United States: The "Bring Your Own Device" To Work Movement

I. INTRODUCTION

Two different, but interrelated, phenomena have been occurring over the last decade that are radically reshaping the work environment at many companies. The first is commonly referred to as the "Consumerization of Information Technology." The second is the blurring of the line between work life and personal life experienced by many employees.

One result is the rapid adoption of mobile devices by employees—including iPhones, iPads, Android smartphones, and other devices. Due to their ease of use and the functionality enhanced by hundreds of thousands of free or low-cost applications available for these devices, millions of employees have begun using them to perform work. Recognizing this, a growing number of companies have struggled to create new policies that allow employees to use their personal mobile devices to create, store, and transmit work-related data. These new policies turn an employee's personal device into a "dual-use" device, one used for both personal and company data and activities. This trend is generally referred to as "Bring Your Own Device" or BYOD. Some companies even allow their employees to replace their work laptop computer with their own personal PC, which is sometimes referred to as BYOC.

This Littler Report examines the development of this irreversible trend and explores the very real and immediate challenges—both practical and legal—it creates for employers. Thereafter we set forth a series of recommendations to assist employers in mitigating these risks as the BYOD movement continues to reshape the workplace and even the concept of "a" workplace.

The risks fall into two broad categories. The first set of risks relates to the fact that a company's data is now being stored and transmitted using devices and networks the employer may not own or control. This loss of control clashes with the growth over the last decade of government regulations requiring companies to carefully protect the privacy and security of sensitive personal, financial, and health-related data. It also poses risks to the protection of a company's trade secret, proprietary, or confidential information.

The second set of risks arises from the impact BYOD policies may have on the behavior of employees. For example, employees may feel the use of their own personal devices should not be regulated by company policies on acceptable use, or they may be more likely to engage in "off-the-clock" work that could either increase overtime expenses or the risk of wage and hour claims. Employees may be more inclined to access in the workplace immediately available images and other material that could be in conflict with harassment prevention policies. This is different from the past decade where employers could set limits on usage because they owned and had more control over workplace computers and mobile devices.

Many of these risks can be addressed through the use of new types of software, typically referred to as Mobile Device Management software, that give employers a measure of control over their employees' dual-use devices. But this software can only mitigate, not eliminate, these risks. Employers must also consider revising or creating new policies and operating procedures, entering into new or supplemented employee agreements, and developing a broad awareness of these issues among their employees. This is more than rewriting the company's Acceptable Use Policy. The BYOD movement requires consistency across multiple workplace policies and practices.

Several of the risk areas discussed in this Report also apply to company-owned mobile devices, but the focus of this Report is on identifying challenges for companies that are pursuing BYOD policies or are reacting to the inevitable use of personal devices in the workplace.

We focus this Report on the BYOD movement because the light-speed growth of consumer technology, and the lifestyle plus skills of new generations, increasingly are clashing with traditional ways of mitigating employment and labor law risk. A new set of solutions is desperately needed. Many employers have already built pathways for the BYOD Movement. Littler predicts that within no more than one to three years virtually every employer will have confronted this issue and a majority will have harnessed the positive energy and advantages of the Movement while mitigating risk through new technology, revised policies and practices, and employee education.

II. BACKGROUND

A. The Consumerization of Information Technology

The phrase the "Consumerization of IT" was coined in 2001 by researchers at Computer Sciences Corporation (CSC). They used the phrase to describe "the radical reorientation of the IT industry" they saw taking shape in many companies because of the emergence of consumer technologies.¹ In 2004, the same CSC researchers published a Position Paper, The "Consumerization" of Information Technology.² The Paper described their observations and findings about how consumer-based technologies, public (as opposed to private) infrastructure, and applications had the potential to dramatically lower the cost and improve the functionality of corporate IT departments. Several of their key findings are highly relevant to the BYOD discussion; some are even prescient. For that reason, their findings are restated in their entirety below.

• Consumerized technologies, infrastructure and applications can deliver dramatically lower costs and equally significant improvements in business functionality and ease of use. While most of these technologies have been on the radar screen for several years, we believe that they are now reaching critical mass, and that organizations need a process for adjusting to these developments.
• Enterprises have usually supported IT with private infrastructures. There is growing tension between this traditional sourcing model and the consumerized alternatives that are now available. Over time, comprehensive private IT infrastructures will become a luxury that even the biggest organizations cannot afford. We believe that consumerization will be the process by which many of these traditional infrastructures are transformed and revitalized.
• In many organizations, existing infrastructures and their supporting policies and assumptions have become a barrier to innovation and a source of increasing employee frustration with corporate IT. The potential conflicts between exciting new consumerized services and ageing business infrastructures must be minimized. CIOs must be on the side of change.
• Consumerization seems likely to be a classic case of "disruptive" technology, which means many organizations will find it difficult to manage. To exploit consumerized technology and public infrastructure successfully, companies must decide to support this transition and then learn to scan, evaluate and judge service maturity.
• CIOs will eventually be asked to integrate these new services with existing business systems. This will prove a daunting challenge, and will show that some consumer services are not as cheap as they first appear.

• Although the security issues are often very real and can in the short term be only partially addressed, they should not be allowed to stop emerging consumer infrastructure usage. Over time, market pressures will push many consumer systems to match or exceed the security of privately managed systems. In some areas, this has already happened.
• Companies must treat users as consumers, encouraging employee responsibility, ownership and trust by providing choice, simplicity and service. The parent/child attitude that many IT departments have traditionally taken toward end users is now obsolete.
• To take advantage of consumerization, companies must acknowledge and leverage the blurring of our personal and professional lives. This means adopting differentiated employee usage and support models. The traditional top-down, one-size-fits-all approach will increasingly alienate employees and result in lost business opportunities.
• As the current pace of technology improvement is expected to continue for many years, these issues are sure to become more important. Companies that gain an early understanding of consumerized technologies and their related issues will have significant cost and usage advantages.

(Emphasis added.)

Over the last few years—primarily due to the broad popular appeal of the iPhone, the iPad, and Android devices— the consumerization trend has accelerated. In fact, in April of 2012, Apple created a new feature on its website called iPhone at Work. The page lists apps designed to help you organize your day, view your business, manage projects, meet anywhere, and travel light. The broad appeal of these devices, coupled with their rapid adoption by consumers, has caused many CIOs to begin allowing these devices to interact with corporate IT systems and even replace company-owned devices.

According to one recent study that aggregated data from multiple sources, there is a shift away from laptops and PCs towards smartphones and tablets. In 2010, 350.8 million personal computers were sold worldwide. During the same timeframe, 296.6 million smartphones and 17.6 million tablets were sold. For 2011, the estimates were that 364 million PCs would be sold, but 468 million smartphones and 63.6 million tablets would be sold. The trend will continue with tablet sales predicted to roughly equal overall PC sales by 2015.³

B. Adoption of BYOD Policies

According to a global study by the Aberdeen group in July 2011, of 415 companies surveyed, 75 percent allowed employees to use their personal mobile devices for business purposes.⁴ Another survey by Forester Research showed similar adoption rates of BYOD. In their study from the Fall of 2011 of roughly 1,600 US information technology workers, Forester found that 48 percent of those responding were able to purchase the smartphone of their choice and use it for work.⁵ A 2011 study by IDC and Unisys of 3,000 information workers and business executives in nine countries showed that more than 40% of the devices used by respondents to access business applications were personal devices. This is a 10% increase from a 2010 study. The study also shows that work is intruding on personal life. Approximately 50% of respondents reported using personal devices to conduct work on vacation, 29% while in bed, and almost 20% while driving. A surprising 5% reported using the devices in a place of worship. They also use their devices to perform work during "down time" (vacations and watching TV) and while at family gatherings.⁶

Perhaps the largest company to adopt a BYOD policy is IBM, which recently started a BYOD program. At present, only 80,000 IBM employees use their own personal devices, but the company hopes to extend the program to include all 440,000 employees.⁷ Although IBM had traditionally offered corporate-owned and managed Blackberries, iPhones and other devices started making an appearance. IBM's CIO decided that "If we didn't support them, we figured [employees] would figure out how to support [the devices] themselves."⁸ This self-directed approach would have been a problem for IBM given the volumes of sensitive information that could have been put at risk. According to IBM's CIO, employees "will find the most appropriate tool to get their job done. I want to make sure I can enable them to do that, but in a way that safeguards the integrity of our business."⁹

As one way of mitigating the risks to company data, IBM is building what they call "fit for business" tools that offer the functionality of popular consumer-level tools, but which include the security features IBM requires. One example is an IBM version of the popular cloud-based remote storage service Dropbox.¹⁰

As another example, Kraft Foods started a BYOD program in 2010. Kraft gives approximately 800 employees a stipend to buy either a Windows or Mac computer. If an employee wants a computer that costs more than the stipend amount, the employee must pay the difference. The Kraft program is not available to company executives who handle confidential information, Legal or HR staff, or employees who use their PC to run production equipment. Factory workers are also not eligible.¹¹

Sybase, a 4,000-employee company, has developed a policy that embraces BYOD. Sybase makes and sells software (called Afaria) that allows employers to control dual-use devices. Sybase has leveraged this software for its own internal operations.¹² Under the Sybase approach:

• Employees can choose from 20 different phones.
• Employees buy and own the phones, but Sybase pays for the monthly service contract.¹³
• Sybase apps such as Mobile Office for work email and contacts can be installed and run on those phones.

Employees must let Sybase use its Afaria software to wipe their devices and delete company data if they are lost or stolen, or if the employees leave the company.¹⁴

Citrix, a company that sells software to virtualize the corporate desktop and make it available remotely to workers, adopted a BYOD program in 2008. Citrix gives each employee a $2,100 stipend to purchase a laptop of their choice and a 3-year warranty. Citrix's internal cost for similar equipment and service was $2,600. Citrix reports an adoption rate of about 20%. By using their own desktop virtualization software, Citrix ensures that sensitive corporate data stays on secure corporate servers and is not stored on employee devices, thus mitigating many of the data-related risks described in this Littler Report.¹⁵

C. A Cost/Benefit Decision for Employers

Many companies that are adopting dual-use device policies are doing so because they believe this approach has significant benefits for both the company and their employees, including:

• Reducing expenses for employers (estimated to be approx. $80 per employee per month for device, cellular access, etc.) by allowing companies to leverage their employees' investments in devices
• Improving employee engagement because employees can use devices they want and already know how to use
• Aiding in the recruitment of new employees
• Solving the "two pocket problem" by allowing employees to carry only one device, rather than two—one for business and one for personal use
• Allowing companies to more quickly take advantage of newer technologies that reduce cost and promote collaboration

This "common sense" approach that is gaining acceptance is not without challenges and concerns. Some recent research suggests that BYOD programs have hidden costs that may cause companies to spend more money than they realize and could make the programs more expensive to operate than the traditional model. A recent article in CIO magazine¹⁶ describes these hidden costs.

First, employers lose the power of bulk purchasing and the ability to demand discounts from device manufacturers and cellular providers when their employees purchase individually. These higher costs hit the company through employee expense reimbursements, with a cost differential as much as $10 a month per device per employee.

Second, some companies experience higher help desk and support costs because employees use multiple platforms on many different devices, making it harder and more expensive to support them. And, employers who decide to create their own internal mobile device applications (or "Apps") are faced with the prospect of developing them for multiple platforms as opposed to a single corporate standard.

Security is also another expensive item for employers. In a recent survey by Aberdeen of more than 600 IT decision makers, they discovered that more than half of the companies reported experiencing a security breach as a result of consumer gadgets.

The article concluded with this sobering fact:

(Emphasis added.) If the perceived cost savings are the primary driver for a company—as opposed to the cultural, flexibility, or employee engagement benefits—companies should evaluate the cost savings closely before making this fundamental change. The total cost debate is far from settled and will change over time.

D. The "Appification" of Corporate Information Technology

The consumerization trend goes beyond merely the devices employees use to access, store, and transmit data. It also extends to the applications and services they use with the devices to conduct business. Given the low-cost, or even free, applications that are available to mobile device users via the Apple Store or the Android Marketplace, it is not surprising that employees are beginning to adopt these consumer-level applications and leverage them for business. After all,

In addition, some predict the growth of transient apps, which are described as a new category of enterprise App that meets the needs of multi-tasking workers who can use an App to meet a specific purpose and then dispose of it. Such apps are generally simple apps that are "lightweight, custom, easy to integrate, not mission-critical (relative to mobile enabled ERP or CRM business apps), self-service, low-cost, take less than two weeks to develop and often 'mash up' data from internal and external sources." Examples of such transient apps include things such as corporate conference apps, resource scheduling apps, project management apps, brainstorming apps, and time and expense reporting apps.¹⁸ These "quick and dirty" apps will supplement more traditional applications as well as new mobile apps that allow easier access to traditional corporate IT systems, including Customer Relationship Management software or other enterprise applications.¹⁹

Some companies are embracing this "Enterprise App" trend and have started developing applications specifically for their employees to help them accomplish their jobs. For example, Genentech has built an enterprise App store stocked with third-party applications that employees can use to get their job done. This has created a new mentality of "I have an app for that."²⁰ Other vendors offer software to allow mobile employees to access corporate SharePoint sites securely.

Companies are also developing marketplaces for apps targeting specific industries, such as Happtique, a mobile App store for hospitals and healthcare professionals. It offers a catalog of mobile health apps that are designed to connect patients to their healthcare providers and physicians through mobile phones. The platform is being used by hospitals such as Mount Sinai Hospital and Beth Israel Medical Center.²¹

E. Challenges for Employers

The move to greater adoption of mobile devices is clearly accelerating and appears irreversible. They provide workers with too much flexibility and convenience to be ignored. The question for employers is how to respond to this trend. There are several options, including providing employees with a wider variety of corporate-owned mobile devices to allow employees to use the device of their choice and loosening restrictions on use of these devices for personal activity. Another option, which is currently enjoying a surge in popularity, is to allow employees to use their personally owned devices to perform work and adopt BYOD programs. The remainder of this Report describes the challenges a BYOD approach creates for employers and provides practical recommendations employers can consider to mitigate the risks.

These developments pose two types of challenges for organizations. First, companies that adopt a BYOD policy now have their corporate data stored on personal devices owned by their employees. This creates several data-related challenges for companies, especially those in highly regulated environments, such as healthcare, financial services, and those that handle sensitive personal information. Second, because employees are using devices they own, it may change their expectations regarding what constitutes appropriate use of the device. This change could create significant conflict with other company policies.

In fact, recent research shows the personal "ethics" or "morals" of some workers who are active "social networkers" sharply diverge from other workers on key issues. In the 2011 National Business Ethics Survey (NBES), the Ethics Resource Center reported that active social networkers (defined as an employee who spends 30% or more of his or her work day participating on various social network sites) are more likely to believe that certain questionable behaviors are acceptable. The table below shows the responses to several questions by those who are active social networkers compared with other US workers.

While these findings may not be generally applicable to all mobile workers, these potential changes in expectations and attitudes, combined with the dispersion of corporate data to devices beyond the corporation's immediate control, deserve considerable attention. Companies should consider these issues when crafting policies and procedures to accompany the rollout of a BYOD program.

III. DATA-RELATED CHALLENGES OF BYOD PROGRAMS

The move to dual-use devices raises several challenges because company data is no longer stored on devices the company owns and can control. These challenges arise in the area of security and privacy, litigation holds, record retention obligations, trade secret protection, and more.

A. Information Security Risks for the Employer's Information

Dual-use devices can expose businesses' sensitive information to unauthorized acquisition in many ways. In a recent survey of 614 senior-level IT security professionals, 76% of the respondents reported that employees' use of mobile data-bearing computing devices, such as smartphones and tablets, created a "significant" or "very significant" risk for their organizations' security posture.²² 1. Lost or stolen devices

The most obvious risk is the loss or theft of a dual-use device. According to a study of security breaches published by the Ponemon Institute in 2011, a leading information security think tank, lost and stolen equipment was the number one cause of surveyed security breaches, accounting for 31% of surveyed breaches.²³ In a more recent study by Ponemon, 39% of respondents reported that their organizations had sustained a data security breach in 2011 as a result of lost or stolen equipment.²⁴ In 2011, Lookout, a company that provides software to help locate lost or stolen devices, helped 9 million people locate their devices. That corresponds to one locate request every 3.5 seconds. 2. Malware

Even if a dual-use device is not lost or stolen, the device can create security risks in other ways. For example, in February 2012, Juniper Networks reported a 155% increase from 2010 to 2011 in the volume of malicious software created for mobile devices.²⁵ Some of this malicious software takes the form of apparently innocuous applications ("Apps") downloaded to the dual-use device, particularly devices running the Android operating systems. While Apple screens Apps offered through its App Store, the Android Market does not, and anyone can submit an App for downloading. As a result, applications available for that platform are more likely to be malicious. In fact, in the last seven months of 2011 alone, Juniper found "malware targeting the Android platform rose 3,325 percent."²⁶ The sophistication of the attacks is also increasing. One reflection of this potential exploit is the Ponemon Institute's finding that insecure mobile devices were the fourth most common cause of the loss or theft of corporate data, accounting for 13% of the surveyed breaches.²⁷

3. Friends and family While hackers are commonly believed to be the greatest threat to sensitive information, the reality is that friends, family members and housemates can pose an even more significant risk to sensitive information stored on a dual-use device. When an employee shares a dual-use device with others perceived as trustworthy, or leaves the device unattended in an apparently friendly environment, a trusted person likely would have no need to bypass security measures, such as encryption or password protection because the device would already be unlocked. To be sure, the idea that an employee's "circle of trust" could pose a greater security risk than a hacker may seem cynical, but a report by the U.S. Treasury Department's Financial Crimes Enforcement Network provides empirical support. That study found that, in 27.5% of suspicious activity reports filed by depository institutions between 2003 and 2009, the identity theft victim knew the suspected thief, who was usually a family member, friend, acquaintance, or an employee working in the victim's home.²⁸

4. Gateway to the cloud

Mobile devices can also be viewed as a "gateway to the Cloud." That is, mobile device users are offered a variety of free or low-cost applications, such as Dropbox and Evernote, that allow them to create content and store it, or back it up, using cloud-based storage. While these tools offer great convenience and functionality for consumers, companies must evaluate whether they provide sufficient security before they are used to store company data, especially sensitive personal data, health data, or company trade secrets. Many of the federal and state regulations discussed below impose obligations on companies to: (1) carefully select and oversee their vendors to ensure they are capable of protecting their information; and (2) bind those vendors by contract to safeguard sensitive information. Although these statutes do not specifically address dual-use devices or cloud storage, they extend to sensitive information, regardless of where it is stored. Moreover, as noted below in the discussion of the Stored Communications Act (see Section III.C.2), a company may not have ready access to their data if it is stored with a cloud provider under contract with the employee rather than the employer.

5. Implications of a security breach

These risks can expose organizations to government enforcement actions, civil penalties, and litigation as statutory, regulatory and contractual obligations to safeguard sensitive information become increasingly prevalent. Under the information security regulations (the "Security Rule") promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), hospitals, health care providers, health insurers and self-insured health plans are required to implement technical, physical and administrative safeguards for protected health information (PHI) in electronic form.²⁹ Notably, the U.S. Department of Health and Human Services, which enforces HIPAA, has recently obtained seven-figure settlements in two different matters arising from security breaches.³⁰ Like HIPAA, the Gramm- Leach-Bliley Act (GLBA) extends protections to information created or received by a "financial institution"—a broadly defined term that includes not only banks but also car dealerships that extend credit and even some travel agencies— in connection with the customer relationship.³¹

Many states have enacted laws that impose information security obligations on businesses that collect or store Social Security numbers, drivers' license numbers, credit and debit card numbers, and financial account numbers. Massachusetts and Oregon, for example, require that such businesses implement a comprehensive, written information security program and provide detailed requirements for implementing the program.³² Massachusetts' information security regulations specifically address portable devices, requiring encryption of personal information stored on them. Moreover, the Massachusetts Attorney General has recently obtained monetary penalties against businesses that have failed to fulfill information security obligations.³³

Other states, such as California and Texas, impose a general statutory duty on businesses to safeguard personal information.³⁴ In addition to these more general requirements, a majority of states have enacted narrower information security laws. At least twenty-nine states, for example, require the secure destruction or protection of personal information in electronic form.³⁵

While these statutes and regulations tend to apply only to specific industry sectors or states, their impact has resonated far beyond the businesses directly subject to them. Many of those statutes and regulations, either expressly or implicitly, require companies to carefully screen vendors that handle a company's sensitive personal information— such as, third-party administrators, billing services, insurance brokers, information technology consultants, auditors, accountants and attorneys—and ensure they are capable of providing adequate safeguards for sensitive information. Many of these statutes and regulations also require businesses to bind those vendors, by contract, to implement safeguards to protect this information. Although these regulations may not specifically address dual-use devices or cloud storage vendors, they necessarily apply to sensitive information, regardless of where it is stored.

Footnotes

1 David Moschella, What the Consumerization of IT means to your business, ten messages for CXOs, at http://lef.csc.com/blog/post/2011/06/what-the-consumerization-of-it-means-to-your-business-ten-messages-for-cxos .

2 David Moschella, Dou Neal, and John Taylor, The 'Consumerization' of Information Technology, Computer Sciences Corp, 2004

3 David Meyer, Sales of Smartphones and Tablets to Exceed PCs, Oct. 6, 2011, Practical eCommerce, Insights for Online Merchants, available at http://www. practicalecommerce.com/articles/3069-Sales-of-Smartphones-and-Tablets-to-Exceed-PCs - .

4 Dave Zielinski, Bring Your Own Devices, Society for Human Resource Management, Vol. 51, No. 2, available at http://www.shrm.org/Publications/ hrmagazine/EditorialContent/2012/0212/Pages/0212tech.aspx .

5 Id.

6 Frank Gens, Danielle Levitas, and Rebecca Segal, 2011 Consumerization of IT Study: Closing the "Consumerization Gap", July 2011.

7 Chris Kanaracus, IBM CIO discusses Big Blue's BYOD strategy, Computerworld, Mar. 26, 2012, http://www.computerworld.com/s/article/9225563/IBM_ CIO_discusses_Big_Blue_39_s_BYOD_strategy .

8 Id.

9 Id.

10 Id.

11 Verne G. Kopytoff, More Offices Let Workers Choose Their Own Devices, Sept. 22, 2011, http://www.nytimes.com/2011/09/23/technology/workers-own-cellphones-and-ipads-find-a-role-at-the-office.html?pagewanted=all .

12 JP Finnell, Transient Apps: The Consumer Influence on Enterprise Mobility, Part 2, GigaOm, Aug. 2010.

13 Dave Zielinski, Bring Your Own Devices, Society for Human Resource Management, Vol. 51, No. 2, available at http://www.shrm.org/Publications/ hrmagazine/EditorialContent/2012/0212/Pages/0212tech.aspx .

14 Id.

15 Id. http://www.shrm.org/Publications/hrmagazine/EditorialContent/2012/0212/Pages/0212tech.aspxhttp://www.shrm.org/Publications/ hrmagazine/EditorialContent/2012/0212/Pages/0212tech.aspx .

16 See Tom Kaneshige, "BYOD" If You Think You're Saving Money, Think Again, CIO Magazine, Apr. 4, 2012, available at http://www.cio.com/article/703511/ BYOD_If_You_Think_You_re_Saving_Money_Think_Again .

17 David Moschella, Dou Neal, and John Taylor, The 'Consumerization' of Information Technology, supra n. 2 at 4.

18 JP Finnell, Transient Apps: The Consumer Influence on Enterprise Mobility, Part 2, GigaOm, Aug. 2010.

19 Id.

20 Id.

21 Rip Empson, Happtique Brings Secure, Branded App Stores To Hospitals And Healthcare, Dec. 7, 2001, at http://techcrunch.com/2011/12/07/happtique-brings-secure-branded-app-stores-to-hospitals-and-healthcare/.

22 Ponemon Institute, Future State of IT Security: A Survey of IT Security Executives, Feb. 2012, available at http://365.rsaconference.com/servlet/JiveServlet/ download/17366-3683/RSAC+Manuscript+FINAL+7.pdf , at 6.

23 Ponemon Institute, Understanding Security Complexity in 21st Century IT Environments, Feb. 2011, available at http://www.checkpoint.com/downloads/ whitepapers/ponemon-check-point-march2011.pdf , at 10.

24 Ponemon Institute, 2011 Cost of Data Breach Study: United States, Mar. 2012, available at http://bit.ly/xBF6vr , at 10 (shortened URL link directs to report on Symantec website).

25 Juniper Networks, 2011 Mobile Threats Report, Feb. 2012, at 6, available at http://www.juniper.net/us/en/local/pdf/additional-resources/jnpr-2011- mobile-threats-report.pdf?utm_source=promo&utm_medium=right_promo&utm_campaign=mobile_threat_report_0212 ,

26 Id. at 8.

27 Ponemon Institute, Understanding Security Complexity in 21st Century IT Environments, supra note 22, at 10.

28 U.S. Department of Treasury, Financial Crimes Enforcement Network, Identity Theft: Trends, Patterns and Typologies Reported in Suspicious Activity Reports Filed By Depository Institutions, January 1, 2003 – December 31, 2009, Oct. 2010, available at http://www.fincen.gov/news_room/rp/reports/pdf/ID Theft.pdf , at 4.

29 See 45 C.F.R. pts. 160, 162 and 164.

30 See Phillip L. Gordon, Finding the Messages to Employers in $1.5M HIPAA Settlement, Workplace Privacy Counsel (Mar. 14, 2012), at http://privacyblog. littler.com/2012/03/articles/hipaa-1/finding-the-messages-to-employers-in-15m-hipaa-settlement/ ; Phillip L. Gordon, HHS' One-Two HIPAA Penalty Punch Sends a Message to Employers and Providers, Workplace Privacy Counsel (Mar. 8, 2011), at http://privacyblog.littler.com/2011/03/articles/ hipaa-1/hhs-onetwo-hipaa-penalty-punch-sends-a-message-to-employers-and-providers/ .

31 15 U.S.C. §§ 6801 – 6809.

32 Mass. Regs. Code tit. 201, §§ 17.03 – 17.04; Or. Rev. Stat. §§ 646A.622.

33 See Ellen Giblin, Massachusetts Extends Reach of Data Protection Regulations, Workplace Privacy Counsel (May 18, 2011), at http://privacyblog.littler. com/2011/05/articles/data-security/massachusetts-extends-reach-of-data-protection-regulations/ .

34 See Cal. Civ. Code §§ 1798.80 et seq.

35 See National Conference of State Legislatures, Data Disposal Laws, at http://www.ncsl.org/issues-research/telecom/data-disposal-laws.aspx.

To view this article in full together with its remaining footnotes please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.