The Tablet of Compliance Disaster: Avoiding the Perils of Bring Your Own Device Policies

As Americans, our smartphones and tablet devices are essential elements of the information wardrobe, and we are so attached that we never leave home without them. For many Americans, losing a mobile device brings greater fear than losing a wallet or a purse. Based upon this mentality, it is no wonder that as many as ninety percent (90%) of employees perform work-based tasks from their personal devices, and employers have responded by implementing bring-your-own-device (“BYOD”) policies whether they choose to pay the costs (in some states such as California this is mandatory) or not.

Performing Work Based Tasks on Personal Devices Has Significant Issues

Let’s return to the fear of losing a device that was discussed above. Joe is a registered nurse working at a pediatric clinic. While away on a conference Joe sits down at the airport gate to have a Face Time chat with his family before boarding the plane. After ending the conversation, Joe leaves his phone plugged into the charging station he was using and boards the plane leaving his phone behind. Panic ensues at 30,000 feet.

Joe stores confidential patient vaccination records and other work-related on his phone. Since Joe did not put a password on his phone, the information is now accessible to anyone who finds Joe’s phone. Unfortunately for Joe, an Internet troll found Joe’s phone and posted confidential information about Joe’s patients on his pro-vaccination blog, which publicly calls out parents who choose not to vaccinate their children. Joe and the clinic he works for have just committed major HIPAA and other privacy-related violations.

A Well-Crafted Policy Can Reduce the Risk of Violations

While Joe’s story may seem fantastic and unbelievable, something very similar happened in a train station in New York in late January 2015. Therefore, if your business is going to use a BYOD policy it is extremely important that your employees be fully educated and aware of all potential privacy violations and follow the minimum guidelines set forth in this article in order to reduce the risk of violations.

Outline the Permissible Work-Related Uses of a Personal Device

Your policy should document the allowed work-related uses of personal devices. In Joe’s case, it would have been wise to prohibit employees from transferring confidential information to their personal devices and instead store such information on a company owned, password-protected device.

Ensure that Security Protocols are Followed at all Times

The policy should clearly outline that employees are required to use adequate password and virus-protection measures in order to reduce the risk of a situation like Joe’s from occurring. Today’s smartphones feature wiping mechanisms in the event that a device is lost or stolen, and it is essential that employer policies require employees to have such security measures in place.

Update Human Resources Policies to Include Statements on Privacy

Review social media and other privacy policies to ensure that they are consistent with the BYOD policy. All too often we see employees post work-related information to social media accounts by accident. When mixing personal and work-related uses it is important that all of the HR policies be consistent.

Engage in Privacy Related Training Courses for all Supervisors and Employees

There is simply no substitute for online-based training courses that review the relevant employment and privacy laws that are relevant to BYOD policies. With more and more information available to employees, there is a greater likelihood that it could be co-mingled with personal information and ultimately violate a myriad of laws. Accordingly, the employer is best protected by engaging in short, cost-effective employee privacy training that reviews the risks of exposing client, employee, or patient data.

Syntrio’s team of experts are ready to show you more about our vast learning management systems, which include a variety of employee-privacy based courses to suit all needs. If you feel you need more specific training to your particular business or industry we would be more than happy to create a custom course for you. Contact Syntrio for more information and remember to follow us on Twitter, Google Plus and LinkedIn for daily updates on employment law and compliance issues that may impact your business!