11-22-13 | Blog Post
Having trouble getting senior management to see the importance of implementing a Bring Your Own Device (BYOD) policy at your workplace? We know just how to grab their attention.
If you missed it last week, Online Tech’s latest ‘Tuesdays at 2’ educational webinar series featured a BYOD presentation co-presented from technical and legal perspectives. Along with Online Tech’s Steve Aiello discussing the best technical practices for implementing an effective BYOD strategy, guest co-host Tatiana Melnik provided an overview of the legal and regulatory framework of the process. Or, in a nutshell, how proper implementation can keep senior management out of legal hot water and away from fines. Attention grabbed!
To be BYOD or not to be BYOD:
Is a “Bring Your Own Device” Policy Right for Your Organization?
First, some brief introductions:
Melnik is a Tampa-based attorney focused on information technology, data privacy and security, and intellectual property. She is a healthcare IT columnist for the Journal of Health Care Compliance and the managing editor for the Nanotechnology Law & Business Journal.
Aiello is a Senior Product Architect at Online Tech with 15 years of experience managing IT in the healthcare and financial sectors.
Melnik has led a number of legal-focused BYOD presentations in the past, notably at the Michigan HIMSS Conference and the SecureWorld Expo in Detroit, but mentioned in a preview of the webinar that she was excited to add Aiello’s technical and security expertise to take the messaging to a new level.
They opened their presentation with a quick overview of the Bring Your Own Device movement and its potential cost savings to organizations. They discussed why many organizations – such as the US Department of Health and Human Services – advocate for the use of mobile devices, and covered the security challenges that come with a BYOD policy.
Heading into the meat of the presentation, Melnik addressed the legal concerns organizations should consider when drafting a BYOD policy. She noted that one of the biggest issues is compliance, particularly for organizations operating in a highly-regulated market such as healthcare or the financial services industry. “That’s compliance not only with your internal controls, but also compliance with external laws, such as breach notification laws, data destruction laws, litigation holds, etc.” she said.
Melnik noted that many companies don’t have the requisite data protection controls to know exactly what information is stored on personal phones, devices or laptops that employees bring to the worksite or use for work purposes. So how would the organization possibly know how to properly perform a breach notification if an employee’s iPhone or Android device was lost?
But there are other legal ramifications to consider within a BYOD policy that Melnik covered, such as wage and hour laws (sure, it’s great that employees seem to work 24/7, but are you willing to pay them all that overtime?) and privacy and security regulations.
Melnik notes that an organization considering drafting a BYOD policy should first look at its existing policies. BYOD may very well be covered in an organization’s policies on acceptable use, security, social media, remote access, litigation hold, remote working, incident response, breach notification and/or privacy. If so, organizations may simply need to add language stating that employees who bring their own device to work must enroll in a device management program and authorize the organization to remotely wipe a device that is lost.
If there are problems with employees who are not following policies or are using devices in ways that hurt their productivity, Melnik said, organizations may want to address that kind of activity with a specific policy. The workforce must then be educated on the new policy and employees appropriately disciplined when applicable.
But why is there a need for a policy at all?
Aiello notes that an effective policy not only adds a level of professionalism to an organization, but it protects employees from liability and protects companies from lawsuits. He notes that regulators are focusing on mobile devices today, and that includes anybody who brings their own mobile device on-premises.
So what kind of issues should a discrete BYOD policy address? Aiello says he has seen them range from the extreme (no installing apps without corporate authorization) to the overly lenient. The best, he said, are reasonable and applicable.
“You have to write a policy that is appropriate for your business,” Aiello said. “What might be an appropriate policy for a not-for-profit organization may be very different than a policy for a government or military organization. And you need to be able to have the technical staffing in-house to actually implement the policy, or you can get into trouble if you’re not living up to the policy.”
Melnik expanded on the concept of organizations not living up to their policies. She cited 32 cases brought forward by the Federal Trade Commission under Section 5 of the FTC Act, which bars “unfair and deceptive acts and practices.” In other words, companies that claimed to be protecting data in their BYOD policy, but really were not protecting that data at all.
“Speak honestly about what you’re doing and accurately portray what you are doing,” Melnik said.
Aiello covered some inexpensive and relatively easy to implement steps.
Specifically for mobile devices: encryption, passcode requirements, enforcing screen lock timers, not allowing jailbroken phones, enforcing an enrollment system for remote wipes, and application and OS update policies.
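To make that mobile-device baseline concrete, here is an added example (not from the webinar, Online Tech, or the presenters) that audits a constructed device inventory against those six controls and reports which control each non-compliant device fails. The thresholds, the per-platform OS version floors and the Device record layout are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Baseline thresholds: assumptions for this example, not figures from the webinar.
MAX_SCREEN_LOCK_SECONDS = 300
MIN_PASSCODE_LENGTH = 6
MIN_OS_VERSION = {"ios": (7, 0), "android": (4, 3)}  # hypothetical floor per platform


@dataclass
class Device:
    """One enrolled device as an MDM inventory might report it (assumed layout)."""
    device_id: str
    platform: str             # "ios" or "android"
    os_version: str           # e.g. "7.0.4"
    encrypted: bool           # storage encryption enabled
    passcode_length: int      # 0 when no passcode is set
    screen_lock_seconds: int  # 0 means the screen never auto-locks
    jailbroken: bool
    remote_wipe_enrolled: bool


def parse_version(text):
    """Turn '7.0.4' into (7, 0, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def check_device(dev):
    """Return the list of baseline controls this device fails (empty if compliant)."""
    failures = []
    if not dev.encrypted:
        failures.append("encryption")
    if dev.passcode_length < MIN_PASSCODE_LENGTH:
        failures.append("passcode")
    if dev.screen_lock_seconds == 0 or dev.screen_lock_seconds > MAX_SCREEN_LOCK_SECONDS:
        failures.append("screen_lock")
    if dev.jailbroken:
        failures.append("jailbroken")
    if not dev.remote_wipe_enrolled:
        failures.append("remote_wipe_enrollment")
    floor = MIN_OS_VERSION.get(dev.platform)
    if floor is None or parse_version(dev.os_version) < floor:
        failures.append("os_update")  # unknown platform is treated as failing
    return failures


def audit(devices):
    """Map device_id -> failed controls, listing only non-compliant devices."""
    return {d.device_id: f for d in devices if (f := check_device(d))}


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("phone-01", "ios", "7.0.4", True, 6, 120, False, True),
    Device("phone-02", "android", "4.1.2", False, 4, 0, True, False),
    Device("phone-03", "ios", "7.1", True, 6, 900, False, True),
]
```

Running `audit(SAMPLE_DEVICES)` flags phone-02 on all six controls and phone-03 only for its 15-minute screen lock; phone-01 is omitted because it is compliant.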
Aiello also recommends data classification and data isolation, a procedural process that tags data and moves it to different systems to maintain and control access through various methods. “Not everything has the same value,” he said. “If you have data critical to the organization, isolate it. It’s the easiest way to ensure your organization does not lose data that it shouldn’t.”
He also covered suggested steps to protect data during delivery to devices: Using managed data delivery via Microsoft Terminal Server Services, using VPN (most phones now have a VPN client), using two-factor authentication (typically free for up to 10 users), strong encryption (‘baked in’ with new operating systems), and the VMware suite of systems.