
Three Keys to Mastering BYOD

Chuck Cosson, T-Mobile, Senior Corporate Counsel, Privacy. (425) 383-4114, Chuck.Cosson@T-Mobile.com

Views expressed are my own and do not necessarily reflect the views of T-Mobile US

This document does not constitute legal advice.

OVERVIEW OF SESSION

• Step 1: Privacy Considerations

• Step 2: Breakout sessions

– Group 1: issue checklist

– Group 2: draft privacy notice

– Group 3: acceptable use policy

• Step 3: Assessment

PRIVACY CONSIDERATIONS

• Fair notice and employee expectations for personal data sent over company networks;

• Practical security considerations to protect data from unauthorized access /disclosure;

• Incident response / investigation.

LEGAL CONTEXT

• Computer Fraud and Abuse Act

– 18 USC § 1030

– State Laws on Unauthorized Access*

• Electronic Communications Privacy Act

– 18 U.S.C. §§ 2510–2522

• Common Law Privacy Issues

– Trespass to Chattels

– Invasion of Privacy

• International Laws May Also Apply

*See http://www.ncsl.org/issues-research/telecom/computer-hacking-and-unauthorized-access-laws.aspx

SOME RULES OF THUMB

• Don’t be afraid to start early.

• Take a multi-disciplinary approach.

– Legal, security, privacy, IT, risk management, and HR;

– Consider multiple goals to arrive at an integration that works for your organization;

• Don’t under-invest in internal training.

• Consider usability as well as security.

– Security requirements that create costs or user frustrations are susceptible to bypass attempts, inconsistent implementation or weak adoption rates.

NOTICE TO EMPLOYEES

• Common approaches to providing notice:

– Company “acceptable use policy” is provided to employee;

– “Splash screen” reminder is displayed when logging in;

– Regular privacy and security training for employees;

– Employee manuals or internal online resources.

• Common key elements of notice content:

– Security software may remotely wipe a device in case employment ends or the device is lost;

– Litigation holds may require employee to surrender the device and/or indefinitely retain data;

– Monitoring of online activity can and will occur.

SECURITY POLICIES

• Required Device Installations or Controls

– PIN or Swipe lock on Device

– Anti-Badware software

– Remote wipe capability / Data segregation

– Restrictions on Rooted or Modified Devices

• Network Side Policies

– Server access controls

– Special credentials, passwords, or authentication steps

POLICY DRIVERS

• Legal considerations integrated with:

– Morale

– Productivity

– Company Culture

– Cost Considerations

• Stakeholders:

– Legal

– HR

– IT and Information Security

BREAKOUT SESSION

Three Key Takeaways:

• How to draft an employee privacy policy addressing a BYOD scenario

• Drafting an acceptable use policy for personal devices connected to company tools

• Creating an issue checklist to determine what BYOD issues your organization faces

Breakout Activities:

• Review the draft document provided for your group

– Group 1: Employee privacy policy

– Group 2: Acceptable use policy

– Group 3: Issue Checklist

• Appoint a “scribe” to mark up the document with questions, edits, and additions

• Appoint a “spokesperson” to read out the group’s observations

PRIVACY/SECURITY POLICY

• Specify company principles/standards for BYOD

• Detail expectations of privacy:

– Requirements for personal devices to be granted access;

– Personal data in company-provided applications;

– List circumstances of monitoring of personal device.

• List security requirements for devices & servers.

• Expressly provide for investigative access to data.

• Explain what happens when:

– Device is lost or stolen

– Employee leaves the company

– Protective software is not installed or uninstalled

ACCEPTABLE USE POLICY

• Require employees to acknowledge policy

• Clearly define boundaries / prohibited uses

– Explicit content, hate speech;

– Leaking of proprietary information

• Consider rules for social media / cloud use

• Determine if policy banner can be displayed to BYOD employees logging in

ISSUE CHECKLIST

• Risk Types

• Monitoring of Employees

• Current Policies

– Acceptable Use Policy

– Security and Privacy

• Prospective Policies
