Cybersecurity Awareness Training Presentation v2024.03
05-10-2011 BYOD - Bring Your Own Device
1. What's on your E RADAR?
Using personally-owned devices at work
Will Roebuck
Founder and CEO, E RADAR
2. Four Themes
● Data Access
– What data, when, how and by whom?
● Device Risk
– Abuse and misuse, malware, bypassing in-house security
● Management Risk
– Monitoring threats, responding to alerts
– Evaluating new operating systems and devices
● Awareness
– Staff policies and procedures
3. Important Points
● The 'bottom line'
● Corporate and personal liability
● Digital evidence
● Misuse of personal devices
● Monitoring networked communications
● Workers and personal data
● Stored networked communications
● Implementing a policy
4. The 'Bottom Line'
● Enterprise, innovation and competition
● Balancing supply and demand with risk management
● Deploying resources carefully
● Smarter business management
● Developing and using the right people skills
● Improving business processes; supply and demand chains
● Opening up new markets
● Investment in enabling technology
● Enabling laws and regulations, standards
5. Corporate and personal liability
● Legal and regulatory requirements
– Registering, filing and retaining records and information
– e.g. Company Annual Returns / VAT Returns
– e.g. Notifying under Data Protection / WEEE record retention
● Vicarious liability
– Duty of 'reasonable' care towards employees
– Prevent improper or illegal activities over business systems
● Personal liability
– Directors failing to undertake duties implied by law or additional duties in their contract
6. Evidence – basic concepts
● Evidence (in legal terms) is the means by which a fact is proved or disproved in a court or tribunal.
● The law of evidence regulates what is admissible in a court of law or tribunal.
● An organisation may need evidence for
– Dealing with an employee's claim of unfair dismissal
– Proving IPR in an invention
– Proving the existence of an agreement in a dispute with a customer
7. Types of evidence
● Oral testimony
● Real evidence in material form (e.g. documents)
– Primary = signed original contract
– Secondary = unsigned draft of that contract
● Electronic evidence (primary or secondary)
● Hearsay
– Evidence given by a person as to what another person said
– Less reliable than a first-person account, but admissible
– Rules much tighter in criminal cases
8. Burden and standard of proof
● Civil cases
– Burden of proof is on the claimant
– Defendants may also need to prove something in the case to rebut accusations
– Standard of proof is 'balance of probabilities'
● Criminal cases
– Burden of proof is on the prosecution
– Standard of proof is 'beyond reasonable doubt'
9. Digital evidence
● Evidence in electronic format is admissible
– Electronic Communications Act 2000
– Civil Evidence Act / Youth Justice and Criminal Evidence Act
● Documents can be copied onto workers' own personal devices
● The legislation is technology neutral
10. Admissibility, weight and credibility
● Digital evidence may be legally acceptable but may not be admissible.
● An admissible document must be sufficiently relevant.
● The court must decide, and may give different weight to primary or secondary evidence.
● In civil cases, evidence is usually presumed admissible without further proof.
● British Standards Code of Practice for Legal Admissibility and Evidential Weight of Information Stored Electronically.
11. Misuse of Personal Devices
● Abuse and misuse (illegal, illicit or wrong)
– Defamatory remarks
– Breach of confidentiality
– Using and abusing copyright without permission
– Negligence in sending viruses to other businesses
– Sexual or racial harassment
● Criminal offences
– e.g. downloading child pornography
– Other illegal images
12. Monitoring Communications
● Right to privacy – even at work
● Regulation of Investigatory Powers Act 2000
● Lawful Business Practice Regulations 2000
– Inform workers of monitoring for lawful business purposes
– e.g. quality, training and security
● How do you 'monitor' remote workers?
● Blanket monitoring of employees is not acceptable
– Must be justified
– Are there other alternatives?
13. Data protection
● 8 data protection principles
– Principle 7 – adequate security measures
– Principle 8 – international transfers
● Cloud computing
– Where is the personal data held?
– Information Commissioner's guidance
● Sensitive personal data
● Encryption
14. Retention, deletion and retrieval
● Organisations must retain evidence in order to rely upon it!
● Information management policy covering
– Retention, access and exchange (including security), deletion and retrieval
● Why a policy?
– Business (cost, time and risk management)
– Legal (e.g. accounting records = 6 years, criminal penalties)
– Regulatory (FSA Rules, Food Standards etc.)
15. Key observations
● 3 important elements
– Managing IPR, including data, information and proprietary software
– Controlling worker behaviour
– Security
● Appropriate policies
– Linked to the employment contract to enable disciplinary action
– Otherwise just a management policy
● Don't panic – get on with your business!
16. About eradar.eu™
● Championing enterprise and the online economy
● Promoting an enabling legal and regulatory environment
● Business networking and compliance hub
● Membership services (over 400 briefing papers/articles)
– Referencing
– E-contracting Legal Group
– Premium tracking and scrutiny
– Audits and training