Rob Cutbirth, Partner, SF
Avril Love, Counsel, LA
Piecing Together Data Policies that Make Sense in an Ever-Changing World
Motivations to Create a Policy
1. Regulatory Standards:
HIPAA-HITECH/State Privacy Laws/FERPA
2. Governance and Risk Management Standards:
Publicly Traded Companies/Board Standards/Insurance Rqmts/
3. Financing/Customer Standards:
Lender-Imposed & Customer Requirements
4. Internal Events:
The Boss, Who Heard At The Club That …; An Actual/Potential
Security Scare; Someone attending a Seminar at Tucker Ellis!
Some of the Basic Constraints
1. Practicality:
Location/Systems/Personal
Devices/Employee Skill sets
2. Enforceability:
You must be able to enforce and you
must enforce
3. Training:
You must be able to develop a training
program to share information and
consequences
And Then These Turn Up the Heat On You
But If We Do That …
• It Will Make It Tougher To Use Our
Systems/Not “User Friendly”
• It’s Really Not Going To Change
Anything, so Why Do it
• It’s Going To Cost More
I Need My Own Special Policy Because…
• My Content Is Different
• My Department Needs Greater
Flexibility
• I’m In A Different State/City/Type of
Operation
Against these Challenges, How Do You Build a Strong and Defensible Data Security Policy?
First, Know Your:
• Legal Obligations & Limitations
Int’l; US/State/Industry
• Risks – Real and “Unreal”
Industry and Data Driven
• Goals and Expectations
Who Needs it/Who Wants it/When is it Needed/
Who is Covered
• Systems/Environment
What can you Impose Given Your Hardware/Software Systems
and Limitations, and Your Vendor’s Systems
Second, Know Your Drafting Rules and Requirements
Let’s Start to Build a Personal Device Security Policy*
• Some Of The Key Issues:
– Personal v. Company Devices
– Nature Of Information Accessed And Stored
– Protective Corporate Software/Apps
– Separation From Employment
– Lost/Stolen Phones and Phone Replacement
– Passwords/Access To The Device By Non-Employees
– To Whom Does the Policy Apply
*Does Not Include Other Issues That Should be in a Personal Device Policy:
• Expense Reimbursement · Exempt v. Nonexempt Use
• Improper/Acceptable Use
The Policy – How We Might Build It …
• Opening Sentence – Why we have the Policy
In meeting our legal and contractual obligations, and to avoid harm
to the Company’s operations and business relationships, each of our
employees and vendors must take reasonable and necessary steps to
protect the personal, confidential, and proprietary information of
the Company, our employees, and our customers and business
partners (“Confidential Information”).
• Second Sentence – The Big Picture Obligation
To meet this obligation, our employees and vendors must diligently
ensure that Confidential Information cannot be inappropriately
accessed from their personal and business cellular telephones,
tablets, or similar devices (“Personal Device”).
• Third Sentence – The Consequences
Employees failing to comply with these obligations may
face discipline. Vendors’ employees failing to comply with
these obligations may have their contracts terminated. In
appropriate circumstances, breach of these obligations
may also result in regulatory or law enforcement officials
being notified.
• The Fourth Sentence – The “Rules”
Protective actions required to be taken include:
• The immediate reporting to __________________ of a
lost or stolen device, or an actual or potential security
breach. You must then follow their direction and
guidance.
• The use of password protection on any Personal Device
used to access or transmit Confidential Information.
Because only you are authorized to access or use
Confidential Information from your Personal Device,
passwords must not be shared with family members,
friends, or others who could accidentally or intentionally
access Confidential Information, placing you, the
Company, and the accessing party at risk.
• The installation on your Personal Device of the
___________ application, which provides additional
security for the device. In the case of a lost or stolen
Personal Device, the Program can erase all Confidential
Information and/or track the location of the device.
The tracking feature of the program is only used in
response to notice of a lost or stolen Personal Device.
• The removal of all Confidential Information, and
programs or applications used to access Confidential
Information, before you sell, gift, trade-in, or otherwise
dispose of a Personal Device, or upon your separation
from the Company. You must notify
_______________________ to assist with this process.
You Should Also Tie in Vendors
• For vendors whose employees may have access to
Confidential Information, our contracts will include a
provision stating they will, at a minimum, comply with
our Data Security Policies and Procedures, with their
employees advised of these obligations.
Avril Love, Counsel
515 South Flower Street
Forty-Second Floor
Los Angeles, CA 90071
213.430.3306 (direct dial)
Rob Cutbirth, Partner
One Market Plaza
Steuart Tower, Suite 700
San Francisco, CA 94105
415-617-2235
RAC@TuckerEllis.com
Questions?

Data Security Policy for Personal Devices

Editor's Notes

  1. Policies – by themselves – have no “cost,” but they take time and we have to make sure we understand the “scope” of expectations. Beyond that, they have to be practical for our particular company – “one size fits all” rarely works due to corporate cultures, systems, locations and the sophistication/compliance of our workforce. In addition, we have to look at both practical enforceability (the objective standards) and the support for enforcement (the subjective agreement to enforce, and not waffle/waver on enforcement). There then must be a commitment to train employees, ensuring they truly understand the policies, because we will be holding them accountable later on.
  2. As the process moves forward, it is common to find some managers/groups who believe they are special or different, and therefore should be carved out of certain policies or should have greater or different standards imposed. Rarely is it a good idea to have different policies applied across an organization, unless the functions, data, and systems are so distinct that it makes sense. Beyond that, there are common “complaints,” as folks are concerned with “change” and the claimed threat to the status quo to which they have become accustomed and comfortable. Quick and easy answers exist, defusing many of those issues, but it is also important to have the back-stop of senior management’s support in moving forward and not allowing the naysayers to detract from your efforts.
  3. When we put together a policy, it will never be “perfect” but it must meet a majority of our daily needs and requirements, with the hope of capturing and addressing probably 80-90% of the most common or daily issues. You then have to meet language barriers. Sometimes there are education/experiential language barriers. Sometimes it is truly fluency issues, with English as a second language workforce. You also have to draft the Policy in a manner that can gain approval (so you’re not wasting your time, while also still ensuring it is a meaningful and substantive policy), and then withstand the test of time so you’re not having to regularly revise/update, which can be confusing to employees.
  4. Lost or stolen should make sense; password protection in the face of how we actually use and share phones needs more discussion on the practical legal issues involved, and the risks.
  5. We can discuss, if companies will use it, operations for protective applications, and then what happens when phones are being disposed of or the employee is separated.