We live in a world where corporations are working harder than ever to balance legal and regulatory obligations with business efficiency. This continued expansion of electronic data, partnered with the blurred lines between business and personal information, is straining already stretched legal departments. All of this leads to adding privacy and data leaks to the top of the list of growing concerns for organizations.
The rapid proliferation of ‘bring your own device,’ or BYOD, has created an extra layer of potentially nightmarish scenarios that can keep an organization’s C-Suite up at night. While there are many benefits to having employees access company data 24/7, in order to protect sensitive data and minimize the likelihood of data security leaks, it is important to consider established best practices.
First, there is no “one size fits all” approach. Second, BYOD policies should harmonize with existing information governance policies, employee handbooks and the like, specifically referencing those sections that address the handling of confidential and proprietary information.
When creating a policy, feedback from the C-suite, Legal, IT, and HR teams must be taken into account as they all have a stake in this process. Some areas that BYOD policies should address to minimize data privacy and security leaks are the following:
1. Applicable Device Guidelines
What does BYOD cover? Does it pertain to any device capable of accessing the network, or does it simply mean all smartphones?
Different operating systems and nuances with Apple, Android, BlackBerry and Windows devices should be considered when creating your policy.
What about tablets, employee-owned personal laptops or wearable technology like watches or glasses? Make sure you have clear guidelines on what devices must abide by the policies.
2. Security Codes
Employees generally resist having to enter a four-digit PIN or password every time they unlock their phones, but this is an important step. If the phone is lost or stolen, it makes it that much harder for someone to access the data on the device.
For those organizations that are publicly traded or dealing with confidential information, it is even more important to have this element in place.
3. Remote Wiping
Short of accidentally deleting the document we have been working on, few IT issues give us greater pause than having personal items like pictures completely wiped from our phones. Unfortunately, IT must have the ability to remote-wipe a missing mobile device.
Employees must be conditioned to know that their FIRST call when a device is lost or stolen must be to IT. If an employee’s first call upon losing a phone is to their mobile carrier, the carrier will turn off the device — and with it the ability to remote wipe any data from it.
4. App Installation
Banning the installation of apps other than those downloaded from the official stores (iTunes or Google Play) will significantly reduce the risk of installing viruses or malware that can put sensitive data, and your entire network, at risk.
5. Jailbroken Phones
A ‘jailbroken’ phone is one on which the user has removed or modified the mobile device operating system or carrier settings. Any modified phones should be banned: because jailbreaking strips out the security controls built into the operating system, these devices are more likely to contain malware, and they cannot be relied on to enforce the passcode and remote-wipe requirements above.
6. Separated Employees
Whether the separation is voluntary or involuntary, a well-constructed BYOD policy needs to address what happens to the data that lives on a device when an employee is no longer employed by the organization. Including a protocol to reacquire or wipe all corporate information on the device is a best practice that supports data privacy.
Before wiping a device, be sure that there is no further need for the data and that it will not become necessary evidence later on. Your policy should indicate how long data should be preserved if there is any possibility that it will be needed for investigative purposes, or if there is a threat of intellectual property theft.
Far from being an exhaustive list, the above suggestions are meant to help an organization begin the conversation around creating a thorough BYOD policy. Although it is unlikely that any policy can completely eliminate the potential exposure of confidential data, a well-documented and consistently followed policy will limit liability, help protect trade secrets and personally identifiable information, and reduce the risk of breaches of the corporate network.