GNYADA 2019 Membership Directory & Services Guide

Bring Your Own Device (BYOD) Risks A critical issue is employees using their personal smartphones, tablets, and other personal devices to access nonpublic personal information of consumers through their employer networks. “BYOD” or “bring your own device” has become the shorthand expression for use of personal devices for business purposes. The benefits of BYOD often include reduced hardware costs for the company as well as greater employee satisfaction from using a single portable device for workplace and personal use. However, BYOD use adds another element of security risk that should be addressed in your Safeguards Program. A comprehensive risk assessment should be conducted to assess whether employees are already using their own devices for dealership business and accessing nonpublic personal information of consumers in doing so. The risk assessment should identify the types of devices and security features available to select the best technical means for program implementation, and develop the specific policies and procedures governing BYOD administration and management. A good example is Multiple Device Management Software (MDMS) that controls all third-party devices accessing your system and sends and receives information from the device securely. Lack of physical control over the device should be high on the list for every dealership — the baseline assumption always is that the device will be lost or stolen, or at the very least, accessible to unauthorized third parties. Placing tracking devices on these devices if lost or stolen is a prudent security practice but may raise privacy concerns among employees. Another good practice is to make it clear that intertwining business and personal communications on one device creates a risk of personal information being exposed when parties are in litigation. Employers should have the right and capability to wipe or erase all data remotely from any device used for business purposes – and that means the device may be wiped entirely, including personal photos and contacts. Dealerships also must consider various technical issues, which include the use of untrusted devices, wireless networks, or applications; support for multiple mobile operating systems; installation of security patches and software updates; and interaction with other systems for data synchronization and storage. Employees may resist the implementation of security software and measures on their personal devices as well as forced encryption of customer information in transit to and from the device and at rest on the device which is a best practice. Dealerships also must detect and prevent “jail breaking” of the device where the employee circumvents the organization’s security policies and measures, a practice that MDMS software can make more difficult. Consider having the dealership provide remote devices to employees that you can centrally manage and secure, subject to applicable state law.

2019 membership directory & services guide / hot topics

Record Retention and Disposal An Information Security Program should also include a written document retention and disposal policy.

State Data Security Laws States are also enacting strict data security laws that apply to all organizations that maintain information about their residents. For example, some states:

PG 137