I’ve always been amazed by insurance companies in litigation. Despite the fact that a ruling in one particular case went badly for them, they usually won’t appeal it. Even if it’s clear that their insured is worse off as a result. Even when it’s obvious that the ruling was contrary to law. Even if there’s a near certainty of victory in a higher court.
They have a reason: it makes more sense to endure one (or more) bad ruling than to risk the bad ruling becoming a bad law.
Believe it or not, the same principle applies to your office’s security policies, especially any policy you have addressing “Bring Your Own Device” (BYOD). While I generally feel that any policy is better than no policy, the wrong policy can actually be quite destructive. It can decrease employee satisfaction, decrease productivity, increase costs, and even increase your security risks.
So it’s a no-brainer. You need the right BYOD Policy for your law firm. What is the right BYOD Policy for your firm, you ask (even if you didn’t)? It’s probably different for your firm than the next. Here’s how to create the right BYOD policy for your law firm:
1) Identify and clearly state your BYOD Policy’s purpose.
One of the most important parts of any effective security policy is buy-in. If your employees don’t have a role in crafting your BYOD Policy, you’ve already made a huge mistake. But even if you’ve brought in your employees, you need to make sure they know and understand why the policy is necessary. After all, their awareness of security risks, as well as their consequences, are what really protects your firm.
So spell out your BYOD Policy’s purpose up front. Make sure it’s clear, particularly for employees who may not have been with you when the policy was drafted. It’s important. Say so.
2) Determine and define the “permissible use” of personal devices.
Knowing why the rules are there is important, but irrelevant if nobody knows what, exactly, the rules are. Here’s where you really get into how your policy will apply. Will you allow limited personal use of devices while on your law firm’s network? (I recommend doing so, but it’s up to you!) Does your policy clearly and expressly inform your employees that all other office policies, including rules about ethics, apply to use of their personal devices? If you want to avoid employment litigation, it better!
Here is also where you want to decide if you’re going to restrict the apps that your employees can download. On one hand, it decreases your security risks, as you’re able to block vulnerable apps. On the other hand, it makes your staff feel like the device is a little less “theirs.” It’s a tough call.
3) Set up a clear, unambiguous procedure for registering approved devices.
BYOD can really be great, but if you don’t know what devices are accessing your network, or who owns the ones that do, then you’re just looking for trouble. Decide how you’re going to register devices, but make registration mandatory. Your IT Manager should keep a list of each device and its network identifiers, tied directly to the name of the owner.
This is an ideal section to inform employees that they will be required to install or maintain certain security apps or features on their devices. It is also an ideal place to clearly lay out the responsibilities of the user and the responsibilities of the IT Manager concerning the devices. Let your employees know that they can expect your IT Manager to responsibly perform those tasks, while unambiguously informing them what’s expected of them if they want to register their device.
4) Determine what security requirements to make part of your BYOD Policy.
This section is the heart of your BYOD Policy, so make it count. What will your password requirement be (note that I didn’t make it optional, you MUST require passwords)? Will you require multi-factor authentication? Are you going to require installation of Mobile Device Management software?
There are a lot of ways to decrease the security risks caused by BYOD, but don’t forget that each additional measure reduces the convenience your employees gained. Too onerous a BYOD Policy and your employees will start looking for ways to use their devices without complying, or will simply refuse to use them at all.
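The registration list from step 3 and the security requirements from step 4 only pay off if someone actually checks the network against them. The script below is an added illustration, not part of the original post or any template it mentions: it reconciles constructed Wi-Fi association log lines against a constructed device registry, flags devices that connected without being registered, and flags registered devices that lack a control the policy requires. The log format, the registry layout, the `FirmStaff` SSID, and every device, owner and address in it are assumptions made for the example.

```python
"""Reconcile devices seen on the office network against the BYOD registry.

Added illustration for the registration (step 3) and security-requirement
(step 4) sections; it is not from the original post. The registry layout,
the log format and every device, owner and address below are constructed
for the example.
"""
import re
from dataclasses import dataclass, field

# Controls the hypothetical policy requires on every registered device
# (the post names passwords, multi-factor authentication and MDM software).
REQUIRED_CONTROLS = {"passcode", "mfa", "mdm"}


@dataclass
class Device:
    owner: str
    mac: str
    controls: set = field(default_factory=set)


# Constructed registry: each device is tied to a named owner and to an
# identifier the network actually sees (here a Wi-Fi MAC address).
REGISTRY = {
    "aa:bb:cc:00:00:01": Device("Alice Attorney", "aa:bb:cc:00:00:01",
                                {"passcode", "mfa", "mdm"}),
    "aa:bb:cc:00:00:02": Device("Bob Paralegal", "aa:bb:cc:00:00:02",
                                {"passcode"}),
}

# Constructed Wi-Fi controller log lines; the exact format is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:01:12 wlan0 ASSOC client=aa:bb:cc:00:00:01 ssid=FirmStaff
2024-03-04T09:02:45 wlan0 ASSOC client=aa:bb:cc:00:00:02 ssid=FirmStaff
2024-03-04T09:03:10 wlan0 ASSOC client=de:ad:be:ef:00:99 ssid=FirmStaff
2024-03-04T09:03:11 wlan0 DEAUTH client=aa:bb:cc:00:00:01 ssid=FirmStaff
"""

ASSOC_RE = re.compile(r"\bASSOC client=(?P<mac>[0-9a-f:]{17}) ssid=(?P<ssid>\S+)")
STAFF_SSID = "FirmStaff"


def seen_clients(log_text):
    """Return the set of MAC addresses that associated with the staff SSID."""
    macs = set()
    for line in log_text.splitlines():
        m = ASSOC_RE.search(line)
        if m and m.group("ssid") == STAFF_SSID:
            macs.add(m.group("mac").lower())
    return macs


def audit(log_text, registry=REGISTRY):
    """Classify observed devices as unregistered or non-compliant.

    Returns a dict with two entries:
      'unregistered': MACs seen on the network with no registry entry
      'noncompliant': {mac: missing controls} for registered devices that
                      lack something the policy requires
    """
    unregistered = set()
    noncompliant = {}
    for mac in seen_clients(log_text):
        dev = registry.get(mac)
        if dev is None:
            unregistered.add(mac)
            continue
        missing = REQUIRED_CONTROLS - dev.controls
        if missing:
            noncompliant[mac] = missing
    return {"unregistered": unregistered, "noncompliant": noncompliant}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for mac in sorted(result["unregistered"]):
        print(f"UNREGISTERED device on staff Wi-Fi: {mac}")
    for mac, missing in sorted(result["noncompliant"].items()):
        owner = REGISTRY[mac].owner
        print(f"{owner}'s device {mac} is missing: {', '.join(sorted(missing))}")
```

On the constructed input this reports one unregistered device and one registered device (Bob’s) that has a passcode but neither MFA nor MDM. In practice the registry would be fed from the registration procedure in step 3 and the control status from whatever MDM or enrollment system step 4 settles on; the point is that the list the IT Manager keeps is something the network can be checked against, not just a document.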
5) Define your data policy.
The whole point of a BYOD Policy in your law firm is to protect your clients’ confidential information. The whole reason that you need the policy in the first place is that their confidential information is now going to be located on your employees’ mobile devices. Here’s where you determine where and how that data is stored.
Are you going to require that company data be segregated at all times from personal data? I highly recommend doing so. You may also want to designate certain apps for company-data only, requiring your employees to use a different app for personal data. Make sure that this section includes information regarding the potential that you may need to remote-wipe the company data from the device. Failure to do so, and failure to indicate the situations when remote-wipes may be performed, is just begging for a lawsuit.
6) Determine and describe how you’re going to protect your employees’ privacy.
I’ll admit it, this is the tough part. In reality, this is the part where you’re making rules and boundaries for yourself, and putting in writing that you’ll comply with them. Remember – this is a security policy, not an employee monitoring policy. Let your employees know that you value their contribution to the business. After all, they’re the ones paying for these devices.
However, don’t forget a little CYA. If your security protocols might result in monitoring – even passively – of personal emails, phone calls, or text messages, then say so. A little protection goes a long way.
7) Make sure your employees read and sign!
That CYA I just mentioned? Well, it doesn’t mean a thing if a disgruntled former employee claims he never read the policy and you can’t prove him wrong! But there’s actually an even more important, and more basic, reason to get your employees to sign the policy: security is critical.
The awareness of your employees is critical to an effective BYOD Policy. If you’re interested, check out our template BYOD Policy, which we’ve drafted based on our considerable experience addressing the BYOD issue.