Three Keys to Mastering BYOD

Chuck Cosson, T-Mobile, Senior Corporate Counsel, Privacy (425) 383-4114 [email protected]

Views expressed are my own and do not necessarily reflect the views of T-Mobile US

This document does not constitute legal advice.

OVERVIEW OF SESSION

• Step 1: Privacy Considerations

• Step 2: Breakout sessions

– Group 1: issue checklist

– Group 2: draft privacy notice

– Group 3: acceptable use policy

• Step 3: Assessment

PRIVACY CONSIDERATIONS

• Fair notice and employee expectations for personal data sent over company networks;

• Practical security considerations to protect data from unauthorized access / disclosure;

• Incident response / investigation.

LEGAL CONTEXT

• Computer Fraud and Abuse Act

– 18 USC § 1030

– State Laws on Unauthorized Access*

• Electronic Communications Privacy Act

– 18 U.S.C. §§ 2510–2522

• Common Law Privacy Issues

– Trespass to Chattels

– Invasion of Privacy

• International Laws May Also Apply

*See http://www.ncsl.org/issues-research/telecom/computer-hacking-and-unauthorized-access-laws.aspx

SOME RULES OF THUMB

• Don’t be afraid to start early.

• Take a multi-disciplinary approach.

– Legal, security, privacy, IT, risk management, and HR;

– Consider multiple goals to arrive at an integration that works for your organization;

• Don’t under-invest in internal training.

• Consider usability as well as security.

– Security requirements that create costs or user frustrations are susceptible to bypass attempts, inconsistent implementation or weak adoption rates.

NOTICE TO EMPLOYEES

• Common approaches to providing notice:

– Company “acceptable use policy” is provided to employee;

– “Splash screen” reminder is displayed when logging in;

– Regular privacy and security training for employees;

– Employee manuals or internal online resources.

• Common key elements of notice content:

– Security software may remotely wipe a device in case employment ends or the device is lost;

– Litigation holds may require employee to surrender the device and/or indefinitely retain data;

– Monitoring of online activity can and will occur.

SECURITY POLICIES

• Required Device Installations or Controls

– PIN or Swipe lock on Device

– Anti-Badware software

– Remote wipe capability / Data segregation

– Restrictions on Rooted or Modified Devices

• Network Side Policies

– Server access controls

– Special credentials, passwords, or authentication steps

POLICY DRIVERS

• Legal considerations integrated with:

– Morale

– Productivity

– Company Culture

– Cost Considerations

• Stakeholders:

– Legal

– HR

– IT and Information Security

BREAKOUT SESSION

Three Key Takeaways:

• How to draft an employee privacy policy addressing a BYOD scenario

• Drafting an acceptable use policy for personal devices connected to company tools

• Creating an issue checklist to determine what BYOD issues your organization faces

Breakout Activities:

• Review the draft document provided for your group

– Group 1: Employee privacy policy

– Group 2: Acceptable use policy

– Group 3: Issue Checklist

• Appoint a “scribe” to mark up the document with questions, edits, additions

• Appoint a “spokesperson” to read out the group’s observations

PRIVACY/SECURITY POLICY

• Specify company principles/standards for BYOD

• Detail expectations of privacy:

– Requirements for personal devices to be granted access;

– Personal data in company-provided applications;

– List circumstances of monitoring of personal device.

• List security requirements for devices & servers.

• Expressly provide for investigative access to data.

• Explain what happens when:

– Device is lost or stolen

– Employee leaves the company

– Protective software is not installed or uninstalled

ACCEPTABLE USE POLICY

• Require employees to acknowledge policy

• Clearly define boundaries / prohibited uses

– Explicit content, hate speech

– Leaking of proprietary information

• Consider rules for social media / cloud use

• Determine if policy banner can be displayed to BYOD employees logging in

ISSUE CHECKLIST

• Risk Types

• Monitoring of Employees

• Current Policies

– Acceptable Use Policy

– Security and Privacy

• Prospective Policies