Byod - It can be privacy protective


Published on

In this presentation, Dentons’ Timothy Banks discusses BYOD (Bring Your Own Device) and how it can be a privacy protective, key topics include:
- What is it?
- Quantifying the risks
- Mobility vs Control matrix
- Compliance challenges
- Policies (or Agreements)

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Byod - It can be privacy protective

  1. 1. Dentons Canada LLP BYOD It can be privacy protective Timothy M Banks, CIPP/C Partner T: 416-863-4424 follow: @TM_Banks Originally presented at the Canadian Institute’s 19th Annual Regulatory Compliance for Financial Institutions, November 14, 2013
  2. 2. BYOD • What is it? • Quantifying the risks • Mobility vs Control matrix • Compliance challenges • Policies (or Agreements)
  3. 3. Defining BYOD • Bring Your Own Device • A corporate IT-supported program in which employees are • permitted; or • encouraged; or • required • to deploy their own electronic devices in the course of fulfilling their duties • Can take a variety of forms: • employer subsidizes purchase of mobile or other devices • employee uses unsubsidized device • home office or mobile work • many devices: tablets, smartphones, laptops etc.
  4. 4. Traditional Risk Equation Risk = Vulnerability x Threat x Expected Loss • Vulnerability = • Expected Loss = • Endpoint protection weakness • Hardware asset • Practical inability to control device • Data • User behaviour • Regulatory fines & investigations • Threat = • Phishing • Goodwill • Cost of breach • Keystroke logging • Scraping • Hacking • Interception Only one of these has decreased
  5. 5. So Why Do It? • Executives demand it • Employees like it • People are already doing it • Greater productivity • Possibly true, but, consider overtime risks • Perceived cost-savings • Yes, hardware costs may be lower if you are not reimbursing • Data plans and hardware may be more expensive if you lose economies of scale and bargaining power • Also, IT has to support more devices • May introduce other risks and costs into the system that may be greater than cost advantages
  6. 6. Smartphone Penetration • Smartphone are increasingly prevalent • Market penetration is estimated at 56% of Canada’s population • 79% don’t leave home without their device • 66% estimated to access the Internet on their devices every day • 81% use their devices while at work • Google Ipsos MediaCT Q1 2013 Survey • Some studies estimate 75% of Canadian businesses support employeepurchased smartphones and tablets in the workplace 6
  7. 7. Mobility versus Control Greatest Mobility File Server Personal Computer Highest Control Laptop Tablet Smart Phone Memory USB Thumb Drive
  8. 8. Conflicting Expectations Employee Expectations of Privacy & Control Employer Expectations of Security & Control
  9. 9. BYOD Compliance Matrix Security Regulatory & Industry Compliance Privacy Proprietary 9
  10. 10. Security Assumes Network-Side is Secure Device User Authentication Digital Certificates & Tokens Anti-Virus / Endpoint Defence Mobile Device Management Software Encryption
  11. 11. Device Security • Controls on User ID and Passphrase characteristics • Authenticate the person (What You Know) • Use of Digital Certificates • Authenticate the device (What You Have) • Use of Tokens for Sensitive Databases • Double authentication (What You Have) • Mobile Device Management • Control configurations • Apply authentication policies • May permit viewing of App installations • May permit logging of activities • May separate personal and corporate data • Encryption • Secure encrypted containers for corporate data • Anti-Virus Endpoint Defence • Protection at the device end
  12. 12. US ECPA Criminal Code Governmental PCI-DSS ISO 27001, 27002 Wiretap Industry Standards Standards & Legal Requirements Privacy & Security Disclosure GLB – Safeguards Rule
  13. 13. Payment Card Industry – Data Security Standards • Personal firewall must be installed on the device • Must be configured by the company • Must be tested • Anti-Virus software on all systems • Updated, active and generating audit logs
  14. 14. International Standards Organization • ISO 27001 • Information technology — Security techniques — Information security management systems — Requirements • ISO 27002 • Information technology — Security techniques — Code of practice for information security controls
  15. 15. Electronic Communications Privacy Act (ECPA) USA • Wiretap Act • Protects against interception by another person • Prohibits electronic eavesdropping • Only requires one party consent • Stored Communications Act • Protects “at rest” communications • Prohibits intentional access • Subject to consent
  16. 16. Criminal Code • Interception (s. 184) • Everyone who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years • Exception – consent of one party • Consider validity of consent (informed, freely given) • Mandatory BYOD programs • Communicated upfront • Bill C-12 “valid consent” = “the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting” • Consider the employee’s understanding of extent of monitoring (interception)
  17. 17. Other Statutory & Common Law Privacy Protections • Personal Information Protection and Electronic Documents Act • Safeguards 4.7 • appropriate to the sensitivity of the information • protect against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification • applies in any format • Transparency 4.8 • Information about their policies and practices • Employee Privacy • Employees have privacy interests • Communications, Energy & Paperworkers Union of Canada, Local 30 v. Irving Pulp & Paper Ltd., 2013 SCC 34 (random alcohol & drug testing) • R. v. Cole, 2012 SCC 53 (search and seizure of employee laptop) • Federal Trade Act • Section 5 – unfair and deceptive acts are prohibited • Violation of privacy notices may be a deceptive practice (being challenged) • Note: Provincial Consumer Protection legislation has similar language
  18. 18. Gramm-Leach-Bliley Act – Safeguard Rule - USA • Financial institutions have a continuing obligation to protect security and confidentiality of non-public personal information • Administrative, Technical and Physical Safeguards: • To insure the security and confidentiality of customer records and information • To protect against any anticipated threats or hazards to the security or integrity of such records • To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer • In Canada: • Office for the Superintendent of Financial Institutions • Operational Risk includes data/information security, information technology systems
  19. 19. Proprietary Email: timothy.banks m Office: 416-8634424 Mobile: 647-39158XX Who owns the Mobile #?
  20. 20. Who Owns What? • “Your” Device • Right, title & interest is that of the employee’s • Need to have a contractual right to even touch it • Rights may terminate at the end of employment • “Whose” Data? • Generally speaking, no property interest in “information” • May be confidential information that can be protected by • contractual obligations (express or implied) • equity • Tort of misuse of confidential information
  21. 21. Fighting About the Followers & the Contacts & the IP • Whitmar Publications Limited v. Gamage, [2013] EWHC 1881 (Ch) • Springboard use of company’s LinkedIn groups • Injunction granted • Eagle v Edcomm, 2013 WL 943350 (E.D.Pa., 2013) • Fired employee • Took over LinkedIn account • Misappropriated identity • No damages (didn’t prove any) • What about IP created on employee owned device (inside/outside work hours)
  22. 22. Privacy: Levels of Intrusiveness Control Gating prevention Enforcement Exception Reporting silent monitoring Management Active Monitoring overt collection
  23. 23. Employer’s Right to Monitor Employee Communications • Yes, but more difficult on employee-owned device • Arguably, need consent • Consider Criminal Code • Worry about Intrusion Upon Seclusion • Consider: Lazette v. Kulmatycki, 2013 WL 2455937 • • • • • Employer-owned Blackberry device Employee permitted to also use it for personal (had Gmail account) Employee left; believed Gmail account deleted; thought phone would be wiped & recycled Oops, former supervisor accessed Gmail account for 18 MONTHS! Brought claim under Electronic Communications Protection Act • Ripe for Tort of Intrusion upon Seclusion in Canada • Jones v. Tsige, 2012 ONCA 32 • Access of plaintiff’s bank accounts numerous times over four years • Tort of intrusion upon seclusion recognized • Jones awarded $10,000 in damages
  24. 24. Employer’s Right to Monitor Device Status • “What part of Mine don’t you understand?” • Doesn’t require interception of communications • Monitoring the security of the end-point as condition of service • Best to implement as part of a BYOD agreement • Easier to explain to employees • Easier to justify from a “privacy by design” perspective • Limiting collection • Limiting retention • Limiting use • Limiting disclosure
  25. 25. Investigations • The device is locked with a PIN • You asked for it! • Employee doesn’t want to provide the PIN • Can you force it? • Probably Not! Will likely need judicial assistance. • All the more reason to ensure good Mobile Device Management and Container Wiping • Could you use Admin rights to get access and/or change passwords?
  26. 26. Control of Device / Wiping • “You blocked my access to Drop Box and now you wiped the last [insert valuable IP] that I had” • Consider Criminal Code • • • • • • • • • • 430. (1) Every one commits mischief who wilfully (a) destroys or damages property; (b) renders property dangerous, useless, inoperative or ineffective; (c) obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property; or (d) obstructs, interrupts or interferes with any person in the lawful use, enjoyment or operation of property. (1.1) Every one commits mischief who wilfully (a) destroys or alters data; (b) renders data meaningless, useless or ineffective; (c) obstructs, interrupts or interferes with the lawful use of data; or (d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.
  27. 27. Questions Timothy M Banks t: 416-863-4424 e: follow: @TM_Banks Dentons Canada LLP 27
  28. 28. The preceding presentation contains examples of the kinds of issues that corporations could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique. 28