Canadian Underwriter
Feature

Bringing Sense to BYOD


December 1, 2015   by Mitch Koczerginski, Associate, McMillan LLP



Bring Your Own Device, or BYOD, is a business technology solution that clearly offers some benefits, but can also create risks if not implemented effectively.

By allowing employees to perform professional tasks on personally owned devices, these arrangements are attractive to Canadian businesses because they can result in significant savings on technology costs, as well as enhance employee satisfaction and efficiency.

Despite these benefits, organizations should carefully explore and consider all potential implications before implementing a BYOD program.

A program that allows employees to use their own devices for both personal and professional purposes has the potential to create conflicts between an organization’s need to enforce important organizational policies and an employee’s privacy interests.

To avoid this potential conflict, organizations should develop a BYOD policy that strikes an appropriate balance between organizational concerns and related privacy obligations. Recently released joint guidelines from federal, Alberta and British Columbia privacy commissioners detail some of the important issues that need to be considered.

UNDERSTANDING THE PROBLEM

Organizations have a legitimate interest in regulating and monitoring an employee’s professional use of a BYOD device. Although a BYOD program permits employees to perform professional tasks on personal devices, employers still have an interest in prohibiting employee conduct that may negatively impact the organization, as well as monitoring compliance with workplace policies.

The intermingling of professional and personal use inherent in a BYOD program blurs the line between what is professional and what is personal. As a result, an employee may continue to represent his or her organization even when using a device in a personal capacity. An employee who uses a device for inappropriate or unlawful purposes may further expose his or her organization to liability or reputational harm.

While a BYOD program provides an employee the flexibility to perform work tasks from virtually anywhere, an organization must, nonetheless, take steps to ensure the security of both privileged and confidential organizational data, as well as individuals’ personal information. Unauthorized release of confidential business data may result in significant legal or business harm to an organization, and breaches of personal privacy can result in lawsuits and damage to reputation.

For instance, organizations in possession of information subject to confidentiality obligations may be found liable if such information is inadvertently released. Even if an organization is not legally subject to confidentiality requirements, release of internal documents may cause significant business harm. For instance, the inadvertent disclosure may reveal otherwise not publicly known business plans or initiatives.

Using a personal device to perform professional tasks may compromise security in a variety of ways, including allowing access to documents or emails over an unsecured WiFi network, performing organization tasks in public, or losing information upon termination of the employment relationship if company data remains on an employee-owned device.

The risk of a data breach increases substantially if employees are able to access confidential information from devices that are outside an organization’s security system. While organizations invest significantly in the security of their networks, documents that are removed from the network are subject to the security controls on an employee’s device.

As such, an organization may require access to a BYOD device to install security software necessary to protect its network. Organizations may also have an interest in monitoring BYOD devices to ensure employee compliance with workplace programs or policies.

While permissible, an organization’s decision to regulate a BYOD device raises issues regarding employee privacy.

An organization may have a legitimate reason to access professional information on an employee’s personal device, but it must be mindful of applicable privacy obligations. These obligations, where applicable, include a requirement to obtain consent before collecting personal information.

A single device used for personal and professional purposes is more likely to have work product information and personal information intermingled. As such, an employer runs the risk of collecting personal information while accessing the device to collect work product information. It is important that participants in BYOD programs understand employer access to the professional data on a device may result in the inadvertent collection of their personal information.

RECONCILING ORGANIZATIONAL CONCERNS, PRIVACY OBLIGATIONS

This August, the information and privacy commissioners of Canada, Alberta and B.C. issued joint guidelines to help organizations reconcile security concerns with obligations pursuant to applicable privacy law. The guidelines serve as a useful tool for organizations considering implementing a BYOD program.

An important recommendation is for an organization to conduct a privacy impact assessment (PIA) and a threat risk assessment (TRA) prior to implementing a BYOD program to see if such a program makes sense for the organization. A PIA identifies potential privacy risks inherent in a new program or policy; a TRA identifies potential threats that a new program or policy may pose to an organization’s IT system.

Conducting a PIA and a TRA prior to implementing a program allows an organization to determine if an appropriate balance between security concerns and privacy obligations is possible. As well, by identifying potential risks to both an organization’s security system and employee privacy, organizations will be better positioned to construct a specialized BYOD policy.

The commissioners recommend a BYOD policy clearly establish obligations and expectations of BYOD users and the organization, including those below:

• user responsibilities;

• how personal information in an organization’s control may be subject to reasonable and acceptable corporate monitoring on a BYOD device, and how BYOD users are informed of these monitoring practices;

• whether or not geo-tracking information generated by the mobile device will be tracked by an organization;

• the privacy practices an organization has adopted in respect of the employee’s personal use of a BYOD device;

• training for BYOD users;

• acceptable and unacceptable uses of BYOD devices;

• sharing of devices with family members or friends;

• application (app) management;

• data/voice plan responsibility;

• device and information security requirements; and

• access requests.

Beyond generating a robust policy, it is important that an organization develop training materials and programs to educate employees on the organization’s expectations outlined in the policy. Organizations should ensure employees agree and consent to the terms of the BYOD policy.

MITIGATING ORGANIZATIONAL RISK

The commissioners further recommend that organizations undertake certain technological procedures to mitigate the security and privacy risks identified in a particular BYOD program, including those relating to “containerization” and “encryption”.

Containerization is a risk management strategy where a device is divided into separate virtual containers: one for personal data; one for organizational data. Organizations are encouraged to use mobile device management software to facilitate internal management of the container holding professional data and organization-approved applications.

Organizations should also train employees about any specialized software installed for these purposes. Staff co-operation is key to the success of containerization as a mitigation strategy, since the process may be undermined if employees perform professional functions in the personal container or vice versa.

Encryption refers to the process of encoding messages or information in such a way that they can be read only by authorized parties. Implementing a system of encryption for communicating confidential information between a BYOD device and the organization’s network mitigates the risk that the content could be meaningfully intercepted.

The commissioners recommend encryption of the organizational container of a BYOD device be centrally managed by an organization’s IT department.
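The following is an added example, not part of the article or the commissioners’ guidelines, of what the encryption described above looks like in practice: a message from the organizational container is protected with authenticated encryption (AES-256-GCM from the Go standard library) so that an observer on an unsecured network sees nothing readable, and any alteration of the message in transit is rejected rather than silently accepted. The key, the device identifier and the message content are constructed sample values; in a real deployment the key would be provisioned and rotated by the IT department’s device-management tooling, as the guidelines recommend.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts plaintext with AES-256-GCM under key. aad is authenticated but
// not encrypted, which binds the message to context such as a device identifier.
// A fresh random 12-byte nonce is generated per message and prepended to the
// output so the receiver can recover it; a nonce must never repeat under one key.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies and decrypts a message produced by Seal. Any modification of the
// nonce, ciphertext, authentication tag or aad yields an error instead of data.
func Open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("message too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Leaks reports whether the plaintext appears verbatim in the transmitted bytes,
// i.e. whether someone watching an unsecured Wi-Fi network could read it directly.
func Leaks(transmitted, plaintext []byte) bool {
	return bytes.Contains(transmitted, plaintext)
}

func main() {
	// Constructed sample key (32 bytes = AES-256). Hypothetical: in practice the
	// organization's MDM would provision this into the organizational container.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	aad := []byte("device-id:example-0001")              // constructed device identifier
	msg := []byte("Q3 expansion plan - CONFIDENTIAL")    // constructed confidential content

	sealed, err := Seal(key, msg, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext readable on the wire:", Leaks(sealed, msg))

	recovered, err := Open(key, sealed, aad)
	fmt.Println("authorized receiver recovers message:", err == nil && bytes.Equal(recovered, msg))

	// Simulate tampering in transit by flipping one bit of the ciphertext/tag.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, aad)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Encrypting with GCM rather than a bare cipher matters here: the authentication tag is what turns "the content cannot be read" into "the content cannot be read or altered without detection", which is the property an organization wants when the same channel carries work product and personal traffic.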

BYOD programs offer some benefits to both participating organizations and employees, but must be implemented thoughtfully. While organizations may regulate the use of BYOD devices, they must consider employee privacy obligations when doing so. It is also important to consider the joint recommendations of the three privacy commissioners.

