Nothing captures the meaning of the Holidays (it is surprising how many winter festivals/holidays one could choose from or – cynically speaking – could use to develop a religious discrimination claim) than the giving and receiving of gifts, especially tech gadgets. And this invariably means employers will ring in the new year with an influx of new technology devices, e.g., iPads, tablets, smart phones, etc., coming into the workplace.
For companies, it is important for their IT managers, CIOs and other company leaders to make informed decisions when it comes to determining the best way to manage the influx of these tech gadgets into their organizations.
Workplace Technology Use Policies
Employee owned devices should be addressed in a Workplace Technology Use Policy. Such a policy will cover the full range of issues at the intersection of technology and employee issues, such as email use, social media policies, and Internet use.
But before an employer chooses to address employee-owned technology devices, it is important for employers to understand and evaluate the benefits and risks in order to ultimately determine what makes the most sense for the business.
In regard to risks, a few areas that come to mind that employers should consider include the following:
- Illegal Software & Violation of Software Licenses: Regardless of what the hottest device happens to be this season, it is always a good time for employers to remind their employees that non-company software cannot be introduced (uploaded or downloaded) onto company property without the express written approval of an appropriate manager and that all such software must be properly licensed and registered for the company’s use within the terms of any applicable licenses.
- Handling Company & Customer Information: Employers must determine and enforce how company or customer information will be treated. If employers allow such information to be transmitted between the company and employee owned devices, it is imperative that employers and employees exercise a great degree of caution in securing and handling all company and customer information. It is also a good practice to have some sort of audit trail so that the company will know who has what and when. This type of access information will also come in handy if an employer needs to later prove an employee misappropriated company assets on his or her way to working for a competitor. At the very least, employers should require employees to secure their technology devices with strong passwords and encrypting all company data stored on employee owned devices.
- Not all Data is Created Equal: It is also important for employers to educate employees as to what company data will not be permitted to be transferred to employee-owned devices. Consider for example that regulations governing certain types of data, such as health information protected under the Health Insurance Portability and Accountability Act (HIPAA) and HIPAA’s Security Rule requires that electronic protected health information (EPHI) be treated in certain ways. Additionally, many industries have regulatory obligations that require certain data, such as personally identifiable information, to be encrypted.
- If Nothing Else, Encrypt the Data Before it Leaves the Company: Even if there are no legal or regulatory requirements for data to be encrypted, employers should insist that any company data transferred to an employee owned device must be encrypted. One reason for this requirement is because many data breach laws, including Michigan’s data breach law, contain specific exemptions and protections for businesses if there is a data breach of encrypted data. In other words, if there an employee owned device is lost or stolen, a company limit or outright avoid the need for costly breach notifications if the customer information was encrypted.
Conclusion
Implementing a company technology use policy comes down to balancing business, legal, and practical considerations. Specifically, IT-management policies with rigid parameters regarding what devices are acceptable for corporate use will often provide the most protection to the business. But the broad appeal and adoption of tech gadgets by officers, managers, and employees make such a rigid approach unfeasible. But these two competing interests must be resolved with an understanding of the applicable risks and legal requirements.