By Deborah Shinbein, CIPP/US
Data Law Group, P.C.
This article is the fourth in a series describing different privacy and security considerations that apply to nonprofit organizations. For Part I of the series, click here. For Part II, click here. For Part III, click here.
The “bring your own device” (“BYOD”) trend of employees using their own smartphones, tablets, laptops, and other devices in the workplace, can lead to security risks for a company’s confidential information. Because the company does not control the employee’s device, the devices may not contain the protections the company would typically require on the company’s own devices or network.
Allowing employees to use their own devices when accessing the company’s confidential information can cause security risks, including an inability to manage and track the company’s information, storage of confidential information by employees in unsecure cloud services, use of employee devices by friends/family who may see confidential information, risk of lost or stolen devices, insufficient security settings on the device, and other issues. There are several steps your company can take to mitigate these risks.
The company should require that mobile device management software provided by the company be installed on all personal devices used for business purposes. This software program should include features such as:
- Remotely delete all data from the device if it is reported as lost or stolen, or after a designated number of incorrect password access attempts;
- Security software to ensure the device’s storage and transmissions are in accordance with the company’s security standards;
- Remote backups of the device on a regular basis;
- Encryption of data as designated by the company’s IT department;
- Requirement of strong passwords, and frequently changing the passwords; and
- Other features as designated by the company.
The company should establish a BYOD policy/agreement, which all of the company’s employees should be required to sign. Among other precautions, the policy should include the following:
- Require that the company’s mobile device management software (described above) be installed before any company information may be accessed or used on a personal device;
- Limit the type of information that may be accessed from personal devices;
- Require that certain information on the devices be encrypted;
- Devices must be protected by complex passwords, changed frequently;
- Employees must immediately report the loss or theft of a device, so the company can send the “remote wipe” command to delete the device’s data;
- Prohibit storing the company’s information in cloud storage services other than those provided or approved by the company;
- Employees must consent to the employer’s access to the device, and all data on the device, if the company needs to do so for legal reasons;
- Employees must consent to having the employer monitor the device if appropriate based on the nature of the company’s business and data;
- Procedures regarding the company’s review/access to the device upon the employee’s termination;
- Describe if/when the device may be used on unsecured public wi-fi networks;
- Describe if/when personal email accounts may be used for work-related purposes;
- Requirements regarding the device’s internal security settings and which alterations, if any, may be made by the employee (also consider system updates);
- Describe required backup policies and the ability of the company to access those backups;
- Restrict use of the device by friends and family (or consider establishing a separate walled user log-in for any company information on the device); and
- Other terms as applicable depending on the nature of the company’s business, the type of data accessible to employees, and the laws and regulations governing the business.
All new and existing employees should be required to sign the agreement and follow the policy. When requiring an existing employee to sign a new agreement, be mindful of the legal requirements regarding how to handle data already on the employee’s device, and be sure to obtain adequate consents and comply with legal requirements when making changes to current practices.
This article should not be construed as legal advice, and no attorney-client relationship is formed by reading this article or contacting the author.
For further information, please feel free to contact Deborah Shinbein at firstname.lastname@example.org or visit www.datalawgroup.com.