While many companies have been worried about the security risks of implementing a BYOD (Bring Your Own Device) program, Lou Milrad, a corporate attorney based in Toronto, wrote on IT World Canada that the combination of business and personal technology is more than just a cybersecurity issue. In fact, there are many legal concerns that should take precedence in risk management plans.
"Understandably, these threats remain top of mind, recognizing that there is organizational responsibility for maintaining (i) the non-disclosure of 'personal information' as mandated under the applicable federal and provincial privacy legislation (that covers all of the organization's employees, customers, suppliers), in addition to (ii) strict protection of the soft assets of the organization, namely its commercially sensitive and valuable business information and associated intellectual property," Milrad wrote.
Another complexity of BYOD is the access obtained by employees both inside and outside of the company firewall. The use of consumer-focused services like Gmail or Yahoo, as well as social networking platforms, puts personal profiles and corporate information on the same device and raises the risk for cross-contamination. Companies now need to work hard to create sensible BYOD policies that can cover both the personal and business risks of the BYOD network while avoiding the legal risk of having security so tight that it snoops on the personal information of employees.
To begin, Milrad wrote on IT World Canada that companies should start by looking at the policies other organizations have in place, if they are willing to share, asking what has worked and what may not be working for them. This can help businesses get a better idea of which areas they may need to fortify and in which they can be a bit more flexible.
The first area Milrad suggests companies look at regarding their BYOD system is the general duty of care under the legal system, meaning executives and employees alike must take care of the system as if it were their own.
"Early implementation of a best practices approach, that embraces appropriate employee education and training may well preclude your organization from third party liability, financial or otherwise, arising through employees' or consultants' personal failure to comply with all applicable regulatory, privacy, IPR and confidentiality obligations," he wrote on IT World Canada. "In addition, carefully drafted liability disclaimers can to a certain extent reduce general liability. The BYOD strategy and resulting policy should always reflect a keen observance of this general duty of care."
Other things for organizations to keep in mind, according to Milrad, include:
- There is a "perfect storm" of personal and public information coming together, so businesses will need to decide which aspects of both of these worlds employees can utilize in a BYOD program
- Jailbroken or rooted devices, which may be used to get around certain security precautions, could end up costing the organization a lot of time, money or even its reputation if the breach is serious enough
- Employees should be trained and educated for security and legal best practices to help segment and protect private and corporate assets
- Businesses need to be aware of the laws of their state and country when it comes to electronic communication and ecommerce transactions, as there could be certain compliance rules that not every company will meet in a BYOD program
Privacy of employees
David Navetta of InfoLawGroup suggested that one area businesses cannot overlook in a BYOD program is the privacy of their employees. A lot of this will come down to how organizations monitor employee behavior on devices owned and issued by the corporation versus how they do it for devices brought from home.
"In all, companies need to carefully consider their intended goals when it comes to monitoring their employees' use of their own devices, and balance those goals against these privacy concerns and potential legal limitations," he said. "Organizations should make their employees aware of the privacy trade-offs and the reasonable expectations of privacy related to their use of a personal device for work."
There will be times when companies feel the need to investigate the goings-on of devices, but each situation may call for a different action to be taken by the business. For example, if an image needs to be retrieved from a device, there will likely be some personal information that comes along with it, which could put the company in legally murky waters. The business may not be able to preserve all of the data on the device, which could mean facing spoliation problems in court or perhaps even missing out on key information in a court of law.
In the end, Navetta wrote that companies need to work through these issues from the start to reduce the liability risks they may face over the long haul of any BYOD program.
Consumerization News from SimplySecurity.com by Trend Micro