This document discusses creating data security policies that balance regulatory requirements, practical constraints, and organizational needs. It addresses challenges like increased costs and reduced flexibility. The document then provides an example of building a personal device security policy, with opening and closing sentences establishing the policy's purpose and applicability. Key policy elements address reporting lost devices, password protection, installing security applications, and removing sensitive data when ending device use. The policy is intended to meet legal obligations while protecting organizational operations and relationships.
1. Piecing Together Data Policies that Make Sense in an Ever-Changing World
Rob Cutbirth, Partner, SF
Avril Love, Counsel, LA
2. Motivations to Create a Policy
1. Regulatory Standards: HIPAA-HITECH/State Privacy Laws/FERPA
2. Governance and Risk Management Standards: Publicly Traded Companies/Board Standards/Insurance Requirements
3. Financing/Customer Standards: Lender-Imposed & Customer Requirements
4. Internal Events: The Boss, Who Heard At The Club That …; An Actual/Potential Security Scare; Someone Attending a Seminar at Tucker Ellis!
3. Some of the Basic Constraints
1. Practicality: Location/Systems/Personal Devices/Employee Skill Sets
2. Enforceability: You must be able to enforce, and you must enforce
3. Training: You must be able to develop a training program to share information and consequences
4. And Then These Turn Up the Heat On You
But If We Do That …
• It Will Make It Tougher To Use Our Systems/Not “User Friendly”
• It’s Really Not Going To Change Anything, so Why Do It
• It’s Going To Cost More
I Need My Own Special Policy Because…
• My Content Is Different
• My Department Needs Greater Flexibility
• I’m In A Different State/City/Type of Operation
5. Against These Challenges, How Do You Build a Strong and Defensible Data Security Policy?
First, Know Your:
• Legal Obligations & Limitations: Int’l; US/State/Industry
• Risks – Real and “Unreal”: Industry and Data Driven
• Goals and Expectations: Who Needs It/Who Wants It/When Is It Needed/Who Is Covered
• Systems/Environment: What Can You Impose Given Your Hardware/Software Systems and Limitations, and Your Vendor’s Systems
7. Let’s Start to Build a Personal Device Security Policy*
• Some Of The Key Issues:
– Personal v. Company Devices
– Nature Of Information Accessed And Stored
– Protective Corporate Software/Apps
– Separation From Employment
– Lost/Stolen Phones and Phone Replacement
– Passwords/Access To The Device By Non-Employees
– To Whom Does the Policy Apply
*Does Not Include Other Issues That Should Be in a Personal Device Policy:
• Expense Reimbursement
• Exempt v. Nonexempt Use
• Improper/Acceptable Use
8. The Policy – How We Might Build It …
• Opening Sentence – Why We Have the Policy
In meeting our legal and contractual obligations, and to avoid harm to the Company’s operations and business relationships, each of our employees and vendors must take reasonable and necessary steps to protect the personal, confidential, and proprietary information of the Company, our employees, and our customers and business partners (“Confidential Information”).
• Second Sentence – The Big Picture Obligation
To meet this obligation, our employees and vendors must diligently ensure that Confidential Information cannot be inappropriately accessed from their personal and business cellular telephones, tablets, or similar devices (“Personal Device”).
9. • Third Sentence – The Consequences
Employees failing to comply with these obligations may face discipline. Vendors’ employees failing to comply with these obligations may have their contracts terminated. In appropriate circumstances, breach of these obligations may also result in regulatory or law enforcement officials being notified.
10. • The Fourth Sentence – The “Rules”
Protective actions required to be taken include:
• The immediate reporting to __________________ of a lost or stolen device, or an actual or potential security breach. You must then follow their direction and guidance.
• The use of password protection on any Personal Device used to access or transmit Confidential Information. Because only you are authorized to access or use Confidential Information from your Personal Device, passwords must not be shared with family members, friends, or others who could accidentally or intentionally access Confidential Information, placing you, the Company, and the accessing party at risk.
11. • The installation on your Personal Device of the ___________ application, which provides additional security for the device. In the case of a lost or stolen Personal Device, the application can erase all Confidential Information and/or track the location of the device. The tracking feature of the application is only used in response to notice of a lost or stolen Personal Device.
• The removal of all Confidential Information, and programs or applications used to access Confidential Information, before you sell, gift, trade in, or otherwise dispose of a Personal Device, or upon your separation from the Company. You must notify _______________________ to assist with this process.
12. You Should Also Tie in Vendors
• For vendors whose employees may have access to Confidential Information, our contracts will include a provision stating they will, at a minimum, comply with our Data Security Policies and Procedures, with their employees advised of these obligations.
13. Avril Love, Counsel
515 South Flower Street
Forty-Second Floor
Los Angeles, CA 90071
213.430.3306 (direct dial)
Rob Cutbirth, Partner
One Market Plaza
Steuart Tower, Suite 700
San Francisco, CA 94105
415-617-2235
RAC@TuckerEllis.com
Questions?
Editor's Notes
Policies – by themselves – have no “cost,” but they take time, and we have to make sure we understand the “scope” of expectations. Beyond that, they have to be practical for our particular company – “one size fits all” rarely works due to corporate cultures, systems, locations, and the sophistication of and compliance by our workforce. In addition, we have to look at both practical enforceability (the objective standards) and the support for enforcement (the subjective agreement to enforce, and not waffle or waver on enforcement). There then must be a commitment to train employees, ensuring they truly understand the policies, because we will be holding them accountable later on.
As the process moves forward, it is common to find some managers/groups who believe they are special or different, and therefore should be carved out of certain policies or they should have greater or different standards imposed. Rarely is it a good idea to have different policies applied across an organization, unless the functions, data, and systems are so distinct that it makes sense.
Beyond that, there are common “complaints,” as folks are concerned with “change” and the perceived threat to the status quo with which they have become accustomed and comfortable. Quick and easy answers exist that defuse many of those issues, but it is also important to have the backstop of senior management’s support in moving forward and not allowing the naysayers to detract from your efforts.
When we put together a policy, it will never be “perfect,” but it must meet a majority of our daily needs and requirements, with the hope of capturing and addressing probably 80-90% of the most common or daily issues. You then have to address language barriers. Sometimes there are education/experiential language barriers. Sometimes it is truly a fluency issue, with an English-as-a-second-language workforce. You also have to draft the Policy in a manner that can gain approval (so you’re not wasting your time, while still ensuring it is a meaningful and substantive policy), and then withstand the test of time, so you’re not having to regularly revise/update it, which can be confusing to employees.
Lost or stolen should make sense; password protection in the face of how we actually use and share phones needs more discussion on the practical legal issues involved, and the risks.
We can discuss, if companies will use it, operations for protective applications, and then what happens when phones are being disposed of or the employee is separated.