Your company can manage the risks associated with BYOD (Bring Your Own Device) by adopting policies and agreements that fit your risk tolerance, trust assessment, and regulatory context. However, the only way to guarantee your right to access all information on a device is to own the device. In 2010, in City of Ontario v. Quon, the U.S. Supreme Court upheld a public employer's review of messages sent on an employer-issued pager as a reasonable search.
However, the Court did not address a company's right to access information on personal devices, and it expressly declined to rule broadly on privacy expectations in employer-provided technology. Therefore, there is inherent risk in a BYOD policy for employers who want access to all communications and data on personal devices used by their employees.
Mitigating Security Risks
The content of your BYOD policy (or your choice to forgo a policy) should be decided by thoroughly analyzing the following:
- The sensitivity of the information your employees handle
- The inherent security concerns in your industry
- The legal regulations you face
- Your ability to oversee and manage the use of such devices
Once that analysis is done, consider the following measures:
- Initiate a "wipe" policy. Require employees to enroll any device used for work in mobile device management (MDM) software that lets you remotely lock and wipe it, so that a lost or stolen device does not expose company data. Many of these products can also keep work data in a managed container (a "sandbox") that is separate from the personal side of the device, so that a wipe can be limited to the work container rather than the whole phone.
- Require written agreements. Once you have chosen software that fits your needs, have employees sign a written agreement that discloses the risks of the software (such as loss of personal data during a wipe) and requires them to install it on any device used to access work-related information.
- Make the privilege exclusive. Allow only certain employees to use personal devices, and exclude personnel who routinely handle sensitive data or personally identifiable information. Further, limit what is accessible from a personal device to low-sensitivity services such as e-mail.
- Make device inspection part of the exit interview. Have employees consent in writing to having their devices inspected at exit interviews, and obtain permission to remotely wipe the work data on any terminated employee's device. If the device uses a managed container, a selective wipe of that container removes company data without erasing the employee's personal content.
- Don't allow employees to store corporate information on personal devices. Have them sign a written agreement that they will not store corporate information on their personal devices and, where possible, enforce it technically (for example, by blocking downloads and copy-and-paste from work applications to personal ones) rather than relying on the signature alone.
- Require employees to produce their devices for inspection. Have them sign a written agreement that they will turn over their personal devices for inspection upon a legitimate request.
Although dual-use devices have created difficult legal and security issues for employers, you can mitigate the risks by implementing a properly crafted policy and using device-management software. However, because the law on this issue is not settled, consult an attorney before creating a BYOD policy to be sure you fully understand all the risks involved.