Protecting your firm against BYOD risks

by NZ Lawyer, 19 Mar 2014

There’s little turning back the tide on organisations allowing their people to access the network and hold data on employees’ and contractors’ own devices such as mobiles, personal laptops, USB data sticks, and so on.

Surveys point to a number of advantages including staff efficiency. But without the rigour usually found in company IT systems, this throws up the risk of unencrypted data going public, with legal and reputational consequences.

BYOD can open up security gaps even in best-practice internal IT systems. BYOD is a big issue for IT people and IT security specialists, so they are likely to understand why lawyers are getting involved.

The challenge is usefully set out by Nigel Miller in his October 2013 article in Computers & Law, BYOD: Win-win or Zero-sum Game?, as follows:

“The big risk factor for organisations with BYOD schemes is the loss of control over the devices being used. This leaves organisations in the dark in terms of knowing what data are stored on the devices or in the cloud, what data security vulnerabilities there may be and how to secure access themselves. This potential loss of control opens the door to a host of privacy and data security issues.

“For the employee who has to share control of the device with an organisation looking to protect its data assets, he could be forced to allow the organisation access to his own equipment, often without compensation, and face the risk that the organisation could access his private information, lock him out of the device and wipe his data.”

Essentially, the organisation must ensure information is protected to a standard that is reasonable in the circumstances to prevent unauthorised use or disclosure of the information (including taking reasonable steps when third parties, including staff and contractors, receive information). This is not necessarily about 100 per cent fail-safe security protection; it is about the organisation still being largely responsible for compliance over employees’ and contractors’ BYOD devices.

What is needed obviously depends on the level of sensitivity of the information. Therefore an organisation may, for example, stop highly sensitive information being used over BYOD, but take a more relaxed approach to other information.

What should the lawyer do?

To the extent BYOD access and data holding is permitted, the lawyer should get reassurance around two main categories, based on an adequate assessment of risk in the context of the organisation’s specific circumstances:

1. Are there adequate technical requirements in place? That could include restricting BYOD access to certain information in the network, and mobile device management (MDM) solutions providing encryption, monitoring of corporate policy compliance, configuration of settings, and remote wiping and locking of lost or stolen devices.

2. Are there adequate policies in place accepted by staff and contractors? That would include:

(a) material educating staff and contractors on the risks and how to manage BYOD devices (this can overlap with policies and material on related risks such as cloud computing and WiFi);

(b) staff/contractor obligations and acceptable use;

(c) the extent of the organisation’s right to access and monitor the device and its use (clearly defined to meet, for example, employment law requirements);

(d) the consequences if there are breaches.

Some more detail

A useful source is the material produced by the United Kingdom equivalent of the Privacy Commissioner, such as its report, Bring your own device (BYOD) Guidance.

Summarising some of that office’s key points:
  • Be clear with staff about which types of personal data may be processed on personal devices and which may not
  • Use a strong password to secure your devices
  • Enable encryption to store data on the device securely
  • Ensure that access to the device is locked or data automatically deleted if an incorrect password is input too many times
  • Treat public cloud-based sharing and public backup services that you have not fully assessed with extreme caution, and use them only if at all necessary
  • Register devices with a remote locate and wipe facility to maintain confidentiality of the data in the event of a loss or theft.
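The technical controls listed in point 1 above and in the summarised guidance (encryption, a strong passcode, lock or wipe after too many failed attempts, and enrolment in a remote locate-and-wipe facility) are the kind of thing an IT team can check per device, and the article’s suggestion of stopping highly sensitive information on BYOD while being more relaxed about other information is naturally expressed as a tier-to-controls mapping. The following Python script is an added example, not code from the article, NZ Lawyer or the UK office whose guidance is summarised; the tier names, the passcode-length and failed-attempt thresholds, and the device inventory are all constructed assumptions.

```python
"""
Added example: evaluate personal (BYOD) devices against the technical controls
named in the article and derive the most sensitive data tier each device may hold.
Tier labels, thresholds and the sample inventory are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Sensitivity tiers from least to most sensitive (assumed labels).
TIERS = ("public", "internal", "confidential", "highly_sensitive")

# Controls a device must demonstrate before it may hold data of a given tier.
# None means the tier is never permitted on a personal device, mirroring the
# article's example of stopping highly sensitive information over BYOD.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"strong_passcode", "encryption"},
    "confidential": {"strong_passcode", "encryption", "lockout",
                     "mdm_enrolled", "remote_wipe"},
    "highly_sensitive": None,
}

MIN_PASSCODE_LENGTH = 8    # assumed threshold for a "strong" passcode
MAX_FAILED_ATTEMPTS = 10   # assumed upper bound for the lock/wipe trigger


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    storage_encrypted: bool                    # data-at-rest encryption enabled
    passcode_length: int                       # 0 = no passcode set
    wipe_after_failed_attempts: Optional[int]  # None = no lockout/wipe threshold
    mdm_enrolled: bool                         # registered with locate/wipe facility
    remote_wipe_supported: bool


def controls_present(device: Device) -> set:
    """Return the names of the controls the device currently satisfies."""
    present = set()
    if device.storage_encrypted:
        present.add("encryption")
    if device.passcode_length >= MIN_PASSCODE_LENGTH:
        present.add("strong_passcode")
    if (device.wipe_after_failed_attempts is not None
            and 0 < device.wipe_after_failed_attempts <= MAX_FAILED_ATTEMPTS):
        present.add("lockout")
    if device.mdm_enrolled:
        present.add("mdm_enrolled")
    # Remote wipe only counts if the device is actually enrolled to receive it.
    if device.mdm_enrolled and device.remote_wipe_supported:
        present.add("remote_wipe")
    return present


def highest_permitted_tier(device: Device) -> str:
    """Most sensitive tier the device may hold; every lower tier is permitted too."""
    present = controls_present(device)
    allowed = "public"
    for tier in TIERS:
        required = REQUIRED_CONTROLS[tier]
        if required is None or not required <= present:
            break
        allowed = tier
    return allowed


def missing_controls(device: Device, tier: str) -> set:
    """Controls the device still lacks to be cleared for `tier` (empty = cleared)."""
    required = REQUIRED_CONTROLS[tier]
    if required is None:
        return {"tier never permitted on personal devices"}
    return required - controls_present(device)


def compliance_report(devices) -> dict:
    """Map each device id to its permitted tier and the gaps for 'confidential'."""
    return {
        d.device_id: {
            "owner": d.owner,
            "max_tier": highest_permitted_tier(d),
            "missing_for_confidential": sorted(missing_controls(d, "confidential")),
        }
        for d in devices
    }


# Constructed sample inventory (not real devices or people).
SAMPLE_DEVICES = [
    Device("phone-01", "a.partner", True, 12, 10, True, True),
    Device("laptop-07", "b.contractor", True, 6, None, False, False),
    Device("tablet-03", "c.associate", False, 0, None, False, False),
]

if __name__ == "__main__":
    for device_id, result in compliance_report(SAMPLE_DEVICES).items():
        print(device_id, result)
```

The report lists, for each device, the highest tier it is cleared for and which controls it would still need before confidential material could be permitted; in the sample, only the fully managed phone is cleared for confidential data, while the contractor laptop with a six-character passcode and no MDM enrolment is limited to public information. Feeding such a report into the staff-facing policy (point 2 above) gives the "consequences" clause something concrete to refer to.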