• Anyone know what the D stands for? BYO Disaster, BYO Danger
Transcription
Anyone know what the D stands for? BYO Disaster, BYO Danger, ...? Because they could bring a whole host of privacy and security concerns with them. BYOD really is an art, not a science.

Annotated slides and a handout with one potential BYOD agreement (there is no universal "template") will be available.

Why launch BYOD programs?

First, prohibition didn't work the first time. Stats from the iPass Mobile Workforce Report ("BYOD mobile workers thumbing nose at IT security", ZDNet, 8/2012: http://www.zdnet.com/byod-mobile-workers-thumbing-nose-at-it-security-7000003519/):
• Nearly 25% of mobile workers say they employ some sort of workaround on their smartphones to bypass IT controls and get at corporate data, while 12% of tablet users say they use similar tactics.
• Those that try to bypass security say they have their reasons: 16% said IT is slow in responding, 21% said they needed to do something immediately and could not wait for IT, 10% cited strict IT policies, and 9% said it was too much hassle to deal with IT.

Second: THAT'S ME WITH THE FLOPPY, SUFFERING THROUGH THE 1980'S. We know what suffering is.

Conversely, an InfoWorld report on a Vision Critical study ("Young employees say BYOD a 'right' not 'privilege'", 6/2012: http://www.infoworld.com/d/consumerization-of-it/young-employees-say-byod-right-not-privilege-195901) states that:
• Amongst young "20-something" workers, slightly more than half view it as their "right" to use their own mobile devices at work, rather than it being a "privilege."
• The survey also cites that 1 out of 3 BYOD respondents said they would gladly break any anti-BYOD rules and "contravene a company's security policy that forbids them to use their personal devices at work or for work purposes."
• It's going to happen, it's already happening, get on the bus!

Other reasons to "like" BYOD:
• Increases employee productivity
• People are working on vacation, in bed (!), traveling, even in churches!
BYOD programs can indeed increase productivity. Lastly, we older employees are too tired to schlep multiple devices!

However, cost savings for voluntary programs remain unclear.
• Are people giving up employer devices or not?
• May have increased productivity, but also increased costs:
  • Configuring and reconfiguring the choices
  • Technical support
  • Data loss or data breach (including PI & IP)
  • Managing the ops of the program: access, apps, etc.
  • WiFi bandwidth for consumer content you are now supporting
  • Malware/viruses brought in by personal mobile devices
  • Loss of bulk discounts on company-provided devices
• Our CIO estimates ~$150M/year in cost savings and increased productivity (57 minutes per day per BYOD employee). See the March 5, 2013 Computerworld article on the Intel IT annual report.
• However, we don't offer much tech support, maintenance, etc., and many of us don't have duplicate Intel-owned devices. So, it depends on your deployment scheme.
• Technologically and legally maintaining BYOD programs on a slew of devices can be difficult and expensive, so you'll need to choose wisely.

As for "risks" of BYOD, many of them were already there with employer-owned devices:
• Email forwarded to personal accounts, info copied to files & other apps, lost/stolen devices and storage media, etc.
But there are additional risks to BYOD where devices are owned and managed by employees themselves.

So let's take a look behind the BYOD curtain.

ARE THE SECURITY CONCERNS REAL? OR ARE THEY JUST ZOMBIES, FUN TO TALK ABOUT BITING US IN THE . . . BUTT . . . BUT NOT SO REAL.
Some stats from the US FCC on smartphone security:
• Less than 1 in 20 smartphones and tablets have third-party security software installed on them
• Less than 50% of smartphone owners use password protection on their devices
• More than 40% of smartphone users have no antivirus software on their smartphones
• Every 3.5 seconds, one American loses their phone, adding up to more than $30 billion in annual losses
• A total of ~25K mobile malware threats were detected in 2011, a 367% rise over 2010
• Recent Ponemon study: 80% of IT security professionals surveyed say laptops and other mobile data-bearing devices pose a significant security risk to their organization's networks or enterprise systems because they are not secure. Yet only 13 percent say they use stricter security standards for employees' personal devices than for corporate-owned devices. (Ponemon Institute, 2013 State of the Endpoint, 12/2012: http://www.lumension.com/Media_Files/Documents/Marketing---Sales/Whitepapers/2013-State-of-Endpoint-Security-WP.aspx)

So, we have real security concerns.

CAN WE "MCNEALY" OUR WAY OUT OF THIS DILEMMA?

Can't we just "get over the legalities of employee privacy by going back to 1999 and creating an overarching policy quoting Scott McNealy and impose all the security requirements we want?"

No. That tactic is likely not enforceable globally. Don't assume you can easily limit employees' rights of privacy with Victorian-era self-serving security policies. BYO devices track employee location 24/7 and contain all kinds of personal data and behaviors.
Even in the U.S., the Court of Appeals for the District of Columbia, ruling about police use of tracking devices, noted that just GPS data, for example, can reveal whether a person "is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts."

PHONES ARE MOBILE X-RAY SPEX.

Last Oct. the Canadian Supreme Court decided in a criminal case (R. v. Cole) that allowing personal use of work computers creates privacy expectations (at least regarding the state) that can't be avoided via written policies, although they are a relevant piece of the overall picture.

So what now? Practically speaking: KEY IS TO BE REASONABLE, TRANSPARENT AND PROPORTIONAL, AND SET ACCURATE EXPECTATIONS, to minimize liability in the event your program does accidentally fall on the wrong side of the law (which is in a state of global flux).

SEEK VOLUNTARY CONVERTS.

ELIGIBILITY: have appropriate criteria for both who can join and what can join: the types of employees and the types of devices (e.g. no factory workers due to super secrecy, no outdated technologies).

On the security end of things: The Chubs (cat) is not the best security measure.
• Have a reasonable set of standards the devices must meet. Otherwise you not only risk security issues, but increasing costs in getting them all to work on your IT system.
• Different devices have different capabilities and implications, e.g. partitioning off work data from personal data is relatively easy on laptops, but not yet on tablets or phones (although it's coming).
• Can move apps & security to the server side rather than downloading them to the device.
• Deploy mobile device management (MDM) tools to increase security.
• Common features of MDM software: require users to register the device as a condition of network access; require strong passwords on the device; encrypt data sent outside the corporate firewall; block access to "blacklisted" sites or applications; enable remote wipes (where legal); and prevent users from disabling or altering certain security settings on their devices.
• MDM software can help, but it won't fix the entire issue.
• Limit access to, and storage of, data on BYO devices.
  • Some experts recommend limiting the data accessible and stored on handhelds to email, calendar, and a limited number of apps. IBM banned Siri and Dropbox. Also, some companies are now offering services to modify popular apps for in-company use vs. outside use.
• Condition access to services/apps on the context of use.
  • E.g. Intel is working on context-aware security where your access to apps and data depends on who and where you are.
• Engage end-users and beta test: this is supposed to be a benefit to the employees, not a solution looking for a problem. But you can't offer everything. If you're not sure how it's going to actually work in your business, try a pilot and test it out, then take surveys of the users so you know what they thought of the experience and any issues they had.

On the privacy end of things:
• Sign on my daughter's door. Need very clear, easy-to-understand policies and an employee agreement.
• But the law is not clear globally. Neither is enforcement. Follow FIPPs/OECD privacy guidelines, particularly proportionality & transparency in policies and notice & consent regarding potential data processing.
• You want the program particulars set up around legitimate business interests.
• Create policies employees must follow for their own and the company's good, e.g. don't forward work email to personal web-based mail accounts; keep your device secure; don't share your corporate log-in credentials with family members.
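The device standards, the MDM enrollment/passcode/encryption/blocked-app features and the context-aware access idea described above, pulled together as a small enrollment gate. This is an added example and not code from the presentation or from any MDM product; the DeviceReport fields stand in for what an MDM agent would report, and the policy values (minimum OS versions, blocked apps, eligible employee groups) are constructed for illustration.

```python
"""Compliance gate for a BYOD program.

Added example; not code from the presentation or from any MDM product.
The DeviceReport fields are hypothetical stand-ins for what an MDM agent
would report, and the policy values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DeviceReport:
    device_id: str
    owner: str
    platform: str                  # "ios", "android", "windows", ...
    os_version: Tuple[int, ...]    # compared as a tuple, e.g. (6, 1) >= (6, 0)
    enrolled: bool                 # registered with MDM (condition of network access)
    passcode_set: bool
    passcode_length: int
    storage_encrypted: bool
    settings_locked: bool          # user cannot disable MDM-managed security settings
    installed_apps: List[str]


# Constructed policy values; a real program sets these per business and jurisdiction.
POLICY: Dict = {
    "min_os": {"ios": (6, 0), "android": (4, 1), "windows": (6, 1)},
    "min_passcode_length": 6,
    "blocked_apps": {"dropbox", "siri"},         # the IBM example from the notes
    "eligible_groups": {"office", "sales"},      # e.g. no factory workers
    "require_encryption": True,
}


def compliance_findings(dev: DeviceReport, policy: Dict = POLICY) -> List[str]:
    """Return the list of standards the device fails; an empty list means compliant."""
    findings = []
    if not dev.enrolled:
        findings.append("device not registered with MDM")
    min_os = policy["min_os"].get(dev.platform)
    if min_os is None:
        findings.append(f"unsupported platform: {dev.platform}")
    elif dev.os_version < min_os:
        findings.append("OS version below the program minimum")
    if not dev.passcode_set or dev.passcode_length < policy["min_passcode_length"]:
        findings.append("device passcode missing or too short")
    if policy["require_encryption"] and not dev.storage_encrypted:
        findings.append("device storage not encrypted")
    if not dev.settings_locked:
        findings.append("user can disable managed security settings")
    blocked = sorted({a.lower() for a in dev.installed_apps} & policy["blocked_apps"])
    if blocked:
        findings.append("blocked apps installed: " + ", ".join(blocked))
    return findings


def access_decision(dev: DeviceReport, employee_group: str, network: str,
                    policy: Dict = POLICY) -> Dict:
    """Context-aware decision: which data classes this device may reach right now.

    Eligibility (who) is checked before device compliance (what); a compliant
    device gets email and calendar anywhere and the wider app set only on the
    corporate network, mirroring the "limit data on handhelds" advice.
    """
    if employee_group not in policy["eligible_groups"]:
        return {"allowed": [], "reason": "employee group not eligible for BYOD"}
    findings = compliance_findings(dev, policy)
    if findings:
        return {"allowed": [], "reason": "; ".join(findings)}
    allowed = ["email", "calendar"]
    if network == "corporate":
        allowed.append("approved-apps")
    return {"allowed": allowed, "reason": "compliant"}


# Constructed sample reports: one device that meets the standards, one that does not.
GOOD_DEVICE = DeviceReport("dev-001", "alice", "ios", (6, 1), True, True, 6, True, True,
                           ["Mail", "Calendar"])
BAD_DEVICE = DeviceReport("dev-002", "bob", "android", (4, 0), False, False, 0, False, False,
                          ["Dropbox", "Maps"])

if __name__ == "__main__":
    for dev in (GOOD_DEVICE, BAD_DEVICE):
        print(dev.device_id, compliance_findings(dev) or "compliant")
    print(access_decision(GOOD_DEVICE, "office", "home"))
    print(access_decision(GOOD_DEVICE, "office", "corporate"))
    print(access_decision(BAD_DEVICE, "office", "corporate"))
```

The gate returns every failed standard rather than stopping at the first, which is what the support people need when telling an employee why a device was refused; the reason string is about the device, never about the personal data on it, which keeps the check inside the proportionality and transparency advice from the privacy side of the notes.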
We don't want to look at their personal data, we don't want them losing their personal data, but they have to change bad habits.
• On that note, don't forget the human glue keeping the program together:
  • Employee behavior can make or break your program, and often a program like this is launched and the support people behind it wish it would just run itself. Need education & training.
• So, you can balance security and privacy concerns in a fair way, paying attention to the potential minefield that is the law.

The scope of laws and regs we need to worry about can be vast.
• Not just data privacy laws, not just security laws:
• Local labor laws and basic contract laws regarding contracting with employees and what makes a binding contract ("K"), what happens if employees violate the policies or agreement, works council approvals, etc. Employee consent can be viewed as coercive, and even if not, may need to be translated and in hard copy. But the German Federal Office for Information Security recently recommended employee agreements and other measures covered in this presentation. And this just in today: the UK ICO just issued guidance on "acceptable use policies" for BYOD. Also don't forget non-exempts: they may work more overtime if using personal devices.
• And don't forget IP issues. Maintaining trade secret protection is an obvious one . . . but enterprise software licenses might not carry over to BYOD, and vice versa. And then you may face the new cash-generating model of large software houses insisting on an audit to make sure your enterprise hasn't exceeded the number of seats in the license; you'll need to build software audit rights into the BYO program.
• And if that's not enough, you'll need to consider tax implications: if you subsidize the cost of the device but the employee owns it, or you pay for their service, you could invoke tax laws.
• Export control: regulations restrict the export and sharing of controlled technologies outside of company-owned assets.
• Finally, you have laws and regulations regarding data transfers, access to the employee data on the devices, etc. Requests for info in a government process: subpoenas, warrants, US litigation discovery rules/LEHNs.

SO, HOW DO YOU MANAGE ALL THIS POTENTIAL RISK?

Practical tips for navigating the treacherous waters of the law:

ONE SIZE DOESN'T FIT ALL. Must fit the BYOD program to your business, your funding, your devices, your culture, your security & privacy concerns, and your local laws.

• Again, follow FIPPs/OECD. This is not only very important to legal and regulatory compliance. As a practical matter, it will go a long way in avoiding an employee complaining in the first place, which is more than half the battle.
• Happy employees are less likely to complain.
• And don't forget to incorporate other existing corporate policies by reference: not just those Victorian-era electronic comms guidelines, but also security guidelines, software licensing, privacy policies, code of conduct, etc. Update those as necessary!

But what about compliance with differing laws in various jurisdictions?
• There's a balance to be had here based on the law, the enforcement schemes, the number of affected employees, and the risks that someone will complain.
• But the laws are all changing! So the best thing to do is to get consent for now, note that enforcement will be in accordance with local laws, and then train the IT folks who will be responsible for collecting potentially personal data from employee devices to check with their local legal counsel first. Absent emergency, check with the local attorney prior to snatching potentially personal data!

So even if employee consent is not a guarantee of enforcement of your policies and agreement, you can show you've done what seemed reasonable and legit to balance privacy rights and security obligations. Now is not the time to push the envelope or cannibalize privacy or security at the expense of the other.
Don't run outside the pack for easy pickings by a regulator.

Also, note there may be other issues with specialized industry compliance schemes, e.g. healthcare and HIPAA, or the finance industry, etc., that may need special privacy and security processes in place, too. (Outside the scope of this presentation.)

Drafting contracts: there is only one right answer! The lawyer! Again, one size doesn't fit all. Don't copy some other company's agreement. Upshot: stay in the middle of the pack and be reasonable. That's the practical answer.

DRAFT AGREEMENT IS POSTED, BUT THERE IS NO "TEMPLATE" THAT FITS ALL PROGRAMS. A few highlights:
• Voluntary. It's a convenience, not an entitlement: you don't like it? Don't join it.
• Have reasonable rules about the types of info that can be stored and how to back that up (i.e. don't mix up your personal and work backups). Typical external cloud backups in particular have potential security issues and data access issues where the contract is with the employee and not the company. Prohibit some types of backup.
• Data/device management: access to the device, remote wipes, software audits, don't disable security settings, and disclaimer of liability if personal data is lost via program participation. "Break free of personal habits that could leak company data!"
• Theft/loss/damage/support: is the employee entirely responsible for this? What does he do if he goes to a repair center? Report lost/stolen devices. No reimbursement. Disclaimer of malware or lost data. May have to, or want to, do more, depending on your business model.
• Compliance: company's and employee's. The company has privacy/security compliance issues, e.g. law enforcement, so include a reservation of rights to search/intercept/review company email, network use and content.
  • Have reasonable cause regarding a: (1) violation of law or company policy, or (2) data leak (e.g. network problem)
  • Acknowledge you will abide by local laws, and then check in advance (absent emergency)
  • If the employee is out of compliance, you can terminate them from the program, but may also need disciplinary action.
• What happens when an employee leaves the program for any reason?
• Forced scroll, click at least once at the end (maybe more), and track the agreement version and the user. But there's a special employee angle here: may need hard copy, translated.
• May want to bold-face sensitive clauses, those that invoke potential personal data access/monitoring.

Just some fun audience participation.

But laws aren't the only thing changing. Technology will change! True or false? This is our brave new future, folks, get used to constant change & evolution.

Takeaways
• IAPP is posting this presentation with notes, plus one example of an employee agreement. THERE IS NO UNIVERSAL "TEMPLATE" THAT FITS ALL SITUATIONS IN ALL COUNTRIES!
• The latter is a pretty comprehensive resource from a law firm, of the many that I've read.