Bring Your Own Device (BYOD) Risks
A critical issue is employees using their personal smartphones, tablets, and other personal devices to access nonpublic personal information of consumers through their employer networks. “BYOD” or “bring your own device” has become the shorthand expression for use of personal devices for business purposes. The benefits of BYOD often include reduced hardware costs for the company as well as greater employee satisfaction from using a single portable device for workplace and personal use. Notably, however, some states such as California may require that employers reimburse their employees for a portion of the employees’ cell phone bills if the employees use the devices for business purposes. Consult your counsel for more information on those state law requirements.
However, BYOD use adds another element of security risk that should be addressed in your Safeguards Program. A comprehensive risk assessment should be conducted to assess whether employees are already using their own devices for dealership business and accessing nonpublic personal information of consumers in doing so. The risk assessment should identify the types of devices and security features available, select the best technical means for program implementation, and develop the specific policies and procedures governing BYOD administration and management. A good example is Multiple Device Management Software (MDMS) that controls all third-party devices accessing your system and sends and receives information from the device securely.
Lack of physical control over the device should be high on the list for every dealership – the baseline assumption always is that the device will be lost or stolen, or at the very least, accessible to unauthorized third parties. Placing tracking devices on these devices in case they are lost or stolen is a prudent security practice but may raise privacy concerns among employees.
You should consult with your counsel concerning the use of tracking devices on an employee’s personal device, as it may raise certain legal issues under state privacy laws.
Another good practice is to make it clear that combining business and personal communications on one device creates a risk of personal information being exposed when parties are in litigation. Employers may, under certain circumstances, exercise the capability to wipe or erase all data remotely from any device used for business purposes – and that means the device may be wiped entirely, including personal photos and contacts. However, in some circumstances, employees should be given notice and the opportunity to preserve their personal photos and other non-business-related data prior to the device being wiped. Consult with your counsel to determine the appropriate course of action prior to erasing or wiping an employee-owned device.
Dealerships also must consider various technical issues associated with their BYOD policies, which may include the use of untrusted devices, wireless networks, or applications; support for multiple mobile operating systems; installation of security patches and software updates; and interaction with other systems for data synchronization and storage. Employees may resist the implementation of security software and measures on their personal devices, as well as forced encryption of customer information in transit to and from the device and at rest on the device, which is a best practice. Dealerships also must detect and prevent “jailbreaking” of the device, where the employee circumvents the organization’s security policies and measures, a practice that MDMS software can make more difficult. Consider having the dealership provide remote devices to employees that you can centrally manage and secure, subject to applicable state law.
An alternative to BYOD is to supply your employees with corporate-owned and issued devices, which gives employers the greatest degree of control and access over the business-related data that is stored on the device.
HOT TOPICS
2020 MEMBERSHIP DIRECTORY & SERVICES GUIDE