As a business owner, perhaps you have seen articles about setting ground rules for BYOD (a.k.a. employees bringing their own devices to work to use for work purposes). Placing restrictions on access to Company information, however, should not be limited only to those BYOD devices. Instead, if the Company issues Company-owned devices to employees for use on Company systems, similar ground rules should be put in place to set expectations and provide the backdrop for any disciplinary action that may be needed later if an employee misuses Company information or loses an unsecured device.
Here are some questions to keep in mind as you develop policies for Company-owned devices issued to employees:
- Do you have an “Acceptable Use” policy in place? Does it apply to both Company-owned and BYOD devices?
- Do you restrict the employee’s use of Company-owned devices? (E.g., to be used for business purposes only, avoid storing personal information on the device, all information on the device shall be considered “owned” by the Company)
- Have you retained the right to take back any equipment that an employee does not use properly? Similarly, do you ensure that Company-owned devices are surrendered upon termination?
- Do you require strong passwords to secure all portable devices (both BYOD and Company-owned)? (You should. See, e.g., Eric Griffith, “How to Create Strong Passwords,” PC Magazine, Nov. 29, 2011, for some good tips.) Once you require passwords, remind your employees not to tape them to the front of their devices – instead, suggest alternate ways of remembering the unique passwords they just created.
- What about using portable devices on public or unsecured networks? (For instance, at the coffee shop while waiting for that triple-shot latte.) Have you provided guidelines and training to your employees to avoid disclosing Company-sensitive information across such public networks? This is especially important if the information is mission critical or could destroy the Company’s tactical advantage if its competitor were to access it.
- Do you require employees to immediately report the theft or loss of a Company-owned device? Prompt reporting allows the Company to block potentially damaging intrusion attempts or to change the affected employee’s passwords to prevent unauthorized access. The Company’s hands will be tied if the employee does not report the loss until several days later.
- Do you provide rules about whether Company documents can be downloaded to external devices and under what circumstances? Consider mobile device management software to control the downloading of Company information to the device, to track the location of Company-owned devices and to enable remote wiping if the device is lost or stolen.
- Who handles the system updates to the device? The Company? (Probably, unless it’s a BYOD device.) The employee? (Probably only if the device is personally owned by the employee.) If it’s a Company obligation, then ensure that the device is accessible to the Company when needed (i.e., “on demand”) to fulfill this requirement.
- Will the employees’ family members be accessing the device? (More likely if it’s the only device in the house – less likely if there are other options available to the family.) Consider restricting use of Company-owned devices to employees only.
- Do you prohibit the downloading of unauthorized content to the device? Whether it’s pornography, another company’s trade secrets or pirated videos streaming the latest (copyrighted) episode of a favorite show, none of these things belong on most companies’ business equipment, and they could expose the Company to liability from a third party that owns the rights to the content.
- Do you require encryption or password protection when transmitting particularly sensitive Company information to outsiders? If not, you should. Take every opportunity to protect the Company’s trade secrets and to keep them from public dissemination. Having a reliable system in place increases the chances that a court would conclude that the Company’s trade secrets deserve such protection in the event of a breach.
- Notably, in the 2012 Target data breach, the large, well-funded entity (Target) was not the source of the leak that allowed hackers to steal thousands of customer credit card numbers. Instead, it was the HVAC servicing company that had minimal security protocols in place and effectively acted as the front door to enable the hackers to steal the data over a surprisingly long period of time.
- Does the Company have record-keeping requirements (statutory, regulatory, etc.) that would apply to an employee’s use of a portable device? Are employees who work remotely required to keep Company records and maintain certain Company files? If so, consider implementing rules identifying when such record keeping should occur and provide guidelines for destroying extra copies or other pages that the employee might otherwise throw out in the trash at a remote site. (Some states have “safe destruction of documents” laws intended to reduce the likelihood of identity theft or other unauthorized access of personally-identifiable information.)
A few closing thoughts – take every precaution to keep Company data secure. Always require the installation and use of anti-malware/anti-virus and other security tools to limit a potential thief’s ability to misuse the Company’s data or to leave code behind that continues to collect the data even after the potential thief has appeared to withdraw.
The more conscientious you are about keeping Company data secure, the more likely you are to avoid severe consequences (or at least reduce them) in the event of a data breach – whether the breach is caused by the concerted efforts of outsiders or by wrongful conduct of your own employees or by unintentional mishaps (such as the employee leaving the device in the back of a cab during a hectic business trip). Watching the doors is always worthwhile.