2. ► Twenty Minutes Is Not A Lot of Time
► We hope to provide:
► Insight
► Practical Advice
► Tips to Minimize Your Liability
Mark Twain Once Said:
3. ► BYOD = Employee uses, in the context of company business, a device (smart phone, tablet, laptop)
► That the employee owns or owns jointly with employer
►
► doing it
► What this means in practice:
► Increased legal, practical and technical headaches
► policies may not be adequate. They were written to address the use of devices owned by the company
►
Definition & Basics
5. ► No Specific BYOD Laws
► Numerous Laws Apply
► Stored Communications Act - 18 USC § 2701, and State law equivalent
► Computer Fraud & Abuse Act - 18 USC § 1030, and State law equivalent
► Federal and State Information Security Laws and Regulations, e.g. Massachusetts Security Regulation
► Federal and State Security Breach Disclosure laws
► E-Discovery Federal & State Laws
► Contracts with third parties or with the employee
► Existing company policies and procedures
Laws Impacting BYOD
6. ► Health Care
► Health Information Portability & Accountability Act (HIPAA) + Regulations
► Health Information Technology for Economic and Clinical Health (HITECH) + Regulations
► State laws
► Finance
► Gramm-Leach-Bliley Act (GLBA)
► Regulations issued by FDIC, OCC, FFIEC, SEC, etc.
► Electrical Power
► North American Electric Reliability Corp
► Federal Energy Regulation Commission
Industry Laws Impacting BYOD
7. ► Establish standards for identifying the acceptable device
► Manufacturers, devices, models, operating platforms
► Mobile networks and service plans
► Define the procedure for enrollment
► Configuration of the devices
► Define the parameters of assistance to employees
► Initial activation assistance
► On-going support
► Identify relevant security patches, and mechanisms to download them
► End-of-support
Role of the IT Department
8. ► Define security standards
► Minimum security standards to be met before accessing network
► Authentication
► Lost password
► Lost device
► Define privacy standards
► Segregation of company data v. personal data
► Monitor
► Review server logs to determine what was downloaded
Role of the IT Department / 2
9. ► Create the policy BEFORE allowing the use of BYOD
► Who is eligible for access (labor law concerns)
► Who pays for what
► What technical parameters for the device
► Devices supported
► Data plans
► What security measures must be followed
► What apps are permitted
► What data are permitted / excluded
► How and when a mobile device may be used to access the company network
Key Aspects of BYOD Policy
10. ►
►
► What to do if the device is lost or stolen
► Geolocation of lost device
► Remote wipe data on lost device
► social media, web-based personal email
► -discovery requests, internal or external investigation
► What happens if employee leaves the company
Key Aspects of BYOD Policy / 2
11. 1. Thorough evaluation of the potential uses, and of the related risks
2. Limiting what data may be used from, or stored in, a non-company owned device
3. Authentication
4. Security measures that are easy to comply with: policies, procedures, technology
5. Frequent audits and monitoring of compliance, and updating of the policies and procedures
6. Training and awareness
7. Enhanced termination procedures
Top Ways to Minimize BYOD Liability