PEDs—portable electronic devices such as laptops, PDAs, pocket drives, and memory cards—are in your office by the dozens. Are they putting confidential data at risk? Generating unexpected overtime? Destroying productivity? It’s time for a separate PED policy.
First, courtesy of our sister newsletter, the Safety Daily Advisor, let’s consider the various laws that relate to the information your company has.
- Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires plan administrators for group healthcare plans to take steps to secure medical information.
- Americans with Disabilities Act (ADA). The ADA requires an employer to maintain medical information about employees in confidence.
- Family and Medical Leave Act (FMLA). The FMLA requires an employer to maintain medical information about employees in confidence.
PEDs are changing your employees’ work habits, but for better or worse? Find out (and get all your specific questions answered) at BLR’s 90-minute audio conference, PDAs, Blackberries, and iPhones: How to Manage Their Use to Avoid Employment Law Problems and Other Headaches. Get more information.
- State unemployment laws. Generally, state employment laws require unemployment information to be maintained in confidence.
- State workers’ compensation laws. Generally, state workers’ compensation laws require that workers’ compensation matters be maintained in confidence.
- Disclosure of data breaches. Many states now require companies to disclose any security breaches of their databases. This may include information stored on portable electronic devices.
- Identity theft. Employees or customers may sue a company for negligence in connection with identity theft as a result of lax security procedures for personal data.
- Discarding personal data. Federal and state laws may require the proper disposal, i.e., the destruction of, personal data before it is discarded.
- Disclosure of private facts. If a portable device containing personnel information is stolen, and the information is publicized, the employee may be able to sue for publication of private facts.
And all that’s to say nothing of your own proprietary data, customer lists, marketing data, and trade secrets. To guard against the liability and to manage risk, it’s probably time to create a separate security policy specifically for PEDs.
Points to Cover
In drafting a PED security policy, some of the points you should cover, according to BLR’s popular SmartPolicies, include:
- Encryption. Require encryption of all data on portable electronic devices such as mobile computers or devices that carry confidential records.
- Pass phrases. Instead of passwords, require the use of pass phrases containing letters, numbers, and symbols. Require changes in pass phrases periodically.
- Authentication. When using a portable electronic device for remote access, require a two-step authentication where one of the steps is provided by a device separate from the device gaining access. When accessing the PED alone, also require a two-factor step: (1) a user name and a pass phrase to turn on a laptop and (2) a user name and pass phrase to access encrypted data on the laptop.
- Wireless networks. Secure wireless networks with firewalls and passwords.
Almost all of your employees are sporting at least one PDA, iPhone, Blackberry®, or portable disk drive. Think it’s time to exercise some control? BLR’s 90-minute audio conference, PDAs, Blackberries, and iPhones: How to Manage Their Use to Avoid Employment Law Problems and Other Headaches is coming to the rescue May 7. Find out more.
- Storage. Use a cable lock for laptops, and place them and other PEDs in locked storage when not in use.
- Timeout function. Use a “time-out” function for mobile devices requiring user re-authentication after 10 minutes of inactivity.
- Identification. When feasible, require that the PED be marked as property of the company.
- Records. Require the Information Technology (IT) department to record the model number and serial number of all PEDs and store digital photographs of each device.
- Logs. Automatically create a log for access to the portable device and a log for accessing the confidential data on the device.
- Copying. Allow copying or extracting access only with two-factor authentication.
In tomorrow’s Advisor, we’ll look at additional points to cover and tell you about a timely new audio conference that covers PED policies in depth.
Other Recent Articles on HR Policies & Procedures:
Are your Greeters Ready to Deal with a Violent Visitor?
Workplace Violence Is Not Beyond Your Control
Our Telecommuters Are at Work—Or Are They?
Ban Cell Phones While Driving? Could Backfire