Inside Internal Controls

News and discussion on implementing risk management

Office of the Information and Privacy Commissioners’ bring-your-own-device program guidelines

Using personal devices to conduct business at work (BYOD, or “bring your own device”) has become commonplace in the last couple of years. Employers are implementing BYOD policies left, right and centre to try to control the privacy challenges that arise when they access these devices to protect the corporate data stored on them.

On August 13, 2015, the federal, British Columbia and Alberta privacy commissioners issued joint guidelines on the protection of personal information, to help organizations reduce the risk of privacy breaches when considering whether to allow employees to use their own mobile devices and computers for work. The guidelines also aim to mitigate the risk of security incidents and privacy breaches. Federal Privacy Commissioner Daniel Therrien says:

“Allowing employees to use their mobile phones, tablets and laptop computers for both personal and professional use carries significant privacy risks – particularly when one world collides with the other… Companies need to consider the risks in advance and prepare to manage them effectively. Only then could they conclude whether a BYOD program is right for them.”

The privacy risk explained

The term “employee-owned device” is very broad and includes smartphones, tablets, laptops and desktop computers at home. These devices allow professionals to access corporate data, email, communications, applications and other processes and information wherever they are.

While the convenience of personal devices enables employees to peruse email, communicate with clients and review documents without being tied to the office and with reduced initial cost to employers, the BYOD trend is creating tension between how much access an employer can have to the worker-owned device and how much privacy an employee can expect.

Organizations are understandably concerned about security:

  • Keeping confidential data from falling into competitors’ hands
  • Preventing financial and other trade secrets or private business information from becoming public
  • Corporate information falling prey to hackers through a security breach
  • Employees misusing or losing corporate information
  • Devices being stolen or lost, among other issues

On the other hand, when using their personal devices for work, employees want to keep their personal information (e.g., photos, browsing history, text messages, emails, contacts, financial information, etc.) stored on their mobile devices private from their employers.

In the words of the commissioners:

“With the line between work and home increasingly blurred, bring your own device programs are growing in popularity and raising significant concerns among privacy guardians about the protection of personal information.”

“Companies also need to bear in mind that despite their best efforts, bad things can happen. Devices may be lost or stolen and personal information may be compromised.”

What is recommended by the federal, British Columbia and Alberta privacy commissioners?

The guidance is focused on 14 tips to consider when planning or implementing a BYOD program. They include:

  • Get executive buy-in for BYOD privacy protection
  • Assess privacy risks
  • Establish a BYOD policy
  • Pilot your program
  • Train staff
  • Demonstrate accountability
  • Mitigate risks through containerization
  • Put in place storage and retention policies
  • Encrypt devices and communications
  • Protect against software vulnerabilities
  • Manage apps effectively
  • Enable effective authentication and authorization practices
  • Address malware protection
  • Have a plan for when things go wrong

According to the guidelines, organizations should conduct a privacy and threat assessment prior to implementing a BYOD program to identify and address risks associated with the collection, use, disclosure, storage and retention of personal information.

A policy is not enough.

Companies need to understand the issues and risks specific to their organization, prior to establishing a BYOD program and policy:

  • The devices employees use
  • The apps and systems used by employees to access the company’s data and networks
  • The network security systems in place
  • How corporate data is stored, backed up and secured

Companies also need to train their employees and IT staff on what the policies say and on employees’ right to privacy, and institute methods for ensuring that employees comply with the rules.

It is important to remember that employees have privacy rights over their personal information, and a privacy policy does not change that. However, if employees know their rights ahead of time and understand what could happen if, for example, their device is stolen or hacked, they can decide whether they really want to use their own personal devices for business purposes and, if they do, what consequences to expect and what safeguards to put in place if a problem arises. For example, an employee should keep a backup of their personal data in case the company remotely wipes the device after a breach or after the device is stolen or lost.

The privacy commissioners’ guidelines will help you understand how to draft your policy to implement rules governing the acceptable use of devices, corporate monitoring, the sharing of devices, app management, connecting to corporate servers and security features, software, updates, voice and data plans, etc.

In addition, the guidelines suggest risk mitigation measures, including encryption of BYOD devices, authentication protocols and ways to separate corporate data from personal data, among others.

Conclusion

An employer that simply allows employees to use their own devices for work purposes, without considering the repercussions and implementing controls, places itself at substantial risk of data loss and misuse, unnecessary expenses and legal costs, reputational damage and even fraud.

Work today is increasingly mobile and remote, and employees are using their own devices for work, whether their employers like it or not. It is essential that employers understand the risks and challenges associated with BYOD—especially the risks specific to their own organization—and develop a plan to meet those issues proactively.

For more information on BYOD management and sample BYOD-related policies, check out Information Technology PolicyPro, published by First Reference.

Yosie Saint-Cyr, LL.B., Managing Editor

Yosie Saint-Cyr, LL.B., is a trained lawyer called to the Quebec bar in 1988 and is still a member in good standing. She practised business, employment and labour law until 1999. For over 17 years, Yosie has been the Managing Editor of the following First Reference publications: Human Resources Advisor, Human Resources PolicyPro, HRinfodesk and Accessibility Standards PolicyPro.