A version of this article first appeared July 6th, 2023, on JD Supra.
Companies continue to adopt Bring Your Own Device (BYOD) policies to save money and relieve employees of the “two-phone burden.” However, such policies come with clear risks. Companies must remain particularly concerned when an employee exits the company. What are the primary challenges associated with departing employees in a BYOD policy, and what steps should an employer take to mitigate those risks?
Without formal policies, procedures, and controls, employees may attempt to retain sensitive company data stored on their personal devices when they leave the organization for any reason. This data could include customer lists, financial information, trade secrets, strategic plans, M&A targets, PII, PHI, or intellectual property. If the data remains on the employee’s personal device, the likelihood that it falls into the wrong hands increases. Data leakage occurs when internal custodians of corporate data transmit the data to an external party or retain it when they leave the company.
Mitigation Strategy: Management should implement multi-level departing employee policies and procedures to prevent or minimize data leakage. The policy must include formal steps to shut down the employee’s access to corporate systems as well as identify and preserve all company data from departing employees’ devices. Given the proliferation of remote work, companies require tools to perform many tasks remotely and quickly. Additionally, the policies should require a targeted data collection and analysis of departing employees’ personal devices to ensure that no proprietary company data has been retained, copied, printed, or transmitted. The company is urged to implement a Mobile Device Management (MDM) solution to guarantee protection. The MDM should allow IT personnel to remotely retain and preserve company data on the employee’s devices and to eliminate access to it.
Intellectual Property Theft
Employees exiting the company may take the company’s intellectual property with them innocently or with malicious intent. The IP might include confidential information such as trade secrets, strategic plans, and other proprietary data. This risk is higher for those employees who have had ongoing access to the company’s proprietary information.
Mitigation Strategy: The organization should establish a clear policy prohibiting the storage of company documents or files on personal employee devices. Instead, employees should save all documents to a company-controlled cloud storage solution. While the employee has access to the content during employment, revoking access upon termination protects the company (and the departing employee) from future data theft and related consequences. The company should also conduct regular training sessions to educate employees on the importance of protecting intellectual property and other trade secrets from inadvertent exposure. A sophisticated document management system (DMS), which is an automated, cloud-based software solution for organizing, securing, capturing, digitizing, tagging, approving, and completing tasks with business files, is extremely effective in protecting corporate trade secrets and IP.
In addition to the above suggestions, businesses should implement the following proven mitigation techniques:
- Mandate the use of two-factor authentication (2FA) to access company data on both employee personal devices and company-issued systems. 2FA adds an extra layer of security by requiring employees to provide an additional form of verification beyond usernames and passwords.
- Encrypt all company data regardless of its storage location. Encryption makes it much more difficult for unauthorized users to access sensitive data. If the company revokes the keys on departure, the employee loses access to data stored locally.
Are You Ready?
The risks associated with departing employees in a BYOD policy environment are significant. However, by implementing the strategies discussed above, your company can reduce these risks. You must have a clear exit policy, and each employee must agree to it in writing at hiring. Your IT personnel must be prepared to collect mobile data locally and remotely and implement proven security tools such as MDM, 2FA, and encryption. Your company can protect its data, intellectual property, and reputation by taking such steps.