Gone forever are the days when businesses could afford to adopt a laissez-faire attitude and let employees set their own pace to adopt and deploy Commercial Off-the-Shelf (COTS) technologies and tools without solid central oversight. In addition to anti-harassment, customer and vendor relations, travel and expense accounts, and as otherwise advisable for regulatory compliance, policies became necessary for computer hardware, then computer software, mobile phones, and social media usage. Now, a policy is also needed for the use of personal devices for business purposes, or Bring Your Own Device (BYOD), where and when the employer allows it.

Whether a single policy will be written with separate and distinct sections for each of these sub-elements, or separate policies will be written for each one, is a matter of case-by-case decision for each employer. However, many elements will be common to more than one of these policies, and ignoring or avoiding a BYOD policy can lead to “quite” a bust.[1] A BYOD policy, implemented with employee buy-in, input, and trust, can have (depending on the size, scope of operations, and headcount of the employer) up to 11 (“eleven”) core elements that must be addressed. I will now introduce these below.

CORE ELEMENTS OF A BYOD POLICY:

1. S-ystems and Products.

At the bare minimum, you must let all of your staff know which operating systems (Windows OS version(s), Mac OS, Linux kernel[2]) and which products (phones, tablets, laptops, desktops) will be supported as the designated personal work “device” under that BYOD policy. It should not be a free-for-all with an “anything goes and everything must be supported” mentality. That is a recipe for open revolt in the IT department, due to the undue configuration and compatibility challenges that it would impose.

2. P-rivacy.

This is tricky, but it must be addressed. To the extent that work information is accessible through the device or held on the device, passwords must be shared with the employer. Any employee who has a problem with this should quietly back out of the policy, or ensure that nothing “untoward” is found or left on the device, because that password access should include acceptance of random audits and monitoring to ensure that: (i) security protocols are being followed; (ii) commingling of personal and business data is not the norm; and (iii) employees are not engaging in other activities, including illicit activities, that might subject the BYOD (work) device to legal impoundment, or the data thereon to compulsory disclosure.

3. E-fficiency Enhancements.

Having likely configured the device to “play nice” with legacy systems and be interoperable across the employer’s IT space, there will be restrictions on what a device owner can and cannot load onto the device post-configuration. The BYOD policy should specify whether individuals can download updates on their own (some update notifications can be malicious), or must use an enterprise update and install function with regular logins and daily backups and syncs to a hard site. This goes for both system upgrades and protective software (antivirus and antimalware). Another question the policy might address, after taking an initial inventory of all programs and utilities on the device, is which ones can stay and which ones must go, as well as whether or not any favourite games or other utilities – sometimes hurriedly made with inadvertent vulnerabilities, and often demanding far more system access and administrative control than they need to “function properly” – can be added.

4. C-are and Custody.

It should be heavily stressed that once a device has been proposed and accepted for inclusion under the policy, the “owner” of the device is beholden to the data owner (the employer, in the case of business proprietary information) and to the data subject (including the client or customer, in the case of Personally Identifiable Information/PII, Personal Health Information/PHI and the like) for the care and custody of both the device and all data that is on the device or accessible by means of the device. The device “must” remain in the “sole” care and custody of the employee, and can no longer be used by a child to play games during downtime on a long journey, or as a reward for completing homework or household chores on time.

5. I-nformation.

This section should remind employees that they will still need to adhere to any internal rules that require them to show a business need for any data before they can access it, as well as to any Identity and Access Management (IAM) procedures and the continued segregation of duties for working data (create, access, update, store, share, send, shred), system data (upload, download, wipe), and logs (write, access, edit, collate, wipe). Tie-ins with other policies on information (confidentiality, including passwords and proper screensaver and automatic sleep mode usage; social media usage; and audits and internal investigations) can also be made here, or in other sections of the BYOD policy.

6. A-ccountability.

Appropriate logs should be maintained, at all relevant times, of all data accessed through and residing on the device. In the case of any data breach or corruption, or any device loss, this will help track and assess the degree of loss, control the damage, tailor an appropriate response to the breach population, and otherwise comply with regulatory imperatives. Of course, the “only” copy of any data should never be held on just one portable device without also being backed up in several secure physical locations.

7. L-egal.

While the employer will certainly lay out those things for which the employee will be responsible, in terms of policy violation, it should also take the opportunity to list those things for which it will neither accept nor assume responsibility. Whether or not ultimately successful should a claim or claims arise, these might include distracted driving, walking, flying or riding; repetitive stress syndrome; and unlawful or antisocial behaviour (bullying, cyberbullying, sexting, IP infringement, or online defamation).

Clear defense and indemnification provisions would not be out of order, along with: (i) some form of employer funding for personal device use; (ii) stated and mutually understood to be consideration for accepting the policy as a binding agreement; and (iii) coupled with some employee contribution therefrom into a pool from which BYOD, privacy, and other advisable liability insurance coverages would be secured, with the employer as beneficiary.

8. I-mplementation.

Here, the employer would give additional rationales for the policy: its scope, its purpose, and its importance to the organization as a whole and to its mission in particular. Along with a preamble at the start of the policy, this section would be key to achieving buy-in at all levels, and to demonstrating the entity’s commitment, at the highest levels, to ensuring that the policy is both welcome and workable. Any staggered implementation, or other pertinent details on how the policy would be managed and modified from time to time, with changing laws and with employee input, might also be disclosed. A few words on enforcement, and on the reporting and investigation of suspected policy violations, should also be included here.

9. Z-one of Control.

This section would further delineate a “zone of control” (ZOC) within which the employer reserves the right to act with or without notice to employees, and which the employees accept as a bargained-for fact. This ZOC would include matters with regard to internal investigations (it is not always best to warn a target); law enforcement and national security (with or without stating specific provisions, but reminding all subscribers/adherents to a BYOD policy that the laws of the employer’s originating jurisdiction – including export restrictions and generalized trade or directed sanctions – may also apply); and contingencies (for example, employees in areas under actual, threatened, or suspected terror attack, or whose devices show impending travel further afield than authorized, may find that sensitive data has been remotely wiped from those devices, or that the devices have been remotely locked, as a security precaution). Less draconian, but still useful within the ZOC, are wide and public SMS alerts.

10. E-ncryption.

Encryption has recently been touted as the be-all and end-all of security solutions for data at rest, on mobile devices, and in transit – whether by email or as accessible through some Cloud platform. While it is true that encryption has a part to play, what is the use of it when the device itself holds a stored profile that contains one or several of the “current” encryption keys? Whoever obtains the device then obtains the key along with the data. On the other hand, some jurisdictions offer safe harbors that limit or even avoid breach disclosure obligations when the lost or stolen data is sufficiently encrypted or anonymized to make it indecipherable; and moving the protection closer to, or onto, the data itself may also limit the ability of an intruder who penetrates the outer layer(s) of enterprise protection to retrieve, and retreat with, anything useful from within the firewall or data stream. Some have called this a “Secure Breach” state.[3]

11. D-ecommissioning and Disposal.

Both disposal of the data, and the decommissioning or disposal of the device, need to be closely managed. Deletion does not always remove every trace of the data. Indeed, in the right hands, and with the appropriate tools, it is sometimes very easy to recover. There must be an accepted understanding that devices will not be traded in for upgrades or environmental credits without first being run through a wringer (in-house or outsourced) to ensure that they are truly clean. As the BYOD phenomenon gains pace, stability, and defined structures, a burgeoning business in such “outsourced pre-cleans” will likely develop. The results of lax cleans prior to disposal range from the embarrassing[4] to the quite disastrous.[5]

SUMMARY:

BYOD adds significantly more attack surface to an entity’s vulnerability matrix, and offers myriad additional attack vectors. The IT security space is constantly expanding ever further beyond the proverbial firewall, and evolving through continual adaptation to meet multiple generations of threat at a time.

A BYOD policy that addresses and covers the above points in sufficient depth and detail can remain relevant, and protect both the employer and the employer’s data while educating the workforce. But this schema is by no means presented or intended as the last word, because change is a constant.

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams. Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour and micro-organizational behaviour, and a Certificate in Field Security from the United Nations Department of Safety and Security (UNDSS), in New York, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law & Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.

[1] See e.g. DoD IG Audit Report DODIG-2013-060, Information Assurance, Security, and Privacy: Improvements Needed with Tracking and Configuring Army Commercial Mobile Devices. Published by the United States Department of Defense, March 26, 2013, on dodig.mil. Online: http://www.dodig.mil/pubs/report_summary.cfm?id=5082; See also Ekundayo George. What about hospital BYOD? Published October 7, 2012, on ogalaws.wordpress.com. Online: https://ogalaws.wordpress.com/2012/10/07/med-tech-byod-is-really-catching-on/

[2] Open source elements and compilations should always be used with caution, as licensing protocols will differ.

[3] SafeNet. A New Security Reality: The Secure Breach. Published in 2013, on safenet-inc.com. Online: http://www2.safenet-inc.com/securethebreach/downloads/secure_the_breach_manifesto.pdf

[4] Shaun Waterman, The Washington Times. Selling state secrets to North Korea? Japan sold hi-tech ship without wiping data. Published April 29, 2013, on washingtontimes.com. Online: http://www.washingtontimes.com/news/2013/apr/29/japans-coast-guard-sold-hi-tech-ship-north-koreans/

[5] Amar Toor. NASA Accidentally Sells Off Computers With Sensitive Data. Published December 8, 2010, on switched.com. Online: http://www.switched.com/2010/12/08/nasa-accidentally-sells-off-computers-with-sensitive-data/

What about hospital BYOD?

October 7, 2012

WOW!

I was just leafing-through the Ottawa Citizen of Saturday, October 6, 2012, and I came across an article on rising BYOD at the Children’s Hospital of Eastern Ontario (CHEO).[1]

WHAT?

BYOD, literally means “bring your own device”, and refers to the growing practice of employers allowing employees to bring their own mobile devices into the workplace (smart phones, tablets, laptops), in order that they may access proprietary and work-related information on those platforms with which they are already quite comfortable.

WHY?

Some of the advantages of BYOD identified in that article, include: (i) cashflow savings (not having to buy and replace devices for employees on an employer’s own tab, whether with operating funds or debt); (ii) currency (allowing employees to transport and deploy what is likely the most cutting-edge technology); (iii) speed and efficiency (permitting staffers to quickly access “more timely and accurate information” almost anywhere, as hosted on proprietary servers or those of cloud service providers/vendors);[2] and (iv) good environmental stewardship (cutting down on the use of paper, and copying costs, through the increasing use of EHR, or electronic health records).[3]

WHOA!

Doubtless, CHEO is already very well advised on these and related matters. However, in the race for similar BYOD gains by others,[4] let us try not to forget the clear potential for pains and strains, on which I have blogged at some length.[5] There are 4 (“four”) main keys to creating and implementing a BYOD/Cybersecurity Policy to guard against these, and employers hoping to exploit the gains of BYOD are well advised to have legal counsel – preferably counsel who are also familiar with the laws outside Canada, due to the global nature of the internet and Cybercrime – assist them in devising an appropriate framework within which BYOD can thrive, responsibly. These keys follow, in brief.

Systemic Security:

Stringent efforts must be made to secure access to the information accessible on or through these many mobile devices. The employer’s I.T. staff (or specialized contractors) also need to remain busy and vigilant in ensuring that no malicious code is present on these devices, or is introduced into the system by means of these devices. This, of course, will require copious amounts of training and retraining on countering social engineering techniques, safe browsing outside the workplace, and other device security measures. Although an added inconvenience for the user, internal rules may mandate that browsers not remember passwords, requiring a re-typing for each access or use. In addition, and at the very least, BYOD mobile devices must themselves be protected with passwords and, where applicable, programmed to report their location to the owner, or to remotely “self-wipe” and restore themselves to factory defaults, if stolen or misplaced.

Active Management:

Spot checks and random audits must be used to ensure and maintain compliance with any mobile security policy designed for the “anywhere, any device, anytime” BYOD-enabled workspace; or, as more accurately put, the “BYOD-uw” (ubiquitous workplace).

Internal Controls:

Information access controls must also be strictly enforced, so that employees have access only to that information for which they have a business-specific need to know. BYOD should not be a free license for fishing expeditions, or an invitation to forget medical ethics and use identifiable patient records in social media posts (medical blogs, “would you believe” anecdotes, and juicy tidbits of malice post-breakup or rejection), not to mention the truly inadvertent disclosures or keying slip-ups. Data may also be protected against cut/paste or dragging, and against download, and covered by strict write and edit permissions. This level of openness for use and potential abuse also makes the initial background checks and vulnerable sector screens that much more important. Behavioural interviewing techniques and other means of heightened pre-employment due diligence have already become the norm, due to the increasing use (and abuse) of social media, and a generally heightened, global security awareness in both the public and private sectors.

Legal and Regulatory Compliance:

Compliance must always be at the forefront, as there will be a host of regulatory regimes that are business- or industry-specific (protecting Intellectual Property Rights/IPR in the technology sector), risk-specific (countering leaks and espionage in the government sector), and privacy-centred (PHIPA[6] in the Ontario healthcare sector).[7] Privacy insurance is becoming increasingly popular, advisable, and even mandatory in certain cases, and several jurisdictions now have stringent notice and remediation laws in the case of a privacy breach.

WHITHER?

Forward, yes – but with caution, commonsense, and advice from legal and I.T. professionals.

Happy Thanksgiving!

***********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare and privacy, Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See, for example: http://www.ogalaws.com

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, large budgets, and multidisciplinary teams.  See, for example: http://www.simprime-ca.com

[1] Vito Pilieci. CHEO prescribes BYOD: Just What the Doctor Ordered. Ottawa Citizen. Section F, Business & Technology, at F1, F2 (print version of Saturday, October 6, 2012). Also available online: http://www.ottawacitizen.com/business/CHEO+prescribes+BYOD/7353691/story.html

[2] The use of cloud services should also be strongly considered and managed, as the storage of the personal information of Canadians on servers based within the United States, or its inadvertent passage through those servers, may lead to warrantless disclosures of said information to the arms and entities of a foreign nation without the consent or knowledge of the information subject, and in certain cases, the knowledge of a legally responsible information custodian.  See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published on http://www.Ogalaws.wordpress.com, on December 28, 2011.

Online: https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/

[3] Supra note 1.

[4] Id. The article also cites Citrix Systems, a CHEO vendor, as saying “more than 34 per cent of Canadian companies already have policies in place to allow employees to bring in personal devices. Another 27 per cent of Canadian firms plan to roll out some form of BYOD initiative over the next 12 months”.

[5] See e.g. Ekundayo George. Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach. Published on http://www.Ogalaws.wordpress.com, December 9, 2011.

Online: https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/

[6] PHIPA (Personal Health Information Protection Act, S.O. 2004, Chapter 3). Online: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm

[7] Also consider the potential applicability of MFIPPA and PIPEDA, whether in Ontario alone, elsewhere in Canada and at the federal level, or, with regard to the latter (PIPEDA), outside Canada. See MFIPPA (Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, Chapter M.56). Online: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90m56_e.htm See also PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5). Online: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html