Privacy Lawyer Recommends Best Practices for Mobile Device Policies to Address Security, Privacy and Regulatory Concerns


Companies are increasingly allowing their employees to use their own personal mobile devices, such as laptops, tablets, and smartphones, to remotely access work resources. This “bring your own device” trend can present certain security and privacy risks for companies, says privacy lawyer Aaron Messing of OlenderFeldman LLP, especially in regulated industries where different types of data require different levels of security. At the same time, companies need to also be mindful of employee privacy laws.

“Ideally, you want to create mobile security policies that make end-users happy by giving them device-freedom while keeping corporate data safe and secure,” says Messing.

Most individuals now own personal mobile devices, and companies find it increasingly convenient to allow employees (and, in certain situations, independent contractors) to access company data and networks through those devices. However, when an organization allows employees to use their own devices for company business, it loses control over the hardware and how it is used. This creates security and privacy risks for the proprietary and confidential company information stored on, or accessible from, those devices, which in turn creates legal and liability risk. When employees use the same device for both personal and professional purposes, the line between the two also becomes difficult to draw. Messing says that one important area companies often overlook is the proper handling of employee departures. “When an employee leaves the organization, there must be a way for the company to retrieve any proprietary or sensitive information from the employee’s mobile device and prevent future access to the network.” The policy should likewise address device turnover: when an employee sells, gives away or discards a device used for company business without first securing the proprietary or confidential data on it, the risk of unauthorized access increases dramatically.

Messing recommends addressing these issues preemptively by formulating a comprehensive “bring your own device” (BYOD) policy. Such a policy should cover the storage of sensitive data on personal devices as well as the legal and privacy issues that arise when work and personal information are mixed on one device. “Whether your company chooses to adopt a BYOD program or not,” says Messing, “be sure you have a clearly defined mobile device policy in place that outlines what is and is not acceptable and clearly states what the company’s expectations are.”

As a condition of access to the company network, Messing recommends that employees be required to formally consent to an acceptable use policy when their device is enrolled. The policy should require proactive security features, such as automatic device locking, and permit reactive measures, such as remote data wiping, in appropriate circumstances. An effective policy should be tailored to a particular company’s challenges and issues. “One size fits all policies that aren’t followed or implemented can be worse than having no policy at all.”

However, protection of company data must be balanced against the rights employees may have under applicable privacy laws. Many organizations already track employee behavior and preferences without considering the privacy implications of doing so. Because a mobile device is almost always with its owner, powered on and connected to a data network, it holds, and can reveal, a great deal of personal information. It is important to ensure that information collected through employees’ mobile devices is used appropriately and transparently, to minimize any invasion of privacy: give notice of employer practices and align the use of new technologies with a robust internal privacy program.

To discuss privacy laws and regulations, BYOD policies, regulatory compliance or ecommerce law for your business, please feel free to contact Aaron Messing, Esq., CIPP by phone at 908-624-6293 or by email at amessing(at)olenderfeldman(dot)com. OlenderFeldman LLP is a full-service law firm providing customized business, financial, technology, privacy, intellectual property and litigation services. We work with diverse clients ranging from startups to multinationals, and can tailor solutions to fit your business needs.
