Posted on: March 10, 2017 in Blog
BYOD Privacy: 6 Considerations to Protect Your Business
We live in a world where corporations are working harder than ever to balance legal and regulatory obligations with business efficiency. This continued expansion of electronic data, partnered with the blurred lines between business and personal information, is straining already stretched legal departments. All of this leads to adding privacy and data leaks to the top of the list of growing concerns for organizations.
The rapid proliferation of ‘bring your own device,’ or BYOD, has created an extra layer of potentially nightmarish scenarios that can keep an organization’s C-Suite up at night. While there are many benefits to having employees access company data 24/7, in order to protect sensitive data and minimize the likelihood of data security leaks, it is important to consider established best practices.
First, there is no “one size fits all” approach. Second, BYOD policies should harmonize with existing information governance policies, employee handbooks and the like, specifically referencing those sections that address the handling of confidential and proprietary information.
When creating a policy, feedback from the C-suite, Legal, IT, and HR teams must be taken into account as they all have a stake in this process. Some areas that BYOD policies should address to minimize data privacy and security leaks are the following:
1. Applicable Device Guidelines
What does BYOD cover? Does it pertain to any device capable of accessing the network or does it simply mean all smart phones?
Different operating systems and nuances with Apple, Android, BlackBerry and Windows devices should be considered when creating your policy.
What about tablets, employee-owned personal laptops or wearable technology like watches or glasses? Make sure you have clear guidelines on what devices must abide by the policies.
2. Security Codes
Employees generally resist having to enter a four-digit PIN or password every time they access their phones, but this is an important step. If the phone is lost or stolen, it makes it that much harder for someone to access the mobile device data.
For those organizations that are publicly traded or dealing with confidential information, it is even more important to have this element in place.
3. Remote Wiping
Short of accidentally deleting that document that we have been working on, there are few IT issues that give us greater pause than completely wiping personal items like pictures from our phones. Unfortunately, IT must have the ability to remote-wipe a missing mobile device.
Employees must be conditioned to know that their FIRST call when a device is lost or stolen must be to IT. If an employee’s first call upon losing a phone is to their mobile carrier, the carrier will turn off the device — and with it the ability to remote wipe any data from it.
Banning the installation of apps, other than those downloaded from iTunes or Google Play, will significantly reduce the risk of installing viruses or malware that can put sensitive data and your entire network at risk.
5. Jailbroken Phones
A 'jailbroken' phone is one on which the user has removed the mobile device operating system or carrier settings. Any modified phones should be banned, as they are more likely to contain malware.
6. Separated Employees
Whether the separation is voluntary or involuntary, a well-constructed BYOD policy needs to address what happens with the data that lives on a device when an employee is no longer an employee of an organization. Making sure your policy includes a protocol to reacquire or wipe all corporate information on the device is a best practice to support data privacy.
Before wiping a device, be sure that there is no further need for the data and that it won't become necessary evidence later on. Your policy should indicate how long data should be preserved if there is any possibility that the data will need to be used for investigative purposes, or if there is a threat of intellectual property theft.
Far from being an exhaustive list, the above suggestions are meant to assist an organization in beginning the conversation around the creation of a thorough BYOD policy. Although it is unlikely that any policy can completely limit all potential exposure of confidential data, a well-documented policy that is adhered to will limit liability as well as assist in protecting trade secrets and personally identifiable information and in guarding against breaches of the corporate network.