Three Keys to Mastering BYOD
Chuck Cosson · T-Mobile · Senior Corporate Counsel, Privacy · (425) 383-4114
Views expressed are my own and do not necessarily reflect the views of T-Mobile US
This document does not constitute legal advice.
OVERVIEW OF SESSION
• Step 1: Privacy Considerations
• Step 2: Breakout sessions
– Group 1: issue checklist
– Group 2: draft privacy notice
– Group 3: acceptable use policy
• Step 3: Assessment
PRIVACY CONSIDERATIONS
• Fair notice and employee expectations for personal data sent over company networks;
• Practical security considerations to protect data from unauthorized access / disclosure;
• Incident response / investigation.
LEGAL CONTEXT
• Computer Fraud and Abuse Act
– 18 U.S.C. § 1030
– State Laws on Unauthorized Access*
• Electronic Communications Privacy Act
– 18 U.S.C. §§ 2510–2522
• Common Law Privacy Issues
– Trespass to Chattels
– Invasion of Privacy
• International Laws May Also Apply
*See http://www.ncsl.org/issues-research/telecom/computer-hacking-and-unauthorized-access-laws.aspx
SOME RULES OF THUMB
• Don’t be afraid to start early.
• Take a multi-disciplinary approach.
– Legal, security, privacy, IT, risk management, and HR;
– Consider multiple goals to arrive at an integration that works for your organization;
• Don’t under-invest in internal training.
• Consider usability as well as security.
– Security requirements that create costs or user frustrations are susceptible to bypass attempts, inconsistent implementation or weak adoption rates.
NOTICE TO EMPLOYEES
• Common approaches to providing notice:
– Company “acceptable use policy” is provided to employee;
– “Splash screen” reminder is displayed when logging in;
– Regular privacy and security training for employees;
– Employee manuals or internal online resources.
• Common key elements of notice content:
– Security software may remotely wipe a device in case employment ends or the device is lost;
– Litigation holds may require employee to surrender the device and/or indefinitely retain data;
– Monitoring of online activity can and will occur.
SECURITY POLICIES
• Required Device Installations or Controls
– PIN or Swipe lock on Device
– Anti-Badware software
– Remote wipe capability / Data segregation
– Restrictions on Rooted or Modified Devices
• Network Side Policies
– Server access controls
– Special credentials, passwords, or authentication steps
POLICY DRIVERS
• Legal considerations integrated with:
– Morale
– Productivity
– Company Culture
– Cost Considerations
• Stakeholders:
– Legal
– HR
– IT and Information Security
BREAKOUT SESSION
Three Key Takeaways:
• How to draft an employee privacy policy addressing a BYOD scenario
• Drafting an acceptable use policy for personal devices connected to company tools
• Creating an issue checklist to determine what BYOD issues your organization faces
Breakout Activities:
• Review the draft document provided for your group
– Group 1: Employee privacy policy
– Group 2: Acceptable use policy
– Group 3: Issue Checklist
• Appoint a “scribe” to mark up the document with questions, edits, additions
• Appoint a “spokesperson” to read out the group’s observations
PRIVACY/SECURITY POLICY
• Specify company principles/standards for BYOD
• Detail expectations of privacy:
– Requirements for personal devices to be granted access;
– Personal data in company-provided applications;
– List circumstances of monitoring of personal device.
• List security requirements for devices & servers.
• Expressly provide for investigative access to data.
• Explain what happens when:
– Device is lost or stolen
– Employee leaves the company
– Protective software is not installed or uninstalled
ACCEPTABLE USE POLICY
• Require employees to acknowledge policy
• Clearly define boundaries / prohibited uses
– Explicit content, hate speech
– Leaking of proprietary information
• Consider rules for social media / cloud use
• Determine if policy banner can be displayed to BYOD employees logging in
ISSUE CHECKLIST
• Risk Types
• Monitoring of Employees
• Current Policies
– Acceptable Use Policy
– Security and Privacy
• Prospective Policies