Tag Archives: BYOD

Cyber Security 101

The Financial Industry Regulatory Authority or “FINRA” recently published its Report on Selected Cyber Security Practices.  FINRA is a self-regulatory organization within the financial industry, an industry that is highly motivated by information privacy and cyber security concerns.  When FINRA releases information and recommendations on these topics, we should all take notice.

The report highlights several areas of ongoing concern to many employers:

  • Establishing appropriate written information privacy and cyber security policies and procedures;
  • Maintaining security at branch or satellite offices;
  • Training employees to recognize and respond to phishing attacks;
  • Learning to detect and defend against insider threats (such as disgruntled employees);
  • Conducting reasonable security testing; and
  • Reducing the spread of malicious software via employee-owned devices.

Every employer depends on the availability of their computer systems daily and possesses valuable information such as trade secrets, proprietary business information, and personally identifiable information regarding their employees.  However, many employers, especially those that operate outside of the healthcare and financial industries, are often unaware of the information privacy and cyber security risks their organizations are exposed to, until a security breach or attack occurs.

To avoid making costly mistakes, employers in all industries should take a basic inventory of the information they possess and the risks posed by the release, interruption, or deletion of that information.  This inventory can then be used to make wise decisions concerning reasonable security controls, such as adequate user authentication and/or a “Bring Your Own Device Policy” governing employee use of personal electronic devices.

Additionally, policies should be drafted and implemented to avoid creating a result that may cause an insurer to deny a claim for damages in the event of a breach of security.  Policies should not generally be aspirational; rather, they must reflect controls that have been implemented.  For example, a company may intend to start requiring two-factor authentication to access certain company accounts, as required by its written policy, and fail to follow up with the necessary implementation.  If those accounts are compromised, an insurer may deny a claim because the company knew there was a heightened risk to those accounts and failed to adequately protect them.

Written policies should also include sufficient detail to provide appropriate security while allowing for reasonable deviation in implementation.  A company may be tempted to provide minute details regarding actions to be taken in response to a breach.  But, if the company fails to adhere to all of those detailed provisions, the insurer may find cause to deny payment for some portion of the company’s damages.

The cost of implementing most of FINRA’s recommendations will vary depending on a company’s needs and financial commitment to security.  Some companies justifiably strive to turn their network and computer systems into a digital “Fort Knox,” by implementing costly controls recommended by various organizations.  While that may not be possible for everyone, all companies can benefit from implementing controls that are appropriate and cost effective for their size and industry, including the controls discussed above.

Eliza Scott Jones is an associate with Woolf, McClane, Bright, Allen & Carpenter PLLC and a former computer programmer and security professional. She provides counsel for legal matters related to information privacy and cyber security.


BYOD? Legal Risks of Bring Your Own Device Policies

In our 24/7 society it seems everyone carries a smartphone.  We feel the need to be able to access email, surf the internet, text message and make and receive calls anytime, anywhere.  And many employers want their employees to be reachable anytime, anywhere.  As a result, many employers are going “BYOD” and adopting Bring Your Own Device Policies.  But going BYOD creates certain legal risks.  Employers need to know those risks and how to minimize their exposure to them.

The primary legal risks associated with going BYOD include:

  • Loss of confidential information due to the loss or unauthorized access of the employee’s device.
  • Wage and hour issues, such as a non-exempt employee using the device to work overtime or a minimum wage violation because the fees and expenses for the device reduce the employee below minimum wage for each hour worked.
  • Discrimination and harassment.
  • Employee negligence – the employee has an accident while using the device which results in a worker’s compensation claim, a claim by an injured third party, or both.
  • An overbroad BYOD policy which inhibits “concerted activity” in violation of the National Labor Relations Act (“NLRA”).

To minimize these risks employers should adopt a BYOD policy.  An effective BYOD policy should:

  • State that mobile device management software will be installed on the employee’s device which allows the employer to remotely “wipe” the device if necessary.
  • State that the employer is not responsible for personal data loss.
  • State that the employee has no expectation of privacy in the information stored on the device.
  • State that the employer can monitor and preserve all data on the device.
  • Require employees to sign the policy consenting to the terms.
  • Prohibit the use of the device outside of the employee’s normal work hours unless expressly authorized to do so.
  • Prohibit the use of the device for work while on unpaid leave unless expressly authorized to do so.
  • Ensure that the fees and expenses for the device do not reduce the employee below minimum wage.
  • State that time worked using the device will be counted as compensable time.
  • Prohibit the use of the device for discrimination or harassment.
  • Prohibit the use of the device when driving or operating equipment.
  • Prohibit the storing of information from prior employers.
  • State the protocols that will be followed in the case of an employee’s resignation or termination.
  • Specify any other prohibited uses.
  • State that the employee must notify management immediately in the event their device is lost, damaged or stolen.
  • Contain an NLRA disclaimer.
  • State that the BYOD Policy may be revoked at any time.

Adopting an effective BYOD Policy which contains these elements will help those employers who choose to go BYOD minimize the risks from doing so.


BYOD? What Employers Need to Know About Bring Your Own Device Policies

Check out my PowerPoint presentation BYOD on the legal risks of a Bring Your Own Device Policy and guidelines for drafting a BYOD Policy.
