ADMINISTRATIVE MEMORANDUM

COUNTY OF SAN MATEO

NUMBER: B-19

SUBJECT: Mobile Technology Use Policy

RESPONSIBLE DEPARTMENT: County Manager / Clerk of the Board

APPROVED: John L. Maltbie, County Manager

DATE: May 5, 2014

This memorandum replaces an earlier version of Memorandum B-19 dated October 22, 2007, which was limited to the acquisition and use of cellular telephones and personal digital assistants. This memorandum revises and expands the policy to cover the County’s acquisition of “mobile devices” and provision of such devices to employees. This memorandum also covers the use of such mobile devices to transact County business (including but not limited to accessing County information systems and technology) whether such devices are County-provided or personally-owned. It is San Mateo County’s policy that both the operation of County-provided mobile devices, as well as access to County information systems and technology from personally-owned devices, be appropriate and beneficial to the County and, by extension, its residents. The term “mobile devices” includes not only cellular telephones and personal digital assistants, but also smartphones, tablets and other mobile technologies.

Under this policy, County Departments may choose to either provide County-supplied mobile devices to specific workforce members or authorize specific workforce members to access the County’s information systems and technology with their personally-owned mobile devices. In either case, such authorized workforce members will be required to meet the specific requirements of this Mobile Technology Use Policy. It is the responsibility of each Department Head to provide a list of authorized department users to ISD on an annual basis. Further, each Department must consider the costs and benefits, as well as the potential risks, of providing such mobile devices and/or access to the County systems to each individual user.

County employees who are not exempt from the overtime provisions of federal and state law shall not perform work outside of their regular work schedule unless expressly authorized in writing and in advance by their Supervisor. Non-exempt employees, therefore, shall not utilize their County-provided mobile devices or access the County’s information systems and technology (whether through a County-provided or personally-owned device) outside their regular work schedule. Non-exempt employees working in an “on call” or “call back” status are considered to be working their “regular work schedule” during their “on call” or “call back” work period.

County of San Mateo Mobile Technology Use Policy

ISD Responsibilities Regarding County-Provided Mobile Devices and Personally-Owned Devices Configured to Transact County Business

1. ISD will manage and issue all County-owned devices as part of the County’s consolidated asset management program.

2. ISD will implement and maintain technology which provides mobile access to County email, calendar, contacts and other related services.

3. ISD will implement and maintain mobile device management (MDM) technology which enforces the appropriate security/data loss prevention policies, up to and including remote erase (wipe) of any registered mobile device, including personally owned devices.

4. ISD will bill each Department on a per-device basis for County-provided device acquisition costs, ISD support costs and licensing fees associated with providing mobile device access (whether on a County-provided or personally-owned device) to County email, calendar, contacts and other related services, and annually provide a list of all Department-authorized users for Department review.

5. ISD will provide limited technical support services for County-provided mobile device hardware.

6. ISD will not provide technical support services for personally-owned devices and will not install connectivity software on non-approved or “jail-broken” mobile devices.

7. ISD’s Service Desk will provide authorized users with vendor or County contact information for questions, customer support and problem resolution.

8. ISD will take prompt action when a user reports a lost or stolen device, including remotely wiping the lost or stolen device and assisting with any Risk Management inquiries.

9. ISD will maintain a list of mobile devices approved for use to access County information and technology systems and will supply a standard model mobile device based on best pricing and availability that is most appropriate given the request and the requirements. Supported devices include Basic Cellular Phones, Push-to-Talk Phones, Smartphones, Wireless Cellular Data Cards and Tablets (See Table of Supported Devices).

10. ISD staff that may assist with the software or settings on personally owned devices of County workforce members shall use reasonable efforts to protect the privacy of all personal information on the device and shall take reasonable steps to ensure that no personal data, including photos, videos, emails, text messages, is viewed, transferred, or copied from the device without the express permission of the device’s owner. ISD staff shall also take reasonable precautions to ensure that no personal data is deleted when installing, configuring or troubleshooting a user’s personal device. Finally, the County’s installation of software is not intended to provide the County with access to any of the User’s personal data, such as the User’s personal photos, videos, emails, and text messages, and such personal data is not intended to be a “public record” as defined by the California Public Records Act.

11. ISD shall provide a compatible hands-free device with each County-provided mobile device issued to a Department or User.

12. ISD shall register the phone numbers of all County-provided mobile devices on the national Do Not Call list.

13. ISD shall be responsible for receiving disconnected, replaced or nonfunctioning County-provided mobile devices. ISD shall, as appropriate, scrub the device’s memory, and, if appropriate, re-distribute or forward the device to surplus. ISD is responsible for ensuring that all information is cleared from the device and the SIM card and that any other device-related media storage is removed and destroyed.

Department Responsibilities Regarding County-Provided Mobile Devices and Personally-Owned Devices Configured to Transact County Business

1. Each department must outline its business requirements for: a) the County’s provision of mobile devices to department employees, contractors, or other service providers; and b) the authorization to access County systems by department employees, contractors, and other service providers (such as determining whether a user should have access to County email and calendar features on their personally owned mobile device). Such business requirements may include:

a. Enhancing the safety of the user;

b. Significantly improving productivity, resulting in measurable savings to the County;

c. Significantly improving responsiveness to emergency or crisis situations;

d. Safeguarding communications that are vital to the protection of life and property where use of other forms of communication is not safe, practical or available; or

e. Creating accessibility where delays could result in a loss to the County or where the effective and efficient functioning of the County is at stake.

2. County-provided mobile devices and/or access to County systems on personally-owned mobile devices shall only be supplied to employees upon request by a manager with final approval by the Director/Department Head or his/her designee.

3. Departments shall be responsible for limiting County-provided mobile devices to the minimum level necessary to conduct business, including:

a. Pooling of mobile devices wherever possible, rather than assigning mobile devices to individual workforce members (e.g., on call rotation device);

b. Selecting voice and/or data plans for such mobile devices that maximize needs and minimize cost, such as pooling of minutes within a group or Department; and

c. Limiting services and plan options to the minimum necessary to conduct County business.

4. When Countywide contracts for the acquisition of mobile devices and/or service plans for such devices are available, Departments are strongly encouraged to acquire devices and service through these agreements, but may acquire the same by other means if the price is lower or necessary services are not provided by a Countywide contract.

5. Department management shall periodically review its Users’ County-provided mobile device usage and shall work with ISD regarding review of mobile access to County systems for compliance with this policy. Departments may implement additional internal guidelines in furtherance of compliance with this policy.

6. Department management shall coordinate with ISD to ensure that each authorized user signs and complies with the requirements of this policy.

7. Department management shall report any violations of this policy or state or federal law by a workforce member to ISD, County Counsel and/or the County Compliance Officer as soon as possible.

8. Department management shall take appropriate action for violations of this policy, including user education, termination of use, or disciplinary measures, as appropriate (up to and including termination of employment).

9. Department management shall advise ISD when a workforce member has a change in status (e.g. change in role, separation from employment, extended leave of absence, etc.) that warrants a change in access.

10. Departments are responsible for payment of the device acquisition cost for County-provided devices, ISD support costs and the software license fee associated with providing access to County e-mail and other systems via mobile devices for each authorized (County-provided and/or Personally-owned) device on an annual basis. The service is provided on a per-device (not a per-user) basis. Accordingly, for one individual to have access on multiple personal devices, the department must approve each such authorization for access, keeping in mind the appropriateness of the added cost.

11. Department management shall take all necessary steps to ensure that the Department’s non-exempt employees do not utilize their County-provided mobile devices or use their personally-owned mobile devices to access the County’s information systems and technology to perform work outside their normally scheduled working hours. Non-exempt employees on “on call” or “call back” work status are considered to be working their normally scheduled work hours during their “on call” or “call back” work period and are thereby permitted to access the County’s system through mobile devices as appropriate and in conformance with this memorandum.

12. Departments shall ensure that each County-provided mobile device is provided with a compatible hands-free device.

13. Department management shall be responsible for sending disconnected, replaced or nonfunctioning County-provided mobile devices to ISD for appropriate scrubbing of the device memory, and, if appropriate, re-distribution.

User Responsibilities Regarding County-Provided Mobile Devices and Personally-Owned Devices Configured to Transact County Business:

The User agrees as follows:

1. User will comply with all applicable laws regarding the use of his/her device including, without limitation, laws prohibiting cellular phone use (without a hands-free device) and texting during the operation of a vehicle, and laws concerning the confidentiality of any data that is accessed. User understands that, pursuant to applicable laws, certain exceptions to the above restrictions may apply to emergency services personnel while operating an emergency services vehicle.

2. User will comply with the safety instructions outlined in the device’s user manual and other local restrictions, as applicable, when carrying devices in non-user or limited use areas including, but not limited to, hospitals, libraries, and public meetings.

3. User will ensure that the device’s automatic screen lock capability is activated with a time-delay of no more than 10 minutes of idle time before the screen locks. This reduces the risk of unwanted exposure of County data.

4. User will restrict access to the device using a password at all times. User understands that he/she must activate an electronic lock/password on the device of at least six characters. User further understands that such password must be changed every 90 days.

5. User will notify the ISD Service Desk at 650-363-4108 within 24 hours of an actual or suspected loss or theft of the device.

6. In the event of an actual or suspected loss or theft of the device, User grants ISD permission to issue a remote wipe command to the device to restore it to factory settings, acknowledging that this process will erase all data on the device (including personal emails, notes, contacts, music, photographs) and understanding that it is the user’s responsibility to back up all such personal data, settings, and applications.

7. User agrees that by using a County-provided mobile device and/or transacting County business on his/her personally-owned mobile device (the transaction of such business including, but not limited to, accessing any County data, including email), the User is required to adhere to all County policies, including but not limited to this policy, the County’s EEO Policy, E-Mail Policy, Information Technology Security Policy, PHI Sanctions Policy, Portable Computing Policy and Social Media Policy (all available online at http://intranet.co.sanmateo.ca.us ), as such policies may be amended from time to time.

8. User agrees that his/her transmission of sensitive information (including but not limited to confidential, PII, PHI), whether in the subject, body or attachment to an email message, to a non-County email address (whether to a personal e-mail address or to a third party vendor/contractor to the County) must be secured by sending the message using the County’s email encryption tools. The user must include the following syntax in the subject line of each such message in order for the message to be encrypted: #SEC# The only exception to this procedure is for messages sent to an internal County email address (for example, a destination email address ending in the following syntax: @co.sanmateo.ca.us, @smcgov.org, @smcare.org and @sanmateocourt.org, etc.).

9. Failure to follow legal requirements for the protection of County and any other sensitive information may result in serious consequences:

a. County employee user agrees that by failing to follow the legal requirements for the protection of information, he/she may be subject to discipline and/or legal and regulatory sanctions that may result in financial penalties and/or licensure revocation.

b. Non-County employee user (i.e. contractor) agrees that by failing to follow the legal requirements for the protection of information, he/she may be subject to termination of his or her (or his/her company’s) contract with the County and/or legal and regulatory sanctions that may result in financial penalties and/or licensure revocation.

10. User agrees not to use Short Message Service (SMS) (e.g., text messages) and/or Multimedia Service (MMS) messages for transmission of County-related sensitive information (confidential, PII, PHI).

11. Users should understand that attachments are converted when delivered to their mobile device and there is no guarantee of full fidelity based on the various hardware/software platforms available. Therefore, the user should read email attachments on a PC or laptop as appropriate.

12. User agrees to contact ISD or County Counsel, if appropriate, regarding any questions relating to this policy.

13. User understands that his/her compliance with the County’s Mobile Technology Use Policy is a condition to being authorized to utilize a County-provided mobile device, or to being granted access to County systems via a personally-owned device.

Additional User Responsibilities for County-Provided Mobile Devices:

14. When traveling internationally and authorized to conduct County business from such location, User agrees to notify ISD at least five (5) business days in advance of such travel (if possible) to ensure that the correct plan covers the destination. Manager’s approval will be needed before rate plans are changed or added.

15. User acknowledges that his/her failure to provide sufficient notice to ISD in advance of such travel may result in additional and unnecessary costs to the County and may result in disciplinary measures within the User’s department (if User is a County employee) or offsets to amounts due and/or contract termination (if User is a contractor).

16. User understands and agrees that the use of County-provided mobile devices shall be limited to official County business except in cases of emergencies (e.g., contacting children, doctors, or family members to inform of schedule changes and similar situations) or other de minimis and incidental personal usage which does not interfere with normal conduct of County business or incur additional charges to the County.

17. User agrees that all County-provided mobile devices and their contents remain the property of the County and are subject to regular audit and monitoring. User acknowledges and understands that he/she does not have a privacy interest in the contents of his/her County-provided mobile device.

18. User agrees that prior to separation from County service, User must turn in all County-provided equipment to his or her Manager or contracting County Department. If User is transferring to another County department, ISD must obtain advance written approval from User’s new and former Department before ISD will transfer the number and equipment to the new Department.

19. Devices that are being replaced or retired must be returned to ISD within 10 business days.

Additional User Responsibilities for Personally-Owned Mobile Devices:

20. User understands that, for any costs associated with personally-owned devices, the County will not reimburse User. User is responsible for maintaining their data plan and settling any service or billing dispute with their carrier. Individuals should take this into account when deciding whether they want to use a personally-owned device to transact County business.

21. User agrees that if additional software is required on the device, it is the responsibility of the user. This includes mobile device manager tools and security profiles. In some cases, the user may need to temporarily hand over a personally-owned device to an ISD representative to troubleshoot problems with County-provisioned software on the device and provide ISD with any passcode that may be on the device. It is therefore recommended that the user reset their passcode before providing the device to ISD, or immediately change it after the device is returned.

22. User understands that no personally-owned mobile device shall be connected to or synchronized with County computers, laptops, servers, systems, or networks, without prior written authorization from the User’s Department Head or his/her designee.

23. User understands that, while ISD staff will take reasonable precautions to ensure that no personal data is deleted when installing, configuring or troubleshooting a user’s personally-owned device, such loss of personal data may occur from time to time and it is the User’s responsibility to back-up such personal data prior to ISD’s installation, configuration, or troubleshooting of the User’s device.

24. User understands that no County proprietary, sensitive, or confidential data shall be stored on a personally-owned device. User must remove all County data from the personally-owned device when it is being replaced or retired.

25. Devices must be kept up to date with manufacturer or network provided patches. Hardware should be no more than two years old and software updates should be applied within 2 months of release.

26. User agrees that prior to separation from County service or User’s replacement or disposal of a personally-owned mobile device that has been configured to access County systems, User must allow ISD to remove software and settings from his/her personally-owned device to ensure that no County information remains resident in the device’s memory and that User will no longer have access to County systems. If the User is transferring to another County department, ISD must obtain advance written approval from User’s new and former department before ISD will transfer the personal device service to the new department.

Glossary

| Terms | Definitions |
|---|---|
| Confidential Data | Information that is considered to be personally identifiable or protected. |
| County Workforce | As used here “workforce” includes employees, contractors, volunteers, trainees, and other persons who provide services to, or on behalf of, the County of San Mateo. |
| Hands Free Device | Equipment that can be used to make or receive calls without the use of hands, typically Bluetooth headsets. In California, it is illegal to wear headphones or earbuds in both ears while driving. As of the date of this Administrative Memorandum, the use of earbuds in one ear is allowed by law. See https://www.dmv.ca.gov/cellularphonelaws/ |
| HIPAA | Health Insurance Portability and Accountability Act. See the County’s Protected Health Information Policies (Administrative Memo B-25 and related departmental policies). |
| Idle Time | Idle time is the time interval between the last interaction with a computing device and the automatic locking of the device’s screen, at which point the user is required to enter a passcode to unlock the device to continue using it. Pursuant to this policy, any “mobile device” utilized to perform County work, including accessing the County’s network, shall be required to have an Idle Time of no more than 10 minutes. |
| Jail breaking | Jail breaking means freeing your mobile device from the limitations imposed on it by your carrier, whether it is AT&T, Verizon, Sprint, etc., as well as any manufacturer restrictions. Jail breaking takes place when software installed on a mobile device “breaks open” the phone’s file system to allow the user to modify it. |
| PHI | Protected Health Information. Health information means any information in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. |
| PII | Personally Identifiable Information. PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. |
| Remote Wipe | Remote Wipe is a command that can be sent to a mobile device from a remote console that effectively erases all data from the device. |
| Smartphone | A Smartphone is an electronic handheld device that integrates the functionality of a cellular telephone with that of a personal digital assistant (PDA) or other information appliance. Smartphones connect to the Internet via cellular and/or WiFi networks. Smart functionality incorporates a miniature keyboard and/or a touch screen for input, and often includes other technologies such as Global Positioning Service (GPS) and high resolution camera(s). Smartphone capabilities include, but are not limited to: Internet browser; e-mail, scheduling and contact management software; and the ability to read/edit documents, presentations and worksheets in a variety of formats. |
| Tablet | A tablet is a portable computing device that uses a touchscreen as the primary input device. Tablet capabilities are comparable to those of Smartphones but without the traditional cellular phone service. |
| Users | Synonymous with workforce members |
| Wi-Fi | Wi-Fi is the standard way that Smartphones and Tablets connect to wireless networks. |

 

Download B-19_User_Agreement_&_Departmental_Request_for_Access_to_County_Systems_Personally-Owned_Mobile_Device Form

Download B-19_User_Agreement_&_Departmental_Request_for_County-Provided_Mobile_Device Form

 

Table of Supported Mobile Devices

This table details the supported devices under this policy for both County-Provided and Personally-Owned Mobile Devices.

| # | Types of Data allowable on the Mobile Device | Personally Owned Device: Apple iOS * | Personally Owned Device: Android ¤ | Personally Owned Device: Research-in-Motion BlackBerry | Personally Owned Device: Microsoft Windows Mobile OS | County Provided Device: Apple iOS * | County Provided Device: Android ¤ | County Provided Device: Research-in-Motion BlackBerry | County Provided Device: Microsoft Windows Mobile OS |
|---|---|---|---|---|---|---|---|---|---|
| 1 | HIPAA/HITECH, CJIS, WIC, Confidential or Legislatively protected data may be viewed, accessed or stored on the device. | S | S | S | NS | S | S | NS | NS |
| 2 | Other Confidential or Sensitive data may be viewed, accessed or stored on the device. | S | S | S | NS | S | S | NS | NS |
| 3 | No confidential or Sensitive data will be viewed, accessed or stored on the device. | S | S | S | S | S | S | NS | NS |

LEGEND:

S = Supported

NS = Not Supported

* For iOS devices, the version must be 6.x or above

¤ For all Android devices, an MDM application that containerizes email is required. Details about this app will be provided when the account is created.

Rev. 02/2014

2015-04-10