Three Keys to Mastering BYOD

Transcription

1 Three Keys to Mastering BYOD Chuck Cosson T Mobile Senior Corporate Counsel, Privacy (425) Chuck.Cosson@T-Mobile.com Views expressed are my own and do not necessarily reflect the views of T-Mobile US This document does not constitute legal advice.

2 OVERVIEW OF SESSION Step 1: Privacy Considerations Step 2: Breakout sessions Group 1: issue checklist Group 2: draft privacy notice Group 3: acceptable use policy Step 3: Assessment

3 PRIVACY CONSIDERATIONS Fair notice and employee expectations for personal data sent over company networks; Practical security considerations to protect data from unauthorized access /disclosure; Incident response / investigation.

4 LEGAL CONTEXT Computer Fraud and Abuse Act 18 USC 1030 State Laws on Unauthorized Access* Electronic Communications Privacy Act 18 U.S.C Common Law Privacy Issues Trespass to Chattels Invasion of Privacy International Laws May Also Apply *See

5 SOME RULES OF THUMB Don t be afraid to start early. Take a multi-disciplinary approach. Legal, security, privacy, IT, risk management, and HR; Consider multiple goals to arrive at an integration that works for your organization; Don t under-invest in internal training. Consider usability as well as security. Security requirements that create costs or user frustrations are susceptible to bypass attempts, inconsistent implementation or weak adoption rates.

6 NOTICE TO EMPLOYEES Common approaches to providing notice: Company acceptable use policy is provided to employee; Splash screen reminder is displayed when logging in; Regular privacy and security training for employees; Employee manuals or internal online resources. Common key elements of notice content: Security software may remotely wipe a device in case employment ends or the device is lost; Litigation holds may require employee to surrender the device and/or indefinitely retain data; Monitoring of online activity can and will occur.

7 SECURITY POLICIES Required Device Installations or Controls PIN or Swipe lock on Device Anti-Badware software Remote wipe capability / Data segregation Restrictions on Rooted or Modified Devices Network Side Policies Server access controls Special credentials, passwords, or authentication steps

8 POLICY DRIVERS Legal considerations integrated with: Morale Productivity Company Culture Cost Considerations Stakeholders: Legal HR IT and Information Security

9 BREAKOUT SESSION Three Key Takeaways: How to draft an employee privacy policy addressing a BYOD scenario Drafting an acceptable use policy for personal devices connected to company tools Creating an issue checklist to determine what BYOD issues your organization faces Breakout Activities: Review the draft document provided for your group Group 1: Employee privacy policy Group 2: Acceptable use policy Group 3: Issue Checklist Appoint a scribe to markup the document with questions, edits, additions Appoint a spokesperson to readout the group s observations

10 PRIVACY/SECURITY POLICY Specify company principles/standards for BYOD Detail expectations of privacy: Requirements for personal devices to be granted access; Personal data in company-provided applications; List circumstances of monitoring of personal device. List security requirements for devices & servers. Expressly provide for investigative access to data. Explain what happens when: Device is lost or stolen Employee leaves the company Protective software is not installed or uninstalled

11 ACCEPTABLE USE POLICY Require employees to acknowledge policy Clearly define boundaries /prohibited uses Explicit content, hate speech, Leaking of proprietary information Consider rules for social media / cloud use Determine if policy banner can be displayed to BYOD employees logging in

12 ISSUE CHECKLIST Risk Types Monitoring of Employees Current Policies Acceptable Use Policy Security and Privacy Prospective Policies