Legal Corner: Embracing Mobility


June 01, 2013
Legal Corner
Richard Sheinis

Let’s face it: is there any development in technology that has made our lives more fun, and allowed us to work more efficiently, than mobility? We now carry our workplace with us, as long as we have our tablet, our laptop or even our smartphone. Wherever salespeople might be, they can book a wedding, reserve space for a conference or take a payment. Effective use of mobile devices can lead to improved employee job satisfaction, increased morale, increased job efficiency and increased job flexibility.


It has been said that with great power, comes great responsibility. The power of mobility brings with it the responsibility of security. This includes the security of the data that is stored on mobile devices, as well as data that is sent to or from mobile devices, and data to which an employee can have access through a mobile device. There has been a great increase in the volume of malicious software created for mobile devices. Apps have become a prime avenue for hackers to gain access to mobile devices.

As technology advances at light speed, the challenge to secure data can seem daunting. While no security program or security software can guarantee that data will never be lost or stolen, a few basic mobility program principles can go a long way toward protecting data, and allow individuals to reap the benefits of mobility.

These principles will put users on the yellow brick road to making the most of mobility, while minimizing security concerns:

1. Decide what type of mobile program fits the company best. 
Will company-owned devices be provided to your employees, or will employees provide their own devices as part of a BYOD (bring your own device) program? These programs are not mutually exclusive. Companies might provide devices to some employees, while others will need to use their own personal devices.

Each program has its own risks and benefits.  When the company provides the device, it has more control over its use and security.  A BYOD program might be less expensive, but it is less secure and might result in double pocket syndrome, where employees have two tablets, two smartphones or two laptops.  Some features will be the same for both programs, but others will be different. Companies need to decide what programs best fit their budget, their culture and their needs for security.

2. Take mobile security seriously.
Do not allow employees to use whatever device they choose, with whatever programs they choose, and think these devices are secure as long as they have a password. Passwords do not constitute a security program. Use a vendor that can provide a mobile device software platform that will securely support the different devices the company's employees use. Different platforms are available to control how data flows to and from the devices, the cloud or servers. A mobile device platform will also have security features such as encryption and remote locate, lock and wipe capability. Don’t forget that removable media, such as thumb drives and CDs, also must be addressed in a mobile device program.
 
3. Integrate IT, human resources and legal professionals in the development of the mobile device program.
Every program will have aspects that draw from each of these disciplines.  An IT professional can address security software issues, but he or she probably would not consider whether certain practices might violate employment laws. Have a point person, who can be from any of these disciplines, coordinate the effort, but make sure to get input from each department.
 
4. Decide how to address privacy concerns, especially if the company has a BYOD program. 
When employees use their mobile devices for business and personal matters, the line between the two can be blurred. More than one employer has gotten sued for invasion of privacy because they looked at an employee’s personal email while investigating a work-related issue.

5. Have an employee agreement that states all the terms and conditions of the mobile program. 
This will let the employees know how they can use their devices, and what is expected of them. Let the employee know if the company will be monitoring the Internet traffic or location of the device. Explain the legitimate expectations that employees can have, especially regarding privacy, when they use a mobile device for work. Adequate communication through an employee agreement is critical for avoiding problems later in the relationship.

6. Decide how to address post-employment issues.
How will the company handle security if an employee quits and refuses to return the device or the data that is contained on the device? Consider if the company will allow an employee to keep, or possibly purchase, a company-owned device that he or she has been using.

7. Who will be responsible for damage or repairs to the mobile device? 
When a device is lost or stolen, data security is not the only issue. Companies should know ahead of time who will pay the cost of the lost or stolen device.

8. There are a number of ways that an employee can create legal liability for the employer through the use of a mobile device.
The company can be liable if the employee accidentally loses or discloses data. There can be liability if the employee intentionally steals data for his own use, or even to sell the data to a third party. An employee can make a statement, often through the use of the Internet and social media, that can result in a claim of defamation, harassment or even improper use of confidential information. A good mobile policy and agreement should seek to curtail activity that can lead to company liability, and to the extent possible, assign liability to the employee if he or she violates company policies or agreements.

9. Occasionally, the company could receive legal process pertaining to information or data on a mobile device. 
This might include a subpoena from a law enforcement agency or a legal event hold notice (LEHN) in private litigation. However this arises, the company might be required to freeze the data on the device so that it is not lost or destroyed. Employees must understand that if they receive such process they need to notify the company, and cooperate by providing access to the device. Similarly, if the company experiences a data breach, the employee must provide the company with immediate access to the device if it is needed as part of the breach investigation and response.

10. Make sure to comply with any statutory or regulatory requirements that are often based upon the state in which the company or the employee is located.

While there is much more detail that goes along with all of these considerations for an effective mobile program, these principles should get companies on their way to establishing a mobile program to enhance their business.

Richard Sheinis is a partner in the data security and privacy group at Hall Booth Smith, PC in Atlanta. He is a certified international privacy professional (CIPP-US), and can be reached at (404) 954-6954 or rsheinis@hallboothsmith.com. Follow him on Twitter: @SheinisCyberLaw.

©2013 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

 
 

