Here are some questions to keep in mind as you develop policies for Company-owned devices issued to employees:
1. Do you have an “Acceptable Use” policy in place? Does it apply to both Company-owned and BYOD devices?
2. Do you restrict the employee’s use of Company-owned devices? (E.g., to be used for business purposes only, avoid storing personal information on the device, all information on the device shall be considered “owned” by the Company.)
3. Have you retained the right to take back any equipment that an employee does not use properly? Similarly, do you ensure that Company-owned devices are surrendered upon termination?
4. Do you require strong passwords to secure all portable devices (both BYOD and Company-owned)? (You should. See, e.g., Eric Griffith, “How to Create Strong Passwords,” PC Magazine, Nov. 29, 2011, for some good tips.) Once you require passwords, remind your employees not to tape them to the front of their devices – instead, suggest alternate ways of remembering the unique passwords they just created.
5. What about using portable devices on public or unsecured networks? (For instance, at the coffee shop while waiting for that triple-shot latte.) Have you provided guidelines and training to your employees to avoid disclosing Company-sensitive information across such public networks? This is especially important if the information is mission critical or could destroy the Company’s tactical advantage if its competitor were to access it.
6. Do you require employees to report immediately the theft or loss of a Company-owned device? Prompt reporting allows the Company to block potentially damaging intrusion attempts or to change the affected employee’s passwords to prevent unauthorized access. The Company’s hands will be tied if the employee does not report the loss until several days later.
7. Do you provide rules about whether Company documents can be downloaded to external devices and under what circumstances? Consider mobile device management software to control the downloading of Company information to the device, to track the location of Company-owned devices and to enable remote wiping if the device is lost or stolen.
8. Who handles the system updates to the device? The Company? (Probably, unless it’s a BYOD device.) The employee? (Probably only if the device is personally owned by the employee.) If it’s a Company obligation, then ensure that the device is accessible to the Company when needed (i.e., “on demand”) to fulfill this requirement.
9. Will the employees’ family members be accessing the device? (More likely if it’s the only device in the house – less likely if there are other options available to the family.) Consider restricting use of Company-owned devices to employees only.
10. Do you prohibit the downloading of unauthorized content to the device? Whether it’s pornography, another company’s trade secrets or pirated videos streaming the latest (copyrighted) episode of a favorite show, none of these things belong on most companies’ business equipment, and they could expose the Company to liability from a third party who owns the rights to the content.
11. Do you require encryption or password-protection when transmitting particularly sensitive Company information to outsiders? If not, you should. Take every opportunity to protect the Company’s trade secrets and try to keep them from public dissemination. Having a reliable system in place increases the chances that a court would conclude that the Company’s trade secrets are deserving of such protection in the event of a breach.
Notably, in the 2012 Target data breach, the large, well-funded entity (Target) was not the source of the leak that allowed hackers to steal thousands of customer credit card numbers. Instead, it was the HVAC servicing company that had minimal security protocols in place and effectively acted as the front door to enable the hackers to steal the data over a surprisingly long period of time.
12. Does the Company have record-keeping requirements (statutory, regulatory, etc.) that would apply to an employee’s use of a portable device? Are employees who work remotely required to keep Company records and maintain certain Company files? If so, consider implementing rules identifying when such record keeping should occur and provide guidelines for destroying extra copies or other pages that the employee might otherwise throw out in the trash at a remote site. (Some states have “safe destruction of documents” laws intended to reduce the likelihood of identity theft or other unauthorized access of personally-identifiable information.)
A few closing thoughts – take every precaution to keep Company data secure. Always require the installation and use of anti-malware/anti-virus and other security tools to limit a potential thief’s ability to misuse the Company’s data or to leave code behind that continues to collect the data even after the potential thief has appeared to withdraw.
The more conscientious you are about keeping Company data secure, the more likely you are to avoid severe consequences (or at least reduce them) in the event of a data breach – whether the breach is caused by the concerted efforts of outsiders, by wrongful conduct of your own employees or by unintentional mishaps (such as the employee leaving the device in the back of a cab during a hectic business trip). Watching the doors is always worthwhile.
Copyright (c) 2016, Christina D. Frangiosa, All Rights Reserved.