BYOD: Bring your own device
How to make BYOD a PLUS, not a RISK
Claire Stilwell, Associate, Norton Rose
November 14, 2012
Bring your own device: defined
- Employees bringing their own devices to work
- Not the company-issued BlackBerry
- Own the devices themselves
- Using them to access company resources or perform work-related tasks
- Mail, calendars, communication
- Document access and processing
- "Consumerization of IT"
ARE YOU BYOD?
Because everyone else is
- 48% of US workers are allowed to use personal devices for work
- 89% of IT professionals report devices connecting to the corporate network
- 75% of businesses that have no personal devices at work expect to see them by 2013
- 28% of Canadian workers already use non-company devices
- Expected to grow to 35% over 2 years
- Gartner predicts 80% of businesses will deploy tablets by 2013
The PLUS of BYOD
- Employee satisfaction and retention
- Increases in business productivity
- Easier collaboration
- Increased access to resources
- Less responsibility for life cycle support and reduced spending on devices
The RISK of BYOD
- Security
- Data breaches
- Data loss
- Personal information
- Malware
- Lost devices
- Compliance
- Privacy
- Employee attitudes
BYOD: bringing your own disaster?
Ask:
- Is BYOD already happening in the workplace? (Can it be stopped?)
- Is your company able to tolerate the risks of BYOD?
Law & Technology
BYOD Policy: an effective legal tool
- Only 34% of Canadian companies have a BYOD Policy
- Compared to 51% in the U.S. and 24% globally
- Why is a policy important?
- Set corporate priorities
- Educate employees
- Assist IT departments
- Allow for enforcement
- Employee discipline
- Legal tool
Designing an effective BYOD policy
- Be reasonable
- Allow employee choice
- Restrict access when required
- Comply
- Privacy laws
  o Monitoring
Ask:
- What data will be accessible, and how?
- Will the company provide IT support?
- What happens when an employee is terminated?
BYOD policy: who?
- Executives. Sensitive data? Subject to discoverability?
- Mobile Employees. Access to company data in countries with different security protocols
- Employees working with sensitive, confidential or proprietary information
- Is it appropriate to allow BYOD?
BYOD Policy: What? And Where?
- All devices and platforms?
- Restricting choice may not be effective
- IT support for multiple platforms
  o Personal support?
- Security
- Will employees be able to access the cloud?
- Increases risk of data loss
- Raises issues of data ownership, confidentiality
- Harder to control
BYOD policy: set expectations
- Company monitoring
- Set appropriate privacy expectations
  o Policy can minimize, but not remove, reasonable expectations of privacy: R. v. Cole (2012)
- What aspects of the device will be monitored?
- Employees most concerned with monitoring personal use of the device
- Consider global privacy and data standards
- European vs. U.S. privacy requirements
BYOD policy: set expectations (cont'd)
- Security
- Encryption, Passwords, Remote Wiping
- Anti-virus software
- Access to the cloud
- Remote Wiping - what?!
- Encourage personal back-ups
  o Where appropriate
BYOD policy: set expectations (cont'd)
- BYOD is a privilege
- Access can be terminated
- All other policies still apply
- Harassment
- Data security
- Confidentiality
- Social media
  o What can an employee tweet/post/text?
BYOD policy: clear consequences
- Tampering with security settings
- "Jailbroken" devices will be wiped
- BYOD privileges revoked
- Lost, stolen or otherwise compromised device will be wiped
- Breach of other corporate policies through a personal device will be penalized
- Inappropriate use may result in employee discipline
Policy 101: draft - educate - enforce
DRAFT
- Unambiguous, reasonable, legally enforceable policy
EDUCATE
- Employees
  o Expectations and consequences
- IT departments
  o Level of support and reporting
ENFORCE
- Discipline employees for breach
- Continue to educate employees on the policy
BYOD technology: mobile device management
- Restricting access to authenticated devices
- Security certificates
- Remote desktops
- Limiting access to company data
- Wiping data remotely
- If device lost or if employee terminated
- Company App store
- Provide users with pre-approved choices
BYOD: next steps
- Where are you now?
- Where would you like to be?
- Draft a BYOD Policy and ensure it is legally compliant
- Consider technical solutions
- Educate your employees
- Enforce your policy
- Continue to review and adapt
CASL: The strictest anti-spam law in the world
- Canada's Anti-Spam Law (CASL) is expected to come into force early next year
- Regulates Commercial Electronic Messages (CEMs)
  o Broad definition of commercial; no expectation of profit required
  o Also regulates other electronic forms of communication and certain computer programs
- Requires 'opt-in' consent
  o Unlike any other anti-spam law
- Serious Penalties
- $10 million penalty for corporations
- Private right of action
Questions?
Contact information
Claire Stilwell, Associate, Calgary
T +1 403.267.8217
claire.stilwell@nortonrose.com
Disclaimer
The purpose of this presentation is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of Norton Rose Canada on the points of law discussed. No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any constituent part of Norton Rose Group (whether or not such individual is described as a "partner") accepts or assumes responsibility, or has any liability, to any person in respect of this presentation. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of, as the case may be, Norton Rose LLP or Norton Rose Australia or Norton Rose Canada LLP or Norton Rose South Africa (incorporated as Deneys Reitz Inc) or of one of their respective affiliates.