Gone forever are the days when businesses could afford to adopt a laissez-faire attitude and let employees set their own pace in adopting and deploying Commercial Off-the-Shelf (COTS) technologies and tools without solid central oversight.  In addition to anti-harassment, customer and vendor relations, travel and expense accounts, and as otherwise advisable for regulatory compliance, policies became necessary for computer hardware, then computer software, mobile phones, and social media usage.  Now, a policy is also needed for the use of personal devices for business purposes, or Bring Your Own Device (BYOD), where and when the employer allows it.

Whether a single policy will be written with separate and distinct sections for each of these sub-elements, or separate policies will be written for each one, is a case-by-case decision for each employer.  However, many elements will be common to more than one of these policies, and ignoring or avoiding a BYOD policy can lead to “quite” a bust.[1]  The essence of a BYOD policy, to be implemented with employee buy-in, input, and trust, can have (depending on the size, scope of operations, and headcount of the employer) up to 11 (“eleven”) core elements that must be addressed.  I introduce these below.

CORE ELEMENTS OF A BYOD POLICY:

  1. S-ystems and Products.

At a bare minimum, you must let all of your staff know which operating systems (Windows OS version(s), Mac OS, Linux kernel[2]) and which products (phones, tablets, laptops, desktops) will be supported as the designated personal work “device” under the BYOD policy.  It should not be a free-for-all with an anything-goes, everything-must-be-supported mentality.  That is a recipe for open revolt in the IT department, given the undue configuration and compatibility challenges it would impose.

  2. P-rivacy.

This is tricky, but it must be addressed.  To the extent that work information is accessible through the device or held on the device, passwords must be shared with the employer.  Any employee who has a problem with this should quietly back out of the policy, or ensure that nothing “untoward” is found or left on the device, because that password access should include acceptance of random audits and monitoring to ensure that: (i) security protocols are being followed; (ii) commingling of personal and business data is not the norm; and (iii) employees are not engaging in other activities, including illicit activities, that might subject the BYOD (work) device to legal impoundment, or the data on it to compulsory disclosure.

  3. E-fficiency Enhancements.

Having likely configured the device to “play nice” with legacy systems and be interoperable across the employer’s IT space, there will be restrictions on what a device owner can and cannot load onto the device post-configuration.  The BYOD policy should specify whether individuals can download updates on their own (some update notifications can be malicious), or must use an enterprise update and install function with regular logins and daily backups and syncs to a hard site.  This applies to system upgrades as well as to protective software (antivirus and antimalware).  Another question the policy might address, after an initial inventory of all programs and utilities on the device, is which ones can stay and which ones must go, as well as whether any favourite games or other utilities – sometimes hurriedly made with inadvertent vulnerabilities, and often demanding far more system access and Admin. controls than they need to “function properly” – can be added.

  4. C-are and Custody.

It should be heavily stressed that once a device has been proposed and accepted for inclusion under the policy, the “owner” of the device is beholden to the data owner (the employer, in the case of business proprietary information) and to the data subject (including the client or customer, in the case of Personally Identifiable Information/PII, Personal Health Information/PHI, and the like) for the care and custody of both the device and all data that is on the device or accessible by means of the device.  The device “must” remain in the “sole” care and custody of the employee, and can no longer be used by a child to play games during downtime on a long journey or as a reward for completing homework or household chores on time.

  5. I-nformation.

This section should remind employees that they will still need to adhere to any internal rules that require them to show a business need for data before they can access it, and that Identity and Access Management (IAM) procedures and segregation of duties will continue to be enforced for working data (create, access, update, store, share, send, shred); system data (upload, download, wipe); and logs (write, access, edit, collate, wipe).  Tie-ins with other policies on information (confidentiality, including passwords and proper screensaver and automatic sleep mode usage; social media usage; and audits and internal investigations) can also be made here, or in other sections of the BYOD policy.

  6. A-ccountability.

Appropriate logs should be maintained, at all relevant times, of all data accessed through and residing on the device.  In the case of any data breach or corruption, or any device loss, this will help track and assess the degree of loss, control the damage, tailor an appropriate response to the breach population, and otherwise comply with regulatory imperatives.  Of course, the “only” copy should never be held on just one portable device without also being backed up in several secure physical locations.

  7. L-egal.

While the employer will certainly lay out those things for which the employee will be responsible in terms of policy violation, it should also take the opportunity to list those things for which it will neither accept nor assume responsibility.  Whether or not ultimately successful should a claim or claims arise, these might include distracted driving, walking, flying or riding; repetitive stress syndrome; and unlawful or antisocial behaviour (bullying, cyberbullying, sexting, IP infringement, or online defamation).

Clear defense and indemnification provisions would not be out of order, along with: (i) some form of employer funding for the employee’s personal device use; (ii) stated and mutually understood to be consideration for accepting the policy as a binding agreement; and (iii) coupled with some employee contribution from that funding into a pool from which BYOD, privacy, and other advisable liability insurance coverages would be secured, with the employer as beneficiary.

  8. I-mplementation.

Here, the employer would give additional rationales for the policy, its scope, its purpose, and its importance to the organization as a whole and to its mission in particular.  Along with a preamble at the start of the policy, this section would be key to achieving buy-in at all levels, and to demonstrating the entity’s commitment, at the highest levels, to ensuring that the policy is both welcome and workable.  Any staggered implementation, or other pertinent details on how the policy would be managed and modified from time to time or with changing laws, and with employee input, might also be disclosed.  A few words on enforcement, and on the reporting and investigation of suspected policy violations, should also be included here.

  9. Z-one of Control.

This section would further delineate a “zone of control” (ZOC) within which the employer reserves the right to act with or without notice to employees, and which the employees accept as a bargained-for fact.  This ZOC would include matters of internal investigation (it is not always best to warn a target); reasons of Law Enforcement and National Security (with or without stating specific provisions, but reminding all subscribers/adherents to a BYOD policy that the laws of the employer’s originating jurisdiction – including export restrictions and generalized trade or directed sanctions – may also apply); and contingencies (for example, employees in areas under actual, threatened, or suspected terror attack, or whose devices show impending travel further afield than authorized, may find that sensitive data has been remotely wiped from those devices, or that the devices have been remotely locked, as a security precaution).  Less draconian but still useful within the ZOC, of course, are wide and public SMS alerts.

10. E-ncryption.

Encryption has recently been touted as the be-all and end-all of security solutions for data at rest, data on mobile devices, and data in transit, whether by email or as accessible through some Cloud platform.  While it is true that encryption has a part to play, what is the use of it when the device has a stored profile that contains one or several of the “current” encryption keys?  In addition, some jurisdictions may offer safe harbors that limit or even avoid breach disclosures when the lost or stolen data is sufficiently encrypted or anonymized to make it indecipherable; and moving the protection closer to, or onto, the data itself may also limit the ability of an intruder who penetrates the outer layer(s) of enterprise protection to retrieve, and retreat with, anything useful from within the firewall or data stream.  Some have called this a “Secure Breach” state.[3]

11. D-ecommissioning and Disposal.

Both the disposal of data and the decommissioning or disposal of the device need to be better and more closely managed.  Deletion does not always remove every trace of the data; indeed, it is sometimes very easy to recover in the right hands and with the appropriate tools.  There must be an accepted understanding that devices will not be traded in for upgrades or environmental credits without first being run through a wringer (in-house or outsourced) to ensure that they are truly clean.  As the BYOD phenomenon gains pace, stability, and defined structures, a burgeoning business in such “outsourced pre-cleans” will likely develop.  The results of lax cleans prior to disposal range from the embarrassing[4] to the quite disastrous.[5]

SUMMARY:

BYOD adds significantly more attack surface to an entity’s vulnerability matrix, and offers myriad additional attack vectors.  The IT security space is constantly expanding ever further beyond the proverbial firewall, and evolving through continual adaptation to meet multiple generations of threat at a time.

A BYOD policy that addresses and covers the above points in sufficient depth and detail can remain relevant, and protect both the employer and the employer’s data while educating the workforce.  But this schema is by no means presented or intended as the last word, because change is the one true constant.

************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.). Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams. Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour and micro-organizational behaviour, and a Certificate in Field Security from the United Nations Department of Safety and Security (UNDSS), in New York, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law & Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.

[1] See e.g. DoD IG Audit Report DODIG-2013-060, Information Assurance, Security, and Privacy: Improvements Needed with Tracking and Configuring Army Commercial Mobile Devices.  Published by the United States Department of Defense, March 26, 2013, on dodig.mil.  Online: http://www.dodig.mil/pubs/report_summary.cfm?id=5082; See also Ekundayo George.  What about hospital BYOD?  Published October 7, 2012, on ogalaws.wordpress.com.  Online: https://ogalaws.wordpress.com/2012/10/07/med-tech-byod-is-really-catching-on/

[2] Open source elements and compilations should always be used with caution, as licensing protocols will differ.

[3] SafeNet.  A New Security Reality: The Secure Breach.  Published in 2013, on safenet-inc.com.  Online: http://www2.safenet-inc.com/securethebreach/downloads/secure_the_breach_manifesto.pdf

[4] Shaun Waterman, The Washington Times.  Selling state secrets to North Korea? Japan sold hi-tech ship without wiping data.  Published April 29, 2013, on washingtontimes.com.  Online: http://www.washingtontimes.com/news/2013/apr/29/japans-coast-guard-sold-hi-tech-ship-north-koreans/

[5] Amar Toor.  NASA Accidentally Sells Off Computers With Sensitive Data.  Published December 8, 2010, on switched.com.  Online: http://www.switched.com/2010/12/08/nasa-accidentally-sells-off-computers-with-sensitive-data/


RATIONALE:

I was recently reading the PWC/Digital IQ Report, entitled “2013 Top 10 Technology Trends for Business”,[1] when I deduced that something was missing.  Rather than say that the venerable PWC were wrong in omitting something (who am I?), I thought it better to perhaps bring my views to light with a separate but related story; hence this blog post, with a title that plays on that of the PWC Report.

The PWC/Digital IQ Report identifies and presents the 2013 top 10 technology trends for business as: (1) Pervasive computing; (2) Cybersecurity; (3) Big Data mining and analysis; (4) Private Cloud; (5) Enterprise social networking; (6) Digital delivery of products and services; (7) Public Cloud infrastructure; (8) Data visualization; (9) Simulation and scenario modeling; and (10) Gamification.[2]

IDENTIFICATION:

One might say that these are, each and all, complete in and of themselves.  However, the additional trends for consumers that they inspire should, I feel, be presented as either:

(a) additional trends (numbered 11 through 15) for businesses (considering the business-to-consumer/business-to-business implications and possibilities); or

(b) as separate & distinct (numbered one through five), consumer specific trends.

These five are: (v) Accelerated lived experience; (w) BYOD; (x) Crowdsourcing; (y) Distance education; and (z) End-User legal authority/license autonomy/leveraged ability (EULA3, or cubed).  Hence, choosing (b), I detail them below as separate and distinct, consumer-specific trends.

SPECIFICS:

Accelerated Lived Experience:

(v) The speed at which information now moves has led to an accelerated lived experience for everyone.  Anything and everything posted in a social media setting can be shared instantaneously with millions of people all over the world.  And, once something is released into the wild of the web, it can “never” be taken back.  Legally, there are archives of webpages, tweets, blogs, pictures, videos, and postings – even the deleted ones – kept by licensed players within the internet superstructure; technically, there are vast storehouses (server farms) run by many governments around the world, and their functionaries, sifting through everything that is uploaded to, sent across, and downloaded from the internet; and individually and collectively, people and groups – both criminal and law-abiding – can surf, send, and select for download or copy/paste at their pleasure.  We are almost at a stage of constant reaction to external initiators, always on the lookout for the next trending thing with heightened anxiety, elevated heart rates, and hyper-dilated pupils.  The jolt of electricity from AC/DC (alternating current/direct current) is now matched by the constant (almost intravenous, in some cases, for those who cannot turn off or put down the smartphone) stimulus experienced by the always connected/always online (AC/AO) generation.

BYOD:

(w) Bring Your Own Device is the new policy in an increasing number of workplaces that allows employees to bring their own devices to work, or to use them remotely for work.  Despite the real dangers of allowing sometimes uncleared (inherently insecure, or running old and unpatched operating systems), incompatible (incorrectly configured), or unnecessarily vulnerable (inadequate virus and spyware protections, or already loaded with exploits-in-waiting) tech tools to connect to a work network, send data to it, and source valuable personal data, customer information, intellectual property and trade secrets from it, this trend is likely to continue.[3]  BYOD has the potential to enable significant savings for the organization, which no longer has to constantly acquire, distribute, and manage ever newer devices for its sometimes vast army of employees.  However, it can also import liabilities for anything from: failing to properly train employees in, monitor, and enforce a responsible BYOD usage policy, along with a social media usage policy; negative publicity from employee pushback against the employer’s attempts to over-regulate their private use of private property, despite its incidental business application; and legal exposure from a preventable data breach, or employee loss of personal data on an unsecured device that was misplaced or stolen.  Should the employer’s insurer or the employee’s insurer pay for the ensuing liabilities when a personal laptop, used for business, is lost or stolen while an employee is on vacation (or stress leave), but finishing off some work?

Crowdsourcing:

(x) Having so many people, in so many different places, with myriad perspectives and experiences, enables a whole new world of crowdsourcing.  This can range from personal networking sites that allow one to rapidly get information on a specific subject from a variety of sources or thought and knowledge leaders; through groups, blogs, and listservs that are more targeted and which people join or subscribe to at their pleasure; to news media sites that invite people to post their images, videos, or opinions on a variety of current and historical issues, or on disasters and other developing events of significance.  Of course, there is no guarantee that some or all such crowd sources are correct, accurate, or honest.  There have also been instances of late involving “massaged” evidence; old footage from somewhere else presented as current footage from a hot location; and cases in which people with their own agendas have either directly impersonated others, or hacked their accounts and credentials – not to mention those “crashing” glitzy events who could easily be mistaken for legitimate participants if presented, with the right caption, to an unwitting audience (not aware of, or even so far gone as not to believe, the original footage).  Crowd-sourced “fodder” is best taken with a good dose of skepticism, and at least a little salt, lest one join the ranks of those who are so easily fooled all of the time.  Conversely, business use of crowdsourcing within the organization may defeat itself if not properly managed.  The digital suggestion box, if too full, will see management applying that very same filtering software, already adept at sniffing through servers full of resumes, to sift through and sort the suggestions.  Good ones, as always, may still be filtered out by the wrong or imprecise Big Data analytical tools.

Distance Education:

(y) This trend, thankfully, is not quite as controversial.  However, the accreditation and quality of an increasing collection of online courses, degree and certificate programs, and institutions is a fast-developing concern.  Accredited professionals who cannot always travel easily to attend presentations they need for continuing education credits, or that are otherwise of interest to them, can more conveniently sit and watch the webcast or listen to the teleconference from the comfort of their own homes and offices, or even when on the road (to the extent, of course, that it does not lead them into distracted driving, boating, flying, riding, or otherwise).  As technology continues to develop and regulatory accreditation issues and concerns are resolved, this trend can only continue, including, of course, greater use of learning-on-demand (like the already pervasive delivery of video and audio content on demand), digitized in a Cloud for later, multi-taneous,[4] ever-replicable access.  Additionally, education need not be so formal, as someone can gain knowledge from virtually any video, blog post, or seminar that they find online, posted from anywhere and available everywhere (that does not have filtering or blocked sites), in their own identified field of pre-existing, related, or newly-created interest.

End-User Legal Authority/ License Autonomy/ Leveraged Ability (EULA3, or cubed):

(z) In the olden days (dating myself a little here), computer software was released and “sent” by snail mail in shrink-wrapped packages.  Opening the package constituted acceptance of the manufacturer/publisher End-User License Agreement (EULA).  Once you had broken the shrink-wrap packaging, it could prove difficult, or impossible, to say that you had not accepted the EULA, or to try to return the software and get a refund if you had not otherwise fulfilled the warranty requirements, where they even existed.  Then, with the growth of online commerce/eCommerce, this turned into a click-wrap scenario, which still exists, somewhat.  By clicking on the appropriate “I accept” box or boxes, you accept the terms of use, EULA, and other conditions and prerequisites to download the software, access the site, utilize the online service, fully activate a device, or register its warranty, as appropriate.  Today, we have an increasing prevalence of shareware with licenses that are not quite free, but in the creative commons (too detailed for fuller presentation here); we have devices that are sold as locked but that can be unlocked, whether or not legally; contract hackers and programmers who work for a fee are available online, or through friends-of-friends; and stolen devices still under contract or EULA can be relatively easily wiped of data, re-programmed, and re-purposed with new SIM (Subscriber Identity Module) cards or software, whether right next door or on the other side of the world.

Users and developers of shareware, including “apps” available for download and use on various trusted and not-so-trusted sites, now have added and significant legal authority to use and further develop or customize them (screensavers, fonts, skins, and avatars) to their own liking.

Those using unlocked devices – howsoever obtained – have a significant degree of license autonomy, as they can be free from multi-year contracts; they can sometimes be free from geographic restrictions on where they can use their smartphones or play their DVDs; and they can also be free (whether through active choice or by default setting, depending on the jurisdiction) from having add-ons bundled with initial programs (EU), from having their location automatically tracked by the service provider (opt-out), and from the compulsory download of automatic updates that may conflict with programs and applications installed on the device since its initial purchase or acquisition.  Of course, an original purchaser would already have known of the manufacturer/developer caveat that the item might not work as originally envisaged if automatic updates were not accepted.  However, the later purchaser or recipient of dubious propriety might have the device wiped and/or locked, and/or tagged to him or her, when searching for an update online.  Life as lived in a certain way will always have its risks, for those who dare there stay!

The increasing online prevalence of tools and technologies enabling groups to collaborate, individuals to innovate, and everyone to share almost anything from everywhere, with everyone, at any time, provides us all with significant leveraged ability.  This has ranged from simple apps (for almost anything thinkable and unthinkable); through online groups, archives, fora, encyclopedias, and societies (ditto); to the ever-expanding plethora of additionally leveraging SaaS, PaaS, IaaS, and NaaS[5] offerings.

END-STATE:

Control once held by the manufacturer and copyright holder over the consumer, and over what he or she could legitimately do with the former’s intellectual property, has been reduced, in some cases to zero.  This massive Shift of power to the consumer, arising from the variety of choices, service options, and delivery channels available to them and in constant competition for market share, has now served to virtually Delete the EULA as once known, with end-users experiencing significant legal authority, license autonomy, and leveraged ability.  “No contract”; “unlocked”; “number portability”; “free wifi”; “roaming included”; “unlimited data package”: these are the new and standard terms, now!

Apparently, these terms are all here to stay (and will get even better in favour of the now-empowered consumer), to the extent that data flows and internet flexibility are not slowly or suddenly throttled by sometimes competing security and IPR (Intellectual Property Rights) interests, and so long as PwC’s 2013 Top 10 Technology Trends for Business[6] continue to enable and expand the 2013 Top 5 Technology Trends for Consumers that I have identified above in this post.

************************************************************************

[1] PricewaterhouseCoopers LLP.  Digital IQ – 2013 Top 10 Technology Trends for Business.  Results of the 5th Annual PwC Digital IQ Survey.  Published on pwc.com, in 2013.  Online: http://www.pwc.com/us/en/advisory/2013-digital-iq-survey/top-10-technology-trends-for-business.jhtml

[2] Id.

[3] See e.g. Ekundayo George.  What about hospital BYOD?  Published on ogalaws.wordpress.com, October 7, 2012.  Online: https://ogalaws.wordpress.com/2012/10/07/med-tech-byod-is-really-catching-on/

[4] I have not seen the word used in this specific context before, and so I thought I might as well use it here.  It stands for “simultaneous access in multiple locations on multiple platforms or devices”; as possible through an intermediary Cloud Services Provider with a high and demonstrably reliable SLA, given industry outages to date, or a robust private/hybrid Cloud capable of running multiple and adequately buffered instances at once – providing the user (read thin- or rich- “client device”), can access adequate bandwidth and memory (as applicable), and a stable power supply.

[5] See e.g. Ekundayo George.  Data Protection and Retention in the Cloud: Getting it Right.  Published on ogalaws.wordpress.com, March 11, 2013.  I further define these 4 (“four”) SaaS service offerings there, at notes 1 through 5 and accompanying text.  Online: https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/

[6] Supra note 1.

What about hospital BYOD?

October 7, 2012

WOW!

I was just leafing through the Ottawa Citizen of Saturday, October 6, 2012, and I came across an article on rising BYOD at the Children’s Hospital of Eastern Ontario (CHEO).[1]

WHAT?

BYOD literally means “bring your own device”, and refers to the growing practice of employers allowing employees to bring their own mobile devices (smart phones, tablets, laptops) into the workplace, so that they may access proprietary and work-related information on platforms with which they are already quite comfortable.

WHY?

Some of the advantages of BYOD identified in that article, include: (i) cashflow savings (not having to buy and replace devices for employees on an employer’s own tab, whether with operating funds or debt); (ii) currency (allowing employees to transport and deploy what is likely the most cutting-edge technology); (iii) speed and efficiency (permitting staffers to quickly access “more timely and accurate information” almost anywhere, as hosted on proprietary servers or those of cloud service providers/vendors);[2] and (iv) good environmental stewardship (cutting down on the use of paper, and copying costs, through the increasing use of EHR, or electronic health records).[3]

WHOA!

Doubtless, CHEO is already very well advised on these and related matters.  However, in the race for similar BYOD gains by others,[4] let us try not to forget the clear potential for pains and strains, on which I have blogged at some length.[5]  There are 4 (“four”) main keys to creating and implementing a BYOD/Cybersecurity Policy to guard against these, and employers hoping to exploit the gains of BYOD are well advised to have legal counsel – preferably counsel who are also familiar with the laws outside Canada, due to the global nature of the internet and Cybercrime – assist them in devising an appropriate framework within which BYOD can thrive, responsibly.  These keys follow, in brief.

Systemic Security:

Stringent efforts must be made to secure access to the information accessible on or through these many mobile devices.  The employer’s I.T. staff (or specialized contractors) also need to remain busy and vigilant in ensuring that no malicious code is present on these devices, or is introduced into the system by means of these devices.  This, of course, will require copious amounts of training and retraining on countering social engineering techniques, safe browsing outside the workplace, and other device security measures.  Although an added inconvenience for the user, internal rules may mandate that browsers not remember passwords, requiring a re-typing for each access or use.  In addition, and at the very least, BYOD mobile devices must themselves be protected with passwords and, where applicable, be programmed to alert the owner as to their location, or to remotely “self-wipe” and restore themselves to factory defaults, if stolen or misplaced.

Active Management:

Spot checks and random audits must be used to ensure and maintain compliance with any mobile security policy designed for the “anywhere, any device, anytime” BYOD-enabled workspace; or, as more accurately put, the “BYOD-uw” (ubiquitous workplace).
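As an added example that is not part of the original post, the following script shows what such a spot check can look like when the policy points above (supported platform, device passcode, remote locate/wipe enrollment, browsers not saving passwords) are turned into an automated audit over a device inventory.  The record layout, the field names, the list of supported platforms and the 30-day check-in threshold are all assumptions for illustration, and the sample inventory is constructed rather than taken from any real MDM export.

```python
# Added example (not part of the original post): a compliance spot-check over
# BYOD inventory records, in the spirit of the "Active Management" point above.
# Record layout, field names, supported-platform list and the 30-day check-in
# threshold are assumptions; the sample inventory below is constructed data.
from dataclasses import dataclass
import random

# Policy element 1 ("Systems and Products"): which platforms are supported at all.
SUPPORTED_OS = {"ios", "android", "windows", "macos", "linux"}
# Assumed threshold: a device that has been silent this long cannot be
# located or wiped, whatever the enrollment record says.
MAX_DAYS_SINCE_CHECKIN = 30


@dataclass
class Device:
    owner: str
    os: str
    passcode_set: bool
    locate_wipe_enrolled: bool      # remote locate / "self-wipe" is enrolled
    browser_saves_passwords: bool   # internal rule: browsers must not remember passwords
    days_since_checkin: int


def audit_device(d: Device) -> list[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings = []
    if d.os.lower() not in SUPPORTED_OS:
        findings.append("unsupported platform")
    if not d.passcode_set:
        findings.append("no device passcode")
    if not d.locate_wipe_enrolled:
        findings.append("not enrolled for remote locate/wipe")
    elif d.days_since_checkin > MAX_DAYS_SINCE_CHECKIN:
        # Enrolled but unreachable: a wipe command would queue, not execute.
        findings.append("no check-in for %d days; remote wipe would not reach device"
                        % d.days_since_checkin)
    if d.browser_saves_passwords:
        findings.append("browser password saving enabled")
    return findings


def spot_check(devices: list[Device], sample_size: int, seed: int) -> dict[str, list[str]]:
    """Random audit: draw sample_size devices (seeded, so the draw can be
    reproduced for the audit record) and return owner -> findings for the
    non-compliant ones only."""
    rng = random.Random(seed)
    sample = rng.sample(devices, min(sample_size, len(devices)))
    return {d.owner: f for d in sample if (f := audit_device(d))}


# Constructed sample inventory (illustrative only).
INVENTORY = [
    Device("alice", "ios", True, True, False, 2),        # compliant
    Device("bob", "android", False, True, True, 5),      # no passcode, browser saves passwords
    Device("carol", "windows", True, True, False, 45),   # enrolled but silent for 45 days
    Device("dave", "webos", True, False, False, 1),      # unsupported platform, not enrolled
]

if __name__ == "__main__":
    for owner, findings in spot_check(INVENTORY, 4, seed=2012).items():
        print(owner, "->", "; ".join(findings))
```

The seeded draw matters in practice: an audit that cannot be reproduced is hard to defend if an employee later disputes a finding, and a fixed seed per audit period still gives a random selection from the staff's point of view.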

Internal Controls:

Information access controls must also be strictly enforced, so that employees have access only to that information of which they have a business-specific need to know.  BYOD should not be a free license for fishing expeditions, or an invitation to forget medical ethics and use identifiable patient records in social media posts (medical blogs, “would you believe’s”, and juicy tidbits of malice post breakup/rejection); not to mention the truly inadvertent disclosures or keying slip-ups.  Data can also be protected against copy/paste, drag-and-drop and download, and covered by strict write and edit permissions.  This level of openness for use, and potential for abuse, also makes the initial background checks and vulnerable sector screens that much more important.  Behavioural interviewing techniques and other means of heightened pre-employment due diligence have already become the norm, due to the increasing use (and abuse) of social media, and a generally heightened, global security awareness in both the public and private sectors.
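As an added example that is not part of the original post, here is what a need-to-know check over patient records can look like in code: each request is judged on role, stated purpose and a current care relationship with the patient, an administrative role sees only the fields its purpose needs, “export” (the copy/paste, drag or download case) is permitted to no role, and every decision is logged so that repeated denials, the signature of a fishing expedition, can be picked out in a spot check.  The role model, purpose codes, care-team relationship and field lists are assumptions for illustration; the staff and records are constructed, not real data.

```python
# Added example (not part of the original post): a need-to-know access check
# over patient records with an audit trail, illustrating the "Internal
# Controls" point above.  Role model, purpose codes, care-team relationship and
# field lists are assumptions; the staff and records below are constructed.
from dataclasses import dataclass
from collections import Counter

# Assumed role policy: (actions permitted, purposes permitted).  No role may
# "export", so copy/paste, drag or download of a record is denied for everyone.
ROLE_POLICY = {
    "physician":  ({"read", "write"}, {"treatment"}),
    "nurse":      ({"read", "write"}, {"treatment"}),
    "clerk":      ({"read"},          {"scheduling", "billing"}),
    "it_support": (set(),             set()),   # keeps systems running, never opens charts
}

# Fields an administrative purpose actually needs; clinical fields are withheld.
ADMIN_FIELDS = {"patient_id", "name", "next_appointment"}


@dataclass
class Staff:
    user_id: str
    role: str
    care_team_for: frozenset  # patient_ids this person is currently assigned to


@dataclass
class AccessRequest:
    user: Staff
    patient_id: str
    action: str   # "read", "write" or "export"
    purpose: str  # "treatment", "scheduling", "billing", ...


AUDIT_LOG: list = []


def authorize(req: AccessRequest) -> tuple:
    """Decide one request and return (allowed, reason); every decision is logged."""
    actions, purposes = ROLE_POLICY.get(req.user.role, (set(), set()))
    if req.action not in actions:
        decision = (False, f"role '{req.user.role}' may not {req.action}")
    elif req.purpose not in purposes:
        decision = (False, f"purpose '{req.purpose}' not permitted for role")
    elif req.patient_id not in req.user.care_team_for:
        decision = (False, "no current care relationship with patient")
    else:
        decision = (True, "ok")
    AUDIT_LOG.append({"user": req.user.user_id, "patient": req.patient_id,
                      "action": req.action, "purpose": req.purpose,
                      "allowed": decision[0], "reason": decision[1]})
    return decision


def fetch_record(req: AccessRequest, records: dict):
    """Return the record (minimised for administrative roles), or None if denied."""
    allowed, _ = authorize(req)
    if not allowed:
        return None
    rec = dict(records[req.patient_id])
    if req.user.role == "clerk":
        rec = {k: v for k, v in rec.items() if k in ADMIN_FIELDS}
    return rec


def denied_counts(min_denials: int = 3) -> dict:
    """Users with at least min_denials denied requests in the audit log."""
    c = Counter(e["user"] for e in AUDIT_LOG if not e["allowed"])
    return {u: n for u, n in c.items() if n >= min_denials}


# Constructed sample data (illustrative only).
RECORDS = {
    "P100": {"patient_id": "P100", "name": "A. Patient",
             "next_appointment": "2012-10-15", "notes": "clinical notes"},
}
DR = Staff("dr_lee", "physician", frozenset({"P100"}))
CLERK = Staff("clerk_kim", "clerk", frozenset({"P100"}))
OTHER = Staff("dr_roy", "physician", frozenset())  # not on P100's care team

if __name__ == "__main__":
    print(fetch_record(AccessRequest(DR, "P100", "read", "treatment"), RECORDS))
    print(fetch_record(AccessRequest(CLERK, "P100", "read", "scheduling"), RECORDS))
    print(fetch_record(AccessRequest(OTHER, "P100", "read", "treatment"), RECORDS))
    print(denied_counts(1))
```

The check is ordered so that the cheapest, most general rule (role) runs first and the patient-specific relationship last; the reason string goes into the log rather than back to the user, so a denied request does not confirm to the requester whether the patient exists or who is assigned to them.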

Legal and Regulatory Compliance:

Compliance must always be at the forefront, as there will be a host of regulatory regimes that are business- or industry-specific (protecting Intellectual Property Rights (IPR) in the technology sector), risk-specific (countering leaks and espionage in the government sector), and privacy-centred (PHIPA[6] in the Ontario healthcare sector).[7]  Privacy insurance is becoming increasingly popular, advisable, and even mandatory in certain cases, and several jurisdictions now have stringent notice and remediation laws in the case of a privacy breach.

WHITHER?

Forward, yes – but with caution, commonsense, and advice from legal and I.T. professionals.

Happy Thanksgiving!

***********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare and privacy, Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See, for example: http://www.ogalaws.com

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, large budgets, and multidisciplinary teams.  See, for example: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Vito Pilieci.  CHEO prescribes BYOD: Just What the Doctor Ordered.  Ottawa Citizen.  Section F, Business & Technology, at F1, F2 (print version of Saturday, October 6, 2012).  Also available online: > http://www.ottawacitizen.com/business/CHEO+prescribes+BYOD/7353691/story.html<

[2] The use of cloud services should also be strongly considered and managed, as the storage of the personal information of Canadians on servers based within the United States, or its inadvertent passage through those servers, may lead to warrantless disclosures of said information to the arms and entities of a foreign nation without the consent or knowledge of the information subject, and in certain cases, the knowledge of a legally responsible information custodian.  See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published on http://www.Ogalaws.wordpress.com, on December 28, 2011.

Online: >https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/<

[3]Supra note 1.

[4]Id. The article also cites Citrix Systems, a CHEO vendor, as saying “more than 34 per cent of Canadian companies already have policies in place to allow employees to bring in personal devices.  Another 27 per cent of Canadian firms plan to roll out some form of BYOD initiative over the next 12 months”.

[5]See e.g. Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on http://www.Ogalaws.wordpress.com, December 9, 2011.

Online: >https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/<

[6] PHIPA (Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A).  Online: >http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm<

[7] Also consider the potential applicability of MFIPPA within Ontario, and of PIPEDA at the federal level across Canada and, with regard to data flows, outside Canada.  See MFIPPA (Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, CHAPTER M.56).  Online: >http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90m56_e.htm<  See also PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5).  Online: >http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html<
