NYCLA CLE Institute
New York Bridge the Gap Session A: Using Personal Devices in the Workplace; Managing Your Law Firm’s Internet Presence
Prepared in connection with a Continuing Legal Education course presented
at New York County Lawyers’ Association, 14 Vesey Street, New York, NY
scheduled for Wednesday, September 10, 2014
Faculty: Jason Habinsky and Jason Juceam, Haynes and Boone LLP;
Andrew Cabasso, JurisPage
This course has been approved in accordance with the requirements of the New York State Continuing Legal Education
Board for a maximum of 4 Transitional and Non-Transitional credit hours; 1 Skills; 1 Professional Practice/Law Practice
Management; 2 Ethics.
This program has been approved by the Board of Continuing Legal Education of the Supreme Court of New Jersey for 4
hours of total CLE credits. Of these, 2 qualify as hours of credit for ethics/professionalism, and 0 qualify as hours of credit
toward certification in civil trial law, criminal law, workers compensation law and/or matrimonial law.
ACCREDITED PROVIDER STATUS: NYCLA’s CLE Institute is currently certified as an Accredited Provider of
continuing legal education in the States of New York and New Jersey.
Information Regarding CLE Credits and Certification
New York Bridge the Gap Session A: BYOD—Using Your Personal Devices in
the Workplace; Managing Your Firm’s Internet Presence
September 10, 2014; 5:30 PM to 9:00 PM
The New York State CLE Board Regulations require all accredited CLE
providers to provide documentation that CLE course attendees are, in fact,
present during the course. Please review the following NYCLA rules for
MCLE credit allocation and certificate distribution.
i. You must sign-in and note the time of arrival to receive your
course materials and receive MCLE credit. The time will be
verified by the Program Assistant.
ii. You will receive your MCLE certificate as you exit the room at
the end of the course. The certificates will bear your name and
will be arranged in alphabetical order on the tables directly outside
the auditorium.
iii. If you arrive after the course has begun, you must sign-in and note
the time of your arrival. The time will be verified by the Program
Assistant. If it has been determined that you will still receive
educational value by attending a portion of the program, you will
receive a pro-rated CLE certificate.
iv. Please note: We can only certify MCLE credit for the actual time
you are in attendance. If you leave before the end of the course,
you must sign-out and enter the time you are leaving. The time will
be verified by the Program Assistant. Again, if it has been
determined that you received educational value from attending a
portion of the program, your CLE credits will be pro-rated and the
certificate will be mailed to you within one week.
v. If you leave early and do not sign out, we will assume that you left
at the midpoint of the course. If it has been determined that you
received educational value from the portion of the program you
attended, we will pro-rate the credits accordingly, unless you can
provide verification of course completion. Your certificate will
be mailed to you within one week.
Thank you for choosing NYCLA as your CLE provider!
New York County Lawyers’ Association
Continuing Legal Education Institute
14 Vesey Street, New York, N.Y. 10007 • (212) 267-6646
Bridge the Gap Session A
BYOD: Using Personal Devices in the Workplace;
Managing Your Firm’s Internet Presence
Wednesday, September 10, 2014 5:30 PM to 9:00 PM
Faculty:
Jason Juceam, Haynes and Boone LLP
Jason Habinsky, Haynes and Boone LLP
Andrew Cabasso, JurisPage
AGENDA
5:00 PM – 5:30 PM
Registration
5:30 PM – 7:10 PM
BYOD: Using Personal Devices in the Workplace
Jason Juceam, Haynes and Boone LLP
Jason Habinsky, Haynes and Boone LLP
7:10 PM – 7:20 PM
BREAK
7:20 PM - 9:00 PM
Managing Your Firm’s Internet Presence
Andrew Cabasso, JurisPage
9/5/2014
Bring Your Own Device
(“BYOD”)
Best Practices & Worst-Case Scenarios Surrounding Employee-Owned Devices in the Workplace
© 2013 Haynes and Boone, LLP
What is BYOD?
• The practice whereby employers permit
employees to bring their own personal
mobile devices – typically smartphones or
tablets – into the workplace and
encourage employees to use these
devices for business-related tasks.
BYOD Statistics – the Good
• By 2016, 80% of employees will be eligible to use their
own devices (Gartner)
• And 38% of employers will stop providing devices to
employees (Gartner)
• Employees are willing to spend an average of almost
$1,000 on their devices and over $700 on internet data
plans (CloudTweaks)
• 89% of IT professionals support BYOD and 85% agree
that it increases company efficiency (CDW)
BYOD Statistics – the Bad
• 54% of employers either are still developing BYOD
policies or have none in place
• Only half of IT Managers said their companies “had a
strategy in place to effectively manage and secure the
additional, personally-owned devices” (CDW)
• 51% of employees connect to unsecured wireless
networks with their personal devices (Cisco)
• 53% of employees use unsupported software or Internet-based
services on their personal devices to do work (Forrester)
What Does This Mean?
• BYOD is here to stay
– By 2017, 50% of employers will require
employees to supply their own devices for
work purposes (Gartner)
• Many employers are unprepared and lack
sophisticated policies and procedures
What Does This Mean cont’d?
• Employees are performing unauthorized
activities, or simply lack formal consent
• Employers are vulnerable to security &
privacy issues and increasingly
susceptible to lawsuits
What Should Employers Do?
• Develop a strategy for safely and effectively
managing BYOD
• Implement a clear and effective policy, which
includes an Acceptable Use Agreement
• Educate employees about BYOD policy and
provide effective training
• Perform periodic audits to ensure compliance
The Rise of BYOD
• Traditionally, enterprise IT drove consumer
technology and trends. Employers provided
employees with IT; e.g. Blackberry; Palm PDAs
• Today, tech-savvy employees are adopting
consumer-focused and business-oriented
technologies – e.g. iPhones & Androids –
thereby consolidating their personal and work
devices for enhanced productivity and
convenience
The Rise of BYOD cont’d
• As of 2013, it was estimated that mobile
devices outnumber people (Cisco)
• With the influx of devices that have the
ability to communicate, as well as track
and maintain data, there is a greater
likelihood that employees will utilize
personal devices with dual functionality
The Benefits of BYOD
• Cost-Savings
– Employers save $ since they no longer
provide employees with device
– Upwards of 20% savings on IT
• Improved morale
• More sophisticated and efficient equipment in
the workplace leading to increase in productivity
The Benefits of BYOD cont’d
• Employees possess better understanding of
their own devices thereby reducing the need for
training and support
• Employees treat their own property better than
employer owned property
BYOD Risks
• Employer Security
– Public exposure of employer’s confidential &
proprietary information
• Employees take their devices wherever
they go, which means company data goes
where employees go
• Potential for outside users to access data
-Leakage: employer data inadvertently
spills out to the public domain
-Lost or Stolen Devices
BYOD Risks cont’d
• Employer Security
– Public exposure of employer’s confidential &
proprietary information
• Employees sending work email or
documents to their personal email account
through their own devices bypassing
employer security channels
BYOD Risks cont’d
• Employee use of unencrypted third-party
file-hosting services
• Data stored on iCloud is potentially
susceptible to hackers
BYOD Risks cont’d
• Employer Security
– Threats to employer’s network
• Data breaches
• Network invasions, e.g. malware and
viruses that harm employer’s network by
collecting data (e.g. mechanisms that target
shared folders as well as internal File
Transfer Protocol (FTP) sites)
BYOD Risks cont’d
• Employee Privacy
– Protection of employee’s personal information
– Because it’s their device, employees may possess
greater expectation of privacy
– The protective measures employers implement to
combat security threats often implicate privacy
concerns
– The use of biometrics for security purposes (e.g.
scanning of finger prints and voices), could lead to
privacy and discrimination claims
BYOD Risks cont’d
• Employee Privacy cont’d
• E.g. Tracking or monitoring employee
devices; wiping devices when lost or stolen
• Reviewing an employee’s device upon
departure from company and sometimes
the potentially awkward situation where an
HR or IT Professional reviews employee
owned device
• These policies must be made clear
BYOD Risks cont’d
• Liability for employee conduct on devices
– Because they’re using their own devices,
employees might be inclined to bring
unacceptable “after-hours” behavior into the
workplace
– Texts, social media, and tweets sent in the
office or through an employer’s network can
lead to sexual harassment lawsuits and
bullying
BYOD Risks cont’d
• Liability for employee conduct on devices
– Possibility that employees may use their
personal devices to bully their co-workers
– 35% of working adults claim to have been
bullied at work (Workplace Bullying Institute)
– If an employer knows or should know about
such harassment and does not remediate the
situation, it could face liability
BYOD Risks cont’d
• Privacy Concerns
– An employee’s expectation of privacy on a personal device used
for work-related purposes can be impacted by a company’s
BYOD policy and Acceptable Use Agreement, as well as
whether an employer pays for the device
• In Mintz v. Bartelstein & Assoc., Inc., 885 F. Supp. 2d 987 (2012),
the Court denied plaintiff’s motion to quash a subpoena seeking
records from plaintiff’s cellular phone provider, holding that the
employee had a limited expectation of privacy because the
company’s employee manual provided that electronic
communications could be reviewed. The company also paid for a
portion of the cellular phone bill.
BYOD Risks cont’d
• Privacy Concerns
– Privacy rights can potentially be dictated by the posture of the
litigation.
• In Kamalu v. Walmart Stores, Inc. 119 Fair Empl. Prac. Cas. (BNA)
1223 (E.D. Ca. 2013), the court held that for discovery purposes,
there was no expectation of privacy with respect to phone records
such as date, time, and duration of phone calls and text messages,
but that privacy rights attached to the substance of the
communications, thereby preventing disclosure.
BYOD Risks cont’d
• Harassment and Discrimination
– Employers have a duty to put a stop to discrimination or
harassment transpiring in the workplace when the employer
knows or has reason to know of such conduct
• Summa v. Hofstra University, 708 F. 3d 115 (2d Cir. 2013)
– A female graduate student who worked as team manager for the
Hofstra football team brought state and federal sexual harassment
claims against the school stemming in part from the creation of an
inappropriate Facebook page by members of the football team.
– The court granted Hofstra’s motion for summary judgment because the
school promptly took remedial action: disciplining the players involved
with page and ordering them to take the page down. The school also
addressed all of the employee’s complaints and provided adequate
training concerning harassment and discrimination.
BYOD Risks cont’d
• Harassment and Discrimination
• In contrast, in Espinoza v. County of Orange, 2012 WL
420149, the employer was held liable for harassment by
employees towards a fellow-employee on a non-work blog
after the employer learned of the conduct and failed to take
remedial action.
BYOD Risks cont’d
• Harassment and Discrimination
• Employers may be liable for discrimination or harassment
perpetuated through an employee’s personal device that
occurs outside the workplace if there is a sufficient link with
the workplace
• Amira-Jabbar v. Travel Services, Inc., 726 F. Supp. 2d 77 (D.
Puerto Rico 2010)
• Employee sued employer for hostile work environment. The
claim stemmed from a racist comment made on a Facebook
picture from a work event by a co-worker. The court found
this to be a sufficient nexus to work-related activity
regardless of whether the racist comment was made during
or after work.
BYOD Risks cont’d
• Safety Concerns
– Chatman-Wilson v. Cabral and Coca-Cola
Refreshments USA, Inc., 2013 WL5756347
• Coca-Cola, Inc. ordered to pay $21.5M for employee’s car
accident resulting from talking on her personal cell phone
while driving
• Coca-Cola employee violated company’s hands free cell
phone policy while using cell phones for work purposes
• Coca-Cola found vicariously liable
BYOD Risks cont’d
• Safety Concerns
– Potential for respondeat superior to trigger liability
• Clo White Co. v. Lattimore, 590 S.E.2d 381 (Ga. Ct. App.
2003)
– Accident victim sued employer following car accident
with employee because employee used personal cell
phone to call work at the moment he got into a car
accident.
– Summary judgment denied; the court noted the
employee would regularly use his personal cell phone for
work-related tasks
BYOD Risks cont’d
• Potential wage & hour lawsuits
– Employees’ use of smartphones to respond to
work-related matters outside of business hours
can blur the line between personal & work time
– Creates potential for overtime claims, e.g. under the
Fair Labor Standards Act (FLSA), which
requires non-exempt employees to be paid for all
hours worked and overtime for hours worked
beyond 40 in a week
BYOD Risks cont’d
• Wage and Hour Concerns
− Mohammadi v. Nwabuisi, 2014 WL 29031
• Employer found liable for not compensating employee
for overtime work performed using employee owned
device
• In addition, employer failed to keep accurate records,
and employee’s oral recollection of time worked
satisfied record keeping requirements
BYOD Risks cont’d
• “Information governance,” compliance w/
corporate investigations & litigation discovery
holds
• Inadvertent restrictions of union activities
– compliance w/ § 7 of the NLRA
• Insurance coverage for BYOD conduct
– Verify that your policies are up to date
Protective Measures
• Mobile Device Management (MDM) and Mobile
Application Management (MAM)
– MDM allows companies to encrypt data, as well as
remotely locate, lock & wipe devices, and track user
activity
– MAM enables IT operators to manage and block
applications that are potentially harmful
• “Sandboxing”
– Software virtualization that partitions employee &
employer’s data
MDM & MAM are not Perfect!
• MDM creates potential privacy issues
– Excessive monitoring, or monitoring without
consent, can be an invasion of employee
privacy
• MAM cannot monitor and control all apps
– Impossible to monitor and control all apps
downloaded onto employee devices
– E.g. Employees uploading docs through third-party cloud services
Sandboxing is not Perfect!
• Sandboxing is not 100% effective
– “Spillage,” when employer data migrates to
the personal side of a device, can occur
– Employee use of third-party cloud services
that automatically back up documents and
other information on personal devices can
inadvertently compromise employee data
Sandboxing is not Perfect!
Cont’d
• E.g. Apple stores (in the cloud) EVERYTHING
you tell Siri for two years. As a result,
employees may inadvertently share sensitive
information simply by using common features on
a device
Drafting BYOD Policy:
General Advice
• Implement a policy that combines technology
solutions with clear and comprehensive policies
• Emphasize security & respect employee privacy
• Clearly explain permissible behaviors and
activities on personal devices that have access
to corporate systems
• Perform periodic audits to ensure compliance
with BYOD Policy
What to include in an Effective
BYOD Policy
• Which employees are allowed to BYOD?
– Some companies are inclined to limit BYOD to
high-level employees
• Which devices are authorized?
• Ensure that a company’s BYOD Policy is
consistent with other policies (e.g., trade secret,
harassment/discrimination, wage and hour)
What to include in an Effective
BYOD Policy cont’d
• What are the employee’s security obligations?
– E.g. prohibited websites & applications while
connected to employer network
– E.g. passwords; firewall
• What are the parameters of acceptable use?
– Acceptable information and communications
• What activities are prohibited?
What to include in an Effective
BYOD Policy cont’d
• What employer networks, services and
applications can be accessed?
• Protocols for device repairs; who bears the cost?
• Detailed procedure in the event device is lost or
stolen
– Ability to locate, lock, & wipe a device
What to include in an Effective
BYOD Policy cont’d
• Disciplinary action
• Assurance that company is not infringing upon
employees’ right to organize under the NLRA
• Separate wage and hour policies
• Safe driving
• Include an Acceptable Use Agreement (“AUA”)
• Outboarding: Employee departure procedure
– Ensure removal of employer data at end of
employment
BYOD Training
• Provide BYOD training to employees and
supervisors
• Educate employees about BYOD Policy &
provide effective training that is consistent with
other company policies
Notices to Incorporate in BYOD
Policy
• Inform employees about all MDM monitoring or
tracking of devices
• Inform employees before installing anything on
employee devices
• Inform employees that they must consent to the
BYOD Policy and agree to an Acceptable Use
Agreement prior to utilizing a dual-use device
Crafting an Acceptable Use
Agreement
• Explain that dual-use of a personal device is a
“privilege”
• Acknowledgement & acceptance of the
Acceptable Use Agreement (“AUA”)
• Employee acceptance of the AUA must be easy
Crafting an Acceptable Use
Agreement cont’d
• Obtain employee consent for the company to:
– Remotely wipe a device
– Monitor the personal device when connected to
company network
– Inspect device upon legitimate request, e.g. corporate
investigations and litigation holds
• Obtain company release from employee for any liability
stemming from the destruction or incidental viewing of
personal information
– Employee acceptance of the AUA must be easy
Is your client protected?
• In the event an employee’s dual-use device is
lost or stolen, can your client:
– Lock down the device remotely
– Identify what was on the device
– Identify who is accessing your network and
what they’re doing, such as what files are
being accessed
– Perform network forensics
Is your client protected cont’d?
• Are you tracking the latest developments
in employment law and does your BYOD
policy conform with changes in the law?
– Because the law is consistently changing,
your BYOD policy must be fluid and needs to
be updated in order to stay current and
ultimately be effective.
Questions?
Related Articles Regarding BYOD
Agencies Inch Toward Solutions on BYOD
http://www.govtech.com/Barriers-to-BYOD.html
8/28/2014 10:17 AM
Solutions to deal with security and data privacy issues
have sprouted up in droves, but is there a good fix to the
people problem?
BY ADAM STONE (HTTP://WWW.GOVTECH.COM/AUTHORS/98564519.HTML) /
JULY 18, 2014
Jay Hadley: The city of Rancho Cordova, Calif., uses mobile device
management, but still worries about risks.
The BYOD phenomenon is becoming more
entrenched in government, and with good
reason. Bring your own device promises
potential cost savings and increased
productivity. Moreover, employees want it.
They’re used to accessing the world through
their tablets and smartphones, and taking
their work on-the-go feels like a natural
extension of their mobile lifestyles.
Faced with tough fiscal choices, many city and
state managers find BYOD a tempting
proposition. In a 2013 study, Cisco’s Internet
Business Solutions Group said BYOD could net
employers up to $3,150 per employee each
year on device expenses and increased
productivity. BYOD employees gain 37
minutes per week in productivity, while
spending more than $1,500 a year on expenses
related to their devices.
But BYOD is hardly a slam dunk. As with any
emerging technology, the transition to this
new paradigm presents a range of hurdles to
IT managers trying to do what’s best for the
jurisdiction while simultaneously supporting
the desires of end users.
Security is a primary concern, as work data
increasingly commingles with private
information and travels outside the office
walls. But there are other sticking points,
including concerns about privacy, issues of
overtime and the burden on IT of having to
support a broad range of devices, to name a
few.
Public-sector technology leaders say these
challenges can be overcome, but it takes some
creativity and forethought.
Even before concerns about technology, IT
leaders are wrangling with questions about
people. Perhaps more than any other facet of
IT today, BYOD challenges technology
managers to consider the end user, both as an
employee and as an individual with specific
personal needs. At the same time, the
employee’s relationship to the workplace must
be addressed.
Take, for instance, the issue of discovery, the
possibility that participants in a lawsuit could
demand access to the content of a personal
device in order to investigate work-related
information.
“Now somebody wants to see if you have
documents on your device that pertain to
subject X. What does the law really say about
that?” asked Minneapolis CIO Otto Doll. “We
don’t see the laws as being clearly written to
say you can only look at the business side of
the device and not the personal side. It is not
very clear how someone would ascertain just
what is the business side versus the personal
side.”
Some see the issue of discovery as a major
impediment, largely because of employees’
reluctance to make their private data public.
“The city or state has to provide access to
relevant public documents. This means the
government has to have access to that device,”
said New Hampshire state Rep. Bill O’Brien, a
former state speaker of the House and now
COO of Brainloop, which delivers
collaboration tools. “Yet the last thing any
employee would expect is to have their devices
summoned into court.”
Even without the threat of litigation, it’s a real
issue: New Hampshire has received as many as
203 requests for open records. The state’s
response has been straightforward, mirroring
what many say is the best approach to
employee-based BYOD concerns. That is,
candor upfront. Employees bringing their own
devices are told at the start that the state has
the right to demand that any content be made
available as needed.
Privacy is just one aspect of the “people”
equation. Of further significance are questions
of compensation — both in terms of device
usage and work hours.
In Napa County, Calif., where several hundred
of the county’s 1,300 employees bring their
own devices, CIO Jon Gjestvang has tackled
the issue directly, deciding early on that
employees should receive some form of
stipend if they make productive work use of
their own devices. The county will pay $35 to
$120 a month to cellphone users, along with a
$50 to $60 data allowance.
“It was based on your job, how much we
thought you would be calling for business, and
the data stipend was based on roughly the cost
of a data plan at the time we made the policy,”
he said. The basic rule for compensation: “It’s
available, but there has to be a business reason
for it.” And that’s up to department heads to
decide.
It seems simple, but there are complications.
Governments are supposed to be saving
money, and yet the stipend, in some cases,
feels like an expense, even if the user is gaining
productivity. “If I give you $50 to come in with
a phone, that’s still $50 that I am paying,” Doll
said.
One further point on the human element:
When are you at work? And should you be
paid for that time? Will hourly workers claim
overtime for work done at home? Is this a
convenience or a new way for management to
squeeze out more work for less pay?
“You need to define those parameters, that
there is no additional requirement to do more
work because of having these devices. It is only
intended for the convenience of the employee.
That has to be in every single policy,” said
Jerry Irvine, CIO of Prescient Solutions and a
member of the National Cyber Security Task
Force.
Some jurisdictions have started addressing the
overtime question explicitly in their BYOD
policies. In Rancho Cordova, Calif., hourly
employees using personal devices outside of
their normal work schedule can work up to
seven additional minutes per day without
needing to report it. Anything beyond that,
however, must be accounted for on the
employee’s timesheet. The rule aligns with the
city’s policy of rounding minutes worked to the
nearest quarter hour.
While IT must consider the human element,
there also are a range of technology-related
impediments in play. One of the most
significant of these is the matter of device
management.
“When we started allowing access back in the
BlackBerry days there was one device, one
operating system. It was pretty simple,” said
Gjestvang. “With the introduction of multiple
devices, that has opened up challenges for us.”
Gjestvang’s team has installed a server
separate from the BlackBerry server and
developed software components to manage
multiple devices. Set-up isn’t hard, he said, but
upgrades can be a bear. A recent upgrade to
the email system didn’t take on every device, in
spite of an otherwise smoothly operating
mobile device management system, and
technicians spent time making adjustments.
“Typically this would not have been a big deal,”
he said.
Similar issues have come up when setting up
new business applications. “Apps don’t
necessarily work the same on one mobile
device operating system as another,” Gjestvang
said. “Some installations have taken a fair bit
of manual tweaking.”
Sometimes issues arise on individual devices.
One way to simplify that situation: Wash your
hands of it. Gjestvang’s team as a rule will not
offer support for personal devices. “We won’t
just hang up on them, we’ll tell them what to
do next, whether it is taking it to their carrier
or dealing with some issue within the device,”
he said. “Anything else really just stretches IT
too thin.”
Rancho Cordova IT Manager Jay Hadley takes
a similar approach. “We are always willing to
assist them, but there is a line there where we
can only do so much,” he said. “In 90 percent
of the cases when a user comes to us with an
issue, it is just a small glitch or a
misunderstanding about how to use it. But
there are times when there is something going
on that is on the carrier side. Then there is
nothing we can do.”
Hadley stretches his resources further by
posting information about devices on the city
intranet, including how to choose a device.
“They can read it themselves, and if they need
more information we are glad to sit down and
help them with that,” he said.
Even if they can reduce the complication by
offering only minimal support, IT managers
still have to wrangle with obstacles inherent in
the devices themselves. As Gjestvang noted,
the same apps won’t always play nicely on
multiple devices.
But sometimes IT leaders bring the problems
on themselves by trying to take an overly
simplistic approach to launching mobile apps
for BYOD. Israel Lifshitz, CEO of Nubo
Software, said it won’t do just to try and port a
desktop function onto a range of mobile
devices.
Often, a multifaceted desktop tool is wedged
onto a mobile device and asked to do too
much. “For example, you can see that the work
of one Outlook desktop application [when
shifted onto mobile] uses at least five different
apps: email, calendar, contact, notes and
tasks,” he said. The result? Diminished user
experience.
“The best solution is to develop apps for
mobile, to provide native apps,” Lifshitz said.
“Using antiquated desktop applications on
mobile platforms will not work, as the typical
uses of mobile apps are totally different than
desktop applications.”
It all seemed so easy. Employees would bring
in their tablets and phones, their iThisOrThat.
IT would load them up with enough software
to give them access to their needed work
materials and send them on their way.
Well, it probably never seemed quite that easy.
IT folks are savvy enough to realize that this
quiet revolution is going to come with
complications. Even a couple years into the
BYOD groundswell, many are still just
discovering the magnitude of the challenge.
Human concerns, technological adaptations —
and then there’s security.
In a sense, this isn’t hard, really. Put in enough
safeguards to keep government data secure
from any incursion; lock it up tight. But then
employees won’t be able to get in either. We’ve
killed the patient to treat the disease. Before
looking for remedies, therefore, it’s best to
understand the risks. What exactly are the
security challenges facing BYOD?
A leading concern involves the nature of the
devices themselves and the way people use
them. “Most people don’t protect the data in
their personal smartphones the same way their
data in a work device would be protected,” said
Michigan Chief Security Officer Dan
Lohrmann. “There aren’t the same mandates,
and ultimately people don’t perceive the risk,
so they don’t take the precautions.”
Without those precautions, it’s easy to see a
catastrophic scenario. In Napa County,
Gjestvang voices the worry that is foremost on
the minds of many IT executives dealing with
BYOD: data loss. “The big concern is about the
data going out, anywhere from personally
identifiable information to protected health
information,” he said. Maybe it happens via a
breached firewall or a lost device. The prospect
of outsiders gaining access to inside
information is the leading worry.
Gjestvang’s solution is not atypical. Workers
can sign into county systems using a mobile
device management system, but no county
data will reside on their devices. Everything
comes in encrypted, containerized and
password protected, and it can be wiped
remotely.
Hadley makes use of a mobile device
management solution, a mechanism through
which IT managers can program in rules and
establish routines intended to give strict
guidance to the movement of data over the
network. But it’s not a perfect fix.
“You can put some policies on mobile devices,
but we still don’t have the same comfort level
that we have when we put policies on
workstations. We can tell it to require PINs, we
can tell it to lock devices, but it’s still not
satisfying,” he said. “Suppose the mobile
device gets a virus, for example. I want
something that will report that back to us, and
I haven’t seen anything like that.”
Faced with the same issues, others have taken
a range of approaches, said Dux Raymond Sy,
chief technology officer at AvePoint Public
Sector:
• Third-party providers lock down data on
employees’ devices, often through the use of
additional verification methods such as
geofencing and two-factor authentication.
• Government assumes control over an entire
smartphone or tablet through mobile device
management or other means.
• Containerized solutions create partitions
between personal and work-related data.
• Secure file sharing and collaboration tools
allow content sharing while maintaining
control over data.
In King County, Wash., IT Enterprise Manager
Bob Micielli frets the mundane, the proverbial
laptop left on the train. He implemented a
couple of layers of safeguards against such an
eventuality, relying especially on cloud
provider MaaS360. Not only does a cloud
solution help ensure data is safely out of reach
from malicious actors, it also lightens the IT
load.
“It gives us the flexibility to access the
information from anywhere you are,” Micielli
said. “You don’t have to sign into our
environment, you can use the cloud portal. So
rather than us building the servers, supporting
the software, supporting the applications, we
let the cloud provider handle all that. It means
we don’t have to set up an entire IT stack.”
Despite such potential solutions, few in IT are
comfortable with the state of BYOD security:
There are just too many unanswered
questions.
“We know we just don’t have the same tools
that we have on laptops and workstations,”
Hadley said. “I haven’t seen anything that
totally satisfies us.”
Adam Stone (http://www.govtech.com/authors/98564519.html) |
Contributing Writer
BYOD Policy, Security Highlighted as Apple, IBM Join Forces
1 of 4
http://www.shrm.org/hrdisciplines/technology/articles/pages/why-byod-p...
By Aliah D. Wright 7/25/2014
Apple and IBM’s recent announcement that they will partner to bring IBM’s big data and analytics
capabilities to the iPhone and iPad highlights the need for human resources and information technology
professionals to be prepared for the sea change of enterprise mobility.
Why should HR care?
Because according to Counterpoint Technology Market Research (http://www.counterpointresearch.com
/top-10-smartphones-in-february-2014), Apple’s iPhone 5s continues to be the best-selling phone in the
world, and more and more businesses, in an effort to save money, are requiring their employees to bring
their own devices to work—despite security concerns, experts say.
Bring your own device (BYOD) as a trend “is an inevitable part of your workforce strategy and … companies
must prepare for its spread across their organizations,” according to the June 2014 Forrester Wave: Global
BYOD Management Services report.
In a recent survey, 26 percent of respondents said their employer required use of employees’ personal
devices, and 15 percent had signed a BYOD agreement, information technology research and advisory
company Gartner stated in a report published in May 2014.
A sample BYOD policy (/templatestools/samples/policies/pages/bringyourowndevicepolicy.aspx) is available
on the Society for Human Resource Management’s (SHRM) website.
As SHRM reported in spring 2014, “Gartner forecasts that by 2018, 70 percent of mobile professionals will
conduct work on personal devices (/hrdisciplines/technology/articles/pages/byod-identity-crisis.aspx).”
After all, “iPhone and iPad … have transformed the way people work with [more than] 98 percent of the
Fortune 500 and [more than] 92 percent of the Global 500 using iOS devices in their business today,” said
Apple CEO Tim Cook in a news release on Apple’s mobile operating system. “For the first time ever we’re
putting IBM’s renowned big data analytics at iOS users’ fingertips.”
Experts say this trend will mean HR needs to prepare to implement mobile device management policies and
IT will need to address security concerns.
Forrester reports that 35 percent of companies with more than 1,000 employees in the U.S.—and 24
percent of such employers in Canada, as well as 21 percent in Europe—“are ready to pay some or all the
cost of a mobile phone or smartphone used for work.”
While at other companies, having employees pay for their own equipment may ease costs, the need for
policies surrounding BYOD will be even more critical, experts say.
David Lee, vice president of product management at RingCentral, a software-as-a-service vendor that
provides cloud-based phone systems for businesses, told SHRM Online in an interview that mobile
providers are hoping to enter the enterprise, which “should make it easier for HR to manage and enforce
BYOD policies and [for] IT to provide secure and manageable infrastructure for these new mobile devices.”
Security Still Important
The Forrester Wave report stated that “security management for employee personal devices used for work
is a top concern, which is unlikely to abate.” Some 77 percent of those surveyed by Forrester said they
expect their BYOD policies to change within the next 12 months to address security concerns. Part of that
focus will be on “what type of information and resources can be accessed, and how to monitor and enforce
IT policies related to downloads, and transfers of information,” according to the report.
“One challenge HR may face is employees’ willingness to partially give up control of their personal devices,”
Lee said. “Many of the mobile device management functions included in [Apple’s latest operating system],
which IBM will no doubt leverage, take some control away from users (what can be installed, what can be
deleted, etc.), and may enable employees to have access to data on their personal devices that employers
may not be aware of,” Lee pointed out via e-mail. “HR may need to manage those concerns and
expectations transparently to ensure employee acceptance.”
Michael Osterman, principal analyst with Osterman Research, which provides insight for companies in the
messaging industry, told CIO Magazine (http://www.cio.com/article/2376794/byod/cios-face-byodhard-reality--employees-don-t-care.html) recently that “it is clear organizations need to continue to educate
employees on the dangers and risks of mobile security, but also look to solutions that safeguard the devices
and applications which these employees have access to.”
Here’s What HR Can Do
SHRM Technology and HR Management Special Expertise Panel member Jeremy Ames told SHRM Online
in an e-mail interview that measures for securing personal devices can include “such things as ensuring
your company has a virtual private network, or for Android users, installing security programs such as Avast
[or] … making sure ‘Find My iPhone’ [an app that locates the missing device] is set up.”
He said the goal is to have the minimum set of security requirements for BYOD devices.
Ames added that training on the use of BYOD is important, but “I don’t think that training alone can be
sufficient if companies truly think that what they’re ending up with is a secured dual-purpose device,” he
said. “That is true of most companies, but especially for industries like financial services, legal, defense
contractors, etc. More and more companies are trying to realize the cost savings associated with BYOD, but
aren’t tackling this important issue” of security.
“One of the biggest challenges for IT leaders is making sure that their users fully understand the implications
of faulty mobile security practices,” Mike Escherich, principal research analyst at Gartner, stated in a news
release, “and to get users and management to adhere to essential steps which secure their mobile devices.”
Ames added, “Of particular concern are the mechanisms people have to send data up to cloud-data storage
services like Dropbox. If the data isn’t properly segregated, you’ve already lost some control, and
information, to the cloud. So yes, while there can be ‘DIY security’ put in place, I think that companies might
want to determine if the effort to physically get the devices in their hands to secure them is worth the
payback they’ll end up with.”
Aliah D. Wright is an online editor/manager for SHRM and author of A Necessary Evil: Managing Employee
Activity on Facebook, Twitter, LinkedIn … and the Hundreds of Other Social Media Sites
(http://www.amazon.com/Necessary-Evil-Managing-Employee-Activity/dp/1586443410) (SHRM, 2013).
BYOD: If You Think You're Saving Money, Think Again | CIO
1 of 5
http://www.cio.com/article/2397529/consumer-technology/byod--if-you-...
8/28/2014 10:14 AM
Keep Cyberspies Out
1 of 13
http://www.shrm.org/publications/hrmagazine/editorialcontent/2013/071...
COVER STORY
Vol. 58 No. 7
Here’s how HR can safeguard sensitive data and reduce the threat of cybercrime.
By Aliah D. Wright 7/1/2013
They lurk in a sea of online data—these anonymous cybercriminals
—trying to reel in a big fish: you.
You're the unsuspecting HR professional who sits atop a treasure trove
of information—Social Security numbers, addresses, electronic health
records, strategic plans, trade secrets—that can help criminals in their
quest to profit from stolen data.
It's getting harder to protect data from cybertheft. Security experts say
three developments since early 2012 have led to an increase in hacker
attacks:
• The ease of using online "social engineering" techniques—taking
advantage of human characteristics such as curiosity, helpfulness or
greed—to trick and exploit people. Perpetrators often find victims
through publicly identifiable information and then attempt to access
sensitive corporate data through those individuals.
• A shift to using mobile devices—a Wild West of security vulnerability.
• An increase in the use of cloud-based services, which can have security
holes.
Theft of corporate information threatens organizations of all sizes, and
many are unprepared to detect or resolve such losses, according to the
Ponemon Institute LLC, a research and consulting company in
Traverse City, Mich., specializing in data security.
In The Post Breach Boom, a report released in February that reflects
the responses of 3,500 information technology security professionals
surveyed by Ponemon, 54 percent of the respondents said data
breaches had increased in severity during the past two years. Another
52 percent said breaches had become more frequent.
Moreover, 45 percent of chief executive officers said their companies
experience cyberattacks daily or hourly, according to Ponemon's
nationwide 2012 study, The Business Case for Data Protection.
Determined Cyberthieves Use Many Tools
Data breaches often involve multiple techniques, according to the 2013
Data Breach Investigations Report, an analysis of more than 47,000
security incidents from Verizon Communications Inc.:
• 76 percent of network intrusions exploited weak or stolen credentials,
such as usernames or passwords.
• 40 percent incorporated malware—malicious software, script or code
used to steal information.
• 35 percent involved physical attacks, such as ATM skimming.
• 29 percent leveraged social engineering tactics, such as phishing.
Cyberattacks are typically outside jobs. In a 2013 analysis of more than
47,000 security incidents, Verizon Communications Inc. researchers
found that "external attacks remain largely responsible for data
breaches, with 92 percent of them attributable to outsiders." These
attacks came from organized crime, activist groups, former employees,
lone hackers and even organizations sponsored by foreign
governments, according to the 2013 Data Breach Investigations
Report.
"There isn't just one type of criminal operating online. It's a robust,
complex and very healthy ecosystem composed of many different types
of attackers, all looking for different things to buy and sell," says Eric
M. Fiterman, founder of Spotkick, a Washington, D.C.-area
cybersecurity company.
"Today's spies no longer need to sneak in anywhere with a microfilm
camera under the cover of darkness. They do their spying job without
ever leaving the comfort of their high-tech offices," says Michael
Burtov, CEO of Cangrade, an applicant tracking and assessment
company in the Boston area.
HR professionals must be vigilant when it comes to protecting their
organizations from this new breed of cyberthieves.
"I work closely with our IT administrator to make sure that we're
protecting the integrity of our data," says Ben Eubanks, PHR, HR
manager for Pinnacle Solutions Inc., an aviation training and logistics
support company in Huntsville, Ala. The company is a government
contractor, and "data security is highly important to our business," he
says.
Information gained in cyberattacks can be used to perpetrate identity
theft; commit espionage, financial crimes or insurance fraud; or
circulate false information. The potential harm of such crimes was
apparent this spring when someone hacked the official Twitter account
of the Associated Press and tweeted falsely that President Barack
Obama had been injured in an explosion at the White House, which led
to wild swings in the stock market.
Phishing for Access
Experts say online social engineering poses one of the greatest risks to
companies whose information resides on servers or mobile devices or
in the cloud. According to the Verizon analysis of security incidents, the
proportion of breaches incorporating tactics such as phishing—the
practice of tricking users into clicking on a link presented as that of a
seemingly legitimate website—was four times higher in 2012 than in
2011.
Social engineering attempts hinge on fooling people into believing
they're going to benefit in some way or prevent a negative consequence
by clicking on a link or divulging confidential personal or proprietary
information.
For instance, a hacker may breach a network and learn that an
employee has high health care costs. The hacker could then create an
e-mail that looks like it comes from the employee's physician and reads
something like, "I need you to come to our office ASAP. Our recent
scans show something I need to discuss with you. Click here for an
appointment," says Stu Sjouwerman, CEO at KnowBe4 LLC, a network
security firm in Clearwater, Fla. The target might think, "Oh, my God!
Do I have cancer?" and then click on a link that could put the
company's sensitive HR data at risk.
That's because tracking programs—keystroke loggers, Trojans, worms,
cookies, adware, viruses and malware—can be introduced when a user
clicks a link.
Alfred Saikali, an attorney and co-chair of Shook Hardy & Bacon's Data
Security and Data Privacy Practice Group based in Miami, says
criminals are targeting three types of data:
• Personally identifiable information such as name, Social Security
number, financial information, driver's license information and date of
birth.
• Sensitive proprietary information such as trade secrets.
• Health data such as medical records and other information protected
under the Health Insurance Portability and Accountability Act.
"Sometimes, the easiest way into a company's network is through its
people," says Fiterman, a former FBI agent. "The more information I
can identify about people in an organization, the easier it makes my job
as an attacker. I can use intelligence gathered from social networks, for
example, to send highly targeted e-mails with malicious links or
attachments to high-value targets" such as CEOs.
"An employee's employment history, any derogatory or personal
information, financial information, or personally identifiable
information all have value to someone," Fiterman adds.
A stolen medical identity has a $50 street value, whereas a stolen Social
Security number sells for only $1, according to Kirk Herath, chief
privacy officer at Nationwide Mutual Insurance Co. Yet most people
don't protect their medical information as diligently as they protect
their Social Security number.
Mobile Security Challenges for HR
Despite repeated warnings and reports about data breaches, employers
continue to fail miserably when it comes to protecting employee data
and corporate information, experts say. Many organizations put
themselves at risk by allowing employees to take unencrypted data out
of the office on devices such as cellphones, laptops and tablet
computers.
In addition, myriad apps that allow employees to work remotely can
increase cybertheft risks. "Many of these apps will remember IDs and
passwords, therefore placing personal and company data at risk if the
device is stolen or misused by others," says Gregory Rogers, SPHR, vice
president of human resources for GS1 US, an information standards
organization based in Lawrenceville, N.J. The possibilities of
proprietary information ending up in the wrong hands are endless, he
says, and can lead to "payroll and identity theft, retirement plan/401(k)
manipulations, medical plan fraud, inappropriate company intranet
access, and company data theft—all through the use of mobile apps.
"Caution employees to always use a password to access their mobile
devices, particularly if these devices provide access to company sites,"
Rogers says. "Employees should also be cautioned not to store ID and
password information on the device or have the device 'remember' this
information."
Mobile Security Tips
Alex Bobotek is co-chairman of the Messaging, Malware and Mobile
Anti-Abuse Working Group, a global organization based in San
Francisco that targets messaging abuse, and the lead for messaging
anti-abuse architecture and strategy at AT&T Labs. To decrease threats
from mobile devices, he suggests HR professionals make sure
employees:
• Install a mobile anti-virus product from a leading vendor. Many are
free.
• Download applications only from reputable application stores. Don't
download apps from unknown sources such as unofficial app stores or
the Internet.
• Realize that even if an app comes from a reputable app store, it may
not be safe. "Some have hidden Trojans that can cost you money or
steal your information," Bobotek points out.
• Consider any communication to be suspicious—whether in an e-mail,
text message or in-phone ad—that asks you to download an
application.
• Treat as suspicious any notification of a problem with an account that
requests a phone call or a visit to a website to provide account
information.
• Report spam and other unwanted text messages by forwarding them to
7726 (the numbers that spell out "spam" on a phone keypad). The
reports go to the GSMA, an association of mobile communications
providers, which relays the information to providers.
Ponemon reports that 68 percent of companies allow employees to use
their own devices in the workplace. Sixty percent of employees,
however, circumvent their devices' security features by ignoring
warnings not to click on links or failing to download security software.
A bring-your-own-device policy, "from a security perspective, is a rat's
nest," Sjouwerman says. Business leaders who support BYOD policies
should limit the types of devices they support, he says, noting that
Apple devices are more secure than Android devices, for instance.
"Using enterprise mobile device management software can help
companies manage the degree to which employees can access corporate
networks," he adds. With such software, HR and IT staff members can
secure, monitor and manage mobile devices that access the company's
systems.
Cristian Florian, project manager with GFI Software in Cary, N.C., adds
that "some managers may choose to deploy separate wireless networks,
to be used by mobile devices, [that] do not allow full access to company
IT resources, such as virtual private networks and databases."
Experts note that users are downloading a host of social networking,
financial and productivity apps to mobile devices and that malware
threats are increasing apace. "There is an enormous growth in malware
for mobile devices," Sjouwerman says.
"Over 100,000 new [malware] variants are created on a monthly basis,
which makes detecting them very difficult," says James Bower, founder
and CEO of Ninja Technologies, an information security company in
Atlanta.
Users can thwart infection of their devices by purchasing apps directly
from retail outlets such as iTunes, Google Play or BlackBerry World. In
fact, when fashioning a mobile device policy, HR professionals may
want to consider requiring employees to buy apps from reliable
vendors—but it's probably only a matter of time before those apps, too,
are compromised.
How to Make Your Data More Secure
Members of the Society for Human Resource Management's
Technology & HR Management Special Expertise Panel identified
several best practices HR professionals, along with IT professionals,
should follow to keep data secure.
• Use firewalls and virus protection software.
• Establish and enforce a variety of password policies. For example, don't
allow everyone to have the same level of access to certain types of
information. Restrict network access for departing employees.
• Use encryption software.
• Make sure backup systems are in place, and have onsite and offsite
storage, in case of an attack.
• Make sure employees log off or lock computers when not in use.
Other threats facing mobile devices include the low-tech danger of
their being lost or stolen.
Sjouwerman says employees should be required to contact HR if a
device goes missing. If the device is lost or stolen, it should be locked
and its contents deleted as a security precaution.
HR professionals should make sure their companies' IT departments
have policies "governing the use of mobile devices," Fiterman adds.
"Standard guidance usually states, 'Have a password on the device,
don't use it for sensitive data storage, and encrypt data when possible.' "
The Air Up There in the Tech Clouds
IT experts say HR data hosted by a third party in the cloud is only as
safe as the provider hosting it.
Traditionally, companies have been responsible for securing their own
data, says Dave Dalva, vice president at Washington, D.C.-based Stroz
Friedberg LLC, a security risk consulting and investigations company.
But when data are moved to the cloud, the process results in "a
dissolving security perimeter," he notes.
HR leaders need to make sure their vendors have conducted "an
appropriate security analysis of their cloud environment so they're not
putting their customers at risk," Dalva says, "especially if they have
multiple customers with data residing in the same cloud environment.
There needs to be a separation of customers' information to prevent
cross-pollination."
Cloud providers, he says, "need to do the technological due diligence to
make sure their systems are meeting best practices for security."
Due diligence includes making sure "the cloud provider's security
requirements are certified by recognized authorities such as the
International Standards Organization on Data Privacy and Protection,"
says Paul Belliveau, SPHR, managing director and global human
capital management advisor at Avancé-Human Capital Management in
Bedford, N.H. Good cloud providers will also have protocols for
keeping data secure, such as encrypting files or spreading the data out
among different systems.
"Cloud computing is only increasing in scope. And it's critical that
companies invest in cloud partners with the highest level of backup and
data encryption services," says Shari Missman Miller, business
manager at NogginLabs Inc., a custom e-learning software developer
based in Chicago. Miller manages the company's human resources. The
Cisco Global Cloud Index (2011-2016), issued in 2012, predicts that
cloud traffic as a percentage of total data center traffic will increase
from 39 percent in 2011 to 64 percent in 2016.
Experts suggest that HR leaders might want to consider storing really
sensitive HR data in-house. The data that falls into this category
depends on what's most important in a company's business, Belliveau
says. "Is it pay structures or strategies that deal with human capital?
You want to bring that in-house so you're not sharing it," he explains.
Keys to Planning Data Protection
Having a data security plan is critical. "Plan for the inevitable,"
including theft and loss, Dalva says.
Miller agrees, adding, "There isn't really any way to completely
guarantee the safety of corporate data."
HR and IT professionals can reduce the possibility of an attack by
making sure software for routers, wireless devices, printers, laptops
and desktops is current and patched when necessary. "In more than 90
percent of cases, keeping systems up-to-date would have avoided a
security breach," says Florian of GFI Software.
HR and IT professionals also need to know where network
vulnerabilities exist to decrease the probability of a breach. This
includes being aware of how people access and transmit corporate data
and recognizing that a virtual private network (VPN) is more secure
than a standard Internet connection.
Systems security audits—reviewing applications, quizzing employees,
scanning for security vulnerabilities—should be conducted for all those
who access HR data, including third-party sources, says Belliveau, a
member of the Society for Human Resource Management's Technology
& HR Management Special Expertise Panel.
Miller advises HR leaders to focus on prevention and training and to
ensure that employees "follow strict security directives when handling
data, especially in mobile platforms."
"Policy, procedure and security awareness training is essential,"
Florian adds. It's HR's job to create a policy and to be "instrumental in
making sure that policy is applied. From the onboarding process
through annual security awareness trainings, employees need
cybersecurity training."
One way to protect your organization: Train employees to think
critically before they click on e-mailed links. Simple skills, such as
knowing that hovering your mouse over the link will show the link's
destination, can go a long way toward preventing infection, Florian
says. The more employees know about the risks, the more secure data
will be.
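The hover check described above can also be applied mechanically to the HTML body of a received message. The following Python code is an added example, not part of the original article: it flags links whose visible text names one host while the `href` opens another. The function names, the sample message and its `.test`/`.invalid` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text counts as a claimed destination only if it starts like a URL/domain.
DOMAIN_RE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?#\s]|$)")

# Constructed sample message body (hosts use reserved .test/.invalid names).
SAMPLE_EMAIL = """
<p>Your benefits statement is ready.</p>
<a href="https://hr.example.test/statement">hr.example.test/statement</a>
<a href="http://hr.example.test.login.invalid/statement">https://hr.example.test</a>
<a href="https://www.example.test/help">example.test</a>
<a href="https://files.invalid/reset"><b>Click here</b></a>
<a href="mailto:help@example.test">help@example.test</a>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href.strip()))
            self._href = None


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html):
    """Return links whose displayed host differs from the host the href opens."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for text, href in collector.links:
        try:
            parts = urlsplit(href)
        except ValueError:
            continue  # malformed href, nothing to compare
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # mailto:, tel:, relative links
        shown = DOMAIN_RE.match(text.lower())
        if not shown:
            continue  # text such as "Click here" names no destination
        shown_host = _strip_www(shown.group(1))
        real_host = _strip_www(parts.hostname.lower())
        # Same host or a subdomain of the displayed host is consistent.
        if real_host != shown_host and not real_host.endswith("." + shown_host):
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL):
        print(f"displayed {finding['shown']} but opens {finding['actual']}")
```

Links with generic text such as "Click here" make no claim about their destination, so this check does not cover them; they still need the manual hover.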
Verizon reports that 97 percent of breaches "were avoidable through
simple or intermediate controls," such as by training employees not to
click on suspicious links and by changing administrator passwords or
making them more secure.
HR and IT professionals should make sure password policies are
well-enforced, recommends Sorin Mustaca, a security expert and vice
president of product development with Avira Operations GmbH & Co.
KG, a data security company based in Germany. "Many users are
simply unaware how simple their passwords are and that they are
endangering the entire company" if a password is guessed by a hacker.
Two-factor authentication should be required on systems that handle
customer data, he says. With this method, the user provides a keyword
or other special knowledge that proves he or she has the right to access
sensitive data.
Requiring employees to access corporate data only over VPNs instead
of using free Wi-Fi hot spots, or using a security token that generates
new passwords to provide an additional layer of identity protection,
can also help, experts say.
A strong data security plan and effective training aren't always enough.
"If I send one e-mail, I've got about a 25 percent chance that somebody
is going to click on a link in that e-mail. If I increase that to six e-mails,
I've got an 80 percent chance that someone will click on that link," says
Chris Porter, co-author of Verizon's 2013 Data Breach Investigations
Report and managing principal for Verizon's Risk Team. "Even with
training, people will still click on dubious links."
Experts say there was a time when installing anti-virus protection on
all computers was sufficient to prevent breaches, but not anymore.
"All it takes is one simple mistake for an attacker to find and exploit,"
Fiterman says, noting that attackers are highly motivated and working
24/7. "So there's no simple answer, other than understanding that
malicious action is inevitable. Plan, plan, plan."
Aliah D. Wright is an online editor/manager for SHRM and author of A
Necessary Evil: Managing Employee Activity on Facebook, Twitter,
LinkedIn … and the Hundreds of Other Social Media Sites (SHRM,
2013).
Your Law Firm’s Internet Presence
Wednesday September 10, 2014
An Andrew Cabasso and Jurispage Joint
JurisPage.com

Overview
• Email
• Social Media
• Your Website
• SEO
• Internet Marketing
• Ethics

Email

Your Email Address
You want yourname@yourlawfirm.com
4 Steps

Your Email Address: Step 1
Buy a .com domain: $10/year

Your Email Address: Step 2
Find an e-mail host provider
• Google Apps: $5 / user / month
• Zoho: free for up to 10 users
Most likely your registrar offers email too (Godaddy, 1&1, Rackspace, etc. all have inexpensive plans)

Your Email Address: Step 3
Change your MX records
Go to your domain registrar settings to change the e-mail records (called “MX records”) following your e-mail host’s instructions*
*if you get your email from your domain provider, this is not necessary

Your Email Address: Step 4
Configure your e-mail client
Follow your e-mail host’s instructions (this will let you access your email via Outlook or your phone).

Alternatively…
• Option B: Mail server
– Cost
– Security
– Stability
– Scalability
– IT guy

Social Media

Why Engage in Social Media?
1) SEO: Google’s search algorithm cares about social media sharing
2) Go where potential clients are
3) Engage other professionals
Either use it or don’t – don’t half-use it

Which Social Networks?
Focus on 1 or 2
• Google+
• LinkedIn
• Twitter
• Quora
• Facebook
• Pinterest
• Meetup

Google+
• Highest SEO ROI
• G+ Communities for exposure
• Client testimonials / reviews

LinkedIn
Have a Company page that your current employees can join, a personal profile so that clients can give testimonials

Twitter
• Link to blog posts
• Discuss events in your practice area that don’t warrant a blog post
• Engage other attorneys

Quora
A Q&A website – use it to answer relevant questions in your practice area and build authority

Meetup
• In-person events
• Make contacts
• Make friends

Hootsuite
• Saves time, posts to every social network simultaneously
• Scheduled posts

Websites

Things You Need to Have a Website
1. Domain: yourfirm.com
2. Hosting: to make your site accessible
3. Website: preferably using a CMS like Wordpress

What’s a Website For Anyway?
• Getting new leads
• Convincing current leads to become clients
• Establishing authority in your niche among other attorneys

What it Should Have
1. Clear indication of the type of law you practice
2. Contact: Forms and Phone Number
3. Attorney Bios
4. Practice area pages for each type of case
5. Social Proof: Testimonials/Verdicts/Settlements
6. Professional design / layout

Make it Mobile-Friendly
% web traffic from mobile: 40%
Google’s algorithm penalizes non-mobile sites

Mobile-Friendly Example
[Images: Not Mobile-Friendly vs. Mobile-Friendly]

Websites – Mobile Sites
http://boss.blogs.nytimes.com/2014/01/08/making-sure-your-website-is-ready-for-smartphones/

Getting it Built: DIY
Wordpress, Wix, Godaddy
Pros
• Cheap
• You’ll know how to update your content
Cons
• Steep learning curve
• Hard to design
• Have to worry about ethics rules
• Bad SEO

Getting it Built: Professional
Use a Legal-Focused Developer
Ask Them:
• Will it be mobile-friendly?
• Will I be able to update it myself?
– If not, will you update it?
• What CMS will you use?
– Use Wordpress if possible
• Will it be SEO-ready?
– Sitemap, Meta Tags, Content
• How fast will it load?
– Under 3 seconds is best
• Can I see an example of your work?
Be Careful:
• Don’t use other people’s content
• Templates can be boring
• Make sure your site isn’t available through both www.yoursite.com and yoursite.com
• Make sure they’re accessible

Building a Second Website
• Useful for class actions
• Geared towards a specific client type
• Plaintiff / defendant sites

Search Engine Optimization

I Want My Site to Come Up in Google!
On Site
• Page Content
• Meta Tags
• Interlinking
• Posting Frequency
• Page Speed
• Mobile Readiness
Off Site
• Backlinks
– Quality > Quantity
• Social Mentions
• Social Profiles
• Directory Profiles

On Site: Blog, Blog, Blog
• Blogging makes you an authority
• Fresh content tells Google your website is still relevant
• Differentiate yourself

On Site: Keys to Good Blogging
• Write for readers, not machines
• Stay current
• Stay consistent
• Be patient!

On Site: Use Key Language
Optimize keywords
Some Popular Attorney-Related Keyword Descriptors I’ve Come Across:
• Aggressive
• Top
• Affordable
• Cheap
• Best
• Local
And… yes, unfortunately “attornies”

On Site: Hurdles to Blogging
• “I’m too busy”
– Outsource
• “What would I write about”
Blog Topic Suggestions:
• Client FAQs
• The auto-fill trick
• Newly decided cases
• Recently enacted laws
• Recent controversies

The Auto-Fill Trick

On Site: Privacy Policy
No one reads them except
1. The lawyers who write them
2. The developer who copies one and substitutes his/her company name
3. Search engine robots

Off Site: 7 Ways to Increase Backlinks
1. Local Business Directories
2. Social SEO
3. Lawyer Directories
4. Guest Posting
5. Forum Posts / Blog Comments
6. RSS
7. Press Releases

Off Site: Local Business Directories
• Google Places
• Moz Local

Off Site: Social SEO
• Social media sites (as much as some of us may hate them) are vehicles for linking your content for SEO
• LinkedIn
• Twitter
• Facebook
• Quora

Off Site: Lawyer Directories
• Reach many more visitors of popular legal websites that get top organic billing
• Lawyers.com/Lexis/Martindale
• SuperLawyers
• FindLaw
PageRanks for Legal Directories
FindLaw - 7
SuperLawyers - 7
Avvo - 6
Lexis - 6
Martindale - 7
Lawyers.com - 7

Off Site: Reputation Management
If you get a bad review somewhere, it’s not the end of the world. There are PR firms and SEO firms that specialize in burying bad reviews.

Tools
SEO Tools
• Google Analytics
– Monitor website traffic
• Google Webmaster Tools
– Sitemaps, inbound link analysis, keyword analysis
• Google Keyword Tool
– Analyze prospective keywords
• Pingdom Website Speed
• Feedburner
– Create RSS feed for your content / blog
• Keyword Position
– Where does your site show up for a particular keyword?

Tools
[Screenshots: Google Analytics, Google Webmaster Tools, Pingdom Website Speed, FeedBurner, Keyword Position Tool]

Internet Marketing
Advertising in Google, Bing, and Facebook can get clients to your website (through the front door). Once they’re there, it’s up to your website to get them to stay with you.

Keys to Success
1. Use landing pages!
2. Track your campaigns carefully
3. Test changes
4. Try different marketing channels
5. Abandon campaigns that aren’t working

Example Landing Page

Landing Page Basics
• Eliminate distractions: navigation, social links, extraneous information
• Align landing page copy with ad copy
• Include social proof
• Have a clear call to action

Track Your Campaign ROI
• Review keywords periodically
• Track ad click through rate
• First page vs. top-page cost
• Track conversions
$/Lead
$/Client

Test Changes
• Keywords
• Ad Copy
• Landing Page Copy
• Landing Page Geography
• Geography
• Time of Day

Try Different Channels
Directories
Search Engines
Social Networks
Retargeting

Ethics
What You Can, Can’t, and Probably Shouldn’t Do

Ethics - Blogs
• Concerns about blogging?
– Advertising ethics issues
– Blogging about clients
– Getting sued
– Defamation

Ethics - Blogs
• Hunter v. VA State Bar
• VA criminal defense law firm has blog posts, where every blog post is about his firm. No advertising disclaimer

Ethics - Blogs
• A blog is not an attorney advertisement unless the “primary purpose” of the blog is for the retention of the lawyer
• NYSBA Opinion 967 (6/5/13)

Ethics - Blogs
• “Advertisement”
• “any public or private communication made by or on behalf of a lawyer or law firm about that lawyer or law firm’s services, the primary purpose of which is for the retention of the lawyer or law firm.”

Ethics – Blogs
• Blogging about clients?
• In re Pershek (2009)
– Pub defender referred to criminal clients in blog, tried to anonymize them but did a bad job
• Anyone could’ve put pieces together to see who she wrote about

Ethics – Blogs
• Blogging about clients?
• You need written permission if on-going matter
• Non-Confidential info may still be embarrassing to client
– Don’t get to that level

Ethics – Blogs and Stock Photos
• Rule 7.1 (c)
• No fictionalization of a law firm w/o disclosure
• Stock photos
16 instances

Ethics - Expectations
• Board of Managers of 60 E. 88th St. v. Adam Leitman Bailey, PC
– Firm advertising highlighted that it “gets results”
– Judge cut fees from $112,000 to $60,000

Ethics – Attorney Advertising
• ATTORNEY ADVERTISING 7.1(f)
• “Prior results do not guarantee a similar outcome” 7.1(e)

Ethics - Expectations
• Cmt. 12 to 7.1
• Non-comparative characteristics are permissible statements even though not factually supported
• “Hard-working” “dedicated” = yes
• “Best” “hardest-working” = no
• “Big $$$” “We win big” = no - expectation

Ethics - Astroturfing
Yelp, Inc. v. McMillan Law Group, Inc.

Ethics - Astroturfing
• Rule 7.2
– A lawyer shall not compensate or give anything of value to a person or organization to recommend or obtain employment by a client, or as a reward for having made a recommendation resulting in employment by a client

Ethics - Astroturfing
• Rule 7.1
– (a) A lawyer or law firm shall not use or disseminate or participate in the use or dissemination of any advertisement that: (1) contains statements or claims that are false, deceptive or misleading; or (2) violates a Rule

Ethics - Expertise
• “Specialties”
– Yelp
– LinkedIn (not likely an issue anymore)
– NYSBA Opinion 972 (6/26/13)

Ethics - Advertising
• Matter of Dannitte Mays Dickey (S.C. 2012)
• Attorney made false statements on his website
• Used the word “specialist”
• Public reprimand

Ethics - Advertising
• Rule 7.1(q)
• “A lawyer may accept employment that results from participation in activities designed to educate the public to recognize legal problems, to make intelligent selection of counsel or to utilize available legal services.”

Ethics - Advertising
• Rule 7.1(r)
• Without affecting the right to accept employment, a lawyer may speak publicly or write for publication on legal topics so long as the lawyer does not undertake to give individual advice.

Ethics - Advertising
• “Recognition of legal problems” (Cmt. 9 to 7.1)
• Lawyers should encourage and participate in educational and public-relations programs concerning the legal system, with particular reference to legal problems that frequently arise. A lawyer’s participation in an educational program is ordinarily not considered to be advertising because its primary purpose is to educate and inform rather than to attract clients.

Ethics - URLs
• 7.5 (e) – Website URL
• A lawyer or law firm may utilize a domain name for an internet web site that does not include the name of the lawyer or law firm provided: (1) all pages of the web site clearly and conspicuously include the actual name of the lawyer or law firm; (2) the lawyer or law firm in no way attempts to engage in the practice of law using the domain name; (3) the domain name does not imply an ability to obtain results in a matter;

Ethics - URLs
• Winlawyers.com vs. nycriminaldefense.com

Ethics - URLs
• Cmt. 2 to 7.5
• Can always use your firm name or an abbrev.
• Can use practice area (e.g. realestatelaw.com)
– 1. Must have firm name on every page
– 2. Can’t say “contact realestatelaw.com” unless firm name is included in the ad
– 3. No implied results
• E.g. no “win-your-case.com”

Ethics - URLs
• 2003-01: Lawyers’ and Law Firms’ Selection and Advertising of Internet Domain Names
– The web site bearing the domain name must clearly and conspicuously identify the actual law firm name; the domain name must not be false, deceptive or misleading; the name must not imply any special expertise or competence, or suggest a particular result; and, it must not be used in advertising as a substitute identifier of the firm.

Ethics - URLs
• Antonelli-Legal.com
• MEN-Law.com
• HeaneyDisabilityLaw.com
• NYChapter7lawyers.com
• NYInjuryVerdicts.com
• NYInjuryExperts.com

Ethics – Referral Fees
• Rule 7.2 – referral fees
• Totalbankruptcy.com referral fees case
– 5 attorneys found to violate 7.2 (in CT)

Ethics – Referral Fees
• Rule 7.2 – referral fees
• Paying “subscription fees” for advertisements
– The line: paying “per referral”
• Subscription services
– Martindale/Lexis, Avvo, Superlawyers, Findlaw, Totalattorneys

Ethics – Internet Marketing

Ethics – Outsourcing Marketing
• You can’t outsource ethics to your legal marketing / SEO team
• Adwords, blog posts, SEO done by a third-party can’t violate the rules
• If you outsource, make sure they know the attorney ethics rules, what they can / can’t do

Ethics - Retention
• Rule 7.1 (k)
• Retain computer-based advertisements for 1 year
• Retain website redesigns for at least 90 days

Ethics - Judges
• Don’t tweet during a trial, you’ll regret it
• Friending judges is tricky…
• Don’t blog about a pending case or judge
• Rules 3.5, 3.6, 8.1, 8.4, 8.5

Ethics - Judges
• Rule 3.5 (a)
• A lawyer shall not:
• (1) seek to or cause another person to influence a judge, official or employee of a tribunal by means prohibited by law . . .

Ethics - Judges
• Rule 3.6
• No extrajudicial statements the lawyer “knows or reasonably should know” will be publicly disseminated and can prejudice the matter

Ethics - Judges
• Rule 8.1
• No false statements concerning the quality, integrity, or conduct of judges

Ethics - Judges
• Rule 8.4 (d)
• A lawyer shall not: . . . engage in conduct that is prejudicial to the administration of justice

Ethics - Judges
• Rule 8.5
• (a) A lawyer shall not knowingly make a false statement of fact concerning the qualifications, conduct or integrity of a judge or other adjudicatory officer or of a candidate for election or appointment to judicial office.

Ethics - Judges
• Don’t write a blog post about a judge
• NY lawyer suspended for 5 years
• Attorney wrote a blog post to campaign for the attorney’s client who was imprisoned after being held in contempt by the judge
• The blog named the judge, tried to create a campaign to pressure the judge to free the client

Ethics - Judges
• Domville v. State (Fla. Jan. 2012)
• Judge friend requested a prosecutor in the case

Ethics - Judges
• Chace v. Loisel (Fla. Jan. 2014)
• Judge friend requested a litigant in an ongoing case

Ethics - Judges
• Matter of Terry (N.C. 2009)
• Attorney messaged judge on Facebook regarding a pending case

Ethics - Judges
• Florida State Bar v. Conway (Fla. 2008)
• Blog criticizing judge as “unfair witch”
• Public reprimand

Ethics - Judges
Las Vegas substitute judge sacked

References
• http://jurispage.com/category/ethics/

Thank You
Andrew Cabasso
Phone: (800) 863-7603
Email: andrew@jurispage.com
Twitter: @andycabasso
Blog: jurispage.com/blog
Web: jurispage.com
Slides available at slideshare.com/jurispage
Free SEO for Lawyers eBook available at jurispage.com/ebook

Andrew Cabasso
(631) 606-0052 | andrew@jurispage.com
Experience
JurisPage
New York, NY, January 2013 – Present
Founder
Provide internet marketing services to small and medium-sized law firms, including mobile-ready website design,
SEO, Adwords campaign management. Publish a blog at jurispage.com/blog covering topics related to law firm
website design, search engine optimization, internet marketing, legal tech startups, and law practice management.
Selected Publications
JurisPage Blog, JURISPAGE, jurispage.com/blog (2013-Present)
Pay Per Click Marketing for Lawyers (September 2014)
Cloud Case Management Software Comparison, JURISPAGE, http://jurispage.com/2014/practice-management-reviews/law-firmpractice-and-case-management-software-comparison-chart/ (April 2014)
How to Pick an Ethical Domain Name, BROOKLYN BARRISTER, available at http://www.brooklynbar.org/wpcontent/uploads/01-12_Barrister_01_2014.pdf (Jan. 2014)
Get New Law Firm Clients, SLIDESHARE, slideshare.net/jurispage (August 2013)
Search Engine Optimization for Lawyers: Utilize SEO to Get New Clients Today, AMAZON, available at
http://www.amazon.com/Search-Engine-Optimization-Lawyers-Utilize-ebook/dp/B00BMTX1JA (February 2013)
Piercing Pennoyer with the Sword of a Thousand Truths: Jurisdictional Issues in the Virtual World, 22 Fordham Intell. Prop. Media & Ent.
L. J. 383 (2012)
Speaking Engagements
Google Hangouts for Lawyers, WEBINAR (August 2014)
How to Bring in New Clients via the Web with Online Marketing, WEBINAR (July 2014)
Social Media and Website Tips for Lawyers, LIVE CLE (April 2014)
Your Law Firm’s Internet Presence, LIVE CLE (March 2014)
Tech Tips for Attorneys: Your Firm’s Internet Presence, LIVE CLE (January 2014)
Bar Admissions
New York, New Jersey
Memberships and Committees
New York County Lawyers Association Young Lawyers Section (2013-Present)
Brooklyn Bar Association Young Lawyers Section (2013-Present)
New York City Bar Information Technology Committee (2013-2014)