Bloomberg Law
July 6, 2015, 1:43 PM UTC

BYOD Privacy and Policies: How to Protect Your Business

Christopher Gallagher

Editor’s Note: The author of this post is the national director of an eDiscovery service provider.

By Christopher Gallagher, National Director, eQ

The days of work being done when the office lights turn off are long gone.

With a large portion of employees available and online 24/7, many workers opt to use their personal devices to stay connected. In a world where corporations are working harder than ever to balance legal and regulatory obligations with business efficiency, this continued expansion of electronic data, partnered with the blurred lines between business and personal information, is straining already stretched legal departments and adding privacy and data leaks to the top of the list of growing concerns for organizations.

The rapid proliferation of ‘bring your own device,’ or BYOD, has created an extra layer of potentially nightmarish scenarios that can keep an organization’s C-Suite up at night.

While there are many benefits to having employees access company data 24/7, in order to protect sensitive data and minimize the likelihood of security leaks, it is important to consider the following best practices. First, there is no “one size fits all” approach. Second, BYOD policies should harmonize with existing information governance procedures, employee handbooks and the like, specifically referencing those sections that address the handling of confidential and proprietary information.

When creating a policy, feedback from the C-suite, Legal, IT, and HR teams must be taken into account as they all have a stake in this process. Some areas that BYOD policies should address to minimize data privacy and security leaks are the following:

1. What does BYOD cover? Does it pertain to any device capable of accessing the network, or does it simply mean all smartphones? What about tablets, employee-owned personal laptops or wearable technology like watches or glasses?

2. Security Codes: Employees generally resist having to enter a four-digit PIN or password every time they access their phones, but this important step makes it that much harder for someone to access data on a lost or stolen device. For those organizations that are publicly traded or dealing with confidential information, it is even more important to have this element in place.

3. Remote Wiping: Short of accidentally deleting a document we have been working on, few IT issues give us greater pause than having personal items like pictures completely wiped from our phones. Unfortunately, IT must have the ability to remote-wipe a missing mobile device. Employees must be conditioned to know that their FIRST call when a device is lost or stolen must be to IT. If an employee’s first call upon losing a phone is to their mobile carrier, the carrier will turn off the device — and with it the ability to remote-wipe any data from it.

4. Apps: Banning the installation of apps other than those downloaded from iTunes or Google Play will significantly reduce the risk of installing viruses or malware that can put sensitive data and your entire network at risk.

5. ‘Jailbroken’ Phones: Phones that have been modified to let users remove operating systems or carrier settings — or ‘jailbroken’ phones as they’re often referred to — should be banned as they are more likely to contain malware.

6. Separated Employees: Whether the separation is voluntary or involuntary, a well-constructed BYOD policy needs to address what happens to the data that lives on a device when its owner is no longer an employee of the organization. A protocol to reacquire or wipe all corporate information on the device is a best practice to support data privacy.

Far from being an exhaustive list, the above suggestions are meant to help an organization begin the conversation around creating a thorough BYOD policy. Although it is unlikely that any policy can completely eliminate all potential exposure of confidential data, a policy that is well documented and adhered to will limit liability as well as assist in protecting trade secrets and personally identifiable information and in guarding against breaches of the corporate network.
