Posted on: March 10, 2017in Blog
BYOD Privacy: 6 Considerations to Protect Your Business
We live in a world where corporations are working harder than ever to balance legal and regulatory obligations with business efficiency. This continued expansion of electronic data, partnered with the blurred lines between business and personal information, is straining already stretched legal departments. All of this leads to adding privacy and data leaks to the top of the list of growing concerns for organizations.
The rapid proliferation of ‘bring your own device,’ or BYOD, has created an extra layer of potentially nightmarish scenarios that can keep an organization’s C-Suite up at night. While there are many benefits to having employees access company data 24/7, in order to protect sensitive data and minimize the likelihood of data security leaks, it is important to consider established best practices.
First, there is no “one size fits all” approach. Second, BYOD policies should harmonize with existing information governance policies, employee handbooks and the like, specifically referencing those sections that address the handling of confidential and proprietary information.
When creating a policy, feedback from the C-suite, Legal, IT, and HR teams must be taken into account as they all have a stake in this process. Some areas that BYOD policies should address to minimize data privacy and security leaks are the following:
1. Applicable Device Guidelines
What does BYOD cover? Does it pertain to any device capable of accessing the network or does it simply mean all smart phones?
Different operating systems and nuances with Apple, Android, BlackBerry and Windows devices should be considered when creating your policy. Download this white paper to get ahead of future legal hold and preservation challenges.
What about tablets, employee-owned personal laptops or wearable technology like watches or glasses? Make sure you have clear guidelines on what devices must abide by the policies.
2. Security Codes
Employees generally resist having to enter a four-digit pin or password every time they enter their phones, but this important step. If the phone is lost or stolen, it makes it that much harder for someone to access the mobile device data.
For those organizations that are publicly traded or dealing with confidential information, it is even more important to have this element in place.
3. Remote Wiping
Short of accidentally deleting that document that we have been working on, there are few IT issues that give us greater pause for concern than completely wiping personal items like pictures from your phone. Unfortunately, IT must have the ability to remote-wipe a missing mobile device.
Employees must be conditioned to know that their FIRST call when a device is lost or stolen must be to IT. If an employee’s first call upon losing a phone is to their mobile carrier, the carrier will turn off the device — and with it the ability to remote wipe any data from it.
Banning the installation of apps, other than those downloaded from iTunes or GooglePlay, will significantly reduce the risk of installing viruses or malware that can put sensitive data and your entire network at risk.
5. Jailbroken Phones
A 'jailbroken' phone is when a user removes the mobile device operating system or carrier settings. Any modified phones should be banned as they are more likely to contain malware.
6. Separated Employees
Whether voluntary or involuntary, a well-constructed BYOD policy needs to address what happens with the data that lives on a device when an employee is no longer an employee of an organization. Make sure your policy includes a protocol to reacquire or wipe all corporate information on the device is a best practice to support data privacy.
Before wiping a device, be sure that there is no further need for the data or it won't become necessary evidence later on. Your policy should indicate how long data should be preserved if there is any possibility that the data will need to be used for investigative purposes, or if there is threat of intellectual property theft.
Far from being an exhaustive list, the above suggestions are meant to assist an organization in beginning the conversation around the creation of a thorough BYOD policy. Although it is unlikely that any policy created can completely limit all potential exposure of confidential data, a well-documented and adhered to policy will limit liability as well assist in protecting trade secrets, personally identifiable information and breaches to the corporate network.
- 4 Things to Consider about iPhone OS for an MDM Policy
- 5 Things You May be Leaving Out of Your BYOD Policy
- 3 Methods of Mobile Device Extractions and the Data Each Contains
- 5 Cases that Highlight the Challenges of Mobile Device Preservation
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted May 17, 2017
How to Comply with 21 CFR and HIPAA Data Retention Requirements
Posted May 11, 2017
4 Key Advantages of Conducting Remote Depositions
Posted May 03, 2017
eDiscovery in International Dispute Resolution: What Experts Want You to Know
Posted April 27, 2017
China Expands Data Transfer Requirements for its Cybersecurity Law
Posted April 26, 2017
How to Use Office 365 Advanced eDiscovery to Prioritize Your Review
Posted April 21, 2017
American Bar Association Section of International Law | 2017 Spring Meeting in Washington DC
Posted April 19, 2017
Office 365 Enterprise E5: 6 Features That Could Benefit Your Business
Posted April 12, 2017
Data Reuse in eDiscovery: 4 Questions to Help Start Your Policy
Posted April 05, 2017
ESI Data Mapping Basics for eDiscovery
Posted March 30, 2017
China’s Cybersecurity Law: Objectives, Compliance and Business Recommendations