Which of the following BYOD security measures would allow separation between work and personal data
In the not too distant past, employees had no choice but to work at a company's office or on a company laptop or phone. As mobile electronic devices (tablets and smartphones, for example) became more accessible and affordable, this changed. Now employees can work virtually anywhere, and it is increasingly common for them to use the same device for both personal and work purposes.
Many individuals own multiple mobile devices. One person may own a smartphone, tablet, and laptop computer. An employer may also offer employees one or more company-owned devices. For some, it's both inconvenient and less productive to carry company-issued and personal devices. Others may prefer a specific technology or brand, or simply be annoyed by having to carry multiple devices.
If an employer doesn't offer employees the option to use a company smartphone, tablet, or laptop, employees may still want the option to work remotely. This work could include accessing work files, the company network, the phone system, emails, and even contacts.
Bring your own device ("BYOD") policies are making a significant impact on the workplace. Employers create BYOD policies to meet employee demands and keep employees connected. They may also do it to save money by eliminating the need for company plans and devices.
While "bringing your own device" is common, allowing employees to use personal devices for business purposes can expose employers to many risks. Because of these concerns, employers often establish BYOD terms or policies that can have a surprising and significant impact on employee privacy. However, not all employers have BYOD policies even though employees may already be using personal devices for work purposes.
This Fact Sheet addresses reasons employers have BYOD policies, some practices employees may encounter, and some of the common concerns and privacy risks that employees face when considering whether to participate in an employer's BYOD policy.
2. What are an employer's concerns surrounding BYOD?

Employers assume legal, security, reputational, and other business-related risks when their employees use a device for both personal and work-related purposes. This is largely because employers lose control of company data once employees store and transmit it on devices and networks the employer does not manage. The same is true when employees use company-owned devices for personal purposes. A company may need to protect many types of sensitive information for business and/or legal purposes. Sensitive information might include:
A. Legal obligations

There are many laws and regulations companies must consider when creating a BYOD policy. Which laws apply will depend on the nature of the employer's business and what kind of data it collects, stores, and uses. Some industries, such as healthcare and finance, are subject to more legal obligations than others. An employer's legal obligations may include, but are NOT limited to:
B. Security

Device loss. When an employee loses a device used for both work and personal purposes (or someone steals it), the employer faces a security risk: company data stored on the device can be read by whoever has it unless the device is locked and its storage is encrypted. Many company security breaches result from lost or stolen devices.

Information loss. Employee error can compromise data and device security as well. Bad habits include connecting to open or untrusted Wi-Fi networks, failing to set a passcode on the device, and leaving the device Bluetooth-discoverable. Each of these increases the risk of an unauthorized person accessing potentially sensitive information.

Malicious software (malware) also threatens device and data security. People can inadvertently download a malicious app, click on a malicious link, or fall for a phishing scam. Some applications, such as peer-to-peer file sharing apps, may not be malicious per se, but may permit third parties to access data on an employee's device, leaving company data stored there easily compromised. Many apps connect a user to data stored "in the cloud." Cloud services offer varying degrees of security, so it is important for employers to know which services employees are using for company purposes.

C. Protecting data for other business purposes

Employers must also consider business interests when creating a BYOD policy. These can overlap with legal obligations, or they may be completely separate. Employers may be concerned with protecting their reputation or brand integrity. They may also need to protect proprietary information, trade secrets, or other confidential information. For example, to preserve trade secrets, a company must typically take adequate steps to protect the information from being disclosed.

3. What might employees expect to find in BYOD policies?
BYOD policies (or terms affecting how an employee uses a personal device for company-related purposes) may appear in an employment contract, orientation materials, or an employee manual, or may be presented when an employee decides to use his or her device for work or installs the employer's mobile device management (MDM) software on it. It is important for employees to read an employer's BYOD policy before participating in a BYOD program, and to ask questions. Employers must implement policies and company practices to safeguard sensitive information and reduce the risk of legal liability. In the case of BYOD, the employer should balance this with employee privacy. The following are examples of what an employee might find in a BYOD policy.

A. Permitted and prohibited uses, devices, and software

The policy may state which devices the employer allows to be used for both work and personal purposes. This could also include acceptable software, brands, and device models.

B. Employee responsibilities

An employer may place any number of responsibilities on an employee who is using a device for both work and personal purposes. Some examples are as follows.
C. Explanation of available/required technical support

Employers may require employees to work with the employer's IT department to enroll in the BYOD program, receive security updates, agree to remote access to the device, install specific software, and receive ongoing support.

D. Consent to certain practices

When an employee receives a copy of the BYOD policy, he or she may have to consent to certain practices. These may include:

Remote data deletion. As a security measure, employers often require employees who store company information on their personal devices to allow the employer to remotely delete data from the device if it is lost or stolen. The same may be true when a person leaves the company. Employees should ask what data will be wiped (the whole device, or only the company's data and apps), so that they understand whether they risk losing personal photos and videos, downloads, contacts, and anything else stored on the device and not backed up elsewhere.

Authorizing access to personal data on a device. When an employee reviews and signs an employer's BYOD policy, she should determine whether the agreement allows the employer to access personal content on the mobile device. Employees should never simply assume that personal content such as emails and applications will remain private.

Requirements to save and produce relevant information for legal purposes (e-discovery in particular) and consequences for deletion or alteration. When an employer is involved in litigation, it will likely need to know where company information resides and what the data consists of. This can be difficult when an employee owns a device and is able to store company data in places the company is not aware of.

Who pays for what. An employer may pay for a portion of the personal device's cost, the monthly bill, or the data plan.
To reduce the risk of unexpected financial responsibilities, employees need to make sure they understand what they are responsible for covering before using the personal device for work purposes.

Processes for the end of an employment relationship. In most cases, a company will want to remove its data from an employee's personal device when he or she leaves. The company may require the employee to submit the device to the IT department, or it may simply tell the employee to delete the data. The employee's access to the company network will also be revoked. Employees should make sure they understand what these processes entail.

Trade secret policies and confidentiality agreements. Employers must protect their trade secrets and proprietary information. If information is valuable and has legal protection because it is secret, an employer must be extremely cautious when allowing employees to handle and transfer that information on personal devices and potentially outside the employer's network. The same is true for businesses with legal and professional duties to maintain confidentiality. Employees must understand their obligations so that they do not accidentally expose sensitive information.

Agreement to maintain certain security measures. Employers may require or prohibit specific software on an employee's device. Employers may require employees to encrypt data stored on the device, and/or require a strong passcode or other security measures to unlock the device. They may also ask for the ability to remotely locate the device, and to automatically wipe it of all data in certain circumstances (too many incorrect passcode attempts, for instance).

E. Explanation of mobile device management software

Employers may use mobile device management (MDM) software to exercise control over the devices employees use for both personal and work purposes. MDM software may enable the personal device to access the employer's network or cloud with added security.
It may be used to remotely wipe a device if the individual loses it or it is stolen, or to keep personal apps from accessing company information. MDM software can prohibit a user from installing certain apps and require a device to update apps. Employers may also use it to set other security protections. Using a personal device on an employer's network may allow the employer to access information, even personal, non-work-related information, stored on the employee's device.

4. Why are employees concerned about their privacy?

Most people carry their personal devices, especially smartphones, with them wherever they go. For some, using personal devices for work is a convenience that helps them multi-task. Others find that their personal and work lives blend more than they would like. Employees may be unhappy when an employer has any control at all over how they use their personal device. Many don't trust employers with their personal data, and further distrust them to keep it private and not use it against them. What if an employee uses a mobile health app to monitor a medical condition, and she does not want her employer to know? How private are personal email accounts, photos, calendars, etc.? If an employer does not manage employees' expectations or adequately disclose what it does and does not do, employees have reason to be concerned about their personal privacy.

So what can employers do with this access to an employee's personal device? There is a difference between what a particular employer can do and what an employer actually will do. The following is a non-exhaustive list of what is possible (but will depend entirely on the employer, agreement, and software):
BYOD policy terms, even if present, may or may not indicate when or how often the employer will actually do any of these things. They may also include vague language that leaves an employee unsure under what circumstances the employer will access the personal device and what added responsibilities the employee takes on.

5. Tips for employees considering participating in a BYOD program

A. How employees can protect their privacy proactively
These are only a few situations to consider, and the law surrounding BYOD is evolving. Every employment situation and policy will be unique.
B. When employees believe an employer has violated their privacy

In the area of employment law, the facts are very important and state laws vary. With regard to BYOD policies, the law is emerging as more employees use mobile devices for both work and personal purposes. This means legal issues are less likely to have clear-cut answers. Issues and policies will also depend on the specific employer. Government employees, employees of private companies, and employees in highly regulated industries should have different expectations.
Employees should discuss legal concerns with an attorney. However, it is probably most important for employees to understand their employer's BYOD policy before agreeing to it.
The following are just some of the issues an employee may encounter and want to discuss with an employment attorney.
6. Tips for employers implementing a BYOD program
7. Additional resources

National Employment Lawyers Association Directory
National Labor Relations Board
U.S. Equal Employment Opportunity Commission
U.S. Department of Labor: Wage and Hour Division
Relevant Articles and Guides by Law Firms

David Navetta, Esq., The Legal Implications of BYOD: Preparing Personal Device Use Policies, ISSA Journal, Nov. 2012, available at http://www.infolawgroup.com/files/2012/12/BYOD_ISSA1112-pdf1.pdf.
Littler Mendelson, The "Bring Your Own Device" to Work Movement, May 10, 2012, available at http://www.littler.com/publication-press/publication/bring-your-own-device-work-movement.