The Tablet of Compliance Disaster: Avoiding the Perils of Bring Your Own Device Policies

As Americans, our smartphones and tablet devices are essential elements of the information wardrobe, and we are so attached that we never leave home without them. For many Americans, losing a mobile device brings greater fear than losing a wallet or a purse. Based upon this mentality, it is no wonder that as many as ninety percent (90%) of employees perform work-based tasks from their personal devices, and employers have responded by implementing bring-your-own-device (“BYOD”) policies whether they choose to pay the costs (in some states such as California this is mandatory) or not.

Performing Work Based Tasks on Personal Devices Has Significant Issues

Let’s return to the fear of losing a device that was discussed above. Joe is a registered nurse working at a pediatric clinic. While away at a conference, Joe sits down at the airport gate to have a FaceTime chat with his family before boarding the plane. After ending the conversation, Joe leaves his phone plugged into the charging station he was using and boards the plane, leaving his phone behind. Panic ensues at 30,000 feet.

Joe stores confidential patient vaccination records and other work-related information on his phone. Since Joe did not put a password on his phone, the information is now accessible to anyone who finds Joe’s phone. Unfortunately for Joe, an Internet troll found Joe’s phone and posted confidential information about Joe’s patients on his pro-vaccination blog, which publicly calls out parents who choose not to vaccinate their children. Joe and the clinic he works for have just committed major HIPAA and other privacy-related violations.

A Well-Crafted Policy Can Reduce the Risk of Violations

While Joe’s story may seem fantastic and unbelievable, something very similar happened in a train station in New York in late January 2015. Therefore, if your business is going to use a BYOD policy, it is extremely important that your employees be fully educated and aware of all potential privacy violations and follow the minimum guidelines set forth in this article in order to reduce the risk of violations.

Outline the Permissible Work-Related Uses of a Personal Device

Your policy should document the allowed work-related uses of personal devices. In Joe’s case, it would have been wise to prohibit employees from transferring confidential information to their personal devices and instead store such information on a company-owned, password-protected device.

Ensure that Security Protocols are Followed at all Times

The policy should clearly outline that employees are required to use adequate password and virus-protection measures in order to reduce the risk of a situation like Joe’s occurring. Today’s smartphones feature wiping mechanisms in the event that a device is lost or stolen, and it is essential that employer policies require employees to have such security measures in place.

Update Human Resources Policies to Include Statements on Privacy

Review social media and other privacy policies to ensure that they are consistent with the BYOD policy. All too often we see employees post work-related information to social media accounts by accident. When mixing personal and work-related uses it is important that all of the HR policies be consistent.

Engage in Privacy Related Training Courses for all Supervisors and Employees

There is simply no substitute for online-based training courses that review the employment and privacy laws relevant to BYOD policies. With more and more information available to employees, there is a greater likelihood that it could be commingled with personal information and ultimately violate a myriad of laws. Accordingly, the employer is best protected by engaging in short, cost-effective employee privacy training that reviews the risks of exposing client, employee, or patient data.

Syntrio’s team of experts is ready to show you more about our vast learning management systems, which include a variety of employee-privacy based courses to suit all needs. If you feel you need training more specific to your particular business or industry, we would be more than happy to create a custom course for you. Contact Syntrio for more information and remember to follow us on Twitter, Google Plus and LinkedIn for daily updates on employment law and compliance issues that may impact your business!


Employee Privacy is No Laughing Matter: Issues Facing Companies Can Prove Costly

Unless it is part of your company policy, it is unlikely your managers would think to share salary information between employees. Indeed, such a practice would be shocking to many employees who regard this information as a matter of personal privacy and don’t want it spread all over the office. Likewise, HIPAA and other laws prohibit employers from sharing health information about employees who take leave. Those same employees expect that their personal matters are only to be shared by themselves when they choose to do so.

Although these concepts seem simple, more than ever employers are failing to take adequate training steps to ensure that employee personal information is safeguarded. Indeed, although technological advances have streamlined human resources administrative matters, thereby simplifying record keeping practices, they have also exposed employee personal information and data on far too many occasions.

In a bygone era, mountains of paper housed employee information. This information was frequently kept in locked file cabinets in or near the human resources manager or other administrative professional’s office. With the transition to online data storage, the revelation of extremely personal employee details is as simple as a mistaken “reply all” to an email. No policy is going to prevent this type of privacy breach. Indeed, the only manner of reducing the risk is to engage in active, online employee privacy training to teach everyone the proper methods of safeguarding employee data. Admittedly, just because managers and employees are required to take a course in employee privacy does not mean that they are going to be 100% effective, but at least there is precedent within the office that your company is serious about protecting employee privacy, and your employees will be armed with the proper tactics to make their data and information as safe as humanly possible.

Compounding the problem of implementing adequate online activity procedures is the National Labor Relations Board. Although most employers think of the NLRB in union-labor settings, it is a broad-reaching government agency that is beginning to attempt to regulate policies in non-union settings by claiming that certain privacy and social media policies violate employees’ right to concerted activity. Although you may be making policies attempting to safeguard employee privacy by restricting online activity and access, you may actually be violating the law!

Because employee privacy is a complicated area of the law without any true guidance other than case law, it is extremely important that you schedule focused, online training courses to put your managers and employees in the right frame of mind to protect employee information. By taking the user through real-life scenarios, he or she is better able to understand the reasons behind the policies in place and will feel more comfortable with the policies for protection of employee information.

Syntrio can help train your managers on the nuances of employee privacy protection that will help formulate effective policies that keep you compliant with the law, and at the forefront of compliance. Contact Syntrio for more information and remember to follow us on Twitter, Google Plus and LinkedIn for daily updates on employment law and compliance issues that may impact your business!