Wednesday, July 22, 2009

Cell Phones: An Employer's Dilemma

If cell phones were used only for making phone calls, the employer’s dilemma would not be quite as difficult as it has now become. However, cell phones are used for Internet access, text messaging, photos, email and the occasional phone call. Since nearly every employee has a personal or company-issued cell phone, the use of these devices creates headaches related to productivity, privacy, safety and legal issues.

Cell phones have become indispensable tools for today's workforce. While these devices provide productivity benefits, they also pose new risks to organizations. It's becoming increasingly important for today's employers to implement effective cell phone use policies, both to limit liability and improve safety. Other than the most obvious risks, why should exporters be more concerned about the use of cell phones on the job?

The U.S. Government restricts the release of the following information to foreign nationals in the U.S. and abroad through export regulation and embargoes:

• critical technologies,
• technical data/software code,
• equipment,
• chemicals/biological materials, and
• other materials, information and services

Penalties for violating export control regulations include fines, loss of export privileges, personal liability and damage to the organization’s reputation.

Still unsure why exporters should care about cell phones in the office? Let’s define what constitutes an export. Exports include the following:

• Shipment of a controlled item or good
• Transmission (including fax, digital or hand-carried) of controlled information related to a controlled item
• Release or disclosure (including verbal or visual) of any controlled technology, software or technical data either in the U.S. or abroad
• Use or application of controlled technology on behalf of, or for the benefit of, any foreign person or entity, either in U.S. or abroad
• Exports can occur when you provide foreign persons “access” to technical information. For example, by hosting a visitor, hiring a consultant, using outside legal/translation services, giving tours of your business, making presentations, participating in casual conversations and sending emails, faxes, etc.
• Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad

Get the picture? If not, think about your employees taking the picture of confidential business documents. That’s right! Many cell phones have cameras that could be used to take pictures of restricted data. Get the message? Think about the emails or messages that may be stored on that phone. What if that phone is taken on a plane destined to a foreign destination and having it inspected and/or seized by a foreign customs organization?

Now that we have the big picture, what should the employer do? The answer to that question is complex and must take a variety issues into consideration, such as the type of business, information employees have access to, ownership of the phones, use of phones, type of phones, etc.

Although many companies already have confidentiality and privacy policies in place, we’ve provided a few suggestions for consideration.

· Employees need to be aware and acknowledge in writing that they’re not allowed to take pictures and send them to? sales contacts, technical personnel, etc. without going through your office’s documented compliance procedure.
· Visitors should not be given access to goods or information that is subject to export controls unless cell phones have been checked in by Security or the visitors are escorted and informed that photography is prohibited.
· Foreign visitors should not be allowed the use of cell phones or other photographic or recording equipment while touring a facility.

For company issued cell phones, the following actions can be taken to protect cell phones and company information.

· Install and configure additional security controls such as encryption, remote content erasure, firewall, antivirus, intrusion detection, anti-spam and virtual private network (VPN) software
· Back up data frequently
· Install user authentication, content encryption and other available security facilities
· Use remote password reset and locking .
· Install controls to restrict application downloads, access and use.
· Establish controls to restrict camera, microphone and removable media use.
· Inform employees that company issued phones are company property and are subject to search at any time.

1 comment:

Anonymous said...

Wow -- had not even considered some of this stuff! Thanks for the information!