By Brittany Robinett
Today, many businesses are implementing “bring-your-own-device” policies, which permit employees to conduct company business on their own mobile devices. Encouraging the use of employee-owned devices can save employers the costs of purchasing and maintaining technology, while motivating employees to work harder through increased flexibility and mobile access to the workplace.
Decreased overhead expenses? Increased workplace productivity? Sounds like a win-win.
However, allowing employees to conduct company business on their own devices can prove less than cost-effective, as it subjects businesses to multiple security and liability risks. The greatest of these risks are caused by the removability of devices from the workplace, and the accessibility of confidential company data outside of the workplace. Employers can mitigate these risks by creating protocols to decrease dangers posed by using personally-owned devices.
Allowing employees to conduct business on their personal devices puts stored data at risk, because that data leaves the workplace. This non-stationary data may fall prey to wandering eyes, as employees may connect to public access points or to private access points that are not properly configured. Plus, mobile devices are frequent targets of theft. Passcodes and other security features are not foolproof, and they do not necessarily protect the contents of memory cards or hard drives. Some of these dangers may be eliminated by requiring employees to use a VPN (virtual private network). A VPN allows employees to access their employer’s intranet securely when working remotely. These networks require authentication prior to access, which helps protect against data breaches.
Employers should always have a breach response plan in place. These plans should focus on complying with regulatory requirements, assessing the risks of potential breaches, and preventing future breaches. When it becomes clear that data has been compromised, immediate action should be taken to determine whether federal and state regulations require the breach to be reported. Once a determination is made, the necessary parties must be notified immediately. Even if no regulations demand notification, it is important to determine what data has been compromised, what risk the compromise poses, and what steps could have prevented it. Encourage employees to report any breaches; it should be remembered that they, too, are exposing themselves to greater legal liability, and they should be punished for blatant wrongdoing, not necessarily for accidents. Employers can encourage reporting by providing training that helps employees recognize situations in which data is at risk. (Note: As the use of mobile technology within the workplace is a growing trend, it is important to keep abreast of new regulations, as the government has given the topic a great deal of attention. Consulting an attorney can ensure that nothing goes unnoticed and save employers the hassle of conducting their own research. Attorneys can also provide oversight in drafting company protocols and employee consent agreements.)
Companies should lay out clear frameworks for data preservation and destruction on personal devices. Personal devices present a unique problem when it comes to preserving data for legal discovery. Legal counsel can help businesses determine whether a preservation duty exists and what that duty requires. Employers may demand that employees sign consent agreements, recognizing that their devices may be subject to search and seizure should litigation require it. Signing a consent agreement puts employees on notice that their devices could be subject to future search and seizure processes. (This is especially important, as personal and professional information often become intermingled with the dual-use of mobile devices.) Also, business owners are advised to maintain duplicates of all company-related information from employee devices. That way, data can still be produced, if not from the original device.
Once a duty to preserve disappears and data is no longer needed, employers should make sure that company data is properly destroyed on the device’s storage. Simply “deleting” data, such as documents, emails, and contacts, from a memory card is not always enough, as the device’s internal storage may retain the information. For this reason, employers should require that devices be restored to factory settings before an employee parts with a device.
Bexley Law Firm, LLC
About the Author: Brittany Robinett is a rising third year law student at the Georgia State University College of Law.