personally owned devices at work
Post on 12-Jul-2015
What's on your E RADAR?
Using personally-owned devices at work
Will Roebuck, Founder and CEO, E RADAR
4 Themes
● Data Access
  – What data, when, how and by whom?
● Device Risk
  – Abuse and misuse, malware, by-passing in-house security
● Management Risk
  – Monitoring threats, responding to alerts
  – Evaluating new operating systems and devices
● Awareness
  – Staff policies and procedures
Important Points
● The 'bottom line'
● Corporate and personal liability
● Digital evidence
● Misuse of personal devices
● Monitoring networked communications
● Workers and personal data
● Stored networked communications
● Implementing a policy
The 'Bottom Line'
● Enterprise, innovation and competition
● Balancing supply and demand with risk management
● Deploying resources carefully
● Smarter business management
  – Developing and using the right people skills
  – Improving business processes; supply and demand chains
  – Opening up new markets
● Investment in enabling technology
● Enabling laws and regulations, standards
Corporate and personal liability
● Legal and regulatory requirements
● Registering, filing and retaining records and information
  – e.g. Company Annual Returns / VAT Returns
  – e.g. Notifying under Data Protection / WEEE record retention
● Vicarious liability
  – Duty of 'reasonable' care towards employees
  – Prevent improper or illegal activities over business systems
● Personal liability
  – Directors failing to undertake duties implied by law or as additional duties in their contract
Evidence – basic concepts
● Evidence (in legal terms) is the way that a fact is proved or disproved in a court or tribunal.
● The law of evidence regulates what is admissible in a court of law or tribunal.
● An organisation may need evidence for
  – Dealing with an employee's claim of unfair dismissal
  – Proving IPR in an invention
  – Proving the existence of an agreement in a dispute with a customer
Types of evidence
● Oral testimony
● Real evidence in material form (e.g. documents)
  – Primary = signed original contract
  – Secondary = unsigned draft of that contract
● Electronic evidence (primary or secondary)
● Hearsay
  – Evidence given by a person as to what another person said
  – Less reliable than a first-person account, but admissible
  – Rules much tighter in criminal cases
Burden and standard of proof
● Civil cases
  – Burden of proof is with the claimant
  – Defendants may also need to prove something in the case to rebut accusations
  – Standard of proof is 'balance of probabilities'
● Criminal cases
  – Burden of proof is with the prosecution
  – Standard of proof is 'beyond reasonable doubt'
Digital evidence
● Evidence in electronic format is admissible
  – Electronic Communications Act 2000
  – Civil Evidence Act / Youth Justice and Criminal Evidence Act
● Documents can be copied onto own personal devices
● Technology neutral
Admissibility, weight and credibility
● Digital evidence may be legally acceptable but may not be admissible.
● An admissible document must be sufficiently relevant
● The court must decide, and may give different weight to primary or secondary evidence
● In civil cases, evidence is usually presumed admissible without further proof
● British Standards Code for Legal Admissibility and Evidential Weight of Information Stored Electronically
Misuse of Personal Devices
● Abuse and misuse (illegal, illicit or wrong)
  – Defamatory remarks
  – Breach of confidentiality
  – Using and abusing copyright without permission
  – Negligence in sending viruses to other businesses
  – Sexual or racial harassment
● Criminal offences
  – e.g. downloading child pornography
  – Other illegal images
Monitoring Communications
● Right to privacy – even at work
  – Regulation of Investigatory Powers Act 2000
  – Lawful Business Practice Regulations 2000
● Inform users of monitoring carried out for lawful business purposes
  – Quality, training and security
● How do you 'monitor' remote workers?
  – Blanket monitoring of employees is not acceptable
  – Must be justified
  – Other alternatives?
Data protection
● 8 data protection principles
  – Principle 7 – adequate security measures
  – Principle 8 – international transfers
● Cloud computing
  – Where is the personal data?
  – Information Commissioner's Guidance
● Sensitive personal data
  – Encryption
Retention, deletion and retrieval
● Organisations must retain evidence in order to rely upon it!
● Information management policy covering
  – Retention, access and exchange (including security), deletion and retrieval
● Why a policy?
  – Business (cost, time and risk management)
  – Legal (e.g. accounting records = 6 years, criminal penalties)
  – Regulatory (FSA Rules, Food Standards etc.)
Key observations
● 3 important elements
  – Managing IPR, including data, information and proprietary software
  – Controlling worker behaviour
  – Security
● Appropriate policies
  – Linked to the employment contract to enable disciplinary action
  – Otherwise just a management policy
● Don't panic – get on with your business!
About eradar.eu™
● Championing enterprise and the online economy
● Promoting an enabling legal and regulatory environment
● Business networking and compliance hub
  – Membership Services (over 400 briefing papers/articles)
  – Referencing
  – E-contracting Legal Group
  – Premium tracking and scrutiny
  – Audits and training