
BYOD introduces novel legal challenges to IT

  • Posted on: March 4, 2013
  • Posted in: Cloud Computing, Privacy & Policy
  • Posted by: Trend Micro

While many companies have been worried about the security risks of implementing a BYOD (bring your own device) program, Lou Milrad, a corporate attorney based in Toronto, wrote on IT World Canada that the combination of business and personal technology is more than just a cybersecurity issue. In fact, there are many legal concerns that should take precedence in risk management plans.

"Understandably, these threats remain top of mind, recognizing that there is organizational responsibility for maintaining (i) the non-disclosure of 'personal information' as mandated under the applicable federal and provincial privacy legislation (that covers all of the organization's employees, customers, suppliers), in addition to (ii) strict protection of the soft assets of the organization, namely its commercially sensitive and valuable business information and associated intellectual property," Milrad wrote.

Another complexity of BYOD is the access obtained by employees both inside and outside of the company firewall. The use of consumer-focused services like Gmail or Yahoo, as well as social networking platforms, puts personal profiles and corporate information on the same device and raises the risk of cross-contamination. Companies now need to work hard to create sensible BYOD policies that can cover both the personal and business risks of the BYOD network while avoiding the legal risk of having security so tight that it snoops on the personal information of employees.

To begin, Milrad wrote on IT World Canada that companies should start looking at the policies other organizations have in place, if they are willing to share, asking what has worked and what may not be working for them. This can help businesses get a better idea of which areas they may need to fortify and where they can be a bit more flexible.

The first area Milrad suggests companies look at regarding their BYOD system is the general duty of care under the legal system, meaning each executive and employee alike must take care of the system as if it were their own.

"Early implementation of a best practices approach, that embraces appropriate employee education and training may well preclude your organization from third party liability, financial or otherwise, arising through employees' or consultants' personal failure to comply with all applicable regulatory, privacy, IPR and confidentiality obligations," he wrote on IT World Canada. "In addition, carefully drafted liability disclaimers can to a certain extent reduce general liability. The BYOD strategy and resulting policy should always reflect a keen observance of this general duty of care."

Other things for organizations to keep in mind, according to Milrad, include:
– There is a "perfect storm" of personal and public information coming together, so businesses will need to decide which aspects of both of these worlds employees can utilize in a BYOD program
– Jailbroken or rooted devices, which may be used to get around certain security precautions, could end up costing the organization a lot of time, money or even their reputation if the breach is serious enough
– Employees should be trained and educated for security and legal best practices to help segment and protect private and corporate assets
– Businesses need to be aware of the laws of their state and country when it comes to electronic communication and e-commerce transactions, as there could be certain compliance rules that not every company will meet in a BYOD program

Privacy of employees
David Navetta of InfoLawGroup suggested that one area businesses cannot overlook in a BYOD program is the privacy of their employees. A lot of this will come down to how organizations monitor employee behavior on devices owned and issued by corporations versus how they do it for devices brought from home.

"In all, companies need to carefully consider their intended goals when it comes to monitoring their employees' use of their own devices, and balance those goals against these privacy concerns and potential legal limitations," he said. "Organizations should make their employees aware of the privacy trade-offs and the reasonable expectations of privacy related to their use of a personal device for work."

There will be times when companies feel the need to investigate the goings-on of devices, but each situation may call for a different action to be taken by the business. For example, if there needs to be an image retrieved from a device, there will likely be some personal information that goes along with this, which could put the company in some legally murky waters. The business may not be able to preserve all of the data on the device, which could mean facing spoliation problems in court or perhaps even missing out on key information in a court of law.

In the end, Navetta wrote that companies need to work through these issues from the start to reduce the liability risks they may face over the long haul of any BYOD program.

Consumerization News from SimplySecurity.com by Trend Micro
