Legal Implications of BYOD Pose Threats to Canadian Corporate Data, Personal Privacy

By: Lee Rickwood

September 18, 2013

As the use and seeming popularity of current BYOD (Bring Your Own Device) practices continues to grow, more users and corporate policy makers are warning of legal and operational pitfalls connected with the mash-up of personal and enterprise data on mobile devices.

"Bring-Your-Own-Device" adopters face certain legal hurdles as they balance technology risks, business benefits and a desire for greater profits. Photograph by: HLundgaard , Creative Commons

“Bring-Your-Own-Device” adopters face certain legal hurdles as they balance technology risks, business benefits and a desire for greater profits.
Photograph by: HLundgaard , Creative Commons

While new hardware and software-based tech solutions are coming forward, the current standard of BYOD security is ineffective and many current iterations of a BYOD policy inflict extensive hard and soft costs on the corporation.

Human resources specialists note that, when developing BYOD policies that take into account so-called “dual-use devices” (personal and business), it must be determined whether a company will monitor the use of the devices, and if so, to what degree.

BYOD policies can also open the door to compensation and wage claims for “off-the-clock” work.

There can be tax considerations if a device is provided, or if the supported use of a digital device is seen as an employment benefit.

And despite the apparent convenience, workers should know that BYOD analysis shows that companies can shift operational costs directly to their employees, and the employee’s monthly phone bill.

In fact, half of those surveyed about their BYOD policies said employees cover all costs, including device and data plans.

In remarks prepared for Canada’s Privacy Commissioner Jennifer Stoddart for an international conference on cybercrime, she noted that “access to corporate networks means access to the personal data of clients or employees. The risks associated with BYOD are also privacy risks.

“And what about the individual’s personal information—including the device’s unique identifier—that can be found on the corporate network?” she continued. “Clearly, BYOD entails certain risks which employers must recognize and address.”

Those risks can easily turn into legal action from government agencies if inadequate security measures they employ are seen to fail to protect and preserve client data. Likewise, disgruntled employees who feel their company’s BYOD policy has failed to protect their own personal data are more and more moving towards legal action to right the perceived injustice.

That’s according to a new industry white paper  called Avoiding BYOD Legal Issues; it’s just been released by Toronto-based Route1 Inc., a digital security and identity management company whose customers include many Canadian and U.S. government agencies and private sector enterprises.

“Along with security concerns, BYOD has brought the potential of major legal issues for the enterprise to the forefront of senior management discussions,” described Tony Busseri, CEO of Route1 of the white paper findings. “Many current BYOD corporate policies leave enterprise data unprotected in the event of a security breach and during an employee’s exit from the company. The policy of tracking and wiping an employee’s personal device opens the Enterprise up to the potential for mass litigation.”

The legality of the common practice of remotely wiping or tracking an employee’s mobile device while asking workers to sign waivers giving their consent for such a policy remains highly ambiguous, as there is little to no case law in this area. Employee resentment over these invasions of personal privacy is growing with concerns about losing personal data when using their own devices for work, and the potential violation if their employer viewed their personal information.

Employees of the federal government are facing the same threat to their privacy with respect to GPS tracking, under Freedom of Information or Personal Information Protection legislation. Companies again risk litigation when remote monitoring of employee devices leads to the viewing of confidential personal information.

Provincially, for example, the Personal Health Information Act in Manitoba affects nearly every person or corporation, and imposes on them a duty to protect the privacy of individuals in the collection, use, disclosure, security and storage of identifying data.

Federally, the Personal Information Protection and Electronic Documents Act (Canada) lays out general rules about the protection of personal data by organizations and other entities.

Technologically, solutions are coming forward which may mitigate but not eliminate legal jeopardy.

Mobile Device Management (MDM) software can be used, although a company like Route 1, with its own offering, warns against weak or ineffective solutions on the market. Route 1 says its MobiKEY technology allows employees to work on their personal devices while keeping the enterprise data behind the company firewall, thus eliminating the need to wipe or track employee devices. MobiKEY is currently used by some of the U.S. Government, Route 1 notes helping keep data secure and enterprises protected from the threat of litigation.

One major organization, the Canadian Diabetes Association, put a Canadian spin on its solution to BYOD challenges.

The Canadian Diabetes Association actually reversed its long-standing policy, one that let staff bring their own devices, and it turned to an all-BlackBerry deployment, and the new BlackBerry Balance technology, which keeps a user’s personal information separate from on-board work data.

Officials there still note a long and detailed evaluation process was needed, and that employee buy-in was crucial right from the start of the implementation.


# # #

submitted by Lee Rickwood













Leave a Reply

Your email address will not be published. Required fields are marked *