{"id":59766,"date":"2014-09-18T21:57:03","date_gmt":"2014-09-19T01:57:03","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-07-04T13:48:02","modified_gmt":"2021-07-04T17:48:02","slug":"10-policies-to-minimize-byod-risk","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/10-policies-to-minimize-byod-risk\/","title":{"rendered":"10 Policies to Minimize BYOD Risk"},"content":{"rendered":"

\"Mandatory<\/a>The challenge for employers offering BYOD<\/a>, according<\/a> to\u00a0schnaderworks<\/a>, a labor and employment blog from Schnader Harrison Segal & Lewis LLP<\/a>, is finding the right cost\/benefit balance for their businesses. In developing an effective \u201c<\/strong>bring your own device\u201d (BYOD) policy, employers must first identify which employees will be eligible for the program according to the blog.<\/p>\n

Onc\"10<\/a>e the basic parameters are set, the lawyers stress a written policy is essential to set up ground rules and permit enforcement to protect the company\u2019s data and other interests. They suggest the following steps are key to establishing an effective BYOD policy:<\/p>\n

1. Establish a Mandatory Authorization Process:<\/em><\/strong>\u00a0 The lawyers say this should be completed before an employee can use company data and systems on a personal mobile device<\/a>.<\/p>\n

\"Require<\/a>2. Require Password<\/a> Protection:\u00a0<\/strong><\/em> Each authorized device should have the same password protection as an employer-issued device.\u00a0 According to the article, such protections include limiting the number of password entry attempts, setting the device to time out after a period of inactivity, and requiring new passwords at regular intervals.<\/p>\n

3. Clarify Data Ownership<\/em><\/strong>:\u00a0 A BYOD policy should specifically address who owns the data stored on the authorized device. It should be clear that company data belongs to the employer and that all company data will be remotely wiped from the device if the employee violates the BYOD policy, terminates employment, or switches to a new device. The policy should also alert employees that it is their responsibility to backup any personal data stored on the authorized device states the article.<\/p>\n

\"Spell<\/a>4. Control the Use of Risky Applications and Third Party Storage<\/em><\/strong>:\u00a0 Schnader Harrison Segal & Lewis recommends employers may want to ban the use of applications that present known data security<\/a> risks, such as the use of \u201cjailbroken\u201d or \u201crooted\u201d devices and cloud storage.<\/p>\n

5. Limit Employee Privacy Expectations<\/em><\/strong> The BYOD policy should clearly disclose the extent to which the employer will have access to an employee\u2019s personal data stored on an authorized device and state whether such personal data is stored on the company\u2019s backup systems. The article recommends minimizing the co-mingling of company and personal data. Employers may want to install software that permits the \u201csegmenting\u201d of authorized devices.\u00a0 However, no matter what measures the company takes to preserve employee privacy, the policy must emphasize that the company does not guarantee employee privacy if an employee opts in to the BYOD program.<\/p>\n

\"Control<\/a>6. Address Any Business-Specific Privacy Issues<\/a><\/em><\/strong>:\u00a0 Certain businesses are subject to legal requirements about the storage of private personal information (such as social security numbers, drivers\u2019 license numbers, and credit and debit card numbers, etc.) which may need to be addressed in a BYOD policy.\u00a0 The blog points out that HIPAA<\/a> requires native encryption on any device that holds data subject to the act. An employer may need to put in place processes prohibiting or limiting remote access for certain categories of sensitive data.<\/p>\n

7. Consider Wage and Hour Issues<\/em><\/strong>:\u00a0 Permitting employees to use an authorized device for work purposes outside of the employee\u2019s regular work hours may trigger wage and hour claims. The lawyers suggest the BYOD policy should set forth the employer\u2019s expectations about after-hours use\u00a0 (such as a requirement that non-exempt employees must refrain from checking or responding to work emails, voice mail, and texts after hours) (rb- Yeah<\/em>).<\/p>\n

\"BYOD<\/a>8. Ensure Compliance with Company Confidentiality Policies<\/em><\/strong>.\u00a0 The author says a BYOD policy should reiterate that an employee using an authorized device must comply with all company policies on confidentiality and the \u201cacceptable use\u201d of company information.<\/p>\n

9. Spell Out Procedures In Case of Loss or Theft<\/em><\/strong>:\u00a0 The employer should set up a specific protocol to be followed in the event an authorized device is lost or stolen. The blog says the process should include the prompt reporting of a lost or stolen device and the remote wiping of the device.<\/p>\n

\"Insure<\/a>10. Document Employee Consent<\/em><\/strong>:\u00a0 Finally the law firm, in good lawyer form, suggests the employer should get an employee\u2019s written consent to all terms and conditions of the BYOD policy.<\/p>\n

Related articles<\/h6>\n