Bring Your Own Device CLE summary
Hello everyone! Last Friday, May 10th, the Center for Information Technology Policy (CITP) at Princeton hosted a webinar on Bring Your Own Device (BYOD) policies and sandboxing technology. The video is available on CITP’s YouTube channel and below, but here’s a brief summary.
The speakers were:
- Bart Huffman, Partner at Locke Lord LLP
- Andy Aiello, Chief Operating Officer at OpenPeak, Inc.
- Keith Epstein, General Attorney and Associate General Counsel on Advanced Mobility Solutions at AT&T
Huffman introduced the talk by outlining the ways in which workplaces have changed: instead of desktop computers populated with a few pieces of software chosen by an IT professional, many employees are using their own devices, populated with software of their own choosing, to complete business-related activities. There is a lot of potential for greater productivity and effectiveness in this approach, but also a number of security risks to be aware of.
Huffman described the issue of BYOD policies as dealing with the “intersection of privacy and security,” in that the devices are both very personal and consistently with the employee, as well as hosting potentially sensitive company information. The key, Huffman said, is boundaries, set up ahead of time and known to everyone.
Next, Aiello took over to discuss mobility, describing the field as a child: constantly bouncing around, trying new things, but overall developing towards something more mature. The field has developed exponentially in the past few years, bringing with it a few key concerns that businesses need to address through a set of policies: Security Policies, Employee Policies, and Business Policies.
Epstein then delved into the particulars of BYOD policies. Some basic security measures, like password-protecting a smartphone, not accessing unsecured wireless networks, and not leaving a phone’s Bluetooth on “discoverable” mode, can do a lot towards protecting the device itself - and yet, many people don’t use them. Thus, these types of basic security measures are a great start to a BYOD policy. Epstein suggests checking out the federal government’s Bring Your Own Device policy as an example.
He also listed the challenges facing businesses seeking to develop a BYOD policy:
- balancing productivity and employee satisfaction with control of the company’s data,
- adapting policies and infrastructure to rapidly changing technologies,
- being able to reassure shareholders that the company’s data is safe,
- ensuring that security and confidentiality regulations are complied with, and
- controlling costs.
To address these challenges, the primary elements of any BYOD policy include:
- IT infrastructure to interface with mobile devices
- technology tools to manage connectivity and connected devices
- a policy document clearly articulating the responsibilities of the employer and employee
- training and an acknowledgment mechanism to verify the employee understands and accepts policy terms
- periodic policy reviews to adapt to changing needs and technologies
Epstein emphasizes that bringing one’s own device to work is a privilege, not an entitlement. Establishing this within the policy makes control of data easier, because inappropriate use can then result in revocation of the privilege.
The policy should also establish both the employer’s and the employee’s expectations with regards to privacy, duty of care of the device, disciplinary actions, what happens if the employee leaves the company, and reimbursement for the data plan and repairs. Furthermore, acceptable use of the device should be defined, as well as which applications and software are acceptable. However, it’s important not to be too device-specific, since any device you mention will probably be replaced by a new version within the next year. Establish who will provide support for the device and which types of devices (smartphones, tablets, notebooks, etc) are allowed. Finally, be sure to specify which security measures should be taken, including remote access and wipe of data in the case of loss or theft (unless the data is virtualized or encrypted).
Additionally, there are some responsibilities of the employer which, under a BYOD policy, will fall to the employee. For example, records retention, data protection, industry-specific standards and regulations (such is HIPAA) will all become at least the partial responsibility of employers. Furthermore, you’ll need to consider off-the-clock work done by employees - what if they go home and do additional work after business hours? Will they be compensated? What happens if they go overseas and have to give up their device - what steps should be taken to protect data?
Next, Aiello returned to the podium to discuss several concepts related to BYOD. For one, “containerization” or “app wrapping” is a way to separate the work and personal functions of the same device and secure those third-party apps at the same time. Content management is the curation of what’s on the device.
Aiello also discussed the basics of securing data: AES-256 encryption is good for data “at rest,” or in one place, while VPN is good for data that’s mobile. Then, there should be a secure storage space for those apps and balancing employee convenience with data security. He also went over some techniques for enhancing app-level security.
Finally, Huffman opened the floor to questions. He and the other panelists answered a few questions about containerizaiton, security keys, the protection of company data in the event of litigation, Cloud security, the pace of change in the mobile marketplace, and other topics before concluding the training.
Happy Dance Like a Chicken Day!