10 Legal Challenges in Creating a BYOD Policy - Lou Milrad

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

10 Legal Challenges in Creating a BYOD Policy - Lou Milrad

By: Lou Milrad

The company's acceptable use policy isn't enough to cover employee-owned devices, lawyer Lou Milrad writes.

Overheard recently at a BYOD symposium: "We've now gone from mainframe computers to desktops and onto the coffee shop." This says it all.

While today's workplace environment reflects IT consumerization through widespread proliferation of consumer mobile devices that include an array of smartphones, tablets, and netbooks, a host of enterprises still lack strategies regarding mobile device management (MDM) and, in particular, strategies that are coupled with a formalized and well-articulated set of mobile use policies. This combining, in the workplace, of personal and business technology on a single device is of mounting concern to corporate IT departments – it reflects a changing dynamic that challenges those that are responsible for the particular technology being used by employees to do their jobs. This challenge applies to both institutionally provided and employee-owned devices. It is critical for IT departments to comprehend the nature and power of the smartphone and tablet devices that are connecting to their networks so that access to their networks is not only convenient and secure, but also authorized.

While workplace access through previously furnished corporate devices may well be covered under the organization's earlier articulated Acceptable Use Policy (AUP), the array of mobile devices that are being independently adopted by employees that enjoy access privilege or capability (whether authorized or not) is augmenting a host of IT-related governance and liability concerns, particularly those relating to privacy and security breaches. Understandably, these threats remain top of mind, recognizing that there is organizational responsibility for maintaining (i) the non-disclosure of "personal information" as mandated under the applicable federal and provincial privacy legislation (that covers all of the organization's employees, customers, suppliers), in addition to (ii) strict protection of the soft assets of the organization, namely its commercially sensitive and valuable business information and associated intellectual property.

A further complication is the potential use by employees, on both sides of the firewall, of cloud-based personal e-mail services such as Gmail or Yahoo, as well as their personal postings through a variety of social media sites such as Facebook and LinkedIn. We're now witnessing personal emails coming into corporate servers through services that include AOL, Gmail or Yahoo. Information, in the nature of organizational assets, is now transforming from the workplace to the Cloud. Corporate emails are leaving the enterprise through BYOD users forwarding them onto their own personal accounts.

In an effort to reduce security risks, organizations are beginning to focus on creating BYOD policies that will both support and protect mobile devices. Hence, the necessity to create a BYOD program that introduces a phased rollout for "empowered" workers. As prerequisites to any such program and as a first consideration, there is an absolute need to define the necessary MDM and the required mobile security tools, together with a well-considered and articulated BYOD policy.

Given the number of considerations, the BYOD policy should be developed prior to committing to any technology and should start off by reviewing any previously existing Acceptable Use Policy (AUP) with a view to updating, enhancing, or replacing that policy or integrating that policy with the BYOD one. While not necessarily applicable in all instances, there are a variety of legal issues requiring attention as part of the overall policy, and for this reason, organizations need to include their in-house lawyer or legal department, or external counsel, in the preparation and/or revitalization of a previously enforced policy.

Start the process by requesting copies of what BYOD policies or structures might already be in place with colleague organizations, and don't be surprised if portions are redacted by those that are willing to share – also recognize that there may be some hesitancy in sharing given that the policy itself might be designated as "internally confidential".

In starting, it is important to bear in mind that the BYOD policy will need to be well balanced and be void of any unauthorized monitoring techniques, or sanctions that are considered invasive, or disproportional prohibitions. Otherwise, there's a real possibility that any evidence gathered in support of the policy might well be excluded in court.

The following (not in any particular order of priority) are the key legal risk issues that need to be considered as part of your organization's strategy in developing and implementing the policy:

1. General Duty of Care under our Legal System

In drafting the BYOD policy, we must remain mindful of the fact that our legal system recognizes that every person and every entity, whether public or private, has a general duty of care. Early implementation of a best practices approach, that embraces appropriate employee education and training, may well preclude your organization from third party liability, financial or otherwise, arising through employees' or consultants' personal failure to comply with all applicable regulatory, privacy, IPR and confidentiality obligations. In addition, carefully drafted liability disclaimers can to a certain extent reduce general liability. The BYOD strategy and resulting policy should always reflect a keen observance of this general duty of care.

2. Privacy (Personal Information)

We have the makings of a perfect storm with the convergence on one device of both personal and corporate data, which presents a complication: the trusteeship by the organization of personal information of the person using the BYOD device, coupled with possible access, handling and disclosure of personal information of others stored on the corporate servers. A workplace surveillance strategy may also be envisioned, in which event employers will need to have in place, and made easily available and accessible, a data surveillance policy. Will the company be permitted access to an employee's own emails and text messages (SMS) on a personal smartphone or tablet used by that employee for work? And what about browsing history, installed software and other data?

3. Data Security and Protecting Data Integrity

Employees will need to be educated as to what constitutes acceptable use. There is a fundamental duty upon the organization to take reasonable steps to protect the information it holds from misuse and loss and from unauthorized access, modification or disclosure. It's about the data - not the device - and the ability to separate "personal" from "business" while also ensuring data is backed up, and that relevant documents are not deleted. Consider the procedures that are required for separating personal from work-related data, so as to ensure that appropriate non-delete, backup and redundancy features are implemented. Restrict access to highly sensitive Confidential Information (refer to item 5 below).

4. Prohibition against "Jail Breaking" or "Rooting"

While it is important to include a strict prohibition against "Jail Breaking" or "Rooting" employees' devices, it is critically important to communicate to employees the underlying rationale supporting this prohibition and the associated security risks. Trojans, mobile malware, and pirated software are often associated with "Jailbreak" sites. It is important to point out the possible legal sanctions associated with bypassing digital rights management restrictions intended to protect copyrighted works; other concerns to be recognized, on this side of the firewall, include direct access to locked file systems, user interfaces, and normally hidden or locked network capabilities. Additionally, Rooting or Jail Breaking a device to run a free Wi-Fi hotspot may well violate the contract service terms, thereby providing affected carriers with cause to terminate subscribers' contracts. Also, there is the potential risk of loss of manufacturer's warranty and carrier throttling for BYOD.

5. Confidential Information

Employees and others acting on the Company's behalf are responsible for protecting the Company's confidential information, including trade secrets (whether the company's own or those entrusted to it by third parties), from unauthorized disclosure, whether internal or external, deliberate or accidental.

It is critical to secure a written, signed confidential disclosure agreement before taking any steps to disclose confidential information to a party outside of the organization. While a general manager or technical director might well possess the necessary signing authority, it is suggested that a medium to high level member of management, such as a vice president, be the designated party responsible for signing confidential disclosure agreements. In addition to maintaining a fully signed copy of that document, a log recording the date, time and location of signing should likewise be maintained for future reference.

For a comprehensive discussion around "confidential information", please refer to this author's article in the September 2012 issue of CIO Canada, "For your organization's eyes only - IT governance requires vendor relationships that treat confidentiality as job one. How to make sure your contract includes it."

6. Licensing & Intellectual Property Rights

It is important to recognize that the enterprise's various software applications may be licensed to the company under a variety of software proprietors' individual or collective strategies - software and service providers typically have fairly comprehensive and detailed fee-based licensing structures and charges that range from a per user or per device type of license, to a number of users concurrently accessing the software from a single location, through to an enterprise-wide arrangement. Therefore, it is critically important to spend time carefully reviewing the terms of use under such applicable licenses to ensure that corporate implementation of BYOD technologies will not breach the licensing terms in place with the software and service providers. Allowing employees to use company applications on their own devices, for example, may breach the company's current licensing agreement.

Consider also the licensing terms for the BYOD applications and the accompanying licence rights - what are the limitations, to whom do they apply (largely dependent on whether it is the company or the employee that signs up with the provider), and are they, or will they be, in violation of any existing third-party contracts or corporate policies? It is incumbent upon the company, as well as the employee, to mitigate against potential intellectual property and contractual claims from third parties.

7. Employee-Employer Relationship

Employees are obligated to respect the company's confidential information, including business and trade secrets, lists of sales leads, and other proprietary data, and to keep and maintain the confidentiality of such corporate assets after termination of an employment contract. Criminal prosecution may result from any failure to maintain the confidentiality of such information, particularly if intentionally misappropriated. In addition, companies often require employees, consultants, contractors, and freelancers to sign confidentiality agreements (NDAs) to establish a legal framework for non-compliance. Organizations become challenged in gathering proof of a breach of confidentiality and enforcing policy when people store any such proprietary data on their own personal iPhones, Androids, and other smartphones or tablets. Therefore, an absolute requirement of a BYOD policy needs to require employees (and project consultants, etc.) to permit the company to check out their device when they leave the company to make certain that all confidential information has been deleted. The actual timing of the checking procedure becomes a critical factor.

8. Electronic Communications, Document Preservation and Evidentiary Obligations

While not really part of a BYOD policy or of this article, CIOs need to be mindful of general legal requirements governing electronic communications and e-commerce. Perhaps more aligned with a BYOD strategy are document retention requirements arising under private contracts as well as under diverse statutory schemes that include provincial and federal corporation acts, income tax as well as privacy-related legislation. Legal retention requirements may also apply to documents comprising employment records, workplace safety, and pension benefits. In addition, in any civil or criminal matter, there's a legal framework for introducing into evidence any electronically stored information (ESI). Hence the need to become aware of document retention (and destruction) laws and policies as well as those pertaining to digital evidence.

9. Insurance and Liability Considerations

Review applicable insurance policies for coverage/non-coverage, as the BYOD policy will need to consider how liability will be apportioned between the individual and the organization. Pay particular attention to the protection of, and compliance with, all Intellectual Property Rights (IPR – see 6. Licensing & Intellectual Property Rights above) and licensing issues. Is the employee or organization to be responsible for lost or stolen devices? What about responsibility for malware or virus attacks on a BYOD device? Does the employer's existing insurance provide coverage for employee-owned devices that are part of a BYOD policy? Who is to be specified as responsible for replacement upon theft or loss should the employer's insurance coverage not provide for employee device coverage? It is necessary to identify in a BYOD policy whether the user or company will be liable for loss or theft of BYOD devices (particularly important if the organization's insurance policies cover an employee-owned device being used under a BYOD policy).

10. Training & Education

Implementation and adherence to a policy can only be effective if there has been proper training and education for employees and those others having access to corporate information. Companies are well advised to organize programs that will serve to familiarize employees with the strategy and with the thinking that preceded implementation of the BYOD policy.

Lou Milrad is a well known Toronto-based business lawyer that assists public & private sector clients with legal services relating to technology licensing and associated legal strategies, IT procurement, commercialization, cloud computing, open data, and public-private alliances. He is the creator and editor of "Computers and Information Technology", a 4 volume series of IT legal precedent licenses, services, supply, and database contracts published through the Carswell Division of Thomson Reuters and now into its 16th release. Lou also acts as external General Counsel to each of MISA (Municipal Information Systems Association) and URISA (Urban & Regional Information Systems Association), and for 13 years acted as external General Counsel to ITAC (Information Technology Association of Canada). Lou can be reached at 647-982-7890 or through lou@milrad.ca or via http://www.milradlaw.ca.

Copyright © 2013 from CanadianCIO by IT World Canada Inc., 55 Town Centre Court, Suite 302 Scarborough, ON M1P 4X4