BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace


BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace
MCHRMA Spring Conference, April 4, 2014

Presented by: Sonya Guggemos, MCIT Staff Counsel for Risk Control, sguggemos@mcit.org
The information contained in this document is intended for general information purposes only and does not constitute legal or coverage advice on any specific matter.

Slide 3: Use of Personal Devices for Work
- BYOD: Bring Your Own Device
- Trend for employees to use their own smartphone for work purposes
- Dual-use device: used for personal and professional tasks

Slide 4: How Are Employees Using Their Personal Devices?
- Phone calls and voice mail
- Text messaging
- E-mail
- Document review
- Drafting documents
- Access to computer servers or databases

Slide 5: Why BYOD?
- Employee: convenience and flexibility; increased productivity; employer has limited resources
- Employer: believed to be cost-efficient; increased employee productivity and engagement

Slide 6: Risks to Employer and Employee
- Data retention, preservation and retrieval
- Data privacy and security
- Wage and hour concerns: Fair Labor Standards Act

Slide 7: Bring Your Own Device: DATA RETENTION, PRESERVATION AND RETRIEVAL

Slide 8: Data Retention, Preservation and Retrieval
- Both government entity and employee may have an obligation to retain, preserve or produce data and/or device
- Minnesota Government Data Practices Act (MGDPA)
- Litigation hold or discovery
- Investigation

Slide 9: Minnesota Government Data Practices Act
- Imposes obligation to produce government data and an obligation to make data easily accessible for convenient use
- Includes all data collected, created, received, maintained or disseminated by any government entity
- Government data is not defined by where it is stored, in what format or how it is used
- Responsive government data stored on an employee's dual-use device must be produced

Slide 10: Minnesota Government Data Practices Act
- Government entity: failure to produce data may be a violation of MGDPA
- Employee: failure to cooperate with employer could be grounds for disciplinary action; willful violation of MGDPA may be just cause for disciplinary sanctions

Slide 11: Litigation Holds and Discovery
- Litigation hold: a means by which relevant documents, data and other information are identified and preserved for potential use in a lawsuit
- Discovery: requires production of documents, electronically stored information or things in a lawsuit

Slide 12: Litigation Holds and Discovery
- Employers are responsible for maintaining or producing documents or items in their possession, custody or control
- Failure to comply could lead to court sanctions against the employer, employee or both, depending on circumstances

Slide 13: Investigation
- Government entity may need to access sources of data on an employee's personal device in the course of an investigation
- Internal complaint
- Responding to outside investigations
- Investigating a data breach

Slide 14: The Problem
- Government entity owns the data
- Employee owns the device
- Work and personal data are likely intermingled on the device

Slide 15: The Bottom Line
- Employee: may be required to provide the employer or a third party access to the device, or the device itself, to avoid discipline or sanctions; this may include access to personal data
- Employer: may have limited ability to preserve the data; employee may have a reasonable expectation of privacy in the device and the personal data on it

Slide 16: Bring Your Own Device: DATA PRIVACY AND SECURITY

Slide 17: Data Privacy and Security
- Government entities and employees are obligated to keep certain government data private, confidential and secure
- Minnesota Government Data Practices Act: requires that the government entity establish and implement appropriate safeguards; restricts access to data classified as private or confidential

Slide 18: Data Privacy and Security
- Health Insurance Portability and Accountability Act (HIPAA): requires a covered entity or business associate to implement policies and procedures that restrict unauthorized access to electronic protected health information; includes individually identifiable health information
- Other privacy or security requirements in law or agreement

Slide 19: The Problem
- Government entity is legally responsible for data privacy and security
- Employee is responsible for physically securing the device and the data

Slide 20: Inadvertent Release of Data
- Lost or stolen device
- Access by friends and family
- Malware or computer viruses
- Employee upgrades device
- End of employment relationship
- Remote backup and storage

Slide 21: The Bottom Line
- Employer: may be responsible for its employee's inadvertent release of the data and violation of data privacy laws
- Employee: may be subject to discipline for violating personnel, data privacy and security, or records retention policies
- Both: other causes of action, such as invasion of privacy, could apply

Slide 22: Bring Your Own Device: WAGE AND HOUR CONCERNS

Slide 23: Fair Labor Standards Act (FLSA)
- Classifies employees as exempt or nonexempt
- Nonexempt employees generally have the right to overtime or comp time for time worked beyond 40 hours
- Includes all time "suffered or permitted" to work
- Applies if the employer knows or has reason to know the employee performed work

Slide 24: FLSA and BYOD
- Checking and answering e-mail, phone calls and voice mail during nonwork hours may constitute compensable time for nonexempt employees
- Possible FLSA violations: failing to compensate an employee properly for hours worked; failing to keep accurate time records
- Could subject the employer to fines and entitle the employee to back wages and damages, including attorney fees

Slide 25: Bring Your Own Device: MANAGING THE RISK

Slide 26: Complex Issue
- Risks of BYOD apply to both employer and employee
- No one-size-fits-all solution
- Depends on the needs and resources of the government entity and employees
- May differ between departments and positions
- Multidisciplinary approach may yield the best results

Slide 27: Conduct a Risk Assessment of Current BYOD Use
- Who is using a personal mobile device for work purposes? Exempt vs. nonexempt employees
- How often is the device used for work purposes?
- Why is the employee using his or her personal device?
- How is government data being accessed or stored on the device?
- What data or information is being accessed or stored?
- How is the data or information classified under the MGDPA?
- What security measures are in place on the device?

Slide 28: Consider Ongoing and Future BYOD Use
- Do the benefits of BYOD outweigh the risks posed and the potential cost of managing those risks?
- What is the organization's comfort level with BYOD?
- Are there certain positions or certain uses that are not acceptable risks for BYOD?

Slide 29: The IT Component
- Analyze technological capabilities and capacity
- Review the capacity of IT staff to support employee personal devices and any BYOD requirements
- Assess the feasibility of implementing technological strategies for BYOD

Slide 30: Technological Strategies
- Password/passcode protection
- Encryption
- Virtual or remote access
- Mobile device management software

Slide 31: Mobile Device Management Software
- Placed on the employee's personal device but controlled by the employer
- Features can include: password protection and encryption; remote locking of the device; remote wipe of the device; tracking a lost or stolen device through GPS; restricting application installation

Slide 32: Mobile Device Management Software
- Disadvantage: improper use could raise issues under the Fourth Amendment or federal and state laws
- Remote wipe of the device may delete the entire device
- Unauthorized tracking of employees after hours
- Best practice: written informed consent

Slide 33: Educate Employees
- Employees must also weigh the benefits of BYOD against the risks and responsibilities
- Employees have a crucial role in managing and mitigating any risks

Slide 34: Mitigating the Risks
- Password/passcode to protect personal devices
- Encrypt any work-related data to the extent possible
- Use the device's screen lock function
- Do not download or store private government data on the device unless necessary
- Keep work and personal information separate to the extent possible

Slide 35: Mitigating the Risks
- Report a lost or stolen device immediately
- Be selective about the applications downloaded
- Avoid using cloud-based backup or synchronizing with home computers for work-related data
- Do not let friends and family use the device unless access to work data is segregated or password protected

Slide 36: Mitigating the Risks
- Comply with data privacy policies and any other retention requirements, such as litigation holds
- Inform the government entity if no longer using the device for work purposes
- Remove or protect any work-related data prior to receiving technical support or repair

Slide 37: Consider Developing a BYOD Policy
- Set forth conditions for BYOD use
- Detail expectations and responsibilities for an employee using his or her own device for work
- Policy should be consistent with federal and state laws and collective bargaining agreements

Slide 38: Other Considerations
- Incorporate BYOD into the exit interview procedure
- Develop procedures for preserving data that may be needed after the employee's departure
- Require that all work-related data be wiped off of the employee's personal devices when terminating employment
- Revise related policies as necessary to include work-related data stored on dual-use devices

Slide 39: Implement the Program/Policy
- Train employees on the policy requirements
- Educate staff implementing the policy regarding the risks and legal restrictions
- Be prepared for some employees to end BYOD

Slide 40: Avoid FLSA Violations
- If permitting nonexempt employees to BYOD, consider a policy or guidelines outlining appropriate use
- Require all nonexempt employees to keep accurate records of hours worked whether on or off duty, including time reviewing and responding to e-mails or telephone calls
- Remind exempt and nonexempt employees on leave not to read or respond to work-related e-mail (other than for reasons directly concerning their leave)
- Educate employees and supervisors about the policy and consistently enforce it

Slide 41: Ask Questions and Share Experiences: DISCUSSION

Slide 42: You're Invited: MCIT's 2014 Regional Risk Management Workshops
Plan now to attend:
- Rochester: Sept. 4
- Marshall: Sept. 10
- Mankato: Sept. 11
- Crookston: Sept. 17
- Grand Rapids: Sept. 18
- St. Cloud: Sept. 24
- Fergus Falls: Sept. 25
It's for you: commissioners, department heads, supervisors, human resources professionals, risk managers/safety coordinators.
Sessions cover issues related to claims/coverage, human resources, risk control and governance. Registration begins May 1. Check MCIT.org/training.aspx for details.