BYOD, Privacy and Security
It is very common for employers to allow or require employees to bring their own mobile devices, iPads and laptops into work and use the devices for work (“BYOD”). A recent study reveals that the numbers are staggering:
• 89% of employees’ mobile devices connect to corporate networks;
• 65% of companies allow personal devices to connect to corporate networks;
• 78% of companies note that twice as many BYODs connect than did two years ago;
• 68% of American small businesses already embrace BYOD.
BYOD is obviously popular with businesses and their employees. But it creates enormous risks and concerns for businesses and employees that can only be properly handled by an effective BYOD Policy.
Business Risks and Concerns
The primary concern of most employers is security and the unauthorized dissemination of confidential business information to third parties. Allowing personal mobile devices increases the risk of unauthorized access, disclosure and destruction of business data, because employees can lose mobile devices that contain confidential information. An employee can also download viruses or malware along with the latest app, which can then infect the entire corporate network.
A related concern is an increased risk of liability from a data breach, particularly breaches involving access to personally identifiable financial or health information. For example, doctors regularly lose, or have stolen, mobile devices that contain patients’ personal health information. These data breaches cost companies a significant amount of money and can lead to an unwanted and costly government investigation.
To the extent that nonexempt employees use personal mobile devices for work, the employer may also face exposure under the federal Fair Labor Standards Act or similar state statutes for failure to compensate these employees for overtime. If nonexempt employees use these devices for work-related purposes outside their normal work hours, the employer may be required to pay them overtime compensation.
Employee Privacy Concerns
The use of personal devices for work-related activities offers employees greater convenience, flexibility and other advantages. Employees are very attached to their personal mobile devices, and a recent study shows that nearly 1/3 of employees would rather lose their wallet than their mobile device. Even so, using personal mobile devices for work raises serious concerns among employees as work encroaches more and more on their personal lives.
Loss of privacy and control over their electronic information are the two biggest concerns employees typically have with BYOD. With respect to privacy, employees are concerned that employers will inappropriately access or use their personal information, particularly financial and health information, in ways that will harm them at work. Employees are also concerned about losing control of their electronic information (e.g. photographs, videos, contacts, etc.) when employers attempt to remove or “wipe” business information from the employees’ device, which can be done remotely. Employees store a lot of irreplaceable pictures, videos and other personal information on mobile devices and don’t want to lose these valuable memories.
To deal with these concerns, employers should develop a comprehensive BYOD policy and program that includes regular training and monitoring. Below are some of the key issues that should be addressed:
Organizations should make clear who in the organization is allowed to use personal devices, whether on an ad hoc basis for a specific purpose or as a permanent replacement for corporate devices. This can be viewed as a privilege to be earned, a response to employee demand, a requirement for certain types of roles, or a combination of these things. For example, attorneys at many law firms are now regularly permitted to use their own mobile devices and iPads, but administrative assistants are not. This is a function of client and partner demands and the need to be available 24 hours a day, 7 days a week. Administrative assistants do not want or have the same client demands, so they are not permitted to use their mobile devices to access law firm networks.
Allowed Devices/Operating Systems
Organizations should also decide which operating systems will be supported under their BYOD policies. Two areas that are a real challenge for BYOD policies are the diversity of operating systems across devices and the frequency of their updates. The choices include Android from Google; iOS from Apple; Windows Phone and Windows Mobile from Microsoft; Blackberry OS from RIM; Symbian from Nokia; and a few others. What’s worse, some operating systems have multiple versions in circulation, and updates to the devices may or may not be pushed automatically by the carrier or controlled by the enterprise.
These conditions make it very challenging to standardize on just a few configurations that you will allow workers to use and that you will support. However, it is a best practice to set a minimum operating system version as a baseline requirement for users who bring in their own devices, in order to protect the corporate data and apps running on them. This may eliminate some of the older phones that are still in use, but you need to take at least these minimal steps to ensure the security of your corporate network without draining company resources.
Wiping Data off the Device
When a smartphone is lost or stolen, or when a worker is no longer employed by the company, it may be necessary to forcibly wipe data off the employee-owned device. How this is done depends largely on the mobile device management tools in use. Some tools allow a selective wipe, so that only corporate data is removed and personal data is untouched. Other management tools simply wipe the entire device clean.
Make sure that the BYOD policy clearly explains the data wipe method you will be using, and get a signed acknowledgment if the employee chooses to use their own device. Also consider using a user agreement, which is discussed below. To the extent feasible, it is better to selectively wipe corporate data and leave personal data alone. This will minimize the future risk of an employee lawsuit while still protecting the organization’s confidential information.
Companies should tread lightly when enforcing policies on personally-owned devices that are used for business. From a legal standpoint, you should have a user agreement, which is a contract between the company and the end user regarding the use of the employee’s personal mobile device in the business environment. Best practice is to have this contract presented to the employee regularly and have it affirmed periodically, typically once a year.
Key topics that should be considered for a user agreement include:
• The Data Wipe Policy – The user agreement should specifically identify when information will be wiped from the device and what types of data will be wiped.
• The Photo Policy – The user agreement should specifically identify what employees are not permitted to snap photos of (e.g. sensitive areas of the work environment; products in development; white boards and sensitive information or drawings).
• Definition of Company Information – The user agreement should clearly explain what information is considered company information, how it must be handled, and that the organization ultimately owns all company information.
• Web Filtering Requirements – Employees are expected to police their own behavior in terms of what shows up on their screens while connected to the corporate network and at work (e.g. no pornographic photos when the device is used in a business context).
• Data Breach Trigger Policy – Employees must promptly report the loss or theft of the device and help the company determine if sensitive data is at risk. The user agreement should specify the time frame for reporting a lost or stolen device and the procedures for locking and wiping the device.
• Maintain Certain Security Measures – The user agreement should also specify what security measures the employee must maintain on the device, such as installing certain software, keeping it updated, running antivirus protection, and other security measures. It should also require a strong password to access the device.
• Acceptable Use Policy – Additionally, the user agreement should specify how employees handle company information on their personal device and what can be done with this information. Typically, these policies prohibit employees from downloading company information onto third-party cloud document storage services, such as Dropbox or Google Drive.
• Monitoring Policy – The user agreement should also inform the employee about what kind of monitoring the employer will use with respect to the device and the BYOD policy. This may include tracking the device’s location, monitoring internet and other activities, keystroke logging, phone call monitoring, and other types of monitoring. This is a very sensitive area for employees, so be sure to consult with an attorney to determine the scope of monitoring that is legal in your jurisdiction, explain the policy clearly to employees, AND obtain the employee’s consent.
• eDiscovery – The user agreement should also let employees know how eDiscovery requests will be handled, should the need arise. This is discussed further below.
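The minimum OS version baseline and the device-side security measures in the user agreement are the kind of checks an enrollment gate would evaluate before a personal device is allowed onto the network. The following is an added illustration, not code from the original post; the platform names, version thresholds, record fields and sample inventory are assumptions constructed for the example.

```python
"""BYOD enrollment baseline check (added example, not from the original post)."""

# Assumed policy baseline: minimum supported OS version per platform.
# Platforms not listed here are treated as unsupported and rejected.
MIN_OS_VERSION = {
    "ios": (15, 0, 0),
    "android": (12, 0, 0),
}

def parse_version(text):
    """'15.4.1' -> (15, 4, 1), padded to three parts so '15' == '15.0.0'.
    Numeric tuples avoid the string-comparison bug where '9.3' > '15.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def version_ok(platform, version):
    """True when the platform is supported and the OS meets the baseline."""
    minimum = MIN_OS_VERSION.get(platform.lower())
    if minimum is None:
        return False
    return parse_version(version) >= minimum

def evaluate_device(device):
    """Return the list of baseline violations; an empty list means the device may enroll."""
    problems = []
    if not version_ok(device["platform"], device["os_version"]):
        problems.append("os version below baseline or platform unsupported")
    if not device.get("passcode_set"):
        problems.append("no device passcode")
    if not device.get("encrypted"):
        problems.append("storage not encrypted")
    if device.get("pending_updates", 0) > 0:
        problems.append("security updates pending")
    return problems

def enrollment_report(devices):
    """Map each device id to its violations, for the help desk or MDM console."""
    return {d["id"]: evaluate_device(d) for d in devices}

# Constructed sample inventory (hypothetical devices).
SAMPLE_DEVICES = [
    {"id": "d1", "platform": "iOS", "os_version": "16.2", "passcode_set": True, "encrypted": True, "pending_updates": 0},
    {"id": "d2", "platform": "Android", "os_version": "9.3", "passcode_set": True, "encrypted": False},
    {"id": "d3", "platform": "Symbian", "os_version": "9.4", "passcode_set": False, "encrypted": False},
]

if __name__ == "__main__":
    for dev_id, problems in enrollment_report(SAMPLE_DEVICES).items():
        print(dev_id, "OK" if not problems else "; ".join(problems))
```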
A primary reason why employers adopt a BYOD policy is to shift costs to employees. The BYOD policy should clearly identify what costs will be borne by the employee and what costs will be reimbursed.
Some of the questions to ask and answer in connection with the policy are:
• Are individual users entitled to reimbursement?
• If so, for what services and under what conditions (e.g., voice usage, data usage, Wi-Fi hotspot usage, roaming usage, business vs. personal usage, manager approval, etc.)?
• Are any services not eligible for reimbursement (e.g., SMS/MMS, ringtone downloads, 411 calls, any service not explicitly identified as eligible for reimbursement)?
• Are there any caps on reimbursement (e.g., in the form of fixed monthly stipends or maximum-expense limits, independently of charges incurred)?
• Are individual users ever eligible for full or partial reimbursement of device acquisition or replacement costs?
Different companies answer these questions in different ways and there are numerous acceptable BYOD policies. Choose the one that’s best for your business.
When an employer is involved in litigation, it needs to know where company information is located and what it contains, and it needs to review that information in order to determine whether to ultimately produce it.
Electronically stored information, or ESI, is subject to discovery, which means it can be requested as evidence in a court case. ESI is a category of discoverable information separate from print documents, and it includes both structured and unstructured data such as emails, instant message logs, Word documents, PowerPoint presentations, and other types.
In litigation, eDiscovery is the process of identifying, collecting, preserving, reviewing and producing relevant electronic data or documents. Determining which ESI is relevant is complicated and expensive because of the vast quantities of electronic information, the difficulty of obtaining it, and the effort of reviewing it to decide what is relevant while not producing privileged or confidential information.
BYOD and mobile devices present four challenges to eDiscovery:
• The company does not own or physically control the devices;
• There are a wide variety of potential data types to consider;
• The data can potentially reside in multiple locations;
• Safeguarding and retrieving the data can be difficult.
If you have a BYOD policy, or are considering implementing one, consider the following best practices to ensure that it is eDiscovery friendly:
• Mandate that employee devices be configured to save information directly to the company servers.
• Sync data between employee devices and company servers regularly.
• Ensure that your BYOD policy is forthright and outlines the exact process for eDiscovery, including a clear chain of custody.
• Consider purchasing and implementing one of the many applications capable of separating business data and personal data, making it especially easy for employers to locate discoverable data.
By taking these steps, you will minimize the costs associated with eDiscovery in case you are ever involved in litigation.
Termination of Employment Relationship
As part of your BYOD policy, you should outline the process for what happens when the employment relationship is terminated. In most cases, a company wants to remove its data from an employee’s personal device when he or she leaves. To accomplish this, the organization may require the employee to submit the device to the IT department, wipe it remotely, or simply tell the employee to delete the data. Choose what policy and procedures work best for your organization. Also make sure that employees are disconnected from the corporate network and are no longer able to access it after the employment relationship is ended.
That’s it for this week. Let me know if you have any questions about BYOD or if your BYOD policies contain some interesting provisions. Have a Happy Holiday!