The time to think about Mobile Device Management (MDM) solutions and policies isn’t after employees start using various personal devices for work related activities. If employees are using unapproved smartphones, laptops, or tablets to do their jobs, they are essentially using unsecure devices to access your organization's critical data. Read more about how a Mobile Device Management solution can protect against compromised credentials and protect sensitive data while verifying who the user is.
To underscore the importance of mobile device management, Systems Engineering hosted a Lunch & Learn event and invited Elek Miller, an attorney at Drummond Woodsum, knowledgeable in privacy and data security, to speak about the use of personal devices for corporate data within the workplace. During the event, he stated, “You need to carefully consider your policies & procedures and document them prior to any employee using a device for work. It is one of the most important/first things you should do prior to implementing any MDM solution.”
Attendees were also provided with an overview of the five most common legal issues surrounding Mobile Device Management that he witnesses in his practice today. They are as follows.
1. Employee Privacy and Company Security
Employees have vital personal information on their devices and they typically don’t want their current or past employers to have access to it. However, when employees begin using their personal devices for work, written policy becomes key, especially if you ever need to wipe the device.
Have a plan for what happens in the event an employee leaves. Even though you have the technology to wipe a device after the employee is terminated, without prior notice, you may not have the right to do so legally. For example, common law damage claims state that if you own something and someone steals it, breaks it, or deletes it, the owner of that property can get reimbursed. In addition, invasion of privacy claims can be made by former employees whose devices have been accessed.
If there is a breach or a crime (say a device is lost or stolen), know what your right is in relation to an employee’s device. It’s not common knowledge that a company’s data/apps on a bring-your-own-device (BYOD) is the company’s property. Your policies need to make this point clear.
In addition, think about any contractual obligations your organization may have with clients and/or partners and how these terms should be incorporated into your policies.
2. Data Breach Response
49 states have data breach laws and each are a bit different. If you are breached you have to comply with those specific laws while understanding where and who has your data.
3. Compliance With Industry Standards
There are a variety of industry standards (HIPAA, PCI, SOX, GLBA, NCUA, etc.) that many businesses are required to comply with. Knowing which apply to your business and how to incorporate them within your policy helps you know whether or not your organization is meeting compliance regulations. This also mitigates risk to the fullest extent should a breach occur.
4. Wage and Hour Law
Mobile devices have made it easier for end-users to work from anywhere and at any time. With the Department of Labor rule change to extend overtime protections to nearly 5 million workers, you will need a policy in place to determine when it is permissible for a non-exempt employee to use his/her phone for work outside normal business hours. The rule, which went into effect on December 1, 2016, guarantees overtime pay to most salaried workers earning less than $47,476/year.
5. Litigation and Discovery
If there happens to be pending litigation, you are required to preserve any related business data even if it is on employee devices. Consider to what extent you would need to limit the amount of data stored on BYOD devices and have policies in place to clearly define your right to access the employee-owned device.
Mobile Device Management policies are put into place to protect the organization's data as well as the employee's privacy. Whether you are supplying devices to your employees or allowing them to use their own, first draft a policy that encompasses end-user stipulations, rights, and organizational rules.
To speak to a Systems Engineering representative about Mobile Device Management policies or any other IT security-related questions, email email@example.com call 888.624.6737. Clients, please reach out to your Account Manager.
Elek Miller is an Attorney at Drummond Woodsum practicing in the areas of intellectual property and technology, labor and employment, and general school law. He is a frequent presenter at conferences and events related to privacy and data security.