10 legal challenges to creating a BYOD policy

The company's acceptable use policy isn't enough to cover employee-owned devices, lawyer Lou Milrad writes

By: Lou Milrad

Overheard recently at a BYOD symposium: "We've now gone from mainframe computers to desktops and onto the coffee shop." This says it all.

While today's workplace environment reflects IT consumerization through the widespread proliferation of consumer mobile devices, including an array of smartphones, tablets and netbooks, a host of enterprises still lack strategies for mobile device management (MDM) and, in particular, strategies coupled with a formalized and well-articulated set of mobile use policies. This combining, in the workplace, of personal and business technology on a single device is of mounting concern to corporate IT departments: it reflects a changing dynamic that challenges those responsible for the technology employees use to do their jobs. This challenge applies to both institutionally provided and employee-owned devices. It is critical for IT departments to comprehend the nature and power of the smartphone and tablet devices that are connecting to their networks, so that network access is not only convenient and secure but also authorized.

While workplace access through previously furnished corporate devices may well be covered under the organization's earlier Acceptable Use Policy (AUP), the array of mobile devices being independently adopted by employees, which enjoy access privilege or capability (whether authorized or not), is adding to a host of IT-related governance and liability concerns, particularly those relating to privacy and security breaches. Understandably, these threats remain top of mind, given the organizational responsibility for maintaining (i) the non-disclosure of "personal information" as mandated under the applicable federal and provincial privacy legislation (which covers all of the organization's employees, customers and suppliers), in addition to (ii) strict protection of the soft assets of the organization, namely its commercially sensitive and valuable business information and associated intellectual property.

A further complication is the potential use by employees, on both sides of the firewall, of cloud-based personal e-mail services such as Gmail or Yahoo, as well as their personal postings through a variety of social media sites such as Facebook and LinkedIn. We're now witnessing personal emails coming into corporate servers through services that include AOL, Gmail or Yahoo. Information, in the nature of organizational assets, is now migrating from the workplace to the Cloud. Corporate emails are leaving the enterprise through BYOD users forwarding them on to their own personal accounts.

In an effort to reduce security risks, organizations are beginning to focus on creating BYOD policies that will both support and protect mobile devices. Hence the necessity to create a BYOD program that introduces a phased rollout for "empowered" workers. As prerequisites to any such program, and as a first consideration, there is an absolute need to define the necessary MDM and the required mobile security tools, together with a well-considered and articulated BYOD policy.

Given the number of considerations, the BYOD policy should be developed prior to committing to any technology, and should start by reviewing any previously existing Acceptable Use Policy (AUP) with a view to updating, enhancing or replacing that policy, or integrating it with the BYOD one. While not necessarily applicable in all instances, there are a variety of legal issues requiring attention as part of the overall policy, and for this reason organizations need to include their in-house lawyer or legal department, or external counsel, in the preparation of a new policy or the revitalization of a previously enforced one.

Start the process by requesting copies of whatever BYOD policies or structures might already be in place at colleague organizations, and don't be surprised if portions are redacted by those willing to share. Also recognize that there may be some hesitancy in sharing, given that the policy itself might be designated as "internally confidential".

In starting, it is important to bear in mind that the BYOD policy will need to be well balanced and free of any unauthorized monitoring techniques, sanctions that are considered invasive, or disproportionate prohibitions. Otherwise, there's a real possibility that any evidence gathered in support of the policy might well be excluded in court.

The following (not in any particular order of priority) are the key legal risk issues that need to be considered as part of your organization's strategy in developing and implementing the policy:

1. General Duty of Care under our Legal System

In drafting the BYOD policy, we must remain mindful of the fact that our legal system recognizes that every person and every entity, whether public or private, has a general duty of care. Early implementation of a best practices approach that embraces appropriate employee education and training may well spare your organization from third-party liability, financial or otherwise, arising through employees' or consultants' personal failure to comply with all applicable regulatory, privacy, IPR and confidentiality obligations. In addition, carefully drafted liability disclaimers can, to a certain extent, reduce general liability. The BYOD strategy and resulting policy should always reflect a keen observance of this general duty of care.

2. Privacy (Personal Information)

We have the makings of a perfect storm with the convergence on one device of both personal and corporate data, which presents a complication: the trusteeship by the organization of the personal information of the person using the BYOD device, coupled with possible access to, handling and disclosure of the personal information of others stored on the corporate servers. A workplace surveillance strategy may also be envisioned, in which event employers will need to have in place, and make easily available and accessible, a data surveillance policy. Will the company be permitted access to an employee's own emails and text messages (SMS) on a personal smartphone or tablet used by that employee for work? And what about browsing history, installed software and other data?

3. Data Security and Protecting Data Integrity

Employees will need to be educated as to what constitutes acceptable use. There is a fundamental duty upon the organization to take reasonable steps to protect the information it holds from misuse and loss, and from unauthorized access, modification or disclosure. It's about the data, not the device: the ability to separate "personal" from "business" while also ensuring that data is backed up and that relevant documents are not deleted. Consider the procedures that are required for separating personal from work-related data, so as to ensure that appropriate non-delete, backup and redundancy features are implemented.

Restrict access to highly sensitive Confi-

Copyright © 2013 from CanadianCIO by IT World Canada Inc., 55 Town Centre Court, Suite 302 Scarborough, ON M1P 4X4