Page 1 of 2
#1702306 - 05/23/12 01:20 PM Employee Owned Phone
ATLbanker Offline
Gold Star
Joined: Sep 2005
Posts: 332
Georgia
We have several employees who use their cell phones for bank business. We want them to sign an agreement that states they will protect customer data on their phone and that we have the right to inspect their phone. They do not want to sign the form stating they are giving up their privacy by signing. The two employees are the president and EVP. Does anybody require employees to sign an agreement when using their personal phone for bank business and does the agreement allow the bank to inspect the device?

#1702313 - 05/23/12 01:27 PM Re: Employee Owned Phone ATLbanker
edAudit Offline
Power Poster
edAudit
Joined: Jul 2008
Posts: 4,771
You are here
If it is their private phone why would you expect them to sign that you can inspect their phone?

If it is an issue, issue them a bank owned phone.
_________________________
Opinions can be considered as coming from anywhere but my employer.

CAMS


#1702315 - 05/23/12 01:30 PM Re: Employee Owned Phone ATLbanker
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
I think most banks provide and pay for phone services with the expectation that it is to be used for all bank business. If they leave, the phone is turned in. With personal phones you have no real way to ensure bank/customer information is being protected.
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.

#1702323 - 05/23/12 01:43 PM Re: Employee Owned Phone ATLbanker
BurntSienna Offline
Diamond Poster
Joined: Aug 2006
Posts: 2,407
Midwest
This is definitely a huge concern for the bank. If bank business is being conducted on personal phones and you have had no agreement or "rules" in place, the bank cannot ensure that the customer data on those personal phones is protected and safe. And yet, the regulators require you to ensure exactly that.

My bank's IT policies clearly state that no bank business is to be conducted on any personal mobile devices. And anyone who needs to conduct bank business on mobile devices has the device purchased by, set up by, and issued to the employee by the bank and that bank-issued device is subject to inspection at any time and the employees are informed that there should be no expectation of privacy.

I'd say you have a real issue that could lead to regulatory citation and/or fines and you need to end the practice of allowing these employees to use their personal phones for bank business. Good luck.
Last edited by BurntSienna; 05/23/12 01:45 PM.
_________________________
"Gratitude makes sense of our past, brings peace for today, and creates a vision for tomorrow." - Melody Beattie

#1702324 - 05/23/12 01:44 PM Re: Employee Owned Phone ATLbanker
Bob The Banker Offline
Platinum Poster
Bob The Banker
Joined: May 2010
Posts: 958
What you are doing is potentially illegal. Without knowing the specifics of this, you are asking that the Bank be able to inspect their personal device that they own. I would touch base with an attorney.

#1702365 - 05/23/12 02:21 PM Re: Employee Owned Phone ATLbanker
tdogz Offline
100 Club
tdogz
Joined: May 2012
Posts: 229
If by "use their cell phones for bank business" you mean they use them to read & send emails, then the best option may be to have the exchange server require that they password-protect their phone. This should also let you remote wipe lost devices.
http://www.techrepublic.com/blog/smartph...activesync/1560

IMO, if you're going to have them sign some type of agreement, then all employees should have to sign it as part of your bank's technology use policy, and I wouldn't limit it to just cell phones. You can easily enter customer info into a personal computer, etc. I would also word it to say what the limits are on their use of bank data, not what limits they have on the use of their personal devices.

#1702386 - 05/23/12 02:45 PM Re: Employee Owned Phone ATLbanker
ATLbanker Offline
Gold Star
Joined: Sep 2005
Posts: 332
Georgia
The phones are used to call customers. They may have customers' names and phone numbers stored in their phones' memory. The phones do not access the network, nor do we have them set up for email. The president used to have a bank owned phone (Palm) but he did not like it. When the iPhone came out he bought one and started using it.

#1702395 - 05/23/12 02:54 PM Re: Employee Owned Phone ATLbanker
J2C Offline
Diamond Poster
Joined: May 2004
Posts: 1,475
Big Brother knows and that's a...
Originally Posted By: ATLbanker
The phones are used to call customers. They may have customers' names and phone numbers stored in their phones' memory. The phones do not access the network, nor do we have them set up for email. The president used to have a bank owned phone (Palm) but he did not like it. When the iPhone came out he bought one and started using it.


So, they are using it for phone calls. What information is there to be compromised except a name and a phone number? I guess I am confused.
_________________________
My opinion is mine only- not my employer's!


#1702398 - 05/23/12 02:58 PM Re: Employee Owned Phone ATLbanker
ATLbanker Offline
Gold Star
Joined: Sep 2005
Posts: 332
Georgia
My concern is name and phone number could be considered NPI and fall under information security.

#1702399 - 05/23/12 02:57 PM Re: Employee Owned Phone ATLbanker
J2C Offline
Diamond Poster
Joined: May 2004
Posts: 1,475
Big Brother knows and that's a...
We have bank cell phones that are issued to people who request them. Some of those people have a bank phone and a personal phone. Some only have the bank phone. The individuals that have the bank phone only sign an agreement and they are aware that those phones and anything on them are subject to e-discovery. On personal phones, the bank does not have any access to that information; it is private property.
_________________________
My opinion is mine only- not my employer's!


#1702419 - 05/23/12 03:07 PM Re: Employee Owned Phone ATLbanker
ATLbanker Offline
Gold Star
Joined: Sep 2005
Posts: 332
Georgia
Do you allow employees to use their own cell phones to conduct bank business?

#1702476 - 05/23/12 04:20 PM Re: Employee Owned Phone ATLbanker
DeeQ Offline
10K Club
DeeQ
Joined: Dec 2002
Posts: 40,763
Turnpike Exit 10
Originally Posted By: ATLbanker
My concern is name and phone number could be considered NPI and fall under information security.


What if they are in the phone book? I don't consider it NPI.
_________________________
Get your facts first, then you can distort them as you please. - Mark Twain

#1702509 - 05/23/12 04:55 PM Re: Employee Owned Phone ATLbanker
ATLbanker Offline
Gold Star
Joined: Sep 2005
Posts: 332
Georgia
Our problem is we are cheap. Instead of getting our officers cell phones like we should have, we let them use their own phone. Some officers, who don't use their phone much for business, don't submit a bill for reimbursement. With the increased concern about bring your own device and identifying areas of high risk, now we need to change our policies and it is causing some hurt feelings.

#1702514 - 05/23/12 04:58 PM Re: Employee Owned Phone ATLbanker
Matt_B Offline
Diamond Poster
Matt_B
Joined: Sep 2011
Posts: 1,648
A CU, Where Regs Don't Apply
I guess I would wonder more about voicemails and things that would contain actual NPI vs just the name and number. Is any data the customer is providing being securely stored and deleted and not accessible by others? Sounds like a sticky situation. Work-issued phones are much simpler to address, no doubt.
_________________________
Someone's about to get horned!

#1702522 - 05/23/12 05:17 PM Re: Employee Owned Phone ATLbanker
edAudit Offline
Power Poster
edAudit
Joined: Jul 2008
Posts: 4,771
You are here
Originally Posted By: ATLbanker
The phones are used to call customers. They may have customers' names and phone numbers stored in their phones' memory. The phones do not access the network, nor do we have them set up for email. The president used to have a bank owned phone (Palm) but he did not like it. When the iPhone came out he bought one and started using it.


How would anyone know the number being called is a customer and not family/friend?
_________________________
Opinions can be considered as coming from anywhere but my employer.

CAMS


#1702634 - 05/23/12 07:35 PM Re: Employee Owned Phone ATLbanker
Milby Offline
Platinum Poster
Joined: Apr 2007
Posts: 953
Tejas
I am in a sort of shock that so many of you guys have not addressed BYOD (Bring Your Own Device) yet. There are die-hard Android, iPhone, Blackberry, and Windows users at every bank (and ardent anti-Android, anti-iPhone, anti-Blackberry, and anti-Windows users); trying to implement a corporate one-phone fits all is going to be (1) expensive and (2) ultimately failed. If you have not addressed BYOD, you need to. It is here, and your execs are going to demand it eventually. Adapt.

As tdogz said, you can push phone password requirements from your mail exchange server to protect emails on phones. For those that don't allow email access on smartphones, I would encourage you to join the 21st century and stop your policy of inhibiting productivity.

As for using the phone to call a customer... is this seriously a concern for you? It is a phone number and name - publicly available and, since you don't have email on the phones, not linked to the bank in any form or fashion. So, no - you can't require them to sign an agreement allowing you to seize their personal property and review it. And you can't reasonably tell someone to not use their mobile phone to talk to customers - sales and execs don't sit behind a desk 8 hours a day. They are out generating new business, which doesn't always happen between 9-5 at the bank's office.

#1702750 - 05/23/12 10:50 PM Re: Employee Owned Phone ATLbanker
ItNeverEnds CRCM Offline
Platinum Poster
Joined: Oct 2006
Posts: 992
Looking for my sanity
I'd have to chime in with Milby. We had bank issued phones and it just doesn't work. We changed our process and allow employees to use their own phones and submit a partial reimbursement, a set dollar amount to help cover the cost of the data package that most wireless providers require for corporate email access. A password is required at the server level so the user had to set a password to access email.

As far as using the phone to contact and/or store customer numbers, I can't imagine this is less worrisome than a physical address book/planner laying around in some sales or loan officer's car. With how attached people are to their phones, they're less likely to leave it laying around. IMHO.
_________________________
"The reason I talk to myself is because I'm the only one whose answers I accept."
- George Carlin

#1703081 - 05/24/12 06:56 PM Re: Employee Owned Phone ATLbanker
ATLbanker Offline
Gold Star
Joined: Sep 2005
Posts: 332
Georgia
I feel like we have addressed BYOD. We have an agreement that the employee signs saying the bank allows them to use their device but we reserve the right to inspect the device. Some employees don't like that clause. With an employee using their own phone and the employee leaves how do you verify all bank information is removed? Do you inspect, do a remote wipe of the device or trust the former employee to do the right thing?

#1703097 - 05/24/12 07:20 PM Re: Employee Owned Phone ATLbanker
edAudit Offline
Power Poster
edAudit
Joined: Jul 2008
Posts: 4,771
You are here
Sorry but I am with the above posters. How can you "forced" employees to use their own phone and then require them to sign away their privacy?

I can imagine the lawsuit if, as security is escorting your employee out of the building, they are confiscating and/or reviewing the employee's private property.
_________________________
Opinions can be considered as coming from anywhere but my employer.

CAMS


#1703107 - 05/24/12 07:32 PM Re: Employee Owned Phone ATLbanker
ATLbanker Offline
Gold Star
Joined: Sep 2005
Posts: 332
Georgia
I haven't forced any employee to use their own phone. They made the decision for themselves. My concern is to protect the bank and to figure out the best way to do so.

#1703117 - 05/24/12 07:41 PM Re: Employee Owned Phone ATLbanker
edAudit Offline
Power Poster
edAudit
Joined: Jul 2008
Posts: 4,771
You are here
That is why "forced" was in "". A good lawyer will cause more issues with this even if it is not true. I do not see the issue of a phone number and a name (without the name being associated with the bank) as your issue.
_________________________
Opinions can be considered as coming from anywhere but my employer.

CAMS


#1703139 - 05/24/12 08:07 PM Re: Employee Owned Phone ATLbanker
ATLbanker Offline
Gold Star
Joined: Sep 2005
Posts: 332
Georgia
I tend to agree after reading everybody's input. One issue that concerns me is the definition of NPI. It states that a list containing publicly available information compiled from nonpublic information is considered NPI. The list of names and phone numbers on the phone is derived from NPI, the bank's computer system or loan applications, and should be considered NPI. A stretch? Maybe, but as you have said, "a good lawyer will cause more issues with this...."

#1703188 - 05/24/12 08:41 PM Re: Employee Owned Phone ATLbanker
edAudit Offline
Power Poster
edAudit
Joined: Jul 2008
Posts: 4,771
You are here
It is unfortunate that we cannot have a policy and a risk mitigation for everything.

Saw a t-shirt (in an IT store) that said just when you make something foolproof they update the fool.
_________________________
Opinions can be considered as coming from anywhere but my employer.

CAMS


#1703212 - 05/24/12 09:18 PM Re: Employee Owned Phone ATLbanker
Milby Offline
Platinum Poster
Joined: Apr 2007
Posts: 953
Tejas
Originally Posted By: ATLbanker
My concern is to protect the bank and to figure out the best way to do so.

Perhaps it would be helpful to explain what you are trying to protect the bank from. Customer phone numbers are a non-issue; stored in a rolodex or notebook or business cards, they are out there. So what is the threat?

As I said above, allow approved people to access their Outlook email and contacts. If they leave or they lose their phone, you remotely purge their phone of bank-owned info - emails and their Outlook contacts. If you use that approach, you are now an innovator instead of an inhibitor, and you've mitigated whatever risk you see.
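
The server-side controls tdogz and Milby describe above (an Exchange policy that forces a phone passcode, plus a remote wipe for a lost phone or a departing user), shown as an added example that is not part of any post in this thread. It uses the Exchange 2013-and-later cmdlet names in the Exchange Management Shell; the policy name, mailbox and notification address are hypothetical placeholders.

```powershell
# Added example, not from the thread. Placeholders below are hypothetical.
$PolicyName = 'BYOD-Phones'
$Mailbox    = 'jdoe@example.com'
$NotifyTo   = 'it-security@example.com'

# 1. Create the policy once: the phone must enforce a lock code before it may sync.
if (-not (Get-MobileDeviceMailboxPolicy | Where-Object { $_.Name -eq $PolicyName })) {
    New-MobileDeviceMailboxPolicy -Name $PolicyName `
        -PasswordEnabled $true `
        -MinPasswordLength 6 `
        -AllowSimplePassword $false `
        -MaxInactivityTimeLock 00:05:00 `
        -MaxPasswordFailedAttempts 8 `
        -AllowNonProvisionableDevices $false   # refuse phones that cannot enforce the policy
}

# 2. Apply it to the employee's mailbox; it takes effect at the phone's next sync.
Set-CASMailbox -Identity $Mailbox -ActiveSyncMailboxPolicy $PolicyName

# 3. Inventory the phones partnered with that mailbox and whether the policy landed.
$devices = Get-MobileDeviceStatistics -Mailbox $Mailbox
$devices | Format-Table DeviceFriendlyName, DeviceType, DeviceOS,
    DevicePolicyApplicationStatus, LastSuccessSync, DeviceWipeSentTime, DeviceWipeAckTime

# 4. Lost phone or departing employee: request a wipe of each partnered device.
#    By default Clear-MobileDevice asks the phone to erase itself entirely, personal
#    data included, which is the privacy question the thread is arguing about.
#    Where the installed Exchange version offers the -AccountOnly switch, adding it
#    limits the wipe to the synced Exchange mailbox data.
#    -WhatIf makes this a dry run; remove it to send the request.
foreach ($d in $devices) {
    Clear-MobileDevice -Identity $d.Identity `
        -NotificationEmailAddresses $NotifyTo `
        -WhatIf
}

# 5. Confirm the outcome: DeviceWipeAckTime is filled in once the phone has acknowledged
#    the wipe. A phone that never reconnects never acknowledges, so an empty value
#    means the data may still be on the device.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Format-Table DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

None of this reaches names and numbers typed into the phone's own address book or call log; it covers only what was synced from the mailbox.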

#1703299 - 05/25/12 01:35 PM Re: Employee Owned Phone ATLbanker
ATLbanker Offline
Gold Star
Joined: Sep 2005
Posts: 332
Georgia
If you allow employees to use their own device and they leave what do you do about all their emails, contacts and notes they may have on their phone?


Moderator:  Andy_Z, Gayla Sherry