10 legal challenges to creating a BYOD policy
The company’s acceptable use policy isn’t enough to cover employee-owned devices, lawyer Lou Milrad writes
By: Lou Milrad
Overheard recently at a BYOD symposium: “We’ve now gone from mainframe computers to desktops and on to the coffee shop.” This says it all.

While today’s workplace environment reflects IT consumerization through widespread proliferation of consumer mobile devices that include an array of smartphones, tablets, and netbooks, a host of enterprises still lack strategies regarding mobile device management (MDM) and, in particular, strategies that are coupled with a formalized and well-articulated set of mobile use policies. This combining, in the workplace, of personal and business technology on a single device is of mounting concern to corporate IT departments – it reflects a changing dynamic that challenges those that are responsible for the particular technology being used by employees to do their jobs. This challenge applies to both institutionally provided and employee-owned devices. It is critical for IT departments to comprehend the nature and power of the smartphone and tablet devices that are connecting to their networks so that access to their networks is not only convenient and secure, but also authorized.
While workplace access through previously furnished corporate devices may well be covered under the organization’s earlier articulated Acceptable Use Policy (AUP), the array of mobile devices being independently adopted by employees who enjoy access privileges or capabilities (whether authorized or not) is augmenting a host of IT-related governance and liability concerns, particularly those relating to privacy and security breaches. Understandably, these threats remain top of mind, recognizing that there is organizational responsibility for maintaining (i) the non-disclosure of “personal information” as mandated under the applicable federal and provincial privacy legislation (which covers all of the organization’s employees, customers and suppliers), in addition to (ii) strict protection of the soft assets of the organization, namely its commercially sensitive and valuable business information and associated intellectual property.
A further complication is the potential use by employees, on both sides of the firewall, of cloud-based personal e-mail services such as Gmail or Yahoo, as well as their personal postings through a variety of social media sites such as Facebook and LinkedIn. We’re now witnessing personal emails coming into corporate servers through services that include AOL, Gmail or Yahoo. Information, in the nature of organizational assets, is now migrating from the workplace to the Cloud. Corporate emails are leaving the enterprise through BYOD users forwarding them on to their own personal accounts.
In an effort to reduce security risks, organizations are beginning to focus on creating BYOD policies that will both support and protect mobile devices. Hence the necessity to create a BYOD program that introduces a phased rollout for “empowered” workers. As prerequisites to any such program and as a first consideration, there is an absolute need to define the necessary MDM and the required mobile security tools, together with a well-considered and articulated BYOD policy. Given the number of considerations, the BYOD policy should be developed prior to committing to any technology and should start off by reviewing any previously existing Acceptable Use Policy (AUP) with a view to updating, enhancing, or replacing that policy or integrating that policy with the BYOD one.
While not necessarily applicable in all instances, there are a variety of legal issues requiring attention as part of the overall policy, and for this reason, organizations need to include their in-house lawyer or legal department, or external counsel, in the preparation and/or revitalization of a previously enforced policy.

Start the process by requesting copies of what BYOD policies or structures might already be in place with colleague organizations, and don’t be surprised if portions are redacted by those that are willing to share – also recognize that there may be some hesitancy in sharing given that the policy itself might be designated as “internally confidential”.
In starting, it is important to bear in mind that the BYOD policy will need to be well balanced and be devoid of any unauthorized monitoring techniques, sanctions that are considered invasive, or disproportionate prohibitions. Otherwise, there’s a real possibility that any evidence gathered in support of the policy might well be excluded in court.

The following (not in any particular order of priority) are the key legal risk issues that need to be considered as part of your organization’s strategy in developing and implementing the policy:
1. General Duty of Care under our Legal System

In drafting the BYOD policy, we must remain mindful of the fact that our legal system recognizes that every person and every entity, whether public or private, has a general duty of care. Early implementation of a best practices approach that embraces appropriate employee education and training may well shield your organization from third party liability, financial or otherwise, arising through employees’ or consultants’ personal failure to comply with all applicable regulatory, privacy, IPR and confidentiality obligations. In addition, carefully drafted liability disclaimers can to a certain extent reduce general liability. The BYOD strategy and resulting policy should always reflect a keen observance of this general duty of care.
2. Privacy (Personal Information)

We have the makings of a perfect storm with the convergence on one device of both personal and corporate data, which presents a complication: the trusteeship by the organization of personal information of the person using the BYOD device, coupled with possible access, handling and disclosure of personal information of others stored on the corporate servers. A workplace surveillance strategy may also be envisioned, in which event employers will need to have in place, and made easily available and accessible, a data surveillance policy. Will the company be permitted access to an employee’s own emails and text messages (SMS) on a personal smartphone or tablet used by that employee for work? And what about browsing history, installed software and other data?
3. Data Security and Protecting Data Integrity

Employees will need to be educated as to what constitutes acceptable use. There is a fundamental duty upon the organization to take reasonable steps to protect the information it holds from misuse and loss and from unauthorized access, modification or disclosure. It’s about the data, not the device: the ability to separate “personal” from “business” while also ensuring data is backed up and that relevant documents are not deleted. Consider the procedures that are required for separating personal from work-related data, so as to ensure that appropriate non-delete, backup and redundancy features are implemented.
Restrict access to highly sensitive Confidential Information (refer to item 5 below).
4. Prohibition against “Jail Breaking” or “Rooting”

While it is important to include a strict prohibition against “Jail Breaking” or “Rooting” employees’ devices, it is critically important to communicate to employees the underlying rationale supporting this prohibition and the associated security risks. Trojans, mobile malware, and pirated software are often associated with “Jailbreak” sites. It is important to point out the possible legal sanctions associated with bypassing digital rights management restrictions intended to protect copyrighted works; other concerns to be recognized, on this side of the firewall, include direct access to locked file systems, user interfaces, and normally hidden or locked network capabilities. Additionally, Rooting or Jail Breaking a device to run a free Wi-Fi hotspot may well violate the contract service terms, thereby providing affected carriers with cause to terminate subscribers’ contracts. Also, there is the potential risk of loss of manufacturer’s warranty and carrier throttling for BYOD.
5. Confidential Information

Employees and others acting on the Company’s behalf are responsible for protecting the Company’s confidential information, including trade secrets (whether the company’s own or those entrusted to it by third parties), from unauthorized disclosure, whether internal or external, deliberate or accidental.

It is critical to secure a written, signed confidential disclosure agreement before taking any steps to disclose confidential information to a party outside of the organization. While a general manager or technical director might well possess the necessary signing authority, it is suggested that a medium to high level member of management, such as a vice president, be the designated party responsible for signing confidential disclosure agreements. In addition to maintaining a fully signed copy of that document, a log recording the date, time and location of signing should likewise be maintained for future reference.

For a comprehensive discussion around “confidential information”, please refer to this author’s article in the September 2012 issue of CIO Canada, “For your organization’s eyes only - IT governance requires vendor relationships that treat confidentiality as job one. How to make sure your contract includes it.”
6. Licensing & Intellectual Property Rights

It is important to recognize that the enterprise’s various software applications may be licensed to the company under a variety of software proprietors’ individual or collective strategies - software and services providers typically have fairly comprehensive and detailed fee-based licensing structures and charges that range from a per user or per device type of licence, to a number of users concurrently accessing the software from a single location, through to an enterprise-wide arrangement. Therefore, it is critically important to spend time carefully reviewing the terms of use under such applicable licences to ensure that corporate implementation of BYOD technologies will not breach the licensing terms in place with the software and service providers. Allowing employees to use company applications on their own devices, for example, may breach the company’s current licensing agreement. Consider also the licensing terms for the BYOD applications and the accompanying licence rights - what are the limitations, to whom do they apply (largely dependent on whether it is the company or the employee that signs up with the provider), and are they, or will they be, in violation of any existing third-party contracts or corporate policies? It is incumbent upon the company, as well as the employee, to mitigate potential intellectual property and contractual claims from third parties.
7. Employee-Employer Relationship

Employees are obligated to respect the company’s confidential information, including business and trade secrets, lists of sales leads, and other proprietary data, and to keep and maintain the confidentiality of such corporate assets after termination of an employment contract. Criminal prosecution may result from any failure to maintain the confidentiality of such information, particularly if intentionally misappropriated. In addition, companies often require employees, consultants, contractors, and freelancers to sign confidentiality agreements (NDAs) to establish a legal framework for addressing non-compliance. Organizations become challenged in gathering proof of a breach of confidentiality and enforcing policy when people store any such proprietary data on their own personal iPhones, Androids, and other smartphones or tablets. Therefore, an absolute requirement of a BYOD policy is that employees (and project consultants, etc.) permit the company to check out their device when they leave the company, to make certain that all confidential information has been deleted. The actual timing of the checking procedure becomes a critical factor.
8. Electronic Communications, Document Preservation and Evidentiary Obligations

While not really part of a BYOD policy or of this article, CIOs need to be mindful of general legal requirements governing electronic communications and e-commerce.

Perhaps more aligned with a BYOD strategy are document retention requirements arising under private contracts as well as under diverse statutory schemes that include provincial and federal corporation acts, income tax legislation, and privacy-related legislation. Legal retention requirements may also apply to documents comprising employment records, workplace safety, and pension benefits. In addition, in any civil or criminal matter, there’s a legal framework for introducing into evidence any electronically stored information (ESI). Hence the need to become aware of document retention (and destruction) laws and policies as well as those pertaining to digital evidence.
9. Insurance and Liability Considerations

Review applicable insurance policies for coverage/non-coverage, as the BYOD policy will need to consider how liability will be apportioned between the individual and the organization. Pay particular attention to the protection of, and compliance with, all Intellectual Property Rights (IPR – see 6. Licensing & Intellectual Property Rights above) and licensing issues. Is the employee or the organization to be responsible for lost or stolen devices? What about responsibility for malware or virus attacks on a BYOD device? Does the employer’s existing insurance provide coverage for employee-owned devices that are part of a BYOD policy? Who is to be specified as responsible for replacement upon theft or loss should the employer’s insurance coverage not extend to employees’ devices? It is necessary to identify in a BYOD policy whether the user or the company will be liable for loss or theft of BYOD devices (particularly important if the organization’s insurance policies cover an employee-owned device being used under a BYOD policy).
10. Training & Education

Implementation of and adherence to a policy can only be effective if there has been proper training and education for employees and those others having access to corporate information. Companies are well advised to organize programs that will serve to familiarize employees with the strategy and with the thinking that preceded implementation of the BYOD policy.
Lou Milrad is a well known Toronto-based business lawyer who assists public & private sector clients with legal services relating to technology licensing and associated legal strategies, IT procurement, commercialization, cloud computing, open data, and public-private alliances. He is the creator and editor of “Computers and Information Technology”, a 4 volume series of IT legal precedent licences, services, supply, and database contracts published through the Carswell Division of Thomson Reuters and now into its 16th release. Lou also acts as external General Counsel to each of MISA (Municipal Information Systems Association) and URISA (Urban & Regional Information Systems Association), and for 13 years acted as external General Counsel to ITAC (Information Technology Association of Canada). Lou can be reached at 647-982-7890 or through lou@milrad.ca or via http://www.milradlaw.ca.
Copyright © 2013 from CanadianCIO by IT World Canada Inc., 55 Town Centre Court, Suite 302 Scarborough, ON M1P 4X4

Más contenido relacionado

La actualidad más candente

The Accidental Cloud: Privacy and Security Issues in a BYOD World
The Accidental Cloud: Privacy and Security Issues in a BYOD WorldThe Accidental Cloud: Privacy and Security Issues in a BYOD World
The Accidental Cloud: Privacy and Security Issues in a BYOD World
mkeane
 
Secure dataroom whitepaper_protecting_confidential_documents
Secure dataroom whitepaper_protecting_confidential_documentsSecure dataroom whitepaper_protecting_confidential_documents
Secure dataroom whitepaper_protecting_confidential_documents
e.law International
 
Ssi Data Protection Solutions V0.2
Ssi Data Protection Solutions V0.2Ssi Data Protection Solutions V0.2
Ssi Data Protection Solutions V0.2
olambel
 
art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1
Marlon Moodley
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liability
DFickett
 

La actualidad más candente (20)

1 s2.0-s0167404801002097-main
1 s2.0-s0167404801002097-main1 s2.0-s0167404801002097-main
1 s2.0-s0167404801002097-main
 
The Accidental Cloud: Privacy and Security Issues in a BYOD World
The Accidental Cloud: Privacy and Security Issues in a BYOD WorldThe Accidental Cloud: Privacy and Security Issues in a BYOD World
The Accidental Cloud: Privacy and Security Issues in a BYOD World
 
Frukostseminarium om molntjänster
Frukostseminarium om molntjänsterFrukostseminarium om molntjänster
Frukostseminarium om molntjänster
 
News letter oct 12
News letter oct 12News letter oct 12
News letter oct 12
 
Clearswift f5 information_visibility_reducing_business_risk_whitepaper
Clearswift f5 information_visibility_reducing_business_risk_whitepaperClearswift f5 information_visibility_reducing_business_risk_whitepaper
Clearswift f5 information_visibility_reducing_business_risk_whitepaper
 
Quick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for BusinessesQuick Start Guide to IT Security for Businesses
Quick Start Guide to IT Security for Businesses
 
Secure dataroom whitepaper_protecting_confidential_documents
Secure dataroom whitepaper_protecting_confidential_documentsSecure dataroom whitepaper_protecting_confidential_documents
Secure dataroom whitepaper_protecting_confidential_documents
 
Ssi Data Protection Solutions V0.2
Ssi Data Protection Solutions V0.2Ssi Data Protection Solutions V0.2
Ssi Data Protection Solutions V0.2
 
art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1art - MM Transformer - CIO Council (09-16) v1
art - MM Transformer - CIO Council (09-16) v1
 
IT Policy
IT PolicyIT Policy
IT Policy
 
Security and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to KnowSecurity and Privacy: What Nonprofits Need to Know
Security and Privacy: What Nonprofits Need to Know
 
Protecting Intellectual Property in the Age of WikiLeaks
Protecting Intellectual Property in the  Age of WikiLeaksProtecting Intellectual Property in the  Age of WikiLeaks
Protecting Intellectual Property in the Age of WikiLeaks
 
FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)FTC- Internet of Things (January, 2015)
FTC- Internet of Things (January, 2015)
 
Ccs16
Ccs16Ccs16
Ccs16
 
Sept 2012 data security & cyber liability
Sept 2012   data security & cyber liabilitySept 2012   data security & cyber liability
Sept 2012 data security & cyber liability
 
Information Obfuscation: Protecting Corporate Data
Information Obfuscation: Protecting Corporate DataInformation Obfuscation: Protecting Corporate Data
Information Obfuscation: Protecting Corporate Data
 
Funsec3e ppt ch14
Funsec3e ppt ch14Funsec3e ppt ch14
Funsec3e ppt ch14
 
Jennings it security overview 1 2
Jennings it security overview 1 2Jennings it security overview 1 2
Jennings it security overview 1 2
 
Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...Portal Authentication: A Balancing Act Between Security Usability and Complia...
Portal Authentication: A Balancing Act Between Security Usability and Complia...
 
Sample IT Policy
Sample IT PolicySample IT Policy
Sample IT Policy
 

Similar a 10 Legal Challenges in Creating a BYOD Policy - Lou Milrad

BYOD- A Productivity Catalyst
BYOD- A Productivity CatalystBYOD- A Productivity Catalyst
BYOD- A Productivity Catalyst
Packet One
 
Maa s360 10command_ebook-bangalore
Maa s360 10command_ebook-bangaloreMaa s360 10command_ebook-bangalore
Maa s360 10command_ebook-bangalore
IBM Software India
 
Maa s360 10command_ebook-bangalore[1]
Maa s360 10command_ebook-bangalore[1]Maa s360 10command_ebook-bangalore[1]
Maa s360 10command_ebook-bangalore[1]
IBM Software India
 
REVIEW OF GOOGLE’S CYBER SECURITY POLICYNAMEINSTRUCTOR’S N.docx
REVIEW OF GOOGLE’S CYBER SECURITY POLICYNAMEINSTRUCTOR’S N.docxREVIEW OF GOOGLE’S CYBER SECURITY POLICYNAMEINSTRUCTOR’S N.docx
REVIEW OF GOOGLE’S CYBER SECURITY POLICYNAMEINSTRUCTOR’S N.docx
joellemurphey
 
OC CIO Roundtable BYOD
OC CIO Roundtable BYODOC CIO Roundtable BYOD
OC CIO Roundtable BYOD
Jim Sutter
 
Mitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersMitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker Dealers
Broadridge
 

Similar a 10 Legal Challenges in Creating a BYOD Policy - Lou Milrad (20)

08 pdf show-239
08   pdf show-23908   pdf show-239
08 pdf show-239
 
Leveraging byod
Leveraging byodLeveraging byod
Leveraging byod
 
BYOD- A Productivity Catalyst
BYOD- A Productivity CatalystBYOD- A Productivity Catalyst
BYOD- A Productivity Catalyst
 
Bring your own device guidance
Bring your own device guidanceBring your own device guidance
Bring your own device guidance
 
Exemplo de política BYOD
Exemplo de política BYODExemplo de política BYOD
Exemplo de política BYOD
 
BYOD: Six Essentials for Success
BYOD: Six Essentials for SuccessBYOD: Six Essentials for Success
BYOD: Six Essentials for Success
 
Maa s360 10command_ebook-bangalore
Maa s360 10command_ebook-bangaloreMaa s360 10command_ebook-bangalore
Maa s360 10command_ebook-bangalore
 
Maa s360 10command_ebook-bangalore[1]
Maa s360 10command_ebook-bangalore[1]Maa s360 10command_ebook-bangalore[1]
Maa s360 10command_ebook-bangalore[1]
 
PACE-IT, Security+ 4.2: Mobile Security Concepts and Technologies (part 2)
PACE-IT, Security+ 4.2: Mobile Security Concepts and Technologies (part 2)PACE-IT, Security+ 4.2: Mobile Security Concepts and Technologies (part 2)
PACE-IT, Security+ 4.2: Mobile Security Concepts and Technologies (part 2)
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliance
 
REVIEW OF GOOGLE’S CYBER SECURITY POLICYNAMEINSTRUCTOR’S N.docx
REVIEW OF GOOGLE’S CYBER SECURITY POLICYNAMEINSTRUCTOR’S N.docxREVIEW OF GOOGLE’S CYBER SECURITY POLICYNAMEINSTRUCTOR’S N.docx
REVIEW OF GOOGLE’S CYBER SECURITY POLICYNAMEINSTRUCTOR’S N.docx
 
BYOD SCOPE: A Study of Corporate Policies in Pakistan
BYOD SCOPE: A Study of Corporate Policies in PakistanBYOD SCOPE: A Study of Corporate Policies in Pakistan
BYOD SCOPE: A Study of Corporate Policies in Pakistan
 
BYOD - Highlights of "Consumerization"
BYOD - Highlights of "Consumerization"BYOD - Highlights of "Consumerization"
BYOD - Highlights of "Consumerization"
 
Managing BYOD in Corporate Environments
Managing BYOD in Corporate EnvironmentsManaging BYOD in Corporate Environments
Managing BYOD in Corporate Environments
 
BYOD
BYODBYOD
BYOD
 
Mobile Device Policy Template
Mobile Device Policy Template Mobile Device Policy Template
Mobile Device Policy Template
 
OC CIO Roundtable BYOD
OC CIO Roundtable BYODOC CIO Roundtable BYOD
OC CIO Roundtable BYOD
 
OC CIO BYOD
OC CIO BYODOC CIO BYOD
OC CIO BYOD
 
Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)
 
Mitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker DealersMitigating Data Security Risks at Broker Dealers
Mitigating Data Security Risks at Broker Dealers
 

Más de Lou Milrad

Lou's cips tips
Lou's cips tipsLou's cips tips
Lou's cips tips
Lou Milrad
 
Legal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud ServicesLegal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud Services
Lou Milrad
 
Open Data Solutions - Managing the Risk & Economic Development - 2012 AMCTO O...
Open Data Solutions - Managing the Risk & Economic Development - 2012 AMCTO O...Open Data Solutions - Managing the Risk & Economic Development - 2012 AMCTO O...
Open Data Solutions - Managing the Risk & Economic Development - 2012 AMCTO O...
Lou Milrad
 

Más de Lou Milrad (10)

Lou's cips tips
Lou's cips tipsLou's cips tips
Lou's cips tips
 
Harnessing Open Data as a Tool for Municipal Investment Attraction
Harnessing Open Data as a Tool for Municipal Investment  AttractionHarnessing Open Data as a Tool for Municipal Investment  Attraction
Harnessing Open Data as a Tool for Municipal Investment Attraction
 
Open Data - Legal Framework & Municipal Economic Development Opportunities
Open Data - Legal Framework & Municipal Economic Development OpportunitiesOpen Data - Legal Framework & Municipal Economic Development Opportunities
Open Data - Legal Framework & Municipal Economic Development Opportunities
 
Milrad open data presentation nov. 2014
Milrad open data presentation nov. 2014Milrad open data presentation nov. 2014
Milrad open data presentation nov. 2014
 
The CIO and professionalism A legal perspective on the value of IT industry a...
The CIO and professionalism A legal perspective on the value of IT industry a...The CIO and professionalism A legal perspective on the value of IT industry a...
The CIO and professionalism A legal perspective on the value of IT industry a...
 
Professionalism, Ethics, IT & the Law - CIPS Ontario
Professionalism, Ethics, IT & the Law - CIPS OntarioProfessionalism, Ethics, IT & the Law - CIPS Ontario
Professionalism, Ethics, IT & the Law - CIPS Ontario
 
Public-Private Partnerships - Business & Legal Issues
Public-Private Partnerships - Business & Legal IssuesPublic-Private Partnerships - Business & Legal Issues
Public-Private Partnerships - Business & Legal Issues
 
Legal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud ServicesLegal Challenges in Contracting for Cloud Services
Legal Challenges in Contracting for Cloud Services
 
Open Data Solutions - Managing the Risk & Economic Development - 2012 AMCTO O...
Open Data Solutions - Managing the Risk & Economic Development - 2012 AMCTO O...Open Data Solutions - Managing the Risk & Economic Development - 2012 AMCTO O...
Open Data Solutions - Managing the Risk & Economic Development - 2012 AMCTO O...
 
Ownership rights in map products - an Intellectual Property perspective.
Ownership rights in map products - an Intellectual Property perspective.Ownership rights in map products - an Intellectual Property perspective.
Ownership rights in map products - an Intellectual Property perspective.
 

10 Legal Challenges in Creating a BYOD Policy - Lou Milrad

  • 1. By: Lou Milrad O verheard recently at a BYOD sympo- sium: “We’ve now gone from main- frame computers to desktops and on to the coffee shop.”This says it all. While today’s workplace environment reflects IT consumerization through wide- spread proliferation of consumer mobile de- vices that include an array of smartphones, tablets, and netbooks, a host of enterprises still lack strategies regarding mobile device management (MDM) and in particular, strategies that are coupled with a formal- ized and well-articulated set of mobile use policies. This combining, in the workplace, of personal and business technology on a single device is of mounting concern to cor- porate IT departments – it reflects a chang- ing dynamic that challenges those that are responsible for the particular technology being used by employees to do their jobs. This challenge applies to both institutionally provided and employee-owned devices. It is critical for IT departments to comprehend the nature and power of the smartphone and tablet devices that are connecting to their networks so that access to their net- works is not only convenient and secure, but also authorized. While workplace access through previ- ously furnished corporate devices may well be covered under the organization’s earlier articulated Acceptable Use Policy (AUP), the array of mobile devices that are being independently adopted by employees that enjoy access privilege or capability (whether authorized or not) that is augmenting a host of IT-related governance and liability con- cerns, particularly, those relating to privacy and security breaches. 
Understandably, these threats remain top of mind, recognizing that there is organizational responsibility for maintaining (i) the non-disclosure of “per- sonal information” as mandated under the applicable federal and provincial privacy leg- islation (that covers all of the organization’s employees, customers, suppliers), in addition to (ii) strict protection of the soft assets of the organization, namely its commercially sensitive and valuable business information and associated intellectual property. A further complication is the potential use by employees, on both sides of the firewall, of cloud-based personal e-mail services such as Gmail or Yahoo, as well as their personal postings through a variety of social media sites such as Facebook and LinkedIn. We’re now witnessing personal emails com- ing into corporate servers through services that include AOL, Gmail or Yahoo. Information, in the nature of organizational assets, is now transforming from the workplace to the Cloud. Corporate emails are leaving the enterprise through BYOD users forwarding them onto their own personal accounts. In an effort to reduce security risks, orga- nizations are beginning to focus on creating BYOD policies that will both support and protect mobile devices. Hence, the necessity to create a BYOD program that introduces a phased rollout for “empowered” workers. As prerequisites to any such program and as a first consideration, there is an absolute need to define the necessary MDM and the re- quired mobile security tools, together with a well-considered and articulated BYOD policy. Given the number of considerations, the BYOD policy should be developed prior to committing to any technology and should start off by reviewing any previously existing Acceptable Use Policy (AUP) with a view to updating, enhancing, or replacing that policy or integrating that policy with the BYOD one. 
While not necessarily applicable in all in- stances, there are a variety of legal issues re- quiring attention as part of the overall policy, and for this reason, organizations need to include their in-house lawyer or legal depart- ment, or external counsel, in the preparation and/or revitalization of a previously enforced policy. Start the process by requesting copies of what BYOD policies or structures might already be in place with colleague organiza- tions and don’t be surprised if portions are redacted by those that are willing to share – also recognize that there may be some hesitancy in sharing given that the policy itself might be designated as “internally confidential”. In starting, it is important to bear in mind that the BYOD policy will need to be well balanced and be void of any unauthorized monitoring techniques, or sanctions that are considered invasive, or disproportional pro- hibitions. Otherwise, there’s a real possibility that any evidence gathered in support of the policy, might well be excluded in court. The following (not in any particular order of priority) are the key legal risk issues that need to be considered as part of your organi- zation’s strategy in developing and imple- menting the policy: 1. General Duty of Care under our Legal System In drafting the BYOD policy, we must remain mindful of the fact that our legal system recognizes that every person and every en- tity, whether public or private, has a general duty of care. Early implementation of a best practices approach, that embraces appropri- ate employee education and training may well preclude your organization from third party liability, financial or otherwise, arising through employees’ or consultants’ personal failure to comply with all applicable regula- tory, privacy, IPR and confidentiality obliga- tions. In addition, carefully drafted liability disclaimers can to a certain extent reduce general liability. 
The BYOD strategy and resulting policy should always reflect a keen observance of this general duty of care.

2. Privacy (Personal Information)

We have the makings of a perfect storm with the convergence on one device of both personal and corporate data, which presents a complication: the trusteeship by the organization of personal information of the person using the BYOD device, coupled with possible access, handling and disclosure of personal information of others stored on the corporate servers. A workplace surveillance strategy may also be envisioned, in which event employers will need to have in place, and make easily available and accessible, a data surveillance policy. Will the company be permitted access to an employee’s own emails and text messages (SMS) on a personal smartphone or tablet used by that employee for work? And what about browsing history, installed software and other data?

3. Data Security and Protecting Data Integrity

Employees will need to be educated as to what constitutes acceptable use. There is a fundamental duty upon the organization to take reasonable steps to protect the information it holds from misuse and loss and from unauthorized access, modification or disclosure. It’s about the data, not the device, and the ability to separate “personal” from “business” while also ensuring data is backed up and that relevant documents are not deleted. Consider the procedures that are required for separating personal from work-related data, so as to ensure that appropriate non-delete, backup and redundancy features are implemented. Restrict access to highly sensitive Confidential Information (refer to item 5. below).

10 legal challenges to creating a BYOD policy
The company’s acceptable use policy isn’t enough to cover employee-owned devices, lawyer Lou Milrad writes
Copyright © 2013 from CanadianCIO by IT World Canada Inc., 55 Town Centre Court, Suite 302 Scarborough, ON M1P 4X4

4. Prohibition against “Jail Breaking” or “Rooting”

While it is important to include a strict prohibition against “Jail Breaking” or “Rooting” employees’ devices, it is critically important to communicate to employees the underlying rationale supporting this prohibition and the associated security risks. Trojans, mobile malware, and pirated software are often associated with “Jailbreak” sites. It is important to point out the possible legal sanctions associated with bypassing digital rights management restrictions intended to protect copyrighted works; other concerns to be recognized, on this side of the firewall, include direct access to locked file systems, user interfaces, and normally hidden or locked network capabilities. Additionally, Rooting or Jail Breaking a device to run a free Wi-Fi hotspot may well violate the carrier’s service terms, thereby providing affected carriers with cause to terminate subscribers’ contracts. Also, there is the potential risk of loss of the manufacturer’s warranty and of carrier throttling for BYOD.

5. Confidential Information

Employees and others acting on the Company’s behalf are responsible for protecting the Company’s confidential information, including trade secrets (whether the company’s own or those entrusted to it by third parties), from unauthorized disclosure, whether internal or external, deliberate or accidental. It is critical to secure a written, signed confidential disclosure agreement before taking any steps to disclose confidential information to a party outside of the organization. While a general manager or technical director might well possess the necessary signing authority, it is suggested that a medium to high level member of management, such as a vice president, be the designated party responsible for signing confidential disclosure agreements.
In addition to maintaining a fully signed copy of that document, a log recording the date, time and location of signing should likewise be maintained for future reference. For a comprehensive discussion around “confidential information”, please refer to this author’s article in the September 2012 issue of CIO Canada, “For your organization’s eyes only - IT governance requires vendor relationships that treat confidentiality as job one. How to make sure your contract includes it.”

6. Licensing & Intellectual Property Rights

It is important to recognize that the enterprise’s various software applications may be licensed to the company under a variety of software proprietors’ individual or collective strategies: software and services providers typically have fairly comprehensive and detailed fee-based licensing structures and charges that range from a per-user or per-device type of license, to a number of users concurrently accessing the software from a single location, through to an enterprise-wide arrangement. Therefore, it is critically important to spend time carefully reviewing the terms of use under such applicable licenses to ensure that corporate implementation of BYOD technologies will not breach the licensing terms in place with the software and service providers. Allowing employees to use company applications on their own devices, for example, may breach the company’s current licensing agreement. Consider also the licensing terms for the BYOD applications and the accompanying licence rights: what are the limitations, to whom do they apply (largely dependent on whether it is the company or the employee that signs up with the provider), and are they, or will they be, in violation of any existing third-party contracts or corporate policies? It is incumbent upon the company, as well as the employee, to mitigate against potential intellectual property and contractual claims from third parties.

7. Employee-Employer Relationship

Employees are obligated to respect the company’s confidential information, including business and trade secrets, lists of sales leads, and other proprietary data, and to keep and maintain the confidentiality of such corporate assets after termination of an employment contract. Criminal prosecution may result from any failure to maintain the confidentiality of such information, particularly if intentionally misappropriated. In addition, companies often require employees, consultants, contractors, and freelancers to sign confidentiality agreements (NDAs) to establish a legal framework for non-compliance. Organizations become challenged in gathering proof of a breach of confidentiality and enforcing policy when people store any such proprietary data on their own personal iPhones, Androids, and other smartphones or tablets. Therefore, a BYOD policy must require employees (and project consultants, etc.) to permit the company to inspect their device when they leave the company, to make certain that all confidential information has been deleted. The actual timing of the checking procedure becomes a critical factor.

8. Electronic Communications, Document Preservation and Evidentiary Obligations

While not really part of a BYOD policy or of this article, CIOs need to be mindful of general legal requirements governing electronic communications and e-commerce. Perhaps more aligned with a BYOD strategy are document retention requirements arising under private contracts as well as under diverse statutory schemes that include provincial and federal corporation acts, income tax as well as privacy-related legislation. Legal retention requirements may also apply to documents comprising employment records, workplace safety, and pension benefits. In addition, in any civil or criminal matter, there’s a legal framework for introducing into evidence any electronically stored information (ESI).
Hence the need to become aware of document retention (and destruction) laws and policies, as well as those pertaining to digital evidence.

9. Insurance and Liability Considerations

Review applicable insurance policies for coverage/non-coverage, as the BYOD policy will need to consider how liability will be apportioned between the individual and the organization. Pay particular attention to the protection of, and compliance with, all Intellectual Property Rights (IPR – see 6. Licensing & Intellectual Property Rights above) and licensing issues. Is the employee or the organization to be responsible for lost or stolen devices? What about responsibility for malware or virus attacks on a BYOD device? Does the employer’s existing insurance provide coverage for employee-owned devices that are part of a BYOD policy? Who is to be specified as responsible for replacement upon theft or loss, should the employer’s insurance coverage not extend to employees’ devices? It is necessary to identify in a BYOD policy whether the user or the company will be liable for loss or theft of BYOD devices (particularly important if the organization’s insurance policies cover an employee-owned device being used under a BYOD policy).

10. Training & Education

Implementation of and adherence to a policy can only be effective if there has been proper training and education for employees and those others having access to corporate information. Companies are well advised to organize programs that will serve to familiarize employees with the strategy and with the thinking that preceded implementation of the BYOD policy.

Lou Milrad is a well-known Toronto-based business lawyer who assists public and private sector clients with legal services relating to technology licensing and associated legal strategies, IT procurement, commercialization, cloud computing, open data, and public-private alliances.
He is also the creator and editor of “Computers and Information Technology”, a 4-volume series of IT legal precedent licenses, services, supply, and database contracts published through the Carswell Division of Thomson Reuters and now in its 16th release. Lou also acts as external General Counsel to each of MISA (Municipal Information Systems Association) and URISA (Urban & Regional Information Systems Association), and for 13 years acted as external General Counsel to ITAC (Information Technology Association of Canada). Lou can be reached at 647-982-7890 or through lou@milrad.ca or via http://www.milradlaw.ca.