Using personal devices at work to conduct business (BYOD or “bring your own device”) has become commonplace in the last couple of years. Employers are implementing BYOD policies left, right and centre to try to control the privacy challenges this practice brings about, which arise when employers access these devices to protect the corporate data stored on them.
On August 13, 2015, the federal, British Columbia and Alberta privacy commissioners issued joint guidelines on the protection of personal information, to help organizations reduce the risk of privacy breaches when considering whether to allow employees to use their own mobile devices and computers for work. The guidelines also aim to mitigate the risk of security incidents and privacy breaches. Federal Privacy Commissioner Daniel Therrien says:
“Allowing employees to use their mobile phones, tablets and laptop computers for both personal and professional use carries significant privacy risks – particularly when one world collides with the other… Companies need to consider the risks in advance and prepare to manage them effectively. Only then could they conclude whether a BYOD program is right for them.”
The privacy risk explained
The term “employee-owned device” is very broad and includes smartphones, tablets, laptops and home desktop computers. These devices allow professionals to access corporate data, email, communications, applications and other processes and information wherever they are.
The convenience of personal devices lets employees peruse email, communicate with clients and review documents without being tied to the office, and at a reduced initial cost to employers. At the same time, the BYOD trend creates tension between how much access an employer can have to the worker-owned device and how much privacy an employee can expect.
Organizations are understandably concerned about security:
- Keeping confidential data from falling into competitors’ hands
- Preventing financial and other trade secrets or private business information becoming public
- Corporate information falling prey to hackers through a security breach
- Employees misusing or losing corporate information
- Devices being stolen or lost, among other issues
On the other hand, when using their personal devices for work, employees want to keep the personal information stored on those devices (e.g., photos, browsing history, text messages, emails, contacts and financial information) private from their employers.
In the words of the commissioners:
“With the line between work and home increasingly blurred, bring your own device programs are growing in popularity and raising significant concerns among privacy guardians about the protection of personal information.”
“Companies also need to bear in mind that despite their best efforts, bad things can happen. Devices may be lost or stolen and personal information may be compromised.”
What is recommended by the federal, British Columbia and Alberta privacy commissioners?
The guidance is focused on 14 tips to consider when planning or implementing a BYOD program. They include:
- Get executive buy-in for BYOD privacy protection
- Assess privacy risks
- Establish a BYOD policy
- Pilot your program
- Train staff
- Demonstrate accountability
- Mitigate risks through containerization
- Put in place storage and retention policies
- Encrypt devices and communications
- Protect against software vulnerabilities
- Manage apps effectively
- Enable effective authentication and authorization practices
- Address malware protection
- Have a plan for when things go wrong
According to the guidelines, organizations should conduct a privacy and threat assessment before implementing a BYOD program, to identify and address the risks associated with the collection, use, disclosure, storage and retention of personal information.
A policy is not enough.
Companies need to understand the issues and risks specific to their organization before establishing a BYOD program and policy, including:
- The devices employees use
- The apps and systems used by employees to access the company’s data and networks
- The network security systems in place
- How corporate data is stored, backed up and secured
Companies also need to train their employees and IT staff on what the policies say and on employees’ right to privacy, and institute methods for ensuring that employees are complying with the rules.
The privacy commissioners’ guidelines will help you understand how to draft a policy that implements rules governing the acceptable use of devices, corporate monitoring, the sharing of devices, app management, connecting to corporate servers, security features, software and updates, voice and data plans, and so on.
In addition, the guidelines suggest risk mitigation measures, including encryption of BYOD devices, authentication protocols and how to separate corporate data from personal data, among other measures.
An employer that simply allows employees to use their own devices for work purposes, without considering the repercussions and implementing controls, places itself at substantial risk of data loss and misuse, unnecessary expenses and legal costs, reputational damage and even fraud.
Work today is increasingly mobile and remote, and employees are using their own devices for work, whether their employers like it or not. It is essential that employers understand the risks and challenges associated with BYOD—especially the risks specific to their own organization—and develop a plan to meet those issues proactively.