Earlier, I published the first part of a checklist for employment lawyers developing technology policies.
Part one covered:
- Acceptable Use of Corporate Technology
- Security Compliance
- Electronic Privacy
- Data Governance
- Trade Secrets/Confidential Information
- Social media
- NLRB Compliance (and Caution)
This part covers:
- Cellphone/Mobile Device
- ADA Policy/Accommodations
- Data Retention Across Devices and Apps
- Technology and Data Services Acquisition
- Require adherence to all company policies, including acceptable use of corporate technology policy.
- Establish a use-in-vehicles/Safe Use policy.
- Ensure that users understand that personal data is the sole responsibility of the user.
- Restrict the use of those apps for company-related communications that cannot be adequately brought into compliance with your document retention policy.
- Ensure compliance with NLRB use policies.
- See ADA, below .
- Company owned
- Affirmatively recite ownership of device.
- Outline permissible personal use (including that it may not interfere with company business).
- Ownership of wireless number upon termination.
- Specify permissible devices or procedures for having a device approved.
- Specify security policy for cell phones, including reporting lost phones with company data.
- Set out expectations regarding any management software installed on a device.
- Establish your level of support for the device, including support, help desk limits, responsibility for data back up.
- Allocate ownership of apps and data.
- Determine whether any third-party apps will be banned from BYOD devices.
- Disclaim liability for destruction of non-employer data due to employer-installed software or intentional wipes to protect corporate information.
- Establish a process for review of requests for IT-related accommodations that ensures that requests for accommodation are reviewed by a competent authority.
- Ensure that users who use devices that connect to the network, smartphones in a company-owned or BYOD context or desktop computers that any information stored about the employee’s PHI may be viewable by the company.
- See Acquisition, below.
Data Retention Across Devices and Apps
- Require employee to maintain business records consistent with the company’s record retention policy on whatever device or app that record is created.
- Prohibit the use of devices and apps for business purposes which do not behave consistently with the company’s record retention policy (e.g., snapchat).
Acquisition of Hardware and Software
- Ensure that acquisitions are free from any code that can materially impede your networks, devices and data. This should include a specific discussion of the programming languages being used and/or a specification that any programming be done using memory- and type- safe language and/or adhering the strictest best coding practices in a language that is neither (such as C++).
- Ensure that hardware and software security are baked in at the development stage and not as an afterthought.
- Acquired software should use and implement any required or recommended security patches or upgrades
- Allocates risk through indemnity and insurance requirements.
- If your data is being held by the vendor, ensure that your agreement:
- Sets out definition of confidential information
- Sets out a definition of a security breach
- Requires that the vendor provide reasonable hardware, software and physical security.
- Where necessary, sets out the level of security to be met, such as remaining in full compliance with Payment Card Industry Data Security Standard (“PCI DSS”)
- Ensures that notification of an incident is prompt (reasonably proximate to the incident) and persistent (trying multiple avenues to reach your team)Establishes the level of service the vendor will provide you during an incident (24/7)
- Ensures compliance with all applicable federal and state, and foreign privacy and data protection laws, as well as all other applicable regulations and directives.
- Ensures notification in the case of a subpoena of your data
- Establish data ownership and ensure that data can be retrieved by you in a commercially usable matter regardless of any breach by either party and which survives the term of the agreement.
- Ensure that software and hardware are compliant with all EEO and ADA requirements.
- The centrality of data and system integrity to a company’s reputation, brand, equity and even survival dictate a new, higher level of response for violations of these policies.
- Ensure that certain post-promulgation communications constitute an update of the policy and are included by reference in the policy.
- Design policies and procedures that are sensitive to human cognitive capabilities and limits. For instance, password policies should be rationally designed to ensure usability and effectiveness. (More on this in a future post).
- This list bears a stubborn resemblance to that found at the University of Iowa.
This checklist is evolving and may be updated periodically.