Not that long ago (though it may seem like forever), workers depended on a traditional brick-and-mortar building, where they were often tethered to the company Ethernet cable or a corded telephone. As mobile electronics have become more advanced and are used in all areas of our lives, however, the way workers access company data continues to change rapidly. The use of iPads, iPhones, and other similar mobile devices has become increasingly common, and is often a popular choice because it enables employees to work from virtually any location.
While many companies provide their employees with company-specific devices, some business owners are turning to Bring Your Own Device (“BYOD”) plans instead. A BYOD plan is often an attractive choice for the employer and the employee because it typically saves the employer from having to purchase expensive equipment, and the employee is able to choose their preferred platform and specific device. While a BYOD plan has many benefits, it also has risks and difficulties of which an employer should be aware.
POTENTIAL RISKS TO BUSINESSES WITH A BYOD POLICY
Increased productivity, happier employees, and lower overhead are just a few reasons that companies are becoming more accepting of BYOD plans. With these benefits come some significant risks and concerns for the business, which employers should address by developing a comprehensive BYOD plan.
Mobile devices have the capability to connect to both public and private access points. It is very difficult for employees to maintain the integrity and confidentiality of company data, because public access points, and even private access points, are susceptible to eavesdropping.
Additionally, many devices are equipped with a substantial amount of memory, which on personal devices is often not encrypted because many users are not even aware of the need for encryption. It is alarmingly simple for confidential data on personal devices to get into the hands of third parties, including competitors or cyber criminals.
DATA SECURITY WITH A BYOD POLICY
Fortunately, options are available to help companies protect themselves. To begin with, employers may wish to consider the use of a VPN to create a secure network through which employees can access data. An additional option that can prove extremely helpful in the event that data is breached is Data Loss Prevention (DLP) software. DLP is designed to alert the administrator when company data flows through an unrecognized channel.
Also, most modern mobile devices and operating systems now include automatic cloud backup of at least a portion of the data contained on the device. An employer may need to have its employees advise the company of any cloud-based storage being used with the employees’ devices, and employers may need to consider having access to any cloud storage of confidential company documents or data. This is important for a business to consider because the business data stored on a device or captured in the backup process may contain trade secrets or other confidential or important information related to the business that should not be stored on personal cloud storage. It also becomes increasingly difficult to manage and protect company data as it is moved around an organization, and adding an employee’s personal device increases this problem. The concern is how a company can guarantee that the business data on the employee’s device remains secure. It is advisable for the employer to require employees to password protect each personal device and to ensure that the device has an encrypted, secure portion for any business data that resides on the device.
IS YOUR BUSINESS AWARE OF WHAT DATA IT IS HANDLING, PROCESSING, AND/OR STORING? ARE YOU COMPLYING WITH THE APPLICABLE DATA PRIVACY AND SECURITY REGULATIONS?
In addition to the protection and security of the data stored on a BYOD device, a business also has responsibilities associated with keeping track of its data. Depending on the industry and geographical location in which your business operates and the type of data your business is handling or processing, different governmental regulations regarding privacy and data security apply to your business.
Once a device contains business-related data, it is advisable to install software or hardware controls such as device locators, remote monitoring, records management, and remote wipe capabilities to be utilized in the event that the device is lost, destroyed, or stolen. Another concern is whether any legal holds and/or eDiscovery rules apply, as business documents read, created, or updated on employee devices used for a business are subject to legal hold and discovery. The Federal Rules of Civil Procedure (FRCP) state that a business must preserve and produce electronically stored data under its control. If your business becomes the target of a legal or regulatory discovery action, your employees’ devices, including stored data, may be subject to legal hold. It is important to be prepared for this and to ensure your BYOD practices and policy cover how this will be managed.
IMPLEMENT POLICIES AND PROCEDURES REGARDING YOUR BUSINESS’ BYOD PLAN
Additionally, companies that are considering implementing a BYOD plan could benefit from creating a formal BYOD Policy and Agreement (“BYOD Policy”) with terms and conditions that employees who use personal devices for business purposes are responsible for reading and signing.
HAVE BYOD TERMS AND CONDITIONS FOR YOUR EMPLOYEES TO EXECUTE, WHICH INCLUDE PROTECTIONS OF CONFIDENTIAL AND PROPRIETARY INFORMATION, INCLUDING APPLICABLE DATA PROTECTIONS
It is recommended that you have a BYOD Policy covering all of these issues, and your BYOD Policy should even specify what systems and data your employees’ BYOD devices do and do not have access to. Your BYOD Policy should also include clear procedures and a requirement that employees immediately report lost or stolen devices so that appropriate notices and actions can be taken. While the BYOD Policy is very important in protecting your business and third-party data, it is also important to protect the privacy of your employees. As such, your BYOD Policy should specify what amount of access to and use of your employees’ personal data is necessary and part of your business processes.
WHAT HAPPENS WHEN AN EMPLOYEE LEAVES YOUR BUSINESS? DO YOU HAVE A CLEAR POLICY ON YOUR DATA PROTECTION, SYSTEM ACCESS, AND SECURITY PROCEDURES THAT A FORMER EMPLOYEE NEEDS TO FOLLOW AND BE REMINDED ABOUT?
It is important that any BYOD Policy state what is required when an employee leaves employment with your company, after termination for any reason. After termination, the possibility of data loss or data theft is high, and your BYOD Policy should be clear on the duties and processes that need to take place after any termination. This includes preventing the terminated employee’s access to your systems, data, and documents as soon as practicable, and this should be managed before the employee leaves with his/her device.
As part of your BYOD plan for your business, a written version of your plan and BYOD Policy should be provided to each employee for signature to show that your BYOD Policy was read and accepted by the employee. Your BYOD Policy is crucial to protecting your business’s confidential and proprietary information, including any applicable data and/or trade secrets. In addition to the written BYOD Policy, training on the BYOD Policy for your business is also essential. Without training and informing employees of the proper uses, procedures, and necessary protections, a data breach is likely to occur.
BYOD is a reality in today’s world. All businesses need to consider and understand the risks and concerns involved with BYOD. Implementing a proper BYOD plan and written BYOD Policy with your employees is recommended for limiting the risks associated with the plan.
Should you have any questions about BYOD policies and plans or would like to schedule a free initial consultation, please contact Waltz, Palmer & Dawson, LLC at (847)253-8800 or contact us online.
Waltz, Palmer & Dawson, LLC is a full-service law firm with various areas of service to assist your business, including: Employment Law, Intellectual Property, Commercial Real Estate, Business Immigration, Litigation and general Business Law services. Individual services include Estate Planning, Wills and Trusts, Probate, Guardianship, Divorce and Family Law.
This article constitutes attorney advertising. The material is for informational purposes only and does not constitute legal advice.