BYOD BRING YOUR OWN DISASTER?

Transcription

1

2 BYOD BRING YOUR OWN DISASTER?

3 Síobhra Rush, Session Chair Leman Solicitors, Ireland

4 BYOD - INTRODUCTION! Agenda! What is BYOD?! Why should businesses consider it?! Potential downsides to BYOD! An explanation of some technical terms used in the BYOD sphere MDM Mobile Device Management Enterprise Apps Malware/Virus breach Consumerisation of IT

5 BYOD - INTRODUCTION

6 BYOD EMPLOYMENT AND SECURITY ISSUES Stephanie Raets, Claeys & Engels, Belgium

7 BYOD PRIOR CONSIDERATIONS! No general Directive/Regulation/law on BYOD! BYOD Policy/Programme at company level! Businesses need to be aware of the BYOD issues and take steps to mitigate to risks

8 BYOD BYOD ISSUES! Security Trade secrets and confidential information need protection Mobile devices and cloud computing services are a threat! Working Time Overtime? Breach of the Working Time Directive? Increase in stress claims! Employees rights to privacy Privacy ó employer s right to control è Bring your OWN device higher privacy expectations? Article 8 ECHR CJEU decisions on interference with privacy Principle of Legality Principle of Proportionality Principle of Finality

9 BYOD KEY ELEMENTS! Step I - Risk analysis and management Look at types of data Looks at possible threats to the IT assets What types of damage/loss could result if this threat materialises? Analyse tax and social security issues Analyse IT support: back-up, wireless issues, existing software Assess potential cost impact

10 BYOD KEY ELEMENTS! Step II - Create a BYOD policy Employer s prerogative Mandatory ó voluntary programme Who will pay for it? Security Who can participate? Which workers/classes of workers? What if a worker is promoted or demoted, changes job assignments or leaves the business? What about others, such as family members? What kinds of devices/apps/data are allowed? How much accessibility is granted? To what extent is private use allowed? What technology should be used to secure the devices? Working time When can the devices be used (for professional purposes)? Privacy and data protection Can/Will the use of the devices and the communications be monitored? What about remote wiping? Always consider impact local legislation

11 BYOD KEY ELEMENTS! Step III - Procure technology and technical controls to support mobile devices! Step IV - Implement the BYOD policy A policy is just a piece of paper if the employees are not aware of it

12 BYOD DATA PROTECTION Ken Macdonald, Assistant Commissioner (Scotland and NI), Information Commissioner s Office, Scotland

13 BYOD DATA PROTECTION IN CONTEXT! 47 % of UK adults use personal devices for work! Of these: 55% access s 35% access work files 37% edit work files and less than 3 in 10 are provided with guidance

14 BYOD DATA PROTECTION Whose device? Whose data? VHF What data? Where is the data? Is it secure? What can go wrong? BYOD

15 BYOD DATA PROTECTION! WHOSE DEVICE? Chooses Owns Supports Purchases Maintains

16 BYOD DATA PROTECTION! WHOSE DATA? Family & Friends Clients & Customers Colleagues

17 BYOD DATA PROTECTION! WHAT DATA? Domestic Commercial Commercial

18 BYOD DATA PROTECTION! WHERE IS THE DATA? DEVICE LOCAL PC SERVER CLOUD

19 BYOD DATA PROTECTION! IS IT SECURE?

20 BYOD DATA PROTECTION WHAT CAN GO WRONG? A Scottish advocate and QC was away from home on holiday but had left tradesmen with the keys to her home and her alarm code in order to undertake some work and stressed the importance of keeping her front door locked and the alarm activated. On her return, she found her laptop was missing. This laptop held information about individuals involved in eight court cases (two of them involving physical or mental health) yet was unencrypted. ICO Undertaking The incident occurred before the UK Information Commissioner had the power to impose a civil monetary penalty. Instead, the advocate signed an undertaking to encrypt all portable devices and keep them under lock and key.

21 BYOD DATA PROTECTION WHAT CAN GO WRONG?! An unencrypted laptop containing details of 24,000 people who had sought legal services was stolen from a homeworker. The homeworker had downloaded personal info on to the laptop and left it on the kitchen table. 60k Civil Monetary Penalty! The data controller had failed to take appropriate technical and organisational measures against the accidental loss of personal data held on the laptop computer such as encrypting the laptop computer and providing the employee with security devices for the laptop computer for example, a Kensington lock or a cable.

22 BYOD DATA PROTECTION WHAT CAN GO WRONG?! A council employee inadvertently uploaded four documents containing sensitive personal information about children and families on to the internet whilst home-working using an infected second-hand PC. 100k Civil Monetary Penalty! A home working and data protection policy was in place at the time of the breach but the technical measures to assist staff to adhere to it were not provided.

23 BYOD DATA PROTECTION ICO GUIDANCE Issued March 2014 Guidance for Data Controllers Iden9fies key risks

24 BYOD DATA PROTECTION Subscribe to our e-newsletter at or find us on

25 THANK YOU

26