Personal Device Dilemma: Managing Privacy and Security Risks
By Philip L. Gordon and Alan McLaughlin
The lines snaking out the front door of many Apple stores are symptomatic of a critical privacy and information security challenge that U.S. employers are now confronting. Certainly, there is evidence that employees’ use of hand-held personal devices may increase productivity.
Employers are seeking to balance the explosive growth in employees’ desire to conduct business through the use of hand-held personal devices against the risks inherent in the use of personal devices for work. To avoid some of the worst-case scenarios – thwarted workplace investigations, the loss or theft of sensitive employee and customer data, the misappropriation of trade secrets – employers should strongly consider a range of measures designed to reduce these risks:
- Enable security measures selected by the company: Establish a standard set of security measures – encryption, password protection, an inactivity timer and data removal after repeated invalid password entries – that employees must enable before being permitted to use a personal device for work. Employers also should consider installing enhanced protections against malicious software (to the extent technically feasible), given that personal devices may be used for activities (e.g., peer-to-peer file sharing, downloading games, viewing pornography) that increase the risk of infection by malware.
- Require an acknowledgement that all company policies apply: Employers need to remind their workforce members that all company policies apply to their conduct when using a personal device for work. Employers should focus these reminders particularly on their policies for the protection of confidential business information and sensitive employee and customer data, as well as on workplace harassment and anti-discrimination policies.
- Amend your organization’s electronic resources policy to address monitoring of personal devices: Corporate electronic resources policies commonly speak only in terms of the corporate computer network and company-issued equipment. As a result, a court likely would find that warnings that employees should have no expectation of privacy have no impact on an employee’s privacy expectations with respect to information stored on his or her personal devices. To reduce this risk, the corporate electronic resources policy should be modified to warn employees that the policy applies with equal force to personal devices that are connected to the corporate network.
- Get consent to access the personal device for legitimate business purposes: Access may be necessary for a workplace investigation or to implement a litigation hold. Unlike with company-issued devices, the employer has no inherent right to access an employee’s personal device, even for a legitimate business purpose. Employers should notify employees up front that their refusal to comply with a reasonable and legitimate request for access to information stored on a personal device that is used for work could result in discipline or termination of employment.
- Prohibit use of personal accounts to conduct company business: Permission to use a personal device for work does not mean permission to use a personal account for activities such as text messaging through the employee’s cell service provider or exchanging e-mail through a personal web-based account. If an outright prohibition is impractical, employees should be warned that the employer may, for legitimate business reasons, ask them to disclose their service provider. Failure to comply with that request could result in discipline or termination of employment.
- Prepare ahead of time for a potential security incident: A lost or stolen personal device containing confidential information such as employees’ or customers’ Social Security or credit card numbers could trigger security breach notification obligations. If encrypting an employee’s personal device is not feasible, the employer should require that the employee allow installation of software that will wipe the device clean upon the employer’s transmission of a “kill command.” Promptly doing so should go a long way toward reducing the risk of harm to potentially affected individuals. Employers also should require immediate reporting of any loss or theft of a personal device used for work.
- Limit the storage of sensitive information on personal devices: Employers can reduce the risk of unauthorized access by permitting employees to use a personal device only for purposes of accessing corporate e-mail and requiring that employees perform other business functions involving sensitive information only with a company-issued device. Employers could also require that employees permit installation of software that creates an “encrypted container,” which can store sensitive business information and has a password that is different from the one used to access the device.
- Get consent and release before sending a “kill command”: Although no U.S. court has yet addressed this specific issue, sending a kill command to an employee’s personal device without prior consent may violate the federal Computer Fraud and Abuse Act and state computer trespass laws. To avoid potential liability, employers should obtain prior written consent to send a kill command to any personal device that is reported lost or stolen. As an additional precaution, employers may obtain a release from employees covering any personal files (music, videos, photographs and more) deleted by a kill command.
- Think about how your organization will retrieve business information when employment ends: Employers should consider incorporating the review of information stored on an employee’s personal device used for work into the standard exit interview process. For hostile partings, sending a kill command may be the only feasible way to prevent misappropriation of trade secrets. However, without the consent and release noted above, those actions could strengthen the hand of a hostile former employee in pending or threatened litigation.
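The baseline in the first item (encryption, a passcode, an inactivity timer, wipe after repeated bad passcodes) and the remote-wipe readiness discussed under the incident and kill-command items can be enforced as a posture check before a personal device is allowed to reach corporate e-mail. The following Python is an added illustration, not code from the article or its authors; the field names, the thresholds (five-minute lock, ten failed attempts) and the sample devices are assumptions constructed for the example. Its one deliberate design point is that a field the device agent did not report counts as a violation, so a device that says nothing about its encryption state is denied rather than waved through.

```python
"""Posture check for personal devices against a company-selected baseline.

Added example, not the article's own code. Models the baseline the article
lists (encryption, passcode, inactivity timer, wipe after invalid passcode
entries) plus enrollment for a remote wipe ("kill command"). Field names and
thresholds are assumptions chosen for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DevicePosture:
    """Posture as reported by a device agent. None means the field was not reported."""
    encrypted: Optional[bool] = None
    passcode_set: Optional[bool] = None
    inactivity_timeout_min: Optional[int] = None      # auto-lock after N idle minutes; 0 = never
    wipe_after_failed_attempts: Optional[int] = None  # None or 0 = local wipe disabled
    mdm_wipe_enrolled: Optional[bool] = None          # remote "kill command" is possible


# Assumed baseline thresholds for the example (not values given by the article).
MAX_INACTIVITY_MIN = 5
MAX_FAILED_ATTEMPTS = 10


def evaluate_posture(p: DevicePosture) -> List[str]:
    """Return the list of baseline violations; an empty list means compliant.

    Fails closed: any field the agent did not report is treated as a violation,
    because missing evidence is not evidence of compliance.
    """
    violations: List[str] = []
    if p.encrypted is not True:
        violations.append("storage encryption not enabled or not reported")
    if p.passcode_set is not True:
        violations.append("no passcode set or not reported")
    # A timeout of 0 (never lock) or an unreported value is as bad as a long one.
    if (p.inactivity_timeout_min is None or p.inactivity_timeout_min <= 0
            or p.inactivity_timeout_min > MAX_INACTIVITY_MIN):
        violations.append(f"inactivity timer must lock within {MAX_INACTIVITY_MIN} minutes")
    if not p.wipe_after_failed_attempts or p.wipe_after_failed_attempts > MAX_FAILED_ATTEMPTS:
        violations.append(f"wipe after at most {MAX_FAILED_ATTEMPTS} failed passcode attempts required")
    if p.mdm_wipe_enrolled is not True:
        violations.append("device not enrolled for remote wipe")
    return violations


def may_access_corporate_email(p: DevicePosture) -> bool:
    """Conditional-access decision: only a fully compliant device may connect."""
    return not evaluate_posture(p)


# Constructed sample devices for the example.
COMPLIANT_DEVICE = DevicePosture(encrypted=True, passcode_set=True,
                                 inactivity_timeout_min=2,
                                 wipe_after_failed_attempts=10,
                                 mdm_wipe_enrolled=True)
# Encrypted and passcode-protected, but never auto-locks and local wipe is off.
WEAK_DEVICE = DevicePosture(encrypted=True, passcode_set=True,
                            inactivity_timeout_min=0,
                            wipe_after_failed_attempts=None,
                            mdm_wipe_enrolled=True)
# Agent reported nothing at all.
SILENT_DEVICE = DevicePosture()


if __name__ == "__main__":
    for name, dev in [("compliant", COMPLIANT_DEVICE), ("weak", WEAK_DEVICE),
                      ("silent", SILENT_DEVICE)]:
        verdict = "ALLOW" if may_access_corporate_email(dev) else "DENY"
        print(f"{name}: {verdict}", evaluate_posture(dev))
```

The check is meant to run at the point where the device requests corporate e-mail, so a device that was compliant at enrollment but later had its auto-lock disabled is denied on its next connection rather than grandfathered in.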