BRING YOUR OWN DEVICE
TEN GOOD PRACTICES FOR EMPLOYERS AND THEIR DATA
Managing Risk | Maximising Opportunity
www.controlrisks.com
The concept of employees using their own personal devices for work is gaining traction in many organizations. But whilst organizations can make savings in hardware purchasing costs by allowing their staff to work from personal devices, are they leaving themselves open to potentially far more damaging issues, both for their bottom line and their reputation? In this article, we assess the implications of the Bring Your Own Device (BYOD) trend and offer ten steps for best practice data management.

In Asia, it is becoming common practice within many organizations for employees to use their personal devices for work even when they are in the office. This presents significant challenges for those responsible for managing company data, with vast swathes of information effectively off the radar. Global privacy laws vary greatly, but in many jurisdictions it can be difficult, if not impossible, to collect vital information from privately-owned laptops or smart phones without a court order mandating it.

Companies can be at significant risk if their employees use personal laptops, tablets or smart phones at work. Should they need to investigate possible wrongdoing or defend themselves against civil or criminal actions, often at short notice in a crisis situation, they could be at a serious disadvantage because they cannot easily examine relevant data on their employees' personal devices. Such predicaments can be expensive, if not dangerous.

Rather than proceeding reactively, it is wise to have policies and plans regarding personal electronic devices in place long before they are needed. The easiest solution is to provide electronic devices to employees to be used for all work-related matters, clearly communicating that the company has the right to retrieve data from them. It might be cheaper to have employees bring their own devices, but you are giving away a lot of control.

The following ten steps can help employers handle complicated issues regarding personal devices in the workplace:

1. Create a map of data flows

Is your data shared or on a server? Is it on laptops or desktops? Is it on a C: drive or in the cloud? Mapping corporate data flows gives a snapshot of data and communications streams. It helps to understand where data and messages originate, how much comes from personal or company-owned devices, what servers are involved and where they are located. If emails can be captured on a company-owned server, reviewing them will be easier. This may not be the case if the company uses off-site cloud computing to handle data and message traffic.

Cultural practices can be problematic and must be addressed. In China and South Korea, for instance, people routinely use both company and personal email for work-related purposes, blurring the line between what is personal and what is business. This is an issue Control Risks' eDiscovery team has encountered numerous times when supporting clients with their investigations.

2. Create a company-wide data classification system

The sensitivity of a company's internal information can differ tremendously. Some material may be innocuous, but some could negatively impact a company if released. Executives must consider each type of data and its level of importance. Highly sensitive information such as new product specifications or salary levels cannot be handled in the same manner as publicly available information. The solution is for the company to assess and define levels of sensitivity, educate employees about classifying data according to sensitivity, and restrict access accordingly.

3. Review privacy rules on employee use of personal devices

Company officials trying to reconcile the use of electronic devices need to establish early on what is allowed and what is not, keeping abreast of how applicable laws may be evolving. In Latin America, privacy laws increasingly favor individual over corporate rights, especially in countries such as Argentina and Chile that have strong cultural ties to Europe, which is known for its strong privacy laws. Countries such as Brazil float in the middle with no strong data privacy law.

Companies have to make it clear that employees must use company phones or computers when conducting daily operations. They must also be clear that the company has the right to monitor all messages and data involved with company-owned devices. The statements must be worded in such a way that they can withstand court review if an employer and employee end up in a lawsuit or criminal proceeding. If a company allows workers to use their own smart phones for work-related purposes, it can require them to sign agreements allowing the company to scan the phones for corporate information.

4. Provide company-owned devices if practical

Providing employees with company-owned devices may be expensive, but this simple solution solves many problems. It eliminates an employee's excuse of needing to use personal devices to conduct company business, and gives the company the right to inspect and retrieve data. It also makes it easier for a company to maintain control during investigations without necessarily tipping its hand if it suspects that an employee is involved in something inappropriate.

5. Compile a list of vendors who can retrieve data

Situations requiring internal investigations typically arise without warning. Many companies are unprepared to deal with suspicions of bribery, fraud or embezzlement. One way for an organization to ensure that it is prepared for such an investigation is to have a list of pre-qualified vendors who can be called upon to help retrieve and analyze employees' electronic data and communications. Having a list of vendors can save a company time and money and help it to avoid making mistakes when emotions might run high.

Companies should keep in mind, though, that vendors' employees may also use their own laptops or smart phones. A vendor's methods of storing critically important data may be unknown to the hiring firm or even outside of its control. The company can protect itself by having vendors sign agreements that their devices can be scanned for company information.

6. Inform employees of probes if possible

Even if an employee uses a company-owned device, he or she still has rights to privacy. Unless extenuating circumstances prevent it (such as the need for secrecy in the early stages of a probe), notifying the employee that the company wants to review their electronic device is usually advisable. How this is handled depends on local privacy laws. In some cases, a company may need to identify truly personal material on the company-owned device, such as family photographs or personal bank accounts. Failure to do so can have legal repercussions.

7. Have notaries present during data retrieval

If an employee's company-owned device is being examined and its data is being copied, a notary or other independent official with legal power should be present to witness the process if data privacy laws in the jurisdiction call for it. If incriminating files or messages are found, an employee could claim not to know where the data came from. The presence of a notary, or local equivalent, could help prevent charges that the company planted incriminating evidence in the equipment used by the employee.

8. Consider covert collection when appropriate

Investigations can involve extremely sensitive matters and sometimes the existence of the probe must not be revealed to an employee. In cases involving company-owned electronic devices, the company can quietly take control of a device, retrieve the data contents and examine them once the device is back in the employee's possession. However, such covert data collection should only be pursued after consultation with counsel, as it may violate local data privacy laws.

9. Instruct employees on the proper use of social media

Facebook, Twitter and other forms of social media are making it increasingly easy for employees to communicate company-related content outside of company control. Whilst social media can be used successfully as a marketing tool, it can be detrimental if an employee uses it to express opinions or publicize information that is harmful to the company. Some company systems limit access to such sites from corporate domains, but a personal device outflanks such filters. Companies should educate all employees about the potential hazards of social media, through corporate guidance and formal training.

10. Copy data when an employee leaves his job

Companies routinely keep copies of corporate documents for specific periods of time in case they are needed for tax or legal matters. Keeping copies of files stored on a company-owned device after an employee leaves their job can be a necessary safeguard. Such data, notably email messages, can help the company protect itself should the employee violate secrecy agreements regarding proprietary information or non-competition pacts. Companies should devote serious consideration to how long the files should be kept.

Even if a company plans well and creates clear and workable policies involving personal devices, it may confront other problems over which it has little control. Ultimately, the best approach is to proactively create formal plans and policies on using personal devices at the workplace. Doing so before an investigation is needed can spare companies considerable frustration and expense.

Control Risks is an independent, global risk consultancy specialising in helping organisations manage political, integrity and security risks in complex and hostile environments. We support clients by providing strategic consultancy, expert analysis and in-depth investigations, handling sensitive political issues and providing practical on-the-ground protection and support. Our unique combination of services, geographical reach and the trust our clients place in us ensure we can help them to effectively solve their problems and realise new opportunities across the world.

Learn more at www.controlrisks.com
Published by Control Risks Group Limited ("the Company"), Cottons Centre, Cottons Lane, London SE1 2QG. The Company endeavours to ensure the accuracy of all information supplied. Advice and opinions given represent the best judgement of the Company, but subject to Section 2(1) of the Unfair Contract Terms Act 1977, the Company shall in no case be liable for any claims, or special, incidental or consequential damages, whether caused by the Company's negligence (or that of any member of its staff) or in any other way.

Copyright: Control Risks Group Limited 2013. All rights reserved. Reproduction in whole or in part prohibited without the prior consent of the Company.

www.controlrisks.com