BYO Device and Remote Work Policies — Tips for Employers and Employees
As various areas of the country implement another set of stay-at-home orders due to COVID-19, and with employees in other areas traveling for the holidays, employers must once again decide whether they will allow their employees to work from home or on the road using their personal devices, and if so, what they can do to balance convenience with company data security. When weighing these questions, employers and employees should consider the following tips to allow for a smooth, secure transition to working remotely on personal devices.
Tips for Employers
First, and most importantly, employers should ensure that they have robust data and technology policies in place covering employees who bring their own devices or work remotely. These policies should cover, at a minimum, data storage, account credential standards, account or device sharing, and sequestration between personal and workplace information. When drafting these policies, employers should emphasize the seriousness of keeping company data confidential, and impress upon employees that they have a responsibility to keep this data safe, even if they are using their personal devices to access or store it. Employers should have their employees review these policies and sign an acknowledgement form showing that they understand them prior to using their personal devices to access company data or work remotely.
Unfortunately, an employer’s work is not necessarily done merely because it adopts a stringent set of bring-your-own-device or remote work policies. Because employees’ devices are owned and controlled by them, an employer will have no way to verify whether employees are properly complying with the employer’s policies. While this will not be wholly resolved short of providing all remote workers with company-owned and managed devices, there are steps employers can take to emphasize the importance of following bring-your-own-device and remote work policies.
Employers would be prudent to remind employees of their data protection responsibilities at regular intervals. If, for example, a company requires its employees to change their passwords every 90 days, the company should be prepared to remind its employees of this responsibility every 90 days. The company may also want to reattach its bring-your-own-device and remote work policies to these reminder emails, so employees are prompted to refresh themselves on any policies they may have forgotten or relaxed. Employers should also ask employees to verify that they have reviewed the relevant policies when these reminders are sent, so employers can ensure their remote employees are continuing to observe them.
Utilize Cloud Services, if Possible
Lastly, employers should consider utilizing a cloud storage service in which remote employees can store workplace information. This will help mitigate some of the risk that comes with allowing employees to bring their own devices or work remotely by giving employees a secure location to store documents, thus discouraging on-device storage, and by giving the company greater control over who can access company data. Using a cloud storage service comes with other benefits as well, such as allowing collaborative editing on documents and preventing competing or duplicative drafts of documents from being shuffled back and forth over email. Google Drive, Microsoft OneDrive, and Dropbox are some of the most popular options, all of which offer both personal and enterprise plans.
Tips for Employees
Use a Password Manager
First, employees should strongly consider using a password manager application to create and store workplace log-in information. (And to follow best practices, they would do well to do the same for their personal accounts.) A good password manager application will store all of an individual’s log-in information for their various accounts, including website credentials, computer passwords, Wi-Fi passwords, and even banking information. Better still, most popular password managers include the ability to randomly generate passwords of varying lengths based on user-defined criteria (such as requiring certain numbers, special characters, or upper/lower case letters). This allows users to quickly and easily generate and store much stronger passwords than they would be able to come up with and remember on their own, and removes any temptation to reuse passwords for convenience. Some of the highest rated password manager applications available are 1Password, Dashlane, Bitwarden, and LastPass, the latter two of which have limited free tiers.
Use Folder and Application-Specific Passwords
In an ideal world, an employee would be the only individual using any device containing company data; however, this is almost never the case when it comes to personal devices. Families routinely share laptops and tablets, and family members often answer the phone or check notifications for each other when one is out of the room or has their hands full. That said, there are still steps employees can take to protect company information on their personal devices, even when other individuals may be logged in and using them.
As a best practice, employees should password protect any work folders they store on their personal devices and ensure that these passwords are different from their device password. Further, employees should never stay logged in to their online accounts, email, or cloud storage applications, so that a password to use these services is required every time they sign in to the device. Lastly, on mobile devices, employees should set their notification settings to prevent mobile applications, such as Outlook, from showing message content on the mobile device’s lock screen, so that passersby cannot see any company information.
Keep as Little Work-Related Information on Personal Devices as Possible
Lastly, and perhaps most simply, a good way for employees to keep work-related information safe while working remotely is to keep as little of it on their personal devices as possible. Employees should leverage cloud storage services, if provided by their employer, to avoid saving company data on their personal devices. If an employee’s workplace does not use a cloud storage system, the employee should consider purchasing an external, password-protected hard drive so they can better sequester company information from their personal accounts. These steps will help prevent loss of sensitive employer information or loss of works in progress in the event an employee’s personal device is compromised by loss, virus, or damage.
This article is a publication of MWH Law Group LLP and is intended to provide general information regarding legal issues and developments to our clients and other friends. It should not be construed as legal advice or a legal opinion on any specific facts or situations. For further information on your own situation, we encourage you to contact the author of the article or any other member of the firm.
© MWH Law Group LLP 2020. All rights reserved.
Logan S. Kraus
Associate Attorney, West Des Moines