BRING YOUR OWN DEVICE




TEN GOOD PRACTICES FOR EMPLOYERS AND THEIR DATA

Managing Risk | Maximising Opportunity
www.controlrisks.com

The concept of employees using their own personal devices for work is gaining traction in many organizations. But whilst organizations can make savings in hardware purchasing costs from allowing their staff to work from personal devices, are they leaving themselves open to potentially far more damaging issues both for their bottom line and their reputation? In this article, we assess the implications of the Bring Your Own Device (BYOD) trend and offer ten steps for best practice data management.

In Asia, it is becoming common practice within many organizations for employees to use their personal devices for work even when they are in the office. This presents significant challenges for those responsible for managing company data, with vast swathes of information effectively off the radar. Global privacy laws vary greatly, but in many jurisdictions it can be difficult, if not impossible, to collect vital information from privately-owned laptops or smart phones without having a court order mandating it.

Companies can be at significant risk if their employees use personal laptops, tablets or smart phones at work. Should they need to investigate possible wrongdoing or defend themselves against civil or criminal actions - often at short notice in a crisis situation - they could be at a serious disadvantage because they cannot easily examine relevant data on their employees' personal devices. Such predicaments can be expensive if not dangerous.

Rather than proceeding reactively, it is wise to have policies and plans regarding personal electronic devices in place long before they are needed. The easiest solution is to provide electronic devices to employees to be used for all work-related matters, clearly communicating that the company has the right to retrieve data from them. It might be cheaper to have employees bring their own devices, but you are giving away a lot of control.
The following ten steps can help employers handle complicated issues regarding personal devices in the workplace:

1. Create a map of data flows

Is your data shared or on a server? Is it in laptops or desktops? Is it on a C-Drive or in clouds? Mapping corporate data flows gives a snapshot of data and communications streams. It helps to understand where data and messages originate, how much comes from personal or company-owned devices, what servers are involved and where they are located. If emails can be trapped on a company-owned server, reviewing them will be easier. This may not be the case if the company uses off-site cloud computing to handle data and message traffic.

Cultural practices can be problematic and must be addressed. In China and South Korea, for instance, people routinely use both company and personal emails for work-related purposes, blurring the line between what is personal and what is business. This is an issue Control Risks' eDiscovery team has encountered numerous times when supporting clients with their investigations.

2. Create a company-wide data classification system

The sensitivity of a company's internal information can differ tremendously. Some material may be innocuous, but some could negatively impact a company if released. Executives must consider each type of data and its level of importance. Highly sensitive information such as new product specifications or salary levels cannot be handled in the same manner as publicly available information. The solution is for the company to assess and define levels of sensitivity, educate employees about classifying data according to sensitivity, and restrict access accordingly.

3. Review privacy rules on employee use of personal devices

Company officials trying to reconcile the use of electronic devices need to establish early on what is allowed and what is not, keeping abreast of how applicable laws may be evolving. In Latin America, privacy laws increasingly favor individual over corporate rights, especially in countries such as Argentina and Chile that have strong cultural ties to Europe, known for its strong privacy laws. Countries such as Brazil float in the middle with no strong data privacy law.

Companies have to make it clear that employees must use company phones or computers when conducting daily operations. They also must be clear that the company has the right to monitor all messages and data involved with the company-owned devices. The statements must be worded in such a way that they can withstand court review if an employer and employee end up in a lawsuit or criminal proceeding. If a company allows workers to use their own smart phones for work-related purposes, they can require them to sign agreements allowing the company to scan the phones for corporate information.

4. Provide company-owned devices if practical

Providing employees with company-owned devices may be expensive, but this simple solution solves many problems. It eliminates an employee's excuse of needing to use personal devices to conduct company business, and gives the company the right to inspect and retrieve data. It also makes it easier for a company to maintain control during investigations without necessarily tipping its hand if it suspects that an employee is involved in something inappropriate.

5. Compile a list of vendors who can retrieve data

Situations requiring internal investigations typically arise without warning. Many companies are unprepared to deal with suspicions of bribery, fraud or embezzlement. One way for an organization to ensure that it is prepared for such an investigation is to have a list of pre-qualified vendors who can be called upon to help retrieve and analyze employees' electronic data and communications. Having a list of vendors can save a company time and money and help it to avoid making mistakes when emotions might run high.

Companies should keep in mind, though, that vendors' employees may also use their own laptops or smart phones. A vendor's methods of storing critically-important data may be unknown to the hiring firm or even outside of its control. The company can protect itself by having vendors sign agreements that their devices can be scanned for company information.

6. Inform employees of probes if possible

Even if an employee uses a company-owned device, he or she still has rights to privacy. Unless extenuating circumstances prevent it (such as the need for secrecy in the early stages of a probe), notifying the employee that the company wants to review their electronic device is usually advisable. How this is handled depends on local privacy laws. In some cases, a company may need to identify truly personal material on the company-owned device, such as family photographs or personal bank accounts. Failure to do so can have legal repercussions.

7. Have notaries present during data retrieval

If an employee's company-owned device is being examined and its data is being copied, a notary or other independent official with legal power should be present to witness the process if data privacy laws in the jurisdiction call for it. If incriminating files or messages are found, an employee could claim to not know where the data came from. The presence of a notary, or local equivalent, could help prevent charges that the company planted incriminating evidence in the equipment used by the employee.

8. Consider covert collection when appropriate

Investigations can involve extremely sensitive matters and sometimes the existence of the probe must not be revealed to an employee. In cases involving company-owned electronic devices, the company can quietly take control of a device, retrieve the data contents and examine them once the device is back in the employee's possession. However, such covert data collection should only be pursued after consultation with counsel, as it may violate local data privacy laws.

9. Instruct employees on the proper use of social media

Facebook, Twitter and other forms of social media are making it increasingly easy for employees to communicate company-related content outside of company control. Whilst social media can be used successfully as a marketing tool, it can be detrimental if an employee uses it to express opinions or publicize information that is harmful to the company. Some company systems limit access to such sites from corporate domains, but a personal device outflanks such filters. Companies should educate all employees about the potential hazards of social media, through corporate guidance and formal training.

10. Copy data when an employee leaves his job

Companies routinely keep copies of corporate documents for specific periods of time in case they are needed for tax or legal matters. Keeping copies of files stored on a company-owned device after an employee leaves their job can be a necessary safeguard. Such data, notably email messages, can help the company protect itself should the employee violate secrecy agreements regarding proprietary information or non-competition pacts. Companies should devote serious consideration to how long the files should be kept.

Even if a company plans well and creates clear and workable policies involving personal devices, it may confront other problems over which it has little control. Ultimately, the best approach is to proactively create formal plans and policies on using personal devices at the workplace. Doing so before an investigation is needed can spare companies from considerable frustration and expense.

Control Risks is an independent, global risk consultancy specialising in helping organisations manage political, integrity and security risks in complex and hostile environments. We support clients by providing strategic consultancy, expert analysis and in-depth investigations, handling sensitive political issues and providing practical on-the-ground protection and support. Our unique combination of services, geographical reach and the trust our clients place in us ensure we can help them to effectively solve their problems and realise new opportunities across the world. Learn more at www.controlrisks.com

Published by Control Risks Group Limited ("the Company"), Cottons Centre, Cottons Lane, London SE1 2QG. The Company endeavours to ensure the accuracy of all information supplied. Advice and opinions given represent the best judgement of the Company, but subject to Section 2 (1) Unfair Contract Terms Act 1977, the Company shall in no case be liable for any claims, or special, incidental or consequential damages, whether caused by the Company's negligence (or that of any member of its staff) or in any other way. Copyright: Control Risks Group Limited 2013. All rights reserved. Reproduction in whole or in part prohibited without the prior consent of the Company.