May 1, 2020

The Top 5 Considerations for “Bringing Your Own Device” Policies in Light of COVID-19

by Greg Tapocsi, Dinsmore & Shohl LLP

COVID-19 has seemingly changed the legal field’s traditional brick-and-mortar office dynamic with many law firms now permitting employees to work from home, or WFH. Although Governor DeWine has announced that Ohio’s economy will begin reopening on May 1, social distancing will be one of the key measures to reduce community spread and employees could be alternating between working at the office and WFH for the foreseeable future.

However, moving between a trusted office security environment and WFH can substantially increase cybersecurity risk. Before COVID-19’s onset, 26% of law firms experienced a cybersecurity breach of some fashion and the number of breaches will seemingly increase based on the transition to WFH. As a result, a growing number of law firms are considering “bring your own device (“BYOD”) policies. BYOD policies allow employees to connect their personal devices such as smartphones, tablets, or laptops to the firm’s network to perform employment-related obligations.

While BYOD policies can provide important benefits to firms, numerous legal and business concerns should be assessed when implementing such a policy. Here are the top 5 considerations to evaluate as part of your BYOD policy:

  • Security, security, security. It is crucial that your BYOD policy ensure that the appropriate security measures are implemented to keep your information safe. Options include:
    • Requiring complex password protection.
    • Limiting access to confidential information.
    • Requiring employee devices to have firm-provided security software installed and mandating that such software have the latest security updates prior to connecting to the firm’s network.
    • Barring the use of public WiFi to connect to the network.
    • Requiring multifactor authentication prior to each log-in.
  • Register approved devices. The benefits of BYOD are lost if you do not know what devices are accessing your firm’s network and who owns those devices. Your BYOD policy should delineate a clear procedure to register devices and you should keep a list of all approved devices that contains information such as the device’s owner and IP protocol.
  • Acceptable use. Your firm must clearly define what it considers acceptable use, which could include blocking access to certain websites or apps while connected to the firm’s network. Another item to evaluate is whether camera features on employee devices must be turned off while on the firm’s premises.
  • Offline communications. Employees may be drawn to connect with each other via text messaging or private social media messaging instead of secure email platforms. Your BYOD policy should prohibit communication regarding confidential information via unsecured methods and you should remind your employees to use their best judgment when talking about work matters.
  • Employee Privacy. Employees are often concerned that BYOD policies might lead to inappropriate access to health, financial, and personal information. One solution is to utilize a mobile device management program to create a virtual wall between personal information and work information. Even if your security protocols result in passive monitoring of employee personal information, your BYOD policy should notify employees of the same.

Tapocsi
Before COVID-19’s onset, 26% of law firms experienced a cybersecurity breach of some fashion and the number of breaches will seemingly increase based on the transition to WFH.