An Employer’s Guide to Employee Privacy and BYOD

August 24, 2018 by Dan Virgillito

Introduction

For years, employers have turned to Bring-Your-Own-Device (BYOD) policies in the hope of boosting productivity. BYOD allows employees to use devices in the workplace that they are already familiar with. In fact, more than 67 percent of personnel in the U.S. bring their own devices to work. At the same time, BYOD enables employers to manage every aspect of incoming devices, from outbound communications to the type of apps they can host. But with this control comes the potential for intruding on users' privacy.

Before we begin, one brief note: these suggestions are strictly intended for corporations and businesses that are based in, and do business strictly within, the United States. If your organization has offices in other countries and wishes to apply the scenarios detailed in this article, those nations' laws would take precedence. In such instances, it is best to consult an attorney.

Privacy-Related Concerns Persist Over BYOD Implementations

When it comes to employee privacy, BYOD policies can be a double-edged sword for most businesses. Presently, technological enforcement exceeds the law in most states, leaving gray areas regarding personnel's privacy rights. For example, employers can remotely wipe data from an individual's device once their employment has ended without worrying too much about the person's private data (which could be in the mix).

But organizations should be aware that legal consequences can sneak up on them at any time if they're not watchful.

For example, Fourth Amendment protections apply to individuals who hold a reasonable expectation of privacy. If a company's BYOD policy doesn't obtain consent from an employee before accessing his or her device, the firm becomes ripe for class-action lawsuits. Additionally, federal laws like the CFAA (Computer Fraud and Abuse Act) can be used by staffers to sue employers for violations of their privacy and legal protections based on the employer's intrusion into personal devices used in the workplace.

The desire for privacy has even ignited movements such as #ResetTheNet, whose supporters are seeking to get all sites to use SSL to protect end users. Although a well-intentioned request, it can place companies in an uncomfortable position. Employers can't see the threats being routed over their networks unless they start intercepting incoming traffic, which exposes all transmitted information.

Due to such complexities, employers need to spend time with corporate counsel, human resources and whoever else has a stake in operations to craft policies that balance workers' privacy concerns with the compliance and security requirements of handling enterprise data.

Striking a Balance Between Company Security and Employee Concerns

Fortunately, employers can avoid the pain points of BYOD by making some careful decisions.

Take Consent

An employer's ability to monitor or occasionally access a smartphone or tablet could be constrained by the fact that the company does not own the device. However, the employer can steer clear of legal problems by obtaining express consent regarding the purposes for using, collecting and disclosing data on employees' devices. Additionally, written notification is needed for the remote wiping of BYOD devices, since such measures might remove personal data or property.

Consider Third-Party Servers

A mobile device management (MDM) system can be an additional line of defense against device security risks. However, the privacy of employees is at risk if employers don't incorporate a mechanism that distinguishes corporate content from personal information. MDM policies should, therefore, list privacy exceptions, prohibited activities and applications that are banned or allowed. A viable alternative to a restrictive mobile device management system is the use of virtual resources where data is kept on third-party servers. No information is held on the devices after users log out of their accounts and close their sessions.

Integrate an Acceptable Use Policy with BYOD Initiatives

When an employer has a conventional mindset, chances are employee-owned devices are already treated and covered like desktop PCs, notebooks and other gadgets on the corporate network. On the other hand, allowing staff members' devices to connect to a VPN for personal browsing creates some doubt about which behaviors may or may not be permitted. That's where an acceptable use policy can close the gap. It would address questions like:

  • Should sanctions be imposed on personnel who browse objectionable content on their devices through a VPN?
  • If a VPN tunnel is set up on a device and then an employee posts to Twitter, is that a violation?
  • What rights do employees have to copy data from their smartphones or tablets to an external storage device, such as a hard disk?

Parameters like these must be established by companies as part of a BYOD acceptable-use policy. Well-framed, comprehensive acceptable use policies can help shift costs to employees and reduce the monitoring burden on employers for non-strategic devices.

Be Modest When Imposing Controls

Imposing impractical controls can dampen employee productivity. This is a lesson that many stakeholders learn the hard way when they configure device settings without first assessing how they will affect users. For instance, mandating complex passcodes or short inactivity time-outs is a recipe for disaster, generating heated support calls and noncompliance. A better approach is to mandate modest PINs, supported by secondary authentication where needed. In a nutshell, employers should seek a balance between risk and freedom for each use case.

Offer Ongoing Support

Employers can work with their organization's IT team to help employees use their devices more efficiently. To some extent, this reduces the need to control BYOD devices proactively. However, support should be offered at all stages of the BYOD lifecycle, from onboarding to decommissioning. The right support infrastructure will ensure that all mobile devices are configured correctly, are free from malware and have the latest security applications installed. This approach also helps improve overall employee satisfaction, as employees see that the company cares about them by offering more freedom to carry out a variety of tasks on their personal devices.

The privacy issues that could arise from an organization-wide BYOD scheme may be enough to dissuade some employers, but countless firms have successfully struck a balance between privacy and security. By obtaining written consent, imposing modest controls and having an acceptable-use policy in place beforehand, employers can minimize the legal risks and litigation associated with BYOD adoption.

Sources

BYOD Statistics Provide Snapshot of Future, Insight

10 Reasons Why the Fourth Amendment Third Party Doctrine Should Be Overruled in Carpenter v. US, TeachPrivacy

Not Authorized! Employees and Computer Fraud, Wisconsin Lawyer

Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.