BYOD Policies: A Litigation Perspective



General Counsel Panel Reveals the Real Deal BYOD Policies: A Litigation Perspective By Andrew Hinkes Reprinted with Permission

Bring-your-own-device (BYOD) policies are an emerging solution to a new problem: How can an employer control the movement of company data when employees use their own personal devices instead of company-issued devices? With the growing ubiquity of smart phones and digital appliances, it is more and more common to see employees managing their lives through their personal devices, which are often newer and more user-friendly than company-issued devices. Many employees do not want to carry multiple devices and would rather manage their lives on a single device. Likewise, companies are hesitant to devote increasingly large budgets to keep up with employees' desire for constantly evolving mobile devices. BYOD policies can provide the solution.

Creating and implementing BYOD policies require joint participation of legal, management, compliance, risk, and information technology (IT), and require planning and forethought. If properly implemented, these policies can allow employees the flexibility of using their own devices to access company resources while allowing employers to maintain control over company data, reduce IT costs, and control overhead expenses. Properly implemented policies can also lessen the expense, time, and confusion inherent in litigation holds and discovery production from mobile devices.

What Is a BYOD Policy, Why Do I Need One, and What Does It Do?

The use of employee-owned personal mobile devices such as smart phones, tablets, and laptops in the workplace is increasingly common. Employee-owned devices are often newer and more user-friendly than employer-issued devices, which, due to lease programs, may be years older (and generations behind) employee-owned devices. Whether it is a user-friendliness issue or simply that employees do not want to carry multiple devices, employees and employers alike have moved to embrace BYOD.

If your company has not already embraced BYOD, it is in the minority. A Gartner survey found that 70 percent of corporate respondents already have, or are planning to have, BYOD policies in place in the next 12 months. This represents a conceptual shift for employers: IT departments are no longer managing devices; instead, they are managing and protecting employer data. If properly implemented, a BYOD policy can result in higher morale and workplace satisfaction for employees along with more accessibility. There are, however, significant risks and liability issues that are less manageable when an employee owns the networked device and can use it independently for tasks unrelated to employment. The key consideration in crafting a BYOD policy is the balance between the desire to allow the employee full rein over the employee's own device and the employer's need to impose controls to protect company data.

Key Considerations for a BYOD Policy

When crafting a BYOD policy, consider the following:

1. preserving employer confidentiality over sensitive data and trade secrets
2. balancing employer data security with employee right to privacy
3. ownership and cost issues
4. policy synergy
5. training and employee buy-in

Preservation of confidentiality over sensitive data and trade secrets is the primary purpose of a BYOD policy. Modern companies deal in information as much as products, and employee use of personal devices may potentially expose company data to espionage or simple loss.

Preservation of confidential information and trade secrets. Companies must take steps to protect their confidential information, including price lists, customer lists, and financial information. Data has become incredibly portable and mobile; every device is a walking hard drive. Thus, limiting the distribution of employer-protected confidential business information is critical. A BYOD policy should establish which employees should have access to what information on their personal devices on a need-to-know basis. If an employee-owned device holding confidential information is compromised or misused, it can pose a significant risk to a business. Lost business data may attract unwanted publicity and can lead to the erosion of customer and employee confidence in the organization's ability to manage its business. In the era of employer-issued devices, the easy solution was to remotely wipe the device; it is considerably harder to manage lost-data events when a remote wipe of the device will also destroy your employee's personal data on the device. In certain situations, including those involving concerns for the Health Insurance Portability and Accountability Act, the Securities and Exchange Commission, and Sarbanes-Oxley, there are regulatory or compliance obligations that require special control and protection for data.

Likewise, European data-protection laws impose obligations upon data controllers to keep personal data secure and to take appropriate technical and organizational measures against unauthorized processing or accidental loss or destruction of personal data. For certain European operations, a company may be legally obliged to report data-security breaches to the Data Protection Commissioner. Your BYOD policy should incorporate reporting procedures to comply with regulatory reporting obligations. BYOD policies should discuss both technical and organizational safeguards dealing with data loss. Mobile-device-management software that allows for centralized management across multiple devices can provide the amount of control needed to regulate employee-owned devices. However, as discussed further below, employers should require users to expressly consent to this intrusion into their personal devices.

What safeguards against loss of confidential information and trade secrets exist and are actually implemented can have significant impact in litigation. BYOD safeguards must dovetail and harmonize with company document-retention and -destruction policies; unevenly enforced retention and preservation policies may operate as a waiver of safe-harbor defenses under litigation rules.

Balancing security with right to privacy. A BYOD policy should seek to balance employee personal privacy with the company's right to control business information on the device. Great care must be taken when accessing, processing, and managing personal and private data of an employee. Embarrassment and potential claims can originate from clumsy handling of employee devices. Most BYOD policies will include a certain degree of monitoring on the devices to regulate access to company data. To comply with data-protection requirements, organizations should set out clearly what information on the employee-owned device might be monitored and/or accessed. A company should be able to demonstrate that its employees have given fully informed and unambiguous consent to the company to reach data on their personal devices. Particular focus should be placed upon any security or access software to be installed on their devices. The employee should be trained to ensure he or she understands how the management software operates, and so that there is no doubt about the nature of the consent given to its use. Employees should also be informed of their right to revoke their consent at a later date if so desired.

Ownership and cost issues. A BYOD policy typically includes some financial incentive to the employee to agree to and abide by a BYOD policy. This could involve funding employee data plans, insuring the device for loss or theft, or subsidizing the purchase price of the employee device. The policy, however, should make clear that the company is not liable for whatever the employee does with the device, even if the company subsidizes the purchase or use of the employee-owned device. The BYOD policy should clearly set out how the business and personal uses of the device will be differentiated and paid for. Tax advice may be needed to deal with benefit-in-kind issues associated with BYOD. BYOD policies need to clearly articulate policies and procedures in case of employee loss of the device containing company data. What happens when an employee wants to sell his or her device? Or loses the device? Does the organization have the right to buy the device from the employee upon termination of employment? Does the company have the right to demand the device be provided to the company for a data scrub before sale? How can you enforce a policy of wiping a device before it is sold or retired by a user? It is important for the company to make sure that its BYOD policy anticipates the life cycle of the device. It should answer these questions clearly and should include appropriate provision for contingencies that might arise.

Policy synergy. Your company's BYOD policy should integrate with other critical company policies. For example, a company cannot maintain different retention periods or retention and destruction practices on mobile devices. Other policies that must incorporate the BYOD policy include litigation-hold policies and procedures, information-security policies, acceptable-Internet-use policies, social-media policies, and harassment/discrimination policies. These policies together will establish standard-of-care and/or retention standards that are critical in litigation. Notifying and training employees on these policies is essential.

Training and employee buy-in. Without training of employees and obtaining express employee consent, your BYOD policy will not make it off the ground. Employees should be provided a copy of the policy, receive training on the policy, and sign express authorizations to allow for monitoring and/or remote wipe or disablement of their devices. The BYOD policy must be clear, must be maintained in written form, and must be enforced.

Terms to Include in a BYOD Policy

A BYOD policy should include some or all of the following:

- definition of acceptable use, addressing the purposes for which the device and data may be used for business, technologies that may be used on the device, network access, and any other restrictions;
- security measures that the organization will take to protect business and private data on the device;
- when monitoring of the device can occur and the procedures that are in place for accessing an employee's device;
- informed employee consent allowing the employer to access, back up, audit, and monitor the device and the different types of data on the device;
- the device- and data-loss policy, dealing with what happens if the device is lost or is compromised in some way, and the related obligations of the employee;
- ownership of the device and the contract with the mobile-phone operator;
- management of the device, data, and business software on the device upon termination of the employment relationship.

Litigation Risks of Implementing BYOD

BYOD policies are intended to clarify ownership issues and protect both the company/employer and the employee. However, even the most artfully drafted, properly implemented policy still creates risk to the company. Allowing employees to possess company data in any circumstance exposes company data to theft or misappropriation. Likewise, decreased security over the device increases the likelihood of accidental or intentional theft, or hacking, and makes intentional acts of theft by employees easier.

If a device is lost and/or hacked and data is compromised, failure to adhere to company minimum standards could give rise to an argument that the company did not adequately secure data. Any litigation on this basis may turn on the expectation of privacy when using company-issued devices. In Quon v. City of Ontario, decided by the U.S. Supreme Court in 2012, the issue presented was whether an employee had a reasonable expectation of privacy for private messages sent and received on a city-owned texting device while the employee was off duty and whether a search of that data was reasonable. The Court held that the policies in place governed the employee's rights to the extent that those stated policies were enforced.

BYOD policies may complicate discovery in litigation, as companies may find it more difficult or expensive to sequester personal versus company data during e-discovery. Surrendering personal data is a touchy subject, and it may be difficult to practically accomplish an image of a mobile device without capturing some employee personal data along with company data. Clear policies can help reduce the likelihood of unnecessary exposure of personal data in discovery.

BYOD implementation complicates company incident response because it is harder to obtain physical access to a device, especially if the adverse party is the employee with the personal device. Remotely wiping a device is less complicated for a company-issued device than for a personal device. Personal device use may also invite malicious payload invasions (i.e., viruses, worms, or malware) that may migrate into the corporate network and jeopardize company data, or may wipe out unique data stored only on a local device.

Ten Tips to Help Your Company Implement BYOD

1. Start with email. Enterprise email solutions that many companies already use include centralized management tools for mobile users, making email deployment the easiest to manage.
2. Review your current policies. Your current security policies for web applications will likely apply to mobile devices as well.
3. Pick a device. Determine what device or devices you will support, with an emphasis on the security features of those devices and the availability of tools for remote management.
4. Set clear expectations. Train and educate your employees on their rights and responsibilities.
5. Write clear and concise policies. Create clear, understandable terms of use that employees sign and that are maintained by your human resources department.
6. PIN/authentication is mandatory. Encryption is mandatory.
7. Pick apps. Certain apps can facilitate a mass exodus of company information or can serve as a conduit for viruses and malware. Choose carefully what apps are and are not allowable.
8. Use mobile-device-management software. Commercial software packages can include information push and mobile central control of company data, and can remotely wipe a device.
9. Address what happens when an employee leaves. Define what will happen when employees with devices on your BYOD platform leave the company. Consider how you will enforce the removal of access tokens, email access, data, and other proprietary applications and information.
10. Integrate your BYOD plan with your acceptable-use policy. Clearly explain in writing what is and is not acceptable use on the employee-owned device that will be holding company data. Discussions about an acceptable-use policy are required to protect company data and shield the company from liability.

Remember that written, enforced policies will protect the company in litigation. Take care when implementing policies to ensure that employees are properly trained and that their use complies with policies. BYOD policies require coordination between management, IT, legal, risk, and compliance to ensure that they comply with other regulatory obligations and data-protection and -retention policies already in place. If properly executed and implemented, BYOD policies can empower employees, protect employers, and save company time and money.

Andrew Hinkes is an attorney at Berger Singerman in Fort Lauderdale, Florida.

Copyright 2014, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).