Business Policies Regarding Data on Personal Devices

Kevin Enders offers Some Comments on Business Policies Regarding Data Protection at the Discrete Level

I’ve given speeches during which I talk about data loss at the discrete level – nothing involving hacking or massive theft – but data lost by individual employees in ways they don’t consider. During these speeches, I get a lot of glazed-over looks and sudden looks of concern. It seems no one ever mentions any of this to the individual contributors. Hence, they’re surprised when it’s shown to them just how easy it is to lose sensitive data.

There are two key points to remember:

  • Ensure that your employees realize what devices contain data
  • Ensure that they know what to do with devices they are discarding or sending somewhere

Make sure they know what contains data – it’s simple, yet not so simple.

Everyone knows that their computer hard drive contains data. That’s easy. They also sort of realize that their jump drives and phones can contain company data. I say they “sort of know” because they realize that data is on these devices, but treat these devices with far less concern than the hard drive in their laptop.

What they often don’t know is that there are storage devices in fax machines, printers, copiers, and many other office devices.  These can’t be overlooked when it comes time to replace them or send them to another department.

Make sure they know what to do with these storage devices when they are done with them

The most common complaint I hear from the individuals at the speeches is that they don’t ever know what to do with storage devices or business appliances when they are done with them. Hence, hard drives end up in storage closets, jump drives get thrown away (!), and required data destruction actions just sort of get overlooked in the name of “getting this thing out of here”.

Educate your employees on the data destruction strategies your company uses. Make sure they know with whom to speak if they have questions. Arm them with the knowledge and the resources to make sure they do the right thing. Remember, your customers don’t care that ignorance caused the leak of their sensitive personal data. They only care that it happened.