BYOD: Suggested Policies for Mississippi s Public Employees

Transcription

1 Technical Brief BYOD: Suggested Plicies fr Mississippi s Public Emplyees Lydia Quarles, J. D., Senir Plicy Analyst, Stennis Institute f Gvernment quarles 2014 In light f recent Open Recrds pinins frm the Mississippi Ethics Cmmissin, all departments f public entities in Mississippi shuld be thinking abut electrnic devices persnal t their emplyees. Persnal electrnic devices include, amng ther things, smart phnes (iphnes and andrids), tablets f all kinds, mini-cmputers, etc. The practice f cmingling wrk and persnal usage n these persnal electrnic devices can becme a mine-field fr department heads. Cnsider yur current situatin: Des yur department have a plicy n emplyees bringing their persnal electrnic devices t wrk? T what des it extend? Are there sanctins if the plicy is ignred? Are there prtcls in place t enfrce the plicy, retrieve sensitive infrmatin, etc.? It is quite unlikely that a public emplyer in Mississippi will implement a plicy where emplyees cannt bring persnal electrnic devices int the wrkplace. These devices prliferate and prvide many psitives t persnal efficiency, which, in turn, create psitive feelings amng manpwer and may als expedite wrk t be dne. Many wrking parents use these devices t, amng ther uses, keep an eye n their children wh are enrlled in schls r day-care. The devices give these parents peace f mind; this peace f mind pays ff in quality f wrk perfrmed. But what can g wrng in a situatin where emplyees use their persnal electrnic devices fr wrk related tasks? Here are sme examples lcated n varius websites addressing the situatin: Yur department is invlved in a lawsuit and as part f the discvery (the exchange f infrmatin relevant t the lawsuit befre trial) purged data is fund stred n

2 the emplyee s persnal electrnic device. Yur emplyee carries an unsecure persnal electrnic device and a hacker btains sme f the department s sensitive infrmatin. Infrmatin leaves the department s cntrl as emplyees stre cnfidential data n their persnal electrnic devices. An emplyee leaves yur department and still has cmpany data n their persnal electrnic device. T help avid the abve scenaris and thers, departments shuld develp and implement plicies t address these cncerns. Like the prliferatin f devices, there are a prliferatin f suggestins abut handling the prblems which arise frm the use f persnal electrnic devices fr wrk related tasks. They include (1) a written agreement giving the department the right t manage, lck, and/r wipe all department-related infrmatin frm the persnal device; (2) a written agreement where the department issues the emplyee a department-wned and mnitred device and emplyees are nt allwed t use the device fr persnal matters, with the emplyee t return the device upn terminatin f emplyment; (3) a written agreement where the department purchases the persnal electrnic device frm the emplyee fr an agreed amunt f mney and then gives the emplyee the right t use it fr persnal, as well as emplyment related uses, with an ptin t buy back the device upn terminatin f emplyment. Unfrtunately, these types f plicies, althugh a gd beginning, are effectively placing a Band-Aid n a much larger lesin. In rder t frm a plicy unique t yur department, yu must take the fllwing int cnsideratin: Shuld the department require all emplyees wh use a persnal electrnic device t dwnlad sftware that allws the department t remtely access and wipe devices? Shuld the department have its emplyees sign written agreements that disclses all risks assciated with the sftware and requires them t dwnlad it nt any device that will be used t access cmpany-related infrmatin? Shuld the department allw nly certain emplyees t have the privilege f using persnal electrnic devices and limit the type f infrmatin that is accessible, e.g. e- mail? Shuld the department require that emplyees cnsent in writing t have the devices inspected upn terminatin r at any ther time? This may be dne remtely and withut ntice t the emplyees. Shuld the department refuse t allw emplyees t stre crprate infrmatin n persnal devices? Shuld the department require that emplyees sign a written agreement that they will turn ver their persnal electrnic device fr inspectin upn a legitimate request frm the cmpany, r n sme regular (mnthly, quarterly) basis?

3 As yu cnsider a plicy fr yur department, acknwledge that this is nt merely an IT issue. It is a human resurces issue and a legal issue as well. The fllwing human resurce issues emerge frm persnal devices being used fr wrk: (1) nn-exempt wrkers must be paid fr any wrk they d, authrized r nt; (2) exempt wrkers wh d ccasinal wrk during leave -- if the emplyee des this wrk fr mre than a de minimis amunt f time, the emplyee may be entitled t an entire week s pay; (3) texting sexually harassing infrmatin (studies shw that staff are mre casual in texting than in s) -- and while texts are less easy t track r trace than s, a recipient will clearly save thse texts as Exhibit A in the sexual harassment litigatin. Legal issues als emerge, althugh the case and statutry law n the use f persnal devices fr wrk related matters remains in its infancy. Sme are: (1) the legal right f a department t wipe a persnal device, with r withut ntice; (2) a need t retrieve infrmatin because f a recrd retentin plicy (such as thse established by the Mississippi Department f Archives and Histry). Mississippi has established a gvernment recrd retentin plicy which can be fund n the Mississippi Department f Archives and Histry [MDAH] website. Bullets drawm frm the MDAH: Wrk-related messages and attachments are public recrds and must be managed in the same way as ther public recrds are managed. The statute ( ) defines public recrds t include, amng ther recrds, digital recrds made r received pursuant t law r rdinance r in cnnectin with the transactin f fficial business by any agency r by any appinted r elected fficial. The statute des nt cnsider what digital device created the public recrd s lng as it falls within the definitin f a public recrd. Fr instance, if a public recrd is created, it des nt matter if it is made n a persnal/hme accunt, mbile cmputing device, smart phne, persnal digital assistant r scial netwrking website r like services. All s, n matter where created, which are created r transacted by appinted r elected fficials are integral t the peratin f gvernment and gvernment is respnsible fr maintaining these recrds in a manner that they can be assessed in a manner that allws efficient and timely retrieval. They must remain accessible during the entire retentin perid required. These mandated perids, develped by the MDAH Lcal Gvernment Recrds Office and apprved by the Lcal Gvernment Recrds Cmmittee, can be accessed by visiting Once the perids are apprved, they have the frce f law. It is the respnsibility f the entity t determine what types f recrds they maintain and establish crrespnding maintenance perids. An agency may determine different guidelines fr retentin f public recrds created n persnal digital devices based n the level n which the emplyee is emplyed.

4 Regardless f what guidelines are applied t what emplyees, the emplyees shuld be required t sign a statement agreeing t fllw the guidelines, plicies and prcedures adpted by the agency. An agency shuld nt allw an emplyee t use scial netwrking websites (e.g., Facebk) r services which prvide immediate publicatin/feedback (e.g., Twitter) fr the transmissin f fficial cmmunicatins and this shuld appear prminently in the guidelines, plicies and prcedures adpted by the agency. The agency shuld ensure that each divisin has guidance as t what divisin shuld btain and retain the infrmatin generated frm persnal digital devices. It culd be that the agency determines that smene in each divisin shuld be respnsible fr all apprpriate recrds generated frm persnal digital devices f emplyees f that divisin. Hwever, it culd be that the agency will chse the IT department as respnsible fr all such recrds. It is up t the agency t determine whether it will chse t keep a paper cpy f the recrd, as well as a digital cpy. If it is determined that a paper cpy shuld be kept, this must be cnsistently regulated. A best practices decisin wuld require emplyees t als retain and maintain paper cpies f all recrds which wuld fall within the definitin f public recrd fr his/her wn prtectin and as a backstp fr the agency. Hwever, the agency shuld be aware that an individual wh is cncerned abut the cntents f infrmatin which falls within the definitin f a public recrd that has been generated n his/her wn persnal digital device may nt chse t keep that particular recrd. It is nt the respnsibility f the emplyee t maintain these recrds. That respnsibility falls squarely n the agency. After cnsulting retentin requirements, any agency may determine t keep all r sme digitally created recrds in excess f the time required by the MDAH Lcal Gvernment Recrds Office. Cnsideratins might be (1) psitin, duty and authrity f the authr f the message; (2) public recrds f significance (e.g., executive crrespndence f a mayr r ther elected fficial has histrical value and shuld be maintained permanently); (3) public recrds f temprary value which shuld be dispsed f cnsistent with MDAH Lcal Gvernment Recrds Office retentin guidelines (e.g., messages related t cmpleted purchases f equipment and supplies); (4) transitry cmmunicatins which d nt fall under the umbrella f public recrds as defined by [The MDAH prvides examples f transitry cmmunicatins: persnal s nt related t wrk; spam r unslicited advertisement; incming electrnic mailing list message, nn-plicy annuncements, thank yu messages, ut f ffice replies, published materials, and replies t rutine questins (hurs, addresses, directins, etc.) Accrding t the MDAH, public emplyees and fficials wh send/receive such messages may delete them when they are n lnger useful. Chse an ptin fr retentin such as a cntrl schedule suggested by MDAH: Treat all s and/r digitally created dcuments as crrespndence and apply apprpriate recrds cntrl schedules.

5 Create a file with subflders that will allw s and/r digitally created dcuments based n the retentin perid demanded, thus allwing the emplyee/it Department t delete them as the time fr retentin has expired. In ther wrds, place files in flders by years, dividing them int grups f files that have different retentin perids. Create nn-permanent recrds files by functin r categry (e.g., administrative, financial, plicy, general wrk) and then by perid (e.g., keep 5 years, keep 3 years, etc.) Print and file all recrds as part f a paper recrd keeping system. Accrding t MDAH, a cmplete recrd cnsists f the message tgether with its attachments and transmissin data, s it is imprtant t print any/all attachments and message surce infrmatin. Included in the agency plicy shuld be language which includes the agency s attempt t prtect cnfidential r private infrmatin frm disclsure and thus lsing its cnfidential status. As emplyees sign that they agree t the plicy the agency has adpted, they may als be required t acknwledge that emplyees understand the risks invlved in transmitting infrmatin that wuld qualify as a public recrd frm their persnal digital device because it will call int questin all files in that device. An emplyee wh chses t r create digital infrmatin n his/her persnal digital device -- bth persnal and gvernmental -- may be required t place an disclaimer n ALL persnal s r dcuments warning that this particular /dcument is persnal t the wner f the digital device and has n public recrd characteristics. Hwever, the agency plicy shuld require an ccasinal test f this use by the individual t determine that this disclaimer is NOT being used n infrmatin with public recrd characteristics. The federal gvernment is getting int the act with a Digital Services Advisry Grup [DSAG] t prmte crss-agency sharing and accelerated adptin f mbile wrkfrce slutins and best practices, including develpment f a federal gvernment wide BYOD plicy. The Natinal Institute f Standards and Technlgy [NIST] is als drafting standards and guidelines fcused n mbility including: Guidelines fr Managing and Securing Mbile Devices in the Enterprise; Security and Privacy Cntrls fr Federal Infrmatin Systems and Organizatins; and Persnal Identity Verificatin (PIV) f Federal Emplyees and Cntractrs. Amng suggestins available frm these agencies, these are wrthy f cnsideratin: Virtualizatin: Prvide remte access t cmputing resurces s that n data r crprate applicatin prcessing is stred r cnducted n the persnal device; Walled garden: Cntain data r crprate applicatin prcessing within a secure applicatin n the persnal device s that it is segregated frm persnal data;

6 Limited separatin: Allw cmingled crprate and persnal data and/r applicatin prcessing n the persnal device with plicies enacted t ensure minimum security cntrls are still satisfied. Accrding t the DSAG, a business case fr implementing BYOD prgrams vary frm agency t agency, but ften invlve the fllwing drivers: t reduce csts, increase prgram prductivity and effectiveness, adapt t a changing wrkfrce, and imprve user experience. Here is a list f business cnsideratins based n the White Huse s Digital Plicy Guidelines and BOYD Plicy Guidelines established in August Technical apprach Virtualizatin Walled garden Limited separatin Rles and respnsibilities Agency User Help/service desk(s) Carrier technical supprt Incentives fr gvernment and individuals Survey emplyees n benefits and challenges Cnsider vluntary vs. mandatry participatin in BYOD prgram and impact n terms f service Educatin, use, and peratin Establish rientatin, trainings, and user agreements Establish assciated plicies cllabratively with unin representative Ensure cmpliance with Fair Labr Standards Act (FLSA) requirements (e.g., institute plicies t ensure nn-exempt emplyees d nt cnduct wrk after-hurs unless directly authrized/instructed) Cnsider impact f cnnectivity and data plan needs fr f chsen technical apprach (e.g., virtualizatin) n emplyee reimbursement Implement telewrk agreements cnsistent with the Telewrk Enhancement Act and OMB implementatin requirements Security Assess and dcument risks in: Infrmatin security (perating system cmprmise due t malware, device misuse, and infrmatin spillver risks) Operatins security (persnal devices may divulge infrmatin abut a user when cnducting specific activities in certain envirnments) Transmissin security (prtectins t mitigate transmissin interceptin) Ensure cnsistency with gvernment-wide standards fr prcessing and string Federal infrmatin

7 Assess data security with BYOD versus the devices being replaced Securely architect systems fr interperability (gvernment data vs. persnal data) Privacy Identify the right balance between persnal privacy and rganizatinal security Dcument prcess fr emplyee t safeguard persnal data if / when gvernment wipes the device Ethics / legal questins Define acceptable use frm bth gvernment and individual perspective Address legal discvery (including cnfiscatin rights) and liability issues (e.g., thrugh pre-defined pt-in requirements in terms f service) Cnsider implicatins fr equal rights emplyment (e.g., disparity in quality f persnal devices) Service prvider(s) Identify cmpanies that culd ffer discunts t gvernment emplyees Assess pprtunities t leverage the Federal Strategic Surcing Initiative Assess tax implicatins fr reimbursement Devices and applicatins (apps) Identify permitted and supprted devices t prevent intrductin f malicius hardware and firmware Define cntent applicatins that are required, allwed, r banned and cnsider use f mbile device management (MDM) and mbile applicatin management (MAM) enterprise systems t enfrce plicies Adpt existing app develpment best practices t supprt deviceagnsticism and data prtability acrss platfrms Address app cmpatibility issues (e.g., accidental sharing f sensitive infrmatin due t differences in infrmatin display between platfrms) Recmmend apprach t cntent strage (clud vs. device) Clarify wnership f the apps and data Asset management Dispsal f device if replaced, lst, stlen, r sld, r emplyment is terminated (must remve gvernment infrmatin befre dispsal) Reprting and tracking lst / stlen persnal devices Replacement f persnal lst devices if emplyee chses nt t replace with persnal funds Funding fr service and maintenance. As a cnsideratin f best practices, cnsider the BOYD prgram intrduced by the State f Delaware. This prgram transitins frm state-wned blackberries t a persnal device reimbursement plan. William B. Hickx, Chief Operating Officer f the Delaware Department f Technlgy and Infrmatin, described the prgram. (See William.Hckx@state.de.us fr mre infrmatin.)

8 Executive Summary In an effrt t keep up with the pace f mbile technlgy, the State f Delaware initiated an effrt t nt nly embrace the cncept f BYOD but t realize significant savings by having state emplyees turn in their state wned device in favr f a persnally wned device. In rder t encurage the behavir, the State agreed t reimburse a flat amunt fr an emplyee using their persnal device r cell phne fr state business. It was expected that by taking this actin the State culd stand t save $2.5 millin r apprximately half f the current wireless expenditure. There were several challenges including questins abut whether a reimbursement was taxable r nt, whether the persnal device culd be secured by the State fr Freedm f Infrmatin Act (FOIA) requests, and whether utilizatin f persnal devices culd/shuld be mandated. In the end the state decided t make the prgram vluntary at this time. The state recgnizes that nt all emplyees have a persnal device r are willing t utilize it fr wrk purpses. The State f Delaware experience t date has been psitive with specific savings and device reductins. The State anticipates cntinuing t grw the prgram by limiting the number f state wned devices while encuraging the use f persnal devices int the future. Challenge The State s Blackberry infrastructure is reaching end f life and requires a lifecycle replacement. In additin, changes in technlgy are driving agencies t request devices that are nt state standard r currently supprted by the Department f Technlgy & Infrmatin (DTI). As such, the State is nw at a decisin pint regarding the future directin f prtable wireless devices and the nging supprt f the infrastructure. Over the last 10 years the nature and use f prtable wireless devices in the wrkplace has changed dramatically. Originally, nly a handful f state wned devices (BlackBerrys) existed with the majrity f staff relying n state wned cell phnes. In additin, at that time very few state emplyees had persnal cell phnes and almst nne had persnal blackberry devices. Tday, the prliferatin f these state wned devices (apprximately 2500 devices) results in significant csts assciated with the infrastructure and supprt f the blackberry system. In additin, due t the

9 changing needs f the agencies, mre and different devices such as Drids and iphnes are being requested, which wuld expand the csts assciated with infrastructure and supprt. The current Blackberry Enterprise Server (BES) which is managed by the state will reach its end f life within the next year and require replacement. Hwever, replacing the BES will nly address the state wned devices that are currently apprved as standard (Blackberry). It des nt address the request fr additinal prtable devices such as iphnes. Apprach DTI decided that funds shuld nt be expended t lifecycle the BES. Instead, the State shuld start a tw year transitin plan t migrate all users ff f the existing infrastructure by June 30, 2013 and mve them t either a persnal device thrugh a prpsed reimbursement prgram r t a device that runs directly thrugh the state s wireless carrier. By ding s, the state stands t save up t $2.5 millin dllars annually thrugh the reimbursement prgram but als wuld save $75K in lifecycle csts and $120K in nging supprt. This directin wuld als allw agencies t utilize enhanced devices such as Drids and iphnes t supprt their business needs. The abve referenced reimbursement prgram wuld be as fllws: Beginning February 1, 2011 the Department f Technlgy and Infrmatin (DTI) will initiate a prgram aimed at reducing the number f state wned wireless cmmunicatin devices, i.e. cellular phnes, PDAs, prtable devices, etc. The intended benefits f this prgram are twfld. Many emplyees carry persnal devices in additin t the state issued device. With the advances in technlgy, efficiencies can be gained thrugh the cmbinatin f these devices. In additin t end user efficiency, by cmbining devices, there is significant savings fr the State. Emplyees whse jb duties require the frequent need fr a cell phne r prtable device as determined by their supervisr may receive a mnthly vice/data plan reimbursement t cver the csts f state related business. Only in extenuating circumstances will

10 further reimbursement fr vice/data plan csts be available t emplyees wh participate. All ther emplyees may submit infrequent business-related cell phne expenses fr individual reimbursement. Determining Emplyee Eligibility: Emplyees with jb duties that require the frequent need t use a cell phne/pda fr business purpse are eligible, typically include; Emplyees n the rad r in the field, but required t remain in tuch with thers, typically ut f the ffice n business 50 r mre annual days. Emplyees available fr emergency cntact (e.g., duties require them t be cntacted anywhere/anytime). Emplyees with 24/7 respnse requirements. Dllar Amunt f Reimbursement: Eligible emplyees will receive a reimbursement as fllws: Vice nly - $10 per mnth Data nly - $30 per mnth Vice/Data - $40 per mnth Mr. Hickx says that fr emplyees wh have participated s far, the State f Delaware has reduced expense assciated with their devices by 45%, with an verall reductin f departmental wireless csts f 15%. This savings has been achieved by the State f Delaware reimbursing ver 100 emplyees fr utilizing their persnal device and ver 1,000 State f Delaware emplyees using their persnal devices in the BYOD prgram. Sample plicies prvided by the federal gvernment are accessible at Regardless f what type f plicy develpment a department decides upn, whether it is BYOD, issuing agency-wned devices and restricting use, r any ther plicy implementatin, there are basic terms which shuld be included: 1. There must be a requirement that gvernment infrmatin n any device being used by any public emplyee must be regularly dwnladed and material retained cnsistent with the Mississippi Department f Archives and Histry regulatins. 2. There must be a plicy in place in which this regular dwnlad and material retentin will ccur. 3. There must be a requirement that the gvernment has access t infrmatin n a persnal device which is used fr gvernmental purpses, which includes the ability t wipe the device upn terminatin f emplyment. 4. There must be a requirement that the gvernment can access the infrmatin n a persnal device fr matters f litigatin. The Stennis Institute can assist yu in develping an apprpriate plicy. Cntact the authr at lydia@sig.msstate.edu.

11 ABOUT THE AUTHOR Lydia Quarles is a Senir Plicy Analyst at the Jhn C. Stennis Institute f Gvernment, Mississippi State University. She received her Juris Dctrate frm Cumberland Schl f Law, Samfrd University, and her MA and BA frm Mississippi University fr Wmen. After ver a dzen years in the private practice f law in Alabama and Mississippi, she jined the Mississippi Wrkers Cmpensatin Cmmissin as an Administrative Judge in Eight years later, in 2001, she was appinted Cmmissiner f the agency. In 2006, she resigned t jin the Stennis Institute and return t private practice. Quarles was hnred in 2006 by the American Bar Assciatin s Administrative Law and Regulatry Practice Sectin, receiving the Mary C. Lawtn Award fr lasting cntributins t the Mississippi Wrkers Cmpensatin Cmmissin in the areas f alternative dispute reslutin and access fr Hispanic wrkers. She is als a recipient f the American Sciety f Public Administratrs Jan Fiss Bishp Award, hnring a wman wh has prmted increased participatin f wmen in public administratin, exhibited a defined cntributin t increase wmen s invlvement in the public sectr, and demnstrated innvative leadership and accmplished prfessinalism in her wn public sectr career. Recgnized by Martindale-Hubbell as an AV rated lawyer, the highest peer-evaluated designatin, she als hlds the Martindale-Hubbell designatin as a Preeminent Wmen Lawyers in America.

12 ABOUT THE INSTITUTE Based at ur state's land grant university, the Institute is ften referred t as Mississippi's think tank, but the Institute is much mre. We are frequently called upn t prvide technical assistance and cnsultatin t state fficials, lcal gvernments and cmmunity leaders regarding plitical, gvernmental, and ecnmic and cmmunity develpment matters. Our missin is t enhance the capacities f state and lcal fficials t deal effectively with tday's challenges regarding many issues. If the legislature needs a definitive study n the effects f a change in state law, a municipal gvernment desires a cmpensatin study r salary survey, r an assciatin f gvernment fficials requests training n the latest legal r plicy issues, the Institute respnds with its wide variety f resurces and capabilities. CONTACT INFORMATION Jhn C. Stennis Institute f Gvernment and Cmmunity Develpment 382 Hardy Rad Mississippi State, MS Ph: Fax: Mailing Address: Stennis Institute PO Drawer LV Mississippi State, MS Mississippi State University des nt discriminate n the basis f sex, race, age, sexual rientatin, ethnicity, etc. Mississippi State University is an equal pprtunity emplyer.