Bring-your-own-device polices

By Robert Erven Brown, Esq.

Key considerations for developing one at your own church

The emerging transformation from paper to digital storage is a confirmation that the power of this technology can work for us — or against us.

If you’re going to allow staff to use their own devices at work, it’s important that each individual acknowledges a key tenet: It might be his or her device, but it’s your church’s data that’s being exposed to hackers and thieves. Always remember that if an app is free, then your church (and its data) is the product.

This is just of several great articles from “Social Media Risk Management: A Starter Kit” — an in-depth eBook from Church Executive. Download the eBook (at no cost) here.

Several mundane — yet critically important —organizational disciplines impact the effectiveness of our churches’ bring-your-own-device (BYOD) policies and procedures:

Have a seven-digit, mixed-character password.
Require that passwords be changed weekly or monthly.
Do random enforcement audits.
Require IT department approval before mobile apps involving donors / donations can be implemented.
Restrict addition of unauthorized apps to mobile devices which have access behind your church’s firewall.
Stage a system attack; see how well your system responds to a phishing, social engineering or malware infiltration.
Consider building in “bunkers” to limit access when a disgruntled volunteer or employee attempts to harm the organization, or if a laptop is stolen.
Carefully review the data lifecycle for obtaining financial giving records, bank account information, credit card data and background checks so that unnecessary information is destroyed and the destruction process is properly documented.
Consider a procedure for staff education to prevent online copyright and media liability violation, as well as a procedure for detection of the same.
Review your disaster recovery plan.
Test your disaster recovery plan.
Insist that staff report lost devices immediately upon loss.
Establish the data wipe protocol for lost devices.
Check with your IT people to see if it’s possible to sequester the data wipe so that personal photographs and music aren’t deleted as part of the protocol for a lost device.
This encourages employees to report lost machines more promptly — if they think their personal items aren’t going to be immediately destroyed as part of the wiping protocol, that is.
Control home use.
Require departing employees to have their device “whited” by your IT department. It’s not unusual to find that departing employees still have access
former employers’ email accounts weeks after they’ve left.
Consider prohibiting (or at least set guidelines for) Wi-Fi connections, such as in Starbucks. Educate staff on the realities of hacking and the costs of data loss. Again: It’s their device, but it’s the church’s data that’s at risk.
Remember this maxim: A naïve device user x doing something stupid = data loss. More data is voluntarily given away on the Internet than is stolen.
Be sure that none of your device users are continuing to use windows XP, due to loss of support.

Speaking of apps, new android apps are available from multiple stores. Unlike Apple apps, android “APK” apps can be site-loaded. In other words, these apps can be transferred directly from one phone to another. Thus, a coworker can now share his new version of Angry Birds in Korean with another coworker, phone to phone. This creates an entirely new threat matrix for cell phone and portable device users.

Additionally, the overall security policy must consider these elements:

Government regulators and government data collectors
Cyber criminals, malicious hackers and malicious attackers
Commercial data collectors and programmers

Educate your staff about the dangers of “trading” personal data for “free” stuff: Google plus, Yahoo, Facebook, LinkedIn, Instagram, etc. — all are sources of creating data, which are then resold by the companies which acquired it. This includes retail store loyalty accounts. Once again: If you’re not paying for it, then you’re not the customer — you’re the product.

Beware of personal file-encryption programs
These programs require you to purchase a private key to avoid loss of your data from a crypto locker. According to the 2014 Ponemon Study, the average cost of a data breach in the U.S. is just under $200 per record. (Note that this cost increased from $59-per-breach record between 2011 and 2014.) This study found the root causes in the 314 large-scale data breaches studied were:

Human error — 30 percent
System glitches — 30 percent
Malicious criminal attacks — 40 percent

As of June 1, 2014, there was no national breach notification law; but, three cyber security or privacy-related bills were pending in the U.S. Senate. There’s a patchwork state and territory laws dealing with data breach notification. Unfortunately, these laws lack uniformity and consistency.

An Arizona statute, for example, says anyone who conducts business in Arizona and owns or licenses unencrypted data that includes personal information must conduct a reasonable investigation to promptly determine if a breach has occurred. If it maintains unencrypted data, then that organization must notify and cooperate with the data owner, and then notify —in the most expedient manner possible — when a breach has occurred.

It’s under a statutory duty to determine the nature and scope of the breach, identify the individuals affected, and restore reasonable integrity of the data system as soon as possible. The notification may be written, electronic or by telephone.

This law may be enforced by Arizona’s Attorney General and can include up to a $10,000 civil penalty per breach of system if the violation is a willing and knowing one.

Robert Erven Brown is an attorney licensed to practice in Arizona. He and his nonprofit practice group work with nonprofits and churches, helping them manage key operations connected with their missions, visions and causes. As permitted by local Rules of Ethics, they collaborate with attorneys who are licensed in states other than Arizona.

He is the author of Legal Realities: Silent Threats to Ministries, which describes his Campus Preservation Planning© initiative — a comprehensive program designed to manage the wide array of risks facing non-profit organizations.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal, accounting or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. “From a Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations.” Simply reading this material this does not create an attorney/client relationship with Brown, as this article is general legal information, not legal advice. A formal attorney/client relationship will not be established until a conflict check is completed and an engagement letter has been signed by both the attorney and the client. No “informal” legal advice will be provided by telephone. Simply sending an e-mail to Brown will not create an attorney/client relationship.

RELATED RESOURCES:

Leave a Reply