BYOD: Bring your own device
How to make BYOD a PLUS, not a RISK
Claire Stilwell
Associate, Norton Rose
Bring your own device: defined
• Employees bringing their own devices to work
– Not the company-issued BlackBerry
– Own the devices themselves
• Using them to access company resources or perform work-related tasks
– Mail, calendars, communication
– Document access and processing
ARE YOU BYOD?
Because everyone else is
• 48% of US workers are allowed to use personal devices for work
− 89% of IT professionals report devices connecting to the corporate network
• 75% of businesses that have no personal devices at work expect to see them by 2013
• 28% of Canadian workers already use non-company devices
− Expected to grow to 35% over 2 years
The PLUS of BYOD
• Employee satisfaction and retention
• Increases in business productivity
• Easier collaboration
The RISK of BYOD
• Security
− Data breaches
− Data loss
− Personal information
− Malware
− Lost devices
• Compliance
• Privacy
• Employee attitudes
Ask:
• Is BYOD already happening in the workplace?
− (Can it be stopped?)
• Is your company able to tolerate the risks of BYOD?
BYOD: bringing your own disaster?
BYOD Policy: an effective legal tool
• Only 34% of Canadian companies have a BYOD Policy
− Compared to 51% in the U.S. and 24% globally
• Why is a policy important?
− Set corporate priorities
− Educate employees
− Assist IT departments
• Allow for enforcement
− Employee discipline
Designing an effective BYOD policy
• Be reasonable
− Allow employee choice
− Restrict access when required
• Comply.
− Privacy laws
o Monitoring
• Ask:
− What data will be accessible, and how?
− Will the company provide IT support?
BYOD policy: who?
• Executives.
− Sensitive data? Subject to discoverability?
• Mobile Employees.
− Access to company data in countries with different security protocols
• Employees working with sensitive, confidential or proprietary information
• All devices and platforms?
• Restricting choice may not be effective
− IT support for multiple platforms
o Personal support?
BYOD Policy: What? And Where?
• Security
• Will employees be able to access the cloud?
− Increases risk of data loss
− Raises issues of data ownership, confidentiality
BYOD policy: set expectations
• Company monitoring
− Set appropriate privacy expectations
o Policy can minimize, but not remove, reasonable expectations of privacy
o R. v. Cole (2012)
• What aspects of the device will be monitored?
− Employees most concerned with monitoring personal use of the device
BYOD policy: set expectations (cont’d)
• Security
− Encryption, Passwords, Remote Wiping
− Anti-virus software
− Access to the cloud
• Remote Wiping - what?!
− Encourage personal back-ups
BYOD policy: set expectations (cont’d)
• BYOD is a privilege
− Access can be terminated
• All other policies still apply
− Harassment
− Data security
− Confidentiality
− Social media
BYOD policy: clear consequences
• Tampering with security settings
– "Jailbroken" devices will be wiped
– BYOD privileges revoked
• Lost, stolen or otherwise compromised device will be wiped
• Breach of other corporate policies through a personal device will be penalized
Policy 101: draft - educate - enforce
• DRAFT
− Unambiguous, reasonable, legally enforceable policy
• EDUCATE
− Employees
o Expectations and consequences
− IT departments
o Level of support and reporting
• ENFORCE
BYOD technology: mobile device management
• Restricting access to authenticated devices
− Security certificates
• Remote desktops
− Limiting access to company data
• Wiping data remotely
BYOD: next steps
• Where are you now? Where would you like to be?
• Draft a BYOD Policy and ensure it is legally compliant
• Consider technical solutions
• Educate your employees
CASL: The strictest anti-spam law in the world
• Canada's Anti-Spam Law (CASL) is expected to come into force early next year
− Regulates Commercial Electronic Messages (CEMs)
o Broad definition of commercial; no expectation of profit required
o Also regulates other electronic forms of communication and certain computer programs
− Requires 'opt-in' consent
o Unlike any other anti-spam law
• Serious Penalties
Disclaimer
The purpose of this presentation is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of Norton Rose Canada on the points of law discussed.
No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any constituent part of Norton Rose Group (whether or not such individual is described as a “partner”) accepts or assumes responsibility, or has any liability, to any person in respect of this presentation. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of, as the case may be, Norton Rose LLP or Norton Rose Australia or Norton