In a study by the Ponemon Institute published in February, organizations often do not know if, and what kind of, data is leaving their networks through non-secure mobile devices. The study’s results are based on information collected across 14 industry sectors from 49 U.S. companies.

Let’s focus on data breaches for just a moment. For the first time in seven years, both the organizational cost of a data breach and the cost per lost or stolen record have declined. The organizational cost has declined from $7.2 million in 2010 to $5.5 million in 2011. That’s a 24 percent decrease. The most important category from a cost perspective is that of the so-called “lost business” costs. This includes abnormal turnover of customers, increased customer acquisition activities, reputation losses, as well as diminished goodwill. The costs that fall into this category have decreased by 34 percent compared to 2010. More than a third of the breaches that Ponemon studied were the result of lost or stolen devices, including laptops or USB thumb drives that contained confidential or sensitive information.

With employees using personal devices such as smartphones, tablets, laptops, etc., the potential for loss of data increases. How does an organization manage the risk associated with BYOD? In 2010, the U.S. Supreme Court held that employers have the right to access all communications on corporate-issued devices. However, the court didn’t address a company’s right to access information on an employee’s personal device. (Cisco Systems announced on March 20th that they were expanding services to “enable companies to manage and secure private mobile devices used by employees at work,” aiming to benefit from the trend widely known as BYOD, or Bring Your Own Device.)
As an employer, should you have a BYOD policy? To determine the content of, or need for, a policy, thoroughly analyze the following: the legal regulations you face; the inherent security concerns for your industry; your ability to manage and oversee the use of these devices; and, most importantly, the sensitivity of the information your employees handle.
If you decide to implement a BYOD policy, HR Daily Advisor has some recommendations:

Initiate a “wipe” policy. Require your employees to download software that allows you to remotely access and wipe devices. That provides protection if devices are lost or stolen. Additionally, there are software programs that can sequester work-related information into a software “sandbox,” creating a virtual folder on the personal device.

Require written agreements. Once you locate software that fits your needs, have your employees sign a written agreement that discloses all risks associated with the software (such as information loss) and requires them to download it onto any device that will be used to access work-related information.

Make the privilege exclusive. Allow only certain employees to have the privilege of using personal devices (exclude personnel who frequently handle sensitive data or personally identifiable information). Further, limit the type of information that’s accessible from a personal device (e.g., e-mail).

Make device inspection a part of the exit interview. Have employees consent in writing to have their devices inspected at exit interviews. Also, obtain permission to remotely wipe the device of any terminated employee.

Don’t allow employees to store corporate information on personal devices. Have them sign a written agreement that they will not store any corporate information on their personal devices.

Require employees to produce their devices for inspection. Have them sign a written agreement that they will turn over their personal devices for inspection upon a legitimate request.