Bring It On!
So a while back I wrote a piece on BYOD (Bring Your Own Device), and spoke about what exactly the benefits are to employers, businesses, and employees. However, along with all of those benefits comes a plethora of risks and dangers associated with BYOD. First off, let’s begin with the definition of BYOD, which is: “the use of employee owned mobile devices such as smartphones and tablets to access business enterprise content or networks.” Sounds simple, right? NOT! When operating a BYOD environment, a business enjoys many benefits, such as improved employee self- and job satisfaction, increased workflow and efficiency, and even the ability for employees to work flex schedules, or even from home. It even becomes a huge advantage for the IT department of the business, as the costs normally associated with hardware purchases are minimized, since the devices are mostly purchased and owned by the employee.
However, when a business allows employees to use their own devices to access company information, it opens up the issue of whether or not the company is still fully complying with its own data protection policy. The reason is simply that the employee owns and supports the device, which affords the company little or no control over how and when it is used, versus a device that is owned by the company and loaned to the employee while in their employ.
This is a major issue that the company must analyze and address before establishing a BYOD policy and allowing employees to use their own smartphones or tablets in the work environment. In addition, an employer also loses the ability to tell whether an employee is texting for personal or business use when the boss sees a worker on their phone. This may run counter to my statement above about employees finding BYOD a way to be more productive and efficient.
Before allowing employees not only to bring their own device but to actually use it during the normal course of a business day, and for a business-only purpose, the employer must address a number of issues. For example, the company needs to make certain that its business information will not be merged in any way, shape or form with the employee’s personal data. Furthermore, the employer needs to ensure that in the event the employee loses the device, it can be rendered unusable and wiped clean, remotely and immediately.
What is recommended, among other things, is that when an employer makes the business decision to permit BYOD and enable its employees to partake in this practice, the company establishes security measures and implements a regularly scheduled audit of all devices accessing the network. In addition, the company should also establish a method of protecting data that is accessed by the device, by obtaining one of the few products that are now becoming available on the market for managing data transferred across cellular and Wi-Fi networks to a personal handheld device, in order to maintain that level of data security and integrity. This is known as “Ring-fencing data” and “Sandboxing”. This method keeps the data within a secured app, so that in the event the device is lost the data cannot be accessed on it and is easily retrieved via a backup maintained by the company and stored in the cloud.
Although there are a number of processes that an employer may put in place in order to maintain the security of data, all of these procedures are worthless if the employee doesn’t understand, enact, and respect the fact that this is not something to be taken lightly, and that these policies must be followed perfectly and religiously. The worker must also understand that the use of BYOD is a privilege that the employer bestows upon the employee, with the hope that this will assist the worker in doing their job more easily and efficiently.
What is also recommended is that the employer limits what type of data may be processed on the personal device and decides whether that data can be encrypted. The employer should also decide how long data should be allowed to remain resident on the device, and how the data should then be transferred from the employee to the corporate server.
Antivirus software should also be installed on the personal device, and the employee must be made aware that they must adhere to company acceptable use policies, in order not to place the data or the company in jeopardy. A monitoring system should also be put in place, in order to determine whether the employee is placing the company at risk through their own personal habits and entertainment choices in the places that they visit on the internet. Other suggested best practices for a BYOD policy may include a method of tracking the device, such as via GPS, but it must still protect the privacy of the individual.
Another risk posed to the employer is how an employee disposes of a device that they own. Some cellular providers offer a “trade-in discount”, and since the employee owns the device it is their prerogative how they wish to dispose of it. However, what about the intellectual property that is stored on the device and belongs to the employer? Does this fall under the purview of “an employee not having the right to destroy any company owned software or information” that is typically written in every employee handbook? An added potential issue is “Repetitive Stress Syndrome,” more commonly known as “Blackberry thumbs.” What happens if the employee claims that they developed this injury due to the company’s BYOD policy, and files a workers’ compensation claim? Where does the burden of proof fall: on the employee, who needs to prove that the injury was from their work at the office and not from their evening texting and Facebook visits? Or does it fall on the employer, who now has to prove that the injury was not work related?
One more risk a company faces is whether or not its Cyber Liability policy will respond to a loss incurred through the negligence of an employee who fails to protect data and suffers a breach on their personally owned device. Some carriers are saying that this would not be a covered loss since the device is not the property of the employer; however, others are taking the position that it would be a covered loss because the data belongs to the insured company. Either way, the company should review its policy thoroughly and discuss this with its carrier in order to determine whether or not coverage exists before a claim is filed, so that if it is not covered you can secure the proper forms ahead of time.
Certain businesses are even more susceptible to these types of losses, not only because of a cyber-breach, but also due to the necessity of maintaining detailed and accurate records and documentation of conversations that transpire between the company and its clients. The insurance business is certainly no stranger to this professional requirement.
For instance, let’s take a simple, hypothetical situation that may easily occur in the everyday life of the typical insurance agent. An insured texts a member of your staff at the office, on your employee’s phone, and states to the CSR that they just purchased a brand new car, and that since they paid cash for it (why would anyone do that in the first place) they do not want comp and collision. The CSR then proceeds to add the vehicle for liability only, texts back to the insured that “it’s covered as requested” and the insured is happily on his way home from the car dealer with his new car… only to text his friend (while driving) about his new car and, not paying attention to the road, proceed to drive directly into the nearest 7-11 store… literally, right through the front plate glass window.
Now of course the insured is looking for coverage for collision, and your CSR vividly recalls the text messages that clearly state that the insured did not want collision coverage. However, the employee dropped the phone in the sink while visiting the restroom after taking the text message from the insured, rendering it inoperable and leaving the text message unretrievable. Nice Errors & Omissions claim you have there, don’t you?!?!
So how can that have been prevented? Well, with the right agency management system, this E&O claim would not be an E&O claim at all. For instance, EZLynx has recently released an enhancement to its agency management system that includes the ability to text with an insured. The way it works is this: an agency is assigned its own personal texting telephone number, which is then distributed to its clientele. The insured has the ability to text a message directly to the agency which is recorded in its entirety in the client file of the EZLynx agency management system, time stamped and dated, and is uneditable. The agency employee who receives the text may respond to the insured directly through the EZLynx agency management system which, once again, is documented in the same fashion in the client’s file, and the message is immediately transmitted directly to the insured’s cellphone.
In our example case above, if this agent was using an EZLynx management system, the only other entry in the text message would have been from the agent to the insured, asking them to “make mine a cappuccino!”
Until next time, have a wonderful, safe, and healthy summer! Ciao for now!