Employer's data, employee's device: Avoid the pitfalls
Information has gone mobile, and employers and employees are moving right along with it. Access to the office and all its data is now in the palm of employees' hands in the form of their smartphones and tablets.
These devices make workers more efficient and more flexible, but there can be pitfalls. In addition to security concerns, a worker's personal device used for work - and the information it contains - could be used as evidence in the event that the company is sued.
That's why it's incumbent upon every employer to institute common-sense workplace policies, or what I call the BYOD defense, as in Bring Your Own Device.
In my practice at Scaringi Law, where I focus on employment law and civil litigation, I frequently assist companies in becoming BYOD-protected.
The following are some key points that any company developing a BYOD policy needs to consider.
Password protection is a must
When an employee's mobile device is allowed to access his or her company's data, that means a firm's information is only as secure as the password on that device - a serious consideration should the worker's smartphone or tablet be lost or stolen.
To ensure data protection in a BYOD workplace world, employers need a policy that requires that employees who access the company email, internal network (intranet), cloud and servers with their own device enable the device's password security features. Taking this simple step is an easy way to take an active role in protecting company data.
A BYOD workplace policy that spells this out is a win-win for both parties. It's not a huge burden for employees to activate their phone's security features, which include numerical passwords and automatic locking settings after a short time of inactivity. Apple's iPhone also offers a fingerprint recognition system to unlock the phone, while some Android devices can use a personalized diagram to unlock the phone.
The bottom line is these features prevent unauthorized people from using an employee's mobile device as an entryway into the company's customer accounts and other confidential information.
Hitting self-destruct on lost or stolen phones
It's only a matter of time until an employee's smartphone or other mobile device is lost or stolen.
That's why all BYOD policies should include a stipulation that lost or stolen employee devices be subject to a full and complete remote data wipe, erasing all content.
Again, it is a balancing act. The phone is not the employer's, yet some of the information that the personal device can access surely is. As such, while the employer can pledge to make every effort to help the employee recover the lost phone, the company must reserve the right to mandate that the phone's data be eliminated if all else fails. The way to do this is by placing employees on notice via the company's comprehensive BYOD policy.
There are numerous programs and apps that afford the phone owner the power to remotely wipe all data from a lost phone. Remember, that missing employee phone is also a portal into your company's email, data servers, cloud and intranet. You don't want it floating around out there like a lost key to the company vault.
And while much of the data on the phone will be personal to the owner, some data contained there are clearly the property of the company. As such, that data must be protected by erasing the phone.
Jail-breaking's a no-no for BYODs
Smartphones come with their own set of rules, known as operating systems. Some, such as Apple's iOS, are pretty strict, dictating which apps can be downloaded and which cannot.
Some tech-savvy phone owners find their way around these restrictions. It's called "jail-breaking" on an iPhone. Getting around the Android operating system is called "rooting."
A company BYOD policy must disallow the practice for one simple reason: Working around a phone's operating system often leaves it more vulnerable to data-mining hackers and information-sucking malware.
Installing unapproved apps is flirting with company data disaster, as there's no quality assurance for this software. An employee could be unwittingly downloading malware that will siphon information.
As for tech-savvy employees who might balk, tell them this: The company isn't banning employees from working around their phone's operating systems. They just can't use a compromised personal device for work purposes, including accessing the firm's email, data, servers, cloud and other proprietary information.
The risk of data exposure is just too great. If employees want to take that risk, let them do it with devices that they don't use for work.
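The three requirements above (a screen lock that engages after a short idle period, the company's ability to remotely wipe a lost device, and no jailbroken or rooted devices) are the kind of conditions an IT team typically enforces as a device-posture check before a personal device is allowed to reach company email, intranet or cloud services. The following is an added illustration of such a check, not code from the article or from Scaringi Law. The device records, their field names (`passcode_enabled`, `autolock_seconds`, `remote_wipe_enrolled`, `jailbroken_or_rooted`) and the five-minute auto-lock threshold are all assumptions constructed for this example; a real deployment would read these attributes from its mobile device management system.

```python
"""Device-posture gate for a BYOD policy.

Added illustration, not the article's own material. Each device is a dict in the
shape an MDM inventory export might produce; every field name and threshold here
is an assumption made up for this example.
"""
from dataclasses import dataclass, field

# Assumed policy threshold: the screen must lock within 5 minutes of inactivity.
MAX_AUTOLOCK_SECONDS = 300


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_device(dev: dict) -> Decision:
    """Decide whether one personal device may access company resources.

    Every failed requirement is collected (rather than stopping at the first),
    so the employee can be told exactly what to fix on the device.
    """
    reasons = []

    # Requirement 1: a screen lock must be enabled ...
    if not dev.get("passcode_enabled", False):
        reasons.append("screen lock (passcode, PIN, pattern or biometric) not enabled")

    # ... and it must engage after a short idle period.
    autolock = dev.get("autolock_seconds")
    if autolock is None or autolock <= 0 or autolock > MAX_AUTOLOCK_SECONDS:
        reasons.append(
            f"auto-lock must trigger within {MAX_AUTOLOCK_SECONDS}s of inactivity"
        )

    # Requirement 2: the company must be able to wipe the device if it is lost.
    if not dev.get("remote_wipe_enrolled", False):
        reasons.append("device not enrolled for remote wipe")

    # Requirement 3: jailbroken or rooted devices may not be used for work.
    if dev.get("jailbroken_or_rooted", False):
        reasons.append("device is jailbroken or rooted")

    return Decision(allowed=not reasons, reasons=reasons)


def evaluate_fleet(devices):
    """Map each device id to its access decision."""
    return {d["device_id"]: evaluate_device(d) for d in devices}


# Constructed sample inventory: one compliant device, one with a lazy auto-lock
# setting, and one that fails every requirement.
SAMPLE_DEVICES = [
    {"device_id": "dev-001", "platform": "ios", "passcode_enabled": True,
     "autolock_seconds": 120, "remote_wipe_enrolled": True,
     "jailbroken_or_rooted": False},
    {"device_id": "dev-002", "platform": "android", "passcode_enabled": True,
     "autolock_seconds": 1800, "remote_wipe_enrolled": True,
     "jailbroken_or_rooted": False},
    {"device_id": "dev-003", "platform": "android", "passcode_enabled": False,
     "autolock_seconds": None, "remote_wipe_enrolled": False,
     "jailbroken_or_rooted": True},
]


if __name__ == "__main__":
    for device_id, decision in evaluate_fleet(SAMPLE_DEVICES).items():
        status = "ALLOW" if decision.allowed else "DENY"
        detail = "" if decision.allowed else " -> " + "; ".join(decision.reasons)
        print(f"{device_id}: {status}{detail}")
```

The check reports every shortfall at once so the notice to the employee is complete, which fits the article's advice that policy enforcement should inform rather than merely punish; the thresholds and field names would be replaced by whatever the organization's own device management platform exposes.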
When litigation opens the door to personal devices
No one likes being sued. But when companies that allow BYODs find themselves the subject of a lawsuit, personal devices used for work can get caught up in the litigation. A good BYOD policy must address this likelihood.
In the event of a lawsuit, employees might be ordered not to delete anything from their devices until the court decides what is fair game for review. If directed by the court, an employee might be required to make his or her personal devices and the information contained therein available.
A BYOD policy needs to alert employees of this possibility and establish procedures for preserving and reviewing information from personal devices in order to determine if it relates to the pending litigation and any discovery orders by the court.
Failure to preserve such information could expose a company to costly sanctions by the court.
A personal touch
In rolling out a company policy dictating what employees may do with their personal devices used for work, it pays to explain the reasons behind the measures.
Violations of the BYOD policy should be less about punishing employees and more about informing them of the expectations and responsibilities that go along with their role as active partners in protecting company data.
With company data breaches constantly in the news and so much vital information stored in the digital realm, employees should be more than willing to do their part. Making your workers partners in this protection, while ensuring their continued ease of access to company data on their personal devices, is the right approach for all involved.
Have questions about how to set a policy that strikes the right balance? I'm happy to help your business draft an effective BYOD policy.
Your company's data will be safer for it.