To facilitate the ability of round-the-clock communication regardless of location, some companies issue mobile devices to their employees for business use, while others find it more economical to allow employees to use their personal mobile devices to transact company business. However, if a company allows employees to use their own mobile devices to conduct work-related business, it must make sure to protect against the release of company-related confidential and private information. While companies go to extraordinary measures to implement security in connection with information stored on company servers, the same diligence must be applied to employees’ use of mobile devices. Companies must develop and require employee compliance with corporate policies that specifically address the use of personal mobile devices for company business.
This article addresses some of the safety measures companies should consider to protect against risks associated with allowing employees to use their own devices to conduct company business.
Develop and implement a mobile device policy. Many companies that issue mobile devices for employees have a mobile device policy. But it is also important to have a mobile device policy addressing employees’ use of their own devices to conduct work-related business. Without policies addressing all devices used to conduct company business, regardless of owner, it is impossible to institute effective safety precautions for the devices in use.
Require password protections for mobile devices. Much attention has been paid to ensuring that laptop computers are password protected. But mobile devices are just as likely to be lost or stolen. Requiring passwords on all employee-owned devices used for business is an easy way to protect information.
Institute the capability to lock mobile devices remotely. Applications that allow the user to lock and wipe a mobile device remotely are easy to download. Employers may want employees who deal with the company’s most sensitive data to download this precautionary application on their device. A caveat for disclosure to employees is that use of this application will wipe out the employee’s personal information as well.
Determine the extent of access provided to employees using a mobile device. Will the company allow employees to use a mobile device only to access e-mail or also to access other corporate information? Access to e-mail is necessary if an employee communicates for business. Does the company want employees to have remote access to other company-related data? Granting employee access via a mobile device to corporate data beyond e-mail should be a conscious decision, not one made by default.
Restrict the types of applications that can be downloaded. Such a restriction is a difficult policy to enforce if employees use their own mobile devices to conduct business. Yet compliance is important because each time an application is downloaded, the user runs the risk of also downloading malware that has the potential to hack into the company’s server (if the device is connected to the server).
Require employees to download anti-malware and antivirus software on their devices. Companies are vigilant about updating antivirus software on company computers. But the same precaution should be taken regarding hand-held devices that are connected to the company’s server. This is an inexpensive protection.
Consider the enhanced protections for e-mail versus text messages. Does your company encrypt personal information before it is sent via e-mail? If an employee’s device is connected to the company server, then they have the capacity to send encrypted e-mail. But text messages will not be encrypted. If employees send “private” or “confidential” information in text messages, such messages are routed through a third party communication company and not through your company’s server. Companies do not have the ability to protect information that has been transmitted through a text message.
Encourage employees to update operating systems. Users of mobile devices frequently receive messages asking if they want to update their operating systems. Companies should encourage their employees to accept these updates. Keeping the most up-to-date operating system on the mobile device is important.
Integrate document management policies with mobile device use. Beyond the protection of sensitive data, one of the most challenging aspects of allowing employees to use their own mobile devices to conduct company business is the preservation of data. The company must ensure that the integrity of the company’s document management system is maintained without compromise. In addition to their routine preservation of materials, companies must have a plan for dealing with litigation holds in the event of litigation. Document requests today often contain requests for text messages as well as e-mail communications. Accordingly, be sure your company’s document management policy addresses the use of employee-owned mobile devices.
Check insurance coverage. A company that allows employees to use personal mobile devices to conduct business should determine whether its insurance coverage provides protection from (1) privacy breaches from a personal device if the information has not been released through the company server, (2) privacy breaches from an outsider hacking into the personal device, and (3) third party liability if confidential information is stolen from an employee’s device.
The following examples pose issues your company may want to raise with its insurance broker. Assume that an employee saves a confidential Word document directly to the employee’s mobile device (i.e., it is no longer on the company’s server). Is a release of this information covered? Assume that an employee sends a text message containing confidential information that is intercepted or released. Because this message is transmitted through a communication provider and not the company’s server, is this incident covered if a claim results from the release? Your company’s review of its insurance policies should include not only any cyber policies (if the company has them) but also policies that cover errors and omissions (E&O), directors’ and officers’ (D&O) liability, and commercial and general liability (CGL).
A word to the wise should be sufficient: Do not wait until you have a claim to determine if coverage applies or even if you have purchased appropriate coverage. Be proactive and audit your coverage now.