The Privacy Commissioner of Canada, together with the Offices of the Information and Privacy Commissioners of British Columbia and Alberta, published a document in 2015, Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization?, that is still relevant today. It sets out a range of considerations and proposes strategies for organizations that have, or are contemplating, a Bring Your Own Device (BYOD) program in the workplace.
What is BYOD?
A BYOD program is an arrangement in which a private sector organization allows employees to use their own personal mobile devices, such as smartphones or tablets, for both personal and business purposes.
Why is this concerning?
There are many benefits, such as cost savings, greater employee satisfaction because people work on the devices they prefer, and increased efficiency. However, there are also privacy and security risks that could lead to financial loss or reputational damage. Critical documents and the sensitive personal information of customers or employees could be put at risk unless careful measures are taken.
The document lists several considerations for organizations contemplating having BYOD programs:
1. Obtaining senior management commitment to address privacy and security risks: Senior management should clearly demonstrate a commitment to identifying and addressing privacy and security risks by commissioning assessments that determine what is needed to address the privacy risks specific to the organization
2. Conducting a privacy impact assessment and threat risk assessment: These assessments need to address the risks associated with the collection, use, disclosure, storage, and retention of personal information, taking into account the sensitivity of the information and what is appropriate for the organization and for employees in specific positions
3. Developing, communicating, implementing and enforcing a BYOD-specific policy: The BYOD policy should be developed, communicated, implemented, and enforced so that expectations are clearly established and easy to understand; when setting restrictions, the policy needs to balance the privacy expectations of employees using their own devices against the organization’s information management requirements
4. Pilot testing a BYOD program prior to roll-out: Pilot the program before rolling it out to the entire organization, and start with a single device platform before expanding to others, so that the risks and benefits can be examined at a manageable scale
5. Developing training materials and programs: Training is vital. Both IT staff and users need training on the privacy and security issues, along with opportunities to ask questions and obtain resources; topics include storage and retention, encryption, patch and software vulnerability management, malware protection, and incident management
6. Demonstrating accountability: If an employee has full administrative rights over all information on the device, the organization may be unable to demonstrate accountability for information under its control or in its custody. Connecting a personal device to the corporate network also creates significant privacy and security risks, including risks to the integrity of the network itself. The recommendation is to implement Mobile Device Management (MDM) software for devices that connect to the corporate network, including over-the-air distribution of apps, data, and configuration settings, after first documenting each party’s expectations in the BYOD policy (MDM gives the organization a degree of visibility into and control over a device the employee owns, which is why those expectations must be agreed in advance)
7. Mitigating risks through containerization: Organizations should consider partitioning each device into two containers, one for business use and one for personal use. The organization can then manage and protect the container holding the personal information in its control and the corporate-approved apps, and a lost or stolen device can be handled by remotely erasing only the corporate container. Policies must also address the case where a device has been “rooted” or jailbroken, because the container’s separation depends on operating-system controls that rooting bypasses
8. Identifying policies and procedures for storage and retention: Policies are needed for the storage and retention of personal information under the organization’s control, whether on the corporate network or on approved devices; a “thin client” approach, such as a remote desktop service, lets information be viewed on the device without being stored on it
9. Implementing encryption for devices and communications: Device encryption, container encryption, and the encryption of communication channels between devices or mobile apps and the corporate network all need to be addressed; a secure connection such as a virtual private network is recommended for remote connectivity, and the organization should decide in advance how lost encryption keys will be handled
10. Addressing patch and software vulnerabilities: The program must protect against software vulnerabilities and malicious activity by clearly assigning responsibility for patch management and updates, keeping in mind that even when the corporate apps are fully patched, a vulnerability in a user-installed app could still compromise personal information on the device
11. Managing apps and app configuration: Organizations should maintain a list of approved apps that may be installed, together with procedures for installing, updating, and removing them
12. Supporting effective authentication and authorization practices: Device authentication, container authentication, and user authentication all need to be addressed; strong passwords should be required and multifactor authentication used, while balancing security and privacy against usability
13. Addressing malware protection: Organizations need protection against common malware (worms, viruses, ransomware, adware, and Trojan horses) spread through messages, email, and web links, through network security that is regularly monitored, tested, and updated; users also need to be educated to exercise judgment about the sites they visit and the links they follow
14. Formalizing a BYOD incident management process: Even when an organization has identified and addressed privacy and security risks, incidents can still occur. An incident management process ensures that security incidents and privacy breaches are detected, contained, reported, investigated, and corrected in a timely and consistent manner through clear procedures, and that they are reported to the organization’s privacy officer as soon as they are discovered
What does this mean for employers?
Employers that are considering a BYOD program (or already have one) should review the considerations above against the policies and procedures they currently have in place. It is worth weighing the costs and benefits of such a program before deciding to implement one. Employers that do proceed with BYOD should review their policies and procedures regularly so that they remain current and relevant to their particular workplace.