work purposes only
• when projects come to an end, employees should be contractually responsible to return documentation to the office for proper storage
• develop policies relating to the protection of confidential information in a telework setting, and train your employees on related security issues
• conduct periodic background checks to make sure that your employees are actually following proper procedures
Employee use of YOUR Information Technology Resources
Employee Use of Company IT Resources
Remind your employees in writing that:
‐ You own the equipment and systems, and they’re just using it
‐ The equipment and systems that they’re using are supplied for business purposes
‐ You have the ability to monitor their computer use and they should have no expectation of privacy when using company‐owned equipment and systems
‐ Freedom of expression is NOT unlimited, even off‐site and off‐hours
‐ They have a duty of good faith which operates 24/7 and post‐employment
‐ They can be terminated with cause for breaches of their duty of good faith, their employment contracts and the company’s policies
Important Tools For Protecting Your Workplace & Technology
‐ Employment Agreements (non‐disparagement provisions; agreement to be bound by company policies)
‐ Confidentiality Agreement (acknowledgement of continuing duties post‐employment)
‐ Intellectual Property Agreement (acknowledgement of assignment of IP to company; waiver of moral rights)
‐ Creation of various policies (Computer Use Policy; Facebook & Blogging Policy; Harassment Policy; Privacy Policy)
Best Practices Computer Use Policy
A best practices company computer use policy will always include the following information:
‐ When the policy applies (to everyone, every time that they use the company’s equipment and systems)
‐ Permitted uses & prohibited uses
‐ Consequences of improper use
‐ No expectation of privacy
‐ Compliance with licenses, laws and policies
‐ Where applicable, expectations regarding Open Source software
‐ Expectations of confidentiality and professional behaviour
‐ Non‐disparagement
‐ Ownership of intellectual property
Social Media
Why Do You Need A Facebook Policy?
‐ Facebook has an 85% market share of 4‐year universities (your target audience for new employees)
‐ The average amount of time spent by people on Facebook each day is over 23 minutes
‐ The fastest growing demographic of Facebook users is ages 25 and up
‐ Facebook operates in more than 75 languages, has over 550 million members, hosts over 15 billion photos on its site and people upload over 100 million more photos to Facebook each day
‐ Every minute of every day, over 1,700,000 actions are performed on Facebook, from comments, to messages, to adding photos, to status updates, to wall posts, etc.
‐ 2 million websites across the internet are integrated with Facebook and 10,000 more websites integrate with it each day
‐ As Time Magazine said in its December 27, 2010 issue “Facebook has a richer, more intimate hoard of information about its citizens than any nation has ever had”
‐ However, Social Networking Sites can: (i) waste time at work; (ii) result in the disclosure of company confidential information; (iii) damage an organization’s reputation; (iv) assist employees who want to take part in “virtual harassment”; and (v) lead to breaches of privacy legislation
Why Not Ban Facebook At Work?
For all of the potential risks of allowing Facebook use at work, there are also good reasons to permit its use:
‐ Facebook is a fact of life for most younger employees, and your organization may appear out of date and out of touch without it
‐ Facebook can permit your employees and your organization to network for business purposes, marketing and fundraising
‐ Facebook can assist HR with employee background checks
‐ Facebook can assist management with intelligence gathering (ie. online ‘town hall’ meetings)
What About Blogging?
‐ As with Facebook, blogging can be an effective and inexpensive means of company advertising
‐ Blogging can also provide a unique perspective on what it’s like to work for a particular company, and can assist with recruiting
‐ As with Facebook and other social media sites however, it is often unmonitored and uncensored. That can lead to a range of blogging from opinion to well‐meaning rambling to intentional harm
‐ As with Facebook and other social media sites, it can also lead to misuse of company confidential information
What To Do?
Options Include The Following:
‐ Outright ban against social media and blogging in the workplace
‐ Prohibit access to social media and blogging at work, and place restrictions on what employees can say outside of work when it comes to workplace issues and people
‐ Prohibit access to social media and blogging at work but place no restrictions on what employees can say outside of work when it comes to workplace issues and people
‐ Permit social media to those who need it for their jobs (eg. HR; sales) and place restrictions on it to everyone else
‐ No restrictions at all
What Should Your Social Media Policy Look Like?
‐ It should contain a clear statement that employees should not engage in: (i) disclosure of company confidential information; (ii) workplace gossip; (iii) posting offensive or discriminatory language or graphics; (iv) disparaging coworkers, management, the company, vendors, suppliers or customers
‐ It should make clear to employees that their use will be monitored by the company and that it may intervene in certain circumstances (eg. disparagement, discrimination, misuse of confidential information)
‐ It should require workplace bloggers to identify themselves by name and not under a pseudonym
‐ It should require bloggers to make it clear that the views which they express are theirs alone and are not necessarily the views of the company
What Should Your Social Media Policy Look Like, con’t.
‐ It should require bloggers to tell the truth
‐ It should require employees to ensure that their activities will not interfere with their work commitments
‐ It should require employees to confirm that their activities may be suspended for a period of time if required (eg. in the event of a black‐out period during a pending corporate transaction)
‐ It should require employees to confirm their understanding that a breach of the policy may lead to the termination of their employment on a with cause basis
‐ It should require staff who use social media for work purposes to use a stand‐alone work dedicated account
The Law, or ‘Getting “Dooced”’
The Law
• As held by the Honourable Mr. Justice Blair of the Ontario Court of Appeal in the case of Barrick Gold Corporation v. Jorge Lopehandia and Chile Mineral Fields Canada Ltd.:
“The internet represents a communications revolution. It makes instantaneous global communication available cheaply to anyone with a computer and an Internet connection. It enables individuals, institutions, and companies to communicate with a potentially vast global audience. It is a medium which does not respect geographical boundaries. Concomitant with the utopian possibility of creating virtual communities, enabling aspects of identity to be explored, and heralding a new and global age of free speech and democracy, the internet is also potentially a medium of virtually limitless international defamation.”
Getting “Dooced”
• www.dooce.com was Heather Armstrong’s blog
‐ She was terminated from her job for writing about her workplace on her blog. Getting “dooced” has become synonymous with getting terminated due to something that you’ve written on your website
Delta Airlines
• Ellen Simonetti, a flight attendant, posted suggestive photos of herself in her work uniform on a company aircraft on her blog, which was called “Diary of a Flight Attendant”
• Once Delta found out about her blog, she was immediately suspended. A month later, she was “dooced”.
Manitoba Health Services
• Jeremy Wright, a Systems Administrator for Manitoba Health Services, alleged that he was terminated from his job for posting the following on his blog:
– Getting to surf the web for 3 hours while being paid: Priceless
– Getting to blog for 3 hours while being paid: Priceless
– Sitting around doing nothing for 3 hours while being paid: Priceless
– Installing Windows 2000 Server on a P2 300: Bloody Freaking Priceless
The Employer took the position that the employee had been terminated for divulging company secrets.
West Coast Mazda v. UFCW
In this case, two employees posted offensive comments about managers on Facebook after hours on their home computers. They were ultimately dismissed.
The B.C. Labour Relations Board upheld the terminations as their comments amounted to insubordination and a hostile work environment. One of the factors which militated against them was that they were key union organizers and had a significant degree of influence over other employees.
Other Considerations
On‐Line Recruiting
Whether you plan to cyber‐recruit or to recruit the good old‐fashioned way, the rules and issues remain the same:
‐ Ensure the information is up‐to‐date and accurate (remember that the on‐line world can be inherently unreliable)
‐ Consider human rights and remember that knowing certain things that you shouldn’t otherwise know (eg. the potential employee’s race or religion) can be risky
‐ Consider privacy requirements and remember that you need to have systems in place for the collection, use, disclosure, storing and destroying of personal information
Best Practices For On‐Line Recruiting
‐ Let the potential employee know that you plan to check them out on‐line; obtaining written consent on the application form can be helpful
‐ Don’t search on‐line until after the interview process
‐ Only search publicly available information
‐ Be cautious about what you retain and keep the information secure. Destroy it 2 years after the hiring decision is made, or sooner if it’s no longer needed for defensive purposes
Open Source Software
The basic principles of Open Source Software include:
‐ Free redistribution
‐ Must allow modifications
‐ A single license to all users
Potential problems:
‐ Bugs/unreliability
‐ No support
‐ No guarantee of updates
‐ Liability for intellectual property infringement (due to the fact that the potential for infringing code is significant)
Open Source Software
‐ Considering the needs of your workplace and industry, you also need to weigh the value of using open source software against the risks associated with not using it
‐ is open source software an issue for your company?
‐ do you need it?
‐ do you know if, when and where your employees are using it?
‐ how might your IP rights be compromised?
The preceding presentation contains examples of the kinds of issues companies looking to protect confidential information could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.