What about hospital BYOD?

October 7, 2012


I was just leafing through the Ottawa Citizen of Saturday, October 6, 2012, and I came across an article on rising BYOD at the Children’s Hospital of Eastern Ontario (CHEO).[1]


BYOD literally means “bring your own device”, and refers to the growing practice of employers allowing employees to bring their own mobile devices (smart phones, tablets, laptops) into the workplace, so that they may access proprietary and work-related information on platforms with which they are already quite comfortable.


Some of the advantages of BYOD identified in that article include: (i) cashflow savings (not having to buy and replace devices for employees on an employer’s own tab, whether with operating funds or debt); (ii) currency (allowing employees to transport and deploy what is likely the most cutting-edge technology); (iii) speed and efficiency (permitting staffers to quickly access “more timely and accurate information” almost anywhere, as hosted on proprietary servers or those of cloud service providers/vendors);[2] and (iv) good environmental stewardship (cutting down on the use of paper, and on copying costs, through the increasing use of EHR, or electronic health records).[3]


Doubtless, CHEO is already very well advised on these and related matters.  However, in the race for similar BYOD gains by others,[4] let us try not to forget the clear potential for pains and strains, on which I have blogged at some length.[5]  There are 4 (“four”) main keys to creating and implementing a BYOD/Cybersecurity Policy to guard against these, and employers hoping to exploit the gains of BYOD are well advised to have legal counsel – preferably counsel who are also familiar with the laws outside Canada, due to the global nature of the internet and Cybercrime – assist them in devising an appropriate framework within which BYOD can thrive, responsibly.  These keys follow, in brief.

Systemic Security:

Stringent efforts must be made to secure access to the information accessible on or through these many mobile devices.  The employer’s I.T. staff (or specialized contractors) also need to remain busy and vigilant in ensuring that no malicious code is present on these devices, or is introduced into the system by means of these devices.  This, of course, will require copious amounts of training and retraining on countering social engineering techniques, safe browsing outside the workplace, and other device security measures.  Although an added inconvenience for the user, internal rules may mandate that browsers not remember passwords, requiring a re-typing for each access or use.  In addition and at the very least, BYOD mobile devices must themselves be protected with passwords and, where applicable, programmed to alert the owner as to their location, or to remotely “self-wipe” and restore themselves to factory defaults, if stolen or misplaced.

Active Management:

Spot checks and random audits must be used to ensure and maintain compliance with any mobile security policy designed for the “anywhere, any device, anytime” BYOD-enabled workspace; or, as more accurately put, the “BYOD-uw” (ubiquitous workplace).

Internal Controls:

Information access controls must also be strictly enforced, so that employees have access to only that information of which they have a business-specific need to know.  BYOD should not be a free license for fishing expeditions, or an invitation to forget medical ethics and use identifiable patient records in social media posts (medical blogs, “would you believe’s”, and juicy tidbits of malice post breakup/rejection); not to mention the truly inadvertent disclosures or keying slip-ups.  Data may also be protected against cut/paste, dragging, and download, and covered by strict write and edit permissions.  This level of openness for use and potential abuse also makes the initial background checks and vulnerable sector screens that much more important.  Behavioural interviewing techniques and other means of heightened pre-employment due diligence have already become the norm, due to the increasing use (and abuse) of social media, and a generally heightened, global security awareness in both the public and private sectors.
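The two controls just described, need-to-know access to patient records (Internal Controls) and the spot checks and random audits that keep the policy honest (Active Management), can be shown together in a few dozen lines. The following is an added illustration, not code from the original post or from CHEO; the roles, user ids, record ids and policy table are constructed sample data, and the access decision combines a role permission (what a role may do with a record category) with a per-record care team (whether this user has a business need to know about this patient). Every decision, allowed or denied, is written to an audit trail, and a review routine flags users with repeated denials, the pattern a “fishing expedition” leaves behind.

```python
"""
Need-to-know access control for health records, with an audit trail and
a spot-check routine.  Added example; all roles, users, record ids and
policy entries below are constructed sample data, not from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import random

# Constructed policy: which roles may read/write which record categories.
# An empty set means the role has no business with that category at all.
POLICY = {
    "attending_physician": {"clinical": {"read", "write"}, "billing": set()},
    "nurse":               {"clinical": {"read"},          "billing": set()},
    "billing_clerk":       {"clinical": set(),             "billing": {"read", "write"}},
}


@dataclass
class Record:
    record_id: str
    patient_id: str
    category: str        # "clinical" or "billing"
    care_team: frozenset  # user ids with a business-specific need to know


@dataclass
class AuditEvent:
    ts: str
    user: str
    record_id: str
    action: str
    allowed: bool
    reason: str


class RecordStore:
    def __init__(self, records):
        self.records = {r.record_id: r for r in records}
        self.audit_log = []

    def _decide(self, user, role, record, action):
        """Role permission first, then the per-record need-to-know check."""
        if role not in POLICY:
            return False, "unknown role"
        if action not in POLICY[role].get(record.category, set()):
            return False, f"role {role} may not {action} {record.category} records"
        if user not in record.care_team:
            return False, "user is not on the care team for this patient"
        return True, "need-to-know satisfied"

    def access(self, user, role, record_id, action):
        """Decide, then log the decision either way; returns True if allowed."""
        record = self.records.get(record_id)
        if record is None:
            allowed, reason = False, "no such record"
        else:
            allowed, reason = self._decide(user, role, record, action)
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, record_id,
            action, allowed, reason))
        return allowed


def repeat_denials(audit_log, threshold=2):
    """Full-log review: users denied at least `threshold` times, sorted."""
    counts = {}
    for ev in audit_log:
        if not ev.allowed:
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def spot_check(audit_log, sample_size, seed=None):
    """Random spot check: a reproducible sample of events for a human reviewer."""
    rng = random.Random(seed)
    return rng.sample(audit_log, min(sample_size, len(audit_log)))


def demo():
    """Constructed scenario: three records, three staff, six access attempts."""
    records = [
        Record("rec-001", "pat-42", "clinical", frozenset({"dr_ada", "nurse_bo"})),
        Record("rec-002", "pat-42", "billing",  frozenset({"clerk_cy"})),
        Record("rec-003", "pat-77", "clinical", frozenset({"dr_ada"})),
    ]
    store = RecordStore(records)
    results = {
        "physician_reads_own_patient": store.access("dr_ada", "attending_physician", "rec-001", "read"),
        "nurse_writes_clinical":       store.access("nurse_bo", "nurse", "rec-001", "write"),
        "nurse_reads_other_patient":   store.access("nurse_bo", "nurse", "rec-003", "read"),
        "clerk_reads_clinical":        store.access("clerk_cy", "billing_clerk", "rec-001", "read"),
        "clerk_reads_billing":         store.access("clerk_cy", "billing_clerk", "rec-002", "read"),
        "nurse_reads_missing":         store.access("nurse_bo", "nurse", "rec-999", "read"),
    }
    return store, results


if __name__ == "__main__":
    store, results = demo()
    for name, allowed in results.items():
        print(f"{name:30s} {'ALLOWED' if allowed else 'DENIED'}")
    print("flagged for repeated denials:", repeat_denials(store.audit_log))
    for ev in spot_check(store.audit_log, 3, seed=1):
        print("spot check:", ev.user, ev.record_id, ev.action, ev.reason)
```

Two design points are worth noting. Denials are logged with the same care as successes, because it is the denied attempts that show who is probing beyond their need to know; and the role table deliberately gives a billing clerk no clinical access rather than read-only access, since “need to know” is about the business purpose, not the sensitivity level alone.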

Legal and Regulatory Compliance:

Compliance must always be at the forefront, as there will be a host of regulatory regimes that are business- or industry-specific (protecting Intellectual Property Rights/IPR in the technology sector), risk-specific (countering leaks and espionage in the government sector), and privacy-centred (PHIPA[6] in the Ontario healthcare sector).[7]  Privacy insurance is becoming increasingly popular, advisable, and even mandatory in certain cases, and several jurisdictions now have stringent notice and remediation laws in the case of a privacy breach.


Forward, yes – but with caution, commonsense, and advice from legal and I.T. professionals.

Happy Thanksgiving!



Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare and privacy, Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See, for example: http://www.ogalaws.com

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, large budgets, and multidisciplinary teams.  See, for example: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.

[1] Vito Pilieci.  CHEO prescribes BYOD: Just What the Doctor Ordered.  Ottawa Citizen.  Section F, Business & Technology, at F1, F2 (print version of Saturday, October 6, 2012).  Also available online: http://www.ottawacitizen.com/business/CHEO+prescribes+BYOD/7353691/story.html

[2] The use of cloud services should also be strongly considered and managed, as the storage of the personal information of Canadians on servers based within the United States, or its inadvertent passage through those servers, may lead to warrantless disclosures of said information to the arms and entities of a foreign nation without the consent or knowledge of the information subject, and in certain cases, the knowledge of a legally responsible information custodian.  See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published on http://www.Ogalaws.wordpress.com, on December 28, 2011.

Online: https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/

[3] Supra note 1.

[4] Id.  The article also cites Citrix Systems, a CHEO vendor, as saying “more than 34 per cent of Canadian companies already have policies in place to allow employees to bring in personal devices.  Another 27 per cent of Canadian firms plan to roll out some form of BYOD initiative over the next 12 months”.

[5] See e.g. Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on http://www.Ogalaws.wordpress.com, December 9, 2011.

Online: https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/

[6] PHIPA (Personal Health Information Protection Act, 2004, S.O. 2004, CHAPTER 3).  Online: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm

[7] Also consider the potential applicability of MFIPPA and PIPEDA, whether in Ontario alone, or elsewhere in Canada and at the federal level, as well as outside Canada with regard to the latter, PIPEDA.  See MFIPPA (Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, CHAPTER M.56).  Online: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90m56_e.htm  See also PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5).  Online: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html

The advent of the cloud has, indeed, changed outsourcing and litigation, inter alia. For now, all who think they may one day be or become subject to discovery and e-discovery requests in relation to I.T. outsourcing, or cloud-sourcing, or both of these, (as well as those who think it can never happen to them, especially General Counsels), may wish to consider, at a minimum, the following, as gleaned from my knowledge and work in the field and review of assorted arrangements, agreements, laws and developments.

Vendors (“Cloudmasters”):

For Vendors, especially the Master Vendors, or “Cloudmasters”, 3 (“three”) critical and indispensable components of the ecosystem (short for “e-commerce system”) and cloud business model, are the “Air”; the “Water”; and the “Seeds.”

1. AIR: The air is, of course, the environment within which one does business.  Bad air can lead to acid rain.  I think this has been well enough established in the field of environmental law.  In and comprising the air, there is law, there are regulations, and there is company policy.  It is not impossible for a Cloudmaster to be in compliance with law, and to have lax internal controls and policies at the same time.  All the air must be good, or else something will suffer.  Certain jurisdictions have strong privacy laws, and others do not.  Certain jurisdictions and types of activity call for the application of heightened regulatory oversight, and this must be respected.  The Cloudmaster choosing the law of one jurisdiction as the preferred location for any “rain” must also be and remain aware and relatively up to date regarding the laws of certain other jurisdictions through or by or from which some or all of the cloud Residents are governed, whether as individuals or as businesses, and whether as parties to the contract, or third parties in interest.  Many laws may be national, but the air knows no borders!  National and sub-national governments may also go in many and conflicting directions at once in terms of cybersecurity,[1] for example, and until things settle, the Cloudmaster must follow the storm and sail in the direction of every conflicting wind at the same time.  Helping shape a uniformity in the direction of these winds is just one of the many ways in which lobbyists “can” be useful.

2. WATER: Water, also, knows no borders.  Considering the vast array of chemicals that are toxic, carcinogenic, and persistent organic pollutants, and also water-soluble, and considering also the richness of microscopic life that can be found in the waters of this glorious planet, I think an analogy of data as water is quite apt.  You never really know what is in it, until it is in your system and has had a chance to … relax, look around, and spread its wings to feel right at home.  Water that gets into the wrong place of a critical system can cause rust, fry circuits, and give some nasty shocks to anyone in contact with, or in the vicinity of, that system.  Bearing all of this in mind, it becomes rather important, in a one-to-many service offering such as a Cloud Utility, for the Cloudmaster to “most stringently enforce” some shared responsibilities on the Residents for the good of all, and to credibly and demonstrably promote best practices in safeguarding the resilience of critical processes.  What this means is that “your” water, as a Resident, gets nowhere near the bigger body unless you can show that, at a bare minimum, some very basic things are in place, such as procedures for enforcing internal controls, employee integrity, and system security, and that they are taken seriously.

Consider this: (i) many reputable antivirus programs will not even install until after they have performed a basic scan; (ii) a number of educational institutions will not let a user onto their wireless network unless and until the presence of a “current and functioning” antiviral program on that potential user’s system has been detected; and (iii) it is always advisable to at least take a tour of a new neighborhood before you move in, unless you are in the habit of buying “sight unseen” and without any clue as to what you might be getting into.  Checking the credentials or credit of an applicant or prospective resident, or asking about the standard operating procedures and policies of a landlord, employer, or prospective host, are really not new or alien practices.

Some Cloudmasters will accept all comers in order to grow fast and bulk up ahead of the competition.  When the indiscriminate taking-on of water catches up with them and becomes too much for the emergency pumps, the market will surely assign them their just rewards.  Know your water source before it gets to your water course, to the extent possible, and ensure that all Residents have, in advance or within a reasonable time after joining, information security, infrastructural security, best practices, acceptable and defined compliance and internal governance programs, and self-certification or third-party certification in the form of a warranty and representation, a covenant and undertaking, or both of these; and always with indemnification.

3. SEEDS: Bad seeds will either not grow, or they will grow into the wrong and unanticipated, and unexpected plant.  Remember, a weed, an insect eating plant, and a cactus, are all still plants – at least to my non-botanist self.  Your seeds are your Residents.  A bad seed may be a rotter on the water, or just not care for the air.  Cloudmasters can ill afford to follow suit, and must be prepared when called for, to give a bad seed the boot, before it really takes root and creates a bad breed that cannot be easily or cheaply removed from the system.  Prevention is always better than the cure; and it is also much cheaper, in most if not all cases.

But, what of those Residents?  Should they not look-upon and treat their Cloudmasters with equal, if not greater suspicion?  Of course, why not!

Customers (Cloud “Residents”):

For cloud Residents, the primary 4 (“four”) critical questions they should consider, begin with: “Who?”; “Where?”; “What?”, and “Why?”

a. WHO: Know your primary cloud vending entity (“Cloudmaster”), draft your agreements defensively, and protect against both changes in control (theirs and yours) and changes in liquidity as a going concern (again, both theirs and yours).

b. WHERE: Be sure to extract an iron-clad guarantee from the Cloudmaster that your data will be kept “solely and entirely” in the appropriate country (such as Canada or the United States), or another jurisdiction acceptable to you, such as the European Union (EU); or the European Economic Area (EEA) to further include Norway, Iceland, and Liechtenstein; or the European Free Trade Area (EFTA) to further include Switzerland, as appropriate.  If the Cloudmaster cannot definitively tell someone where their data will be hosted, or if they just do not know, then the end-result of any decision to continue doing business with such a Cloudmaster, will be solely and completely for the one so deciding to continue.

Everyone who has been paying attention to the news in this area will know that data breaches and the costs of these data breaches in reputation, fines, settlements, and regulatory enforcement actions and investigations and sanctions, have been mounting at a fierce pace.  In addition to your undoubtedly stringent precautions in the above and otherwise, it is not irrational to try to deal with as few privacy regulators as possible, should a breach occur that forces you to make the appropriate disclosures to clients and the proper authorities.  More jurisdictions of operation means more potential discovery and e-discovery obligations; most definitely a greater level of costs for ongoing compliance; and, more than likely, significantly greater costs of remediation in credit counseling and monitoring, changes to and replacement of compromised documents and credentials, and the various and assorted court and regulatory proceedings to monitor and report on the progress of same.  Some courts are becoming rather aggressive in striking-down arbitration clause provisions that specified arbitration (and imposing outright litigation in its stead), or that specified a particular forum (and imposing their own idea of what is or should be, the appropriate forum, which is, invariably, the court striking down that carefully-drafted contract clause).

Just as the cloud has expanded access to hitherto unheard of computing capacity and lowered its costs, it may also lead to either: (a) greater insularity and a lower level of “real” cross-border trades, because of the almost unlimited potential liabilities; or (b) new laws and/or regulations on a regional bloc-basis or on an international or near-international level, in order to control for some of these risks and to put both the market and the consumers more at ease.  Privacy Insurance has already taken a firm hold in a number of jurisdictions; albeit not yet too uniform as to underwriting standards, coverage options, and policy limits.

c. WHAT: In addition to the above, you would be well-advised to develop an in-depth understanding of the Cloudmaster’s security, data retention, and other policies, and also those in the links and structures of the cloud; as well as the who, where, and what of the other cloud participants, sub-vendors, and sub-contractors to the extent that they are disclosed and distinct or otherwise discoverable by due diligence, in order to prevent your being inadvertently caught in a “chain of rain” that brings far more pain than the originally anticipated gain.

d. WHY: Of course, you also need to know what and how often the Cloudmaster does purge or intends to purge, and what logs, if any, they keep and can provide to you without breaching their obligations to other cloud users and deemed cloud residents, whether permanent, or occasional as needed, or transient and otherwise fleeting (each and all deemed and defined herein as “Residents”).

Over-partitioning the data of different Residents, where and as available, adds costs, of course, but it may well also add serious peace of mind in enabling ease of recovery and e-Discovery, and decreasing the risk of inadvertent disclosures and/or cross-contamination when discovery does come a-calling.  That is a trade-off computation that must be done and presented to a company’s management for their own good Business Judgment; then the appropriate sign-off can be waved as a shield – once properly discovered – against that judicial Sword of Damocles.  Whether Sarbanes-Oxley requires legal counsel, accountants, or auditors to protest more loudly and publicly where and when a publicly-listed entity is unwilling or unable to pay that extra cost and then fails to disclose this in the MD&A or otherwise in accordance with law, such as with the current and growing push by the United States Federal Trade Commission (FTC) for greater disclosure of cybersecurity risks by issuers, is significantly beyond the scope of this little missive.

Let the Cloudmaster know what, how, and how much of that “purgeable content” and other data content you want: (a) not purged and kept in place; (b) not purged and delivered to you in backup format on a periodic basis; (c) purged but similarly delivered to you on a periodic basis; or (d) otherwise dealt with.  A Cloudmaster is not responsible for meeting anyone’s preservation or discovery or e-discovery obligations but its own, except if contractually bound to comply or assist in the same and appropriately motivated by consideration in cash and contract, and by the consequences of not complying.  In the case of a Platform-as-a-Service (PaaS) or an Infrastructure-as-a-Service (IaaS) Cloudmaster providing a flow-through Utility, appropriate Digital Millennium Copyright Act (DMCA) safeguards and the like may further serve to hold that Cloudmaster harmless, and potentially also adequately defended and indemnified against an assortment of potential claims.

SUMMARY:  To the exclusion of any particular industry of Resident focus or Cloudmaster competence, which would be additional, we should all be mindful that cloud computing touches over two dozen practice areas and is therefore extremely complex, by nature.  Anyone who cannot appreciate this fact from the outset is not setting out well, at the very least.  Some cloud-touching and cloud-touched practice areas that I have identified, so far, include those listed below, in no particular order:


Criminal law;
Antitrust law;
Competition law;
Information Technology (I.T.);
Class Actions;
Labor and employment law;
Bankruptcy and insolvency policies;
Securities regulation;
Corporate governance;
International trade law;
Choice and conflicts of laws;
Interstate and interprovincial trade;
Banking and secured transactions;
Litigation (including forum selection);
Intellectual Property Rights (I.P.R.);
Libel and Defamation;
Alternative Dispute Resolution (A.D.R.);
Constitutional law and National Sovereignty;
Law Enforcement and National Security (LENS);
Media, privacy, new and social media, and moral rights.

The Cloud is still quite new, as was aviation before it, once upon a time.  The aviation industry built upon the foundations of shipping, which has been in place for a very long time, and the cloud will build upon the lessons, disasters, and opportunities of both of these – which are themselves still evolving (in shipping, such as with the Laws of the Sea re: territorial limits, ocean dumping, and piracy; and in aviation, such as with GHG emissions, Air Marshals, Space law and space tourism, and passenger bills of rights when stuck on the ground between the terminal and the flight plan).  Alas, things move significantly faster over the Internet and through the Cloud – especially those things to which significant liability can and does attach – and so these older, tried and tested concepts may need to be speeded up, re-mixed, re-constituted and re-configured, just to keep pace with the speed of this our human race.

We should also add Taxation to the above listing of practice areas, as the United States and other jurisdictions are looking with increasing favour and fervor at a tax on internet-based or internet-enabled commerce as a way to boost falling (and flat) government revenues.[2]  Following the earlier lead of the E.U. in this effort,[3] the questions of who is taxable and why, and of what transactions, from where and to where, are taxable at what rate or rates, will most certainly keep practitioners in conflicts of laws, constitutional law and national sovereignty, and the other above-listed practice areas rather busy.

For now, watch the weather forecast, but always take your own precautions, scan the horizon, mind the air, the water and the seeds, and keep a reinforced umbrella handy.

Anyone telling you that the Cloud is a simple thing to seed or read, is, I think, mistaken.


Ekundayo George is a Lawyer and Strategic Consultant.  He is a published author in Environmental Law and Policy; licensed to practice law in multiple states of the United States of America, as well as Ontario, Canada; and has over a decade of solid legal experience in business law and counseling, diverse litigation, and regulatory practice.

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.

[1] Colin J. Zick, Esq.  More Consumer Data Security and Privacy Legislation Introduced. Posted on September 12, 2011, in a blog entitled “Security, Privacy and the Law”, published by Foley Hoag LLP; (visited on November 28, 2011).  Available at: http://www.securityprivacyandthelaw.com/2011/09/articles/data-breach-1/more-consumer-data-security-and-privacy-legislation-introduced/

[2] ecommercejunkie. Congress Eyes Federal Sales Tax Bill. Posted on August 1, 2011 in a blog entitled “E-Commerce News”, for e-commerce news from around the web; (visited on November 28, 2011).  Available at:

[3] Martin A. Weiss, Analyst in International Trade and Finance, Foreign Affairs, Defense, and Trade Division; Nonna A. Noto, Specialist in Public Finance, Government and Finance Division. CRS Report for Congress: EU Tax on Digitally Delivered E-Commerce. Updated on April 7, 2005, (visited on November 28, 2011).  Available at: http://ipmall.info/hosted_resources/crs/RS21596_050407.pdf
