In our last post, we illustrated how ubiquitous mobile devices and chat/collaboration apps have become in society. Mobile devices are just as present in the workplace, and how they are used there can significantly affect the way an organization addresses eDiscovery and compliance practices.
Policies for Mobile Device Management
Some people think that there are two choices when it comes to policies for the use of mobile devices in the workplace – company-issued or personally owned. There are actually four choices along the spectrum of employee freedom and flexibility vs. organizational control. They are (from most flexible to most controlled):
- Bring Your Own Device (BYOD): Employees have freedom over device choice.
- Choose Your Own Device (CYOD): Employees can choose among employer approved devices and IT can enforce certain security policies on the device.
- Company Owned, Personally Enabled (COPE): The employer provides the device and enforces security on the device, but the employee can use it for personal use as well.
- Company Owned, Business Only (COBO): The employer provides the device, and their policy only permits its use for business purposes.
Obviously, the policy most popular with employees is BYOD, which gives employees the most freedom and flexibility, and 83% of companies have a BYOD policy of some kind. Organizations embrace BYOD because it increases employee mobility and satisfaction and reduces costs.
However, as Uncle Ben told Peter Parker (aka Spiderman): “With great power comes great responsibility.” In a recent survey, only 51% of respondents from organizations that allow BYOD devices said their organization has a security policy for BYOD. Lack of a BYOD policy hampers organizations when data from those devices may need to be collected for discovery or compliance purposes. A formal BYOD policy is a must to establish clear expectations for the device holder and to protect your organization’s interests.
Five Principles to Consider for BYOD Policies
In 2018, The Sedona Conference® published its Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations. The Commentary is primarily focused on five principles for BYOD. The first two principles are focused on whether an organization should allow or require BYOD devices and how to develop and implement a BYOD program. The last three principles are focused on discovery obligations when it comes to BYOD devices.
Here are the five BYOD principles:
Principle 1: Organizations should consider their business needs and objectives, their legal rights and obligations, and the rights and expectations of their employees when deciding whether to allow, or even require, BYOD.
Principle 2: An organization’s BYOD program should help achieve its business objectives while also protecting both business and personal information from unauthorized access, disclosure, and use.
Principle 3: Employee-owned devices that contain unique, relevant ESI should be considered sources for discovery.
Principle 4: An organization’s BYOD policy and practices should minimize the storage of, and facilitate the preservation and collection of, unique, relevant ESI from BYOD devices.
Principle 5: Employee-owned devices that do not contain unique, relevant ESI need not be considered sources for discovery.
Addressing these principles is key to the success of your organization’s BYOD policy.
Five Best Practices for Effective BYOD Management
With those principles in mind, here are five best practices that will maximize the effectiveness of your organization’s BYOD policy and program:
- Require Employees to Sign a BYOD Agreement: A notable comment to Principle 2 above is “Organizations should consider requiring employees to agree to the terms of the BYOD policy.” Doing so establishes expectations for employees regarding privacy on the devices and their obligations to make those devices available for investigation and litigation. That goes for any updates to the BYOD policy as well.
- Consider Establishing a List of Banned Apps: Not all apps are safe – many are known to have security risks, and those risks can lead to your organization’s data being compromised. IT should stay up to date on which apps pose a risk and consider maintaining an updated list of banned apps that is communicated to employees.
- Provide MDM or Other Security Software: It’s a good idea to consider implementing a Mobile Device Management (MDM) solution to administer mobile devices directly and to separate business data and usage from personal data and usage. You could also extend policies for use of a Virtual Private Network (VPN) or Remote Desktop Protocol (RDP) to mobile devices for any resources not accessed through secured cloud platforms.
- Establish Clear Security Policies and Provide Training: Extend security policies (such as promptly applying operating system updates and discouraging the use of public Wi-Fi) to mobile devices and provide training to ensure that they’re being followed.
- Wipe Company Data When Employees Depart: When an employee leaves the company, they may be allowed to take their device with them, but not your data. Wiping company data off mobile devices should be part of the offboarding process. An MDM solution will facilitate that process.
Many of these best practices apply to any mobile device management policy, not just BYOD.
The manner in which an organization addresses eDiscovery and compliance practices for mobile devices starts with its policy for the use of the devices. A strong policy for use of mobile devices that protects your rights and enforces security is key to addressing those practices.