Mobile Device Policies for the Workplace
Kathleen M. Porter, Esq., Partner, Robinson & Cole LLP
CIPP/US, International Association of Privacy Professionals
Member, Cyberspace Law Committee, American Bar Association, Business Section
© 2012 Robinson & Cole LLP
Mobile Devices
Portable, handheld devices that allow people to access data, applications and information from wherever they are.
o Wireless
o Voice/text/email/Internet capable
• PDAs
• Laptops
• Tablets
• Smart phones
• Storage disks
• Pagers
• Navigational devices
Mobile Devices – We Love Them!
• Productivity
• Personal Choice
• Cost
• Generational Shift
• Dual Use
• Portability/BYOD
Mobile Devices Not Typically Covered in Existing “Electronic Use” Policies
• Company property (hardware, software, phones and devices)
• Company provided service and access (voice and e-mail, wireless, remote and Internet access)
• Provided to enable employees to perform duties
Mobile Devices Not Typically Covered in Existing “Electronic Use” Policies
Therefore…
– Company owns all records or data
– Employee has no expectation of privacy
– Company has right to access and view data and communications created, stored or received at any time, with or without notice
• business-related or personal
• disclose to law enforcement or government officials or to other third parties
Electronic Use Policies - Outdated
Often not even a recognition of employees accessing personal web-based, password-protected accounts from work equipment or devices.
Need a Policy for Mobile Device Use in the Workplace
• Needs to Be a Collaborative Effort
– IT
– HR
– Legal
Need a Policy for Mobile Device Use in the Workplace
• Cost and Resources
– Permitted and supported devices, manufacturers, models, operating systems, platforms, mobile networks, etc.
– Company or employee devices or a combination
– Allowance or stipend for employee purchase of device or service
Need a Policy for Mobile Device Use in the Workplace
Policy Decisions
• Fair Labor Standards Act (FLSA)
• Affects Device and Access Eligibility
Agui v. T-Mobile Inc.
Rulli v. Richard Ellis, Inc.
Oprah - non-exempt employee’s time sheet 800+ hours in 17 weeks - $32,000 in overtime pay.
Policy also needs to address what happens when device is lost…
• 17,500 USB sticks left in pockets of clothes at 500 UK cleaners*
– 4X more in 2010 than 2009
• Thousands of handheld devices left in taxis, hotel bars, rooms and lobbies, malls.*
*Information from surveys by Credant Technologies
Or stolen…
• 48 NASA notebooks and mobile devices stolen between April 2009 and April 2011.
• One stolen in 2011 was unencrypted. Contained command & control codes for the International Space Station.
How to Obtain Acceptance?
• Electronic Use Policy – use of equipment is acceptance of terms.
• Mobile Device Policy
– Employee wants to connect device to network
– Important to authenticate device
– Require log-in with click-thru agreement whereby employee accepts policy
– Don’t just allow access if employee has login and password
Loss/Theft Vulnerabilities
• Loss of Confidential Data
• Loss of Work Product/Productivity
• Negative PR
• Reporting reluctance
– Fear loss of personal data
– Fear disciplinary action
Loss/Theft Vulnerabilities
• Massachusetts 201 CMR 17.00
– Mandates encryption of all “personal information” stored on devices
• Oct. 31, 2007 - Sept. 30, 2011 Report
– 75 devices lost/misplaced; 1 encrypted
• 1.2 million pieces of information compromised
– 290 devices stolen; 12 encrypted
• 220,000 pieces of information compromised
• Data breach notification costs/time/exposure
Cases Shaping Policies
City of Ontario, Cal. v. Quon, 130 S. Ct. 2619, U.S. Supreme Court 2010
– Employer owned pager and service
– Personal messages to girlfriend
– Written policy allowed monitoring and prohibited personal use
– Supervisor allowed behavior that differed from policy
– Employee terminated for excessive, highly personal texts
– Termination upheld because of policy, tailored monitoring
Mobile Device Policy – Summary
Written Policy
• Tailored to specifics
• Give notice to employee
• Condition access on acceptance of policy
• Monitor only to protect interests (scope and duration)
• Consider type of behavior and communication (illegal, productivity, privileged, etc.)
• Require encryption
Mobile Device Policies at Work
• Policy Alone Often Insufficient
– Compliance
– Reporting Reluctance
• Mobile Device Management
– Initial and Ongoing Authentication
– Black/White App List
– Selective Remote Wipe
– Push Updates
– Active Monitoring and Security
Consider Use Outside the U.S.
• Need to comply with U.S. export laws regarding physical or electronic transmission of controlled data outside the United States.
• Check device and review policy with employees prior to overseas travel.
Consider Use Outside the U.S.
Other jurisdictions may have different rules on mobility, e.g., privacy of personal information; required authorization to monitor, access or remote wipe.
Allow for Changing Technology
• Allow for amendments and updates to reflect changing technology, models and devices.
• Allow for IT, HR, legal and MDM vendor to issue periodic updates/alerts for security and changes, etc.
Questions?
Kathleen Porter
Robinson & Cole LLP
617.557.5989