BYOD: It can be privacy protective
Timothy M. Banks, CIPP/C, Partner | T: [email protected] | @TM_Banks
Originally presented at the Canadian Institute’s 19th Annual Regulatory Compliance for Financial Institutions, November 14, 2013
Dentons Canada LLP
BYOD
• What is it?
• Quantifying the risks
• Mobility vs Control matrix
• Compliance challenges
• Policies (or Agreements)
Defining BYOD
• Bring Your Own Device
• A corporate IT-supported program in which employees are
    • permitted; or
    • encouraged; or
    • required
  to deploy their own electronic devices in the course of fulfilling their duties
• Can take a variety of forms:
    • employer subsidizes purchase of mobile or other devices
    • employee uses unsubsidized device
    • home office or mobile work
    • many devices: tablets, smartphones, laptops etc.
Traditional Risk Equation
Risk = Vulnerability x Threat x Expected Loss
• Vulnerability =
    • Endpoint protection weakness
    • Practical inability to control device
    • User behaviour
• Threat =
    • Phishing
    • Keystroke logging
    • Scraping
    • Hacking
    • Interception
• Expected Loss =
    • Hardware asset
    • Data
    • Regulatory fines & investigations
    • Goodwill
    • Cost of breach
Only one of these has decreased
So Why Do It?
• Executives demand it
• Employees like it
• People are already doing it
• Greater productivity
    • Possibly true, but consider overtime risks
• Perceived cost-savings
    • Yes, hardware costs may be lower if you are not reimbursing
    • Data plans and hardware may be more expensive if you lose economies of scale and bargaining power
    • Also, IT has to support more devices
    • May introduce other risks and costs into the system that may be greater than cost advantages
Smartphone Penetration
• Smartphones are increasingly prevalent
• Market penetration is estimated at 56% of Canada’s population
• 79% don’t leave home without their device
• 66% estimated to access the Internet on their devices every day
• 81% use their devices while at work
  Source: Google Ipsos MediaCT Q1 2013 Survey
• Some studies estimate 75% of Canadian businesses support employee-purchased smartphones and tablets in the workplace
Mobility versus Control
[Diagram: devices arranged along an axis from Highest Control to Greatest Mobility]
Highest Control: File Server, Personal Computer, Laptop, Tablet, Smart Phone, Memory, USB Thumb Drive: Greatest Mobility
Conflicting Expectations
[Diagram: two opposing boxes]
• Employee Expectations of Privacy & Control
• Employer Expectations of Security & Control
BYOD Compliance Matrix
[Diagram: four quadrants]
• Security
• Regulatory & Industry Compliance
• Privacy
• Proprietary
Security
[Diagram: the Device at the centre, surrounded by the following controls]
• Digital Certificates & Tokens
• Mobile Device Management Software
• Encryption
• User Authentication
• Anti-Virus / Endpoint Defence
Assumes Network-Side is Secure
Device Security
• Controls on User ID and Passphrase characteristics
    • Authenticate the person (What You Know)
• Use of Digital Certificates
    • Authenticate the device (What You Have)
• Use of Tokens for Sensitive Databases
    • Double authentication (What You Have)
• Mobile Device Management
    • Control configurations
    • Apply authentication policies
    • May permit viewing of App installations
    • May permit logging of activities
    • May separate personal and corporate data
• Encryption
    • Secure encrypted containers for corporate data
• Anti-Virus Endpoint Defence
    • Protection at the device end
Standards & Legal Requirements
[Diagram: three groups of requirements]
• Industry Standards: PCI-DSS; ISO 27001, 27002
• Wiretap: US ECPA; Criminal Code
• Governmental Privacy & Security Disclosure: GLB – Safeguards Rule
Payment Card Industry – Data Security Standards
• Personal firewall must be installed on the device
• Must be configured by the company
• Must be tested
• Anti-Virus software on all systems
• Updated, active and generating audit logs
International Standards Organization
• ISO 27001
    • Information technology — Security techniques — Information security management systems — Requirements
• ISO 27002
    • Information technology — Security techniques — Code of practice for information security controls
Electronic Communications Privacy Act (ECPA) – USA
• Wiretap Act
    • Protects against interception by another person
    • Prohibits electronic eavesdropping
    • Only requires one party consent
• Stored Communications Act
    • Protects “at rest” communications
    • Prohibits intentional access
    • Subject to consent
Criminal Code
• Interception (s. 184)
    • Everyone who, by means of any electro-magnetic, acoustic, mechanical or other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years
• Exception – consent of one party
• Consider validity of consent (informed, freely given)
    • Mandatory BYOD programs
    • Communicated upfront
• Bill C-12 “valid consent” = “the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting”
• Consider the employee’s understanding of the extent of monitoring (interception)
Other Statutory & Common Law Privacy Protections
• Personal Information Protection and Electronic Documents Act
    • Safeguards 4.7
        • appropriate to the sensitivity of the information
        • protect against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification
        • applies in any format
    • Transparency 4.8
        • Information about their policies and practices
• Employee Privacy
    • Employees have privacy interests
    • Communications, Energy & Paperworkers Union of Canada, Local 30 v. Irving Pulp & Paper Ltd., 2013 SCC 34 (random alcohol & drug testing)
    • R. v. Cole, 2012 SCC 53 (search and seizure of employee laptop)
• Federal Trade Act
    • Section 5 – unfair and deceptive acts are prohibited
    • Violation of privacy notices may be a deceptive practice (being challenged)
    • Note: Provincial Consumer Protection legislation has similar language
Gramm-Leach-Bliley Act – Safeguard Rule - USA
• Financial institutions have a continuing obligation to protect security and confidentiality of non-public personal information
• Administrative, Technical and Physical Safeguards:
    • To insure the security and confidentiality of customer records and information
    • To protect against any anticipated threats or hazards to the security or integrity of such records
    • To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer
• In Canada:
    • Office of the Superintendent of Financial Institutions
    • Operational Risk includes data/information security, information technology systems
Proprietary
Who owns the Mobile #?
Mobile: 647-391-58XX
Email: [email protected]
Office: 416-863-4424
Who Owns What?
• “Your” Device
    • Right, title & interest is that of the employee’s
    • Need to have a contractual right to even touch it
    • Rights may terminate at the end of employment
• “Whose” Data?
    • Generally speaking, no property interest in “information”
    • May be confidential information that can be protected by
        • contractual obligations (express or implied)
        • equity
        • Tort of misuse of confidential information
Fighting About the Followers & the Contacts & the IP
• Whitmar Publications Limited v. Gamage, [2013] EWHC 1881 (Ch)
    • Springboard use of company’s LinkedIn groups
    • Injunction granted
• Eagle v. Edcomm, 2013 WL 943350 (E.D. Pa., 2013)
    • Fired employee
    • Took over LinkedIn account
    • Misappropriated identity
    • No damages (didn’t prove any)
• What about IP created on an employee-owned device (inside/outside work hours)?
Privacy: Levels of Intrusiveness
[Diagram: three tiers of intrusiveness]
• Control: Gating (prevention)
• Enforcement: Exception Reporting (silent monitoring)
• Management: Active Monitoring (overt collection)
Employer’s Right to Monitor Employee Communications
• Yes, but more difficult on an employee-owned device
• Arguably, need consent
    • Consider Criminal Code
• Worry about Intrusion Upon Seclusion
    • Consider: Lazette v. Kulmatycki, 2013 WL 2455937
        • Employer-owned Blackberry device
        • Employee permitted to also use it for personal use (had Gmail account)
        • Employee left; believed Gmail account deleted; thought phone would be wiped & recycled
        • Oops, former supervisor accessed Gmail account for 18 MONTHS!
        • Brought claim under Electronic Communications Protection Act
    • Ripe for Tort of Intrusion upon Seclusion in Canada
        • Jones v. Tsige, 2012 ONCA 32
            • Access of plaintiff’s bank accounts numerous times over four years
            • Tort of intrusion upon seclusion recognized
            • Jones awarded $10,000 in damages
Employer’s Right to Monitor Device Status
• “What part of Mine don’t you understand?”
• Doesn’t require interception of communications
• Monitoring the security of the end-point as condition of service
• Best to implement as part of a BYOD agreement
• Easier to explain to employees
• Easier to justify from a “privacy by design” perspective
    • Limiting collection
    • Limiting retention
    • Limiting use
    • Limiting disclosure
Investigations
• The device is locked with a PIN
    • You asked for it!
    • Employee doesn’t want to provide the PIN
    • Can you force it?
    • Probably not! Will likely need judicial assistance.
    • All the more reason to ensure good Mobile Device Management and Container Wiping
• Could you use Admin rights to get access and/or change passwords?
Control of Device / Wiping
• “You blocked my access to Drop Box and now you wiped the last [insert valuable IP] that I had”
• Consider Criminal Code
    • 430. (1) Every one commits mischief who wilfully
        • (a) destroys or damages property;
        • (b) renders property dangerous, useless, inoperative or ineffective;
        • (c) obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property; or
        • (d) obstructs, interrupts or interferes with any person in the lawful use, enjoyment or operation of property.
    • (1.1) Every one commits mischief who wilfully
        • (a) destroys or alters data;
        • (b) renders data meaningless, useless or ineffective;
        • (c) obstructs, interrupts or interferes with the lawful use of data; or
        • (d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.
The preceding presentation contains examples of the kinds of issues that corporations could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.