
Run: Mobile Device Encryption Policy

Mobile Device Encryption Policy template for company-managed phones and tablets, covering encryption, biometric access, remote wipe, and incident reporting s...


Purpose

This policy establishes minimum security requirements for company-managed mobile devices, including encryption, biometric or passcode access, remote wipe authorization, and incident reporting. The policy is intended to protect company information, customer data, employee data, and other confidential information while supporting lawful workplace practices and employee rights under applicable law.

Scope

This policy applies to all company-managed mobile devices, including smartphones, tablets, and any other portable devices issued by the company or configured for business use. It applies to all employees, contractors, interns, and temporary workers who use such devices. **California employees:** any collection, monitoring, or retention of device data must be evaluated for privacy obligations under the CCPA and other applicable California privacy laws. **Employees covered by the NLRA:** this policy will not be applied to restrict protected concerted activity under Section 7 of the NLRA.

Definitions

For purposes of this policy, the terms below have the meanings listed in the Definitions section. Where a term is not defined here, it should be interpreted in a manner consistent with company security standards and applicable law.

Policy Requirements

1. **Encryption required:** All company-managed mobile devices must use device-level encryption enabled by default and maintained at all times.
2. **Approved access controls:** Devices must be protected by an approved passcode, PIN, password, or biometric access method. Where biometric access is used, a passcode fallback must also be enabled.
3. **Automatic lock:** Devices must auto-lock after a reasonable period of inactivity as configured by IT.
4. **No shared credentials:** Employees may not share device passcodes, unlock codes, or authentication tokens.
5. **Software and updates:** Users must not disable security updates, mobile device management controls, or endpoint protection tools installed by the company.
6. **Data handling:** Confidential, personal, and regulated data must be stored and transmitted only through approved applications and services.
7. **No unauthorized modifications:** Jailbreaking, rooting, or bypassing security controls is prohibited.
8. **Privacy and lawful use:** The company will limit device monitoring and data collection to legitimate business, security, and compliance purposes and will apply any required notice or consent procedures.

Procedures

### Device Setup and Enrollment

- IT will enroll company-managed mobile devices in the company's mobile device management platform before issuance.
- IT will confirm encryption, screen lock, and remote wipe capability are enabled before the device is assigned.
- Users must complete any required security training before receiving access.

### Access and Use

- Users must keep devices in their possession or secured when not in use.
- Users must not store passwords in unsecured notes, messages, or unapproved applications.
- Users must comply with all data classification and retention requirements when using mobile devices.

### Loss, Theft, or Compromise Reporting

- Users must report a lost, stolen, or compromised device to IT and HR or Security immediately, and in no event later than the end of the same business day.
- The report must include the device type, last known location, time discovered missing, and whether sensitive data may be involved.
- IT may disable access, reset credentials, and initiate remote wipe without further notice when necessary to protect company data.

### Remote Wipe and Return

- The company may remotely wipe a device if it is lost, stolen, compromised, or not returned upon separation.
- Users must cooperate with remote wipe, credential reset, and device return procedures.
- If a device contains personal data, the company will make reasonable efforts to limit the wipe to company data where technically feasible, subject to security needs and legal requirements.

### Incident Escalation

- Security incidents involving regulated, confidential, or personal data must be escalated to the Security or Privacy team immediately.
- IT and HR will document the incident, preserve relevant logs, and determine whether additional notifications or remediation steps are required.

Roles & Responsibilities

- **Employees and device users:** follow access, encryption, and reporting requirements; protect the device from unauthorized use; and cooperate with investigations and remediation.
- **Managers:** ensure team members complete required training and promptly report suspected policy violations.
- **IT administrators:** configure devices, maintain encryption and remote wipe capabilities, apply security updates, and respond to incidents.
- **Security/Privacy team:** assess incidents, coordinate containment and notification decisions, and maintain incident records.
- **HR:** support policy acknowledgment, disciplinary actions, and employment-related communications.
- **Policy holder:** owns this policy, approves exceptions, and ensures periodic review.

Compliance and Discipline

Failure to comply with this policy may result in access suspension, device retrieval, documented warning, mandatory retraining, a performance improvement plan (PIP), or other disciplinary action up to and including termination, consistent with applicable law and company policy. The company will apply discipline in a good-faith, non-discriminatory manner and will consider reasonable accommodation requests through the interactive process where required by the ADA. Nothing in this policy is intended to interfere with protected rights under the NLRA or to affect wage-and-hour rights under the FLSA.

Exceptions

Any exception to this policy must be approved in writing by the policy holder, IT Security, and HR, with a documented business justification, risk assessment, compensating controls, and expiration date. Exceptions may not be granted where they would create an unacceptable security, privacy, or legal risk.

Review and Revision

This policy will be reviewed at least annually and updated as needed to reflect changes in technology, security risks, and applicable law. Revisions must be approved by the policy holder and communicated to affected users before becoming effective, unless an immediate change is required to address a security incident or legal obligation.
