BYODIt can be privacy protective

Timothy M Banks, CIPP/CPartnerT: 416-863-4424timothy.banks@dentons.comfollow: @TM_Banks

Originally presented at the Canadian Institute’s 19th Annual Regulatory Compliance for Financial Institutions, November 14, 2013

Dentons Canada LLP

BYOD

• What is it?

• Quantifying the risks

• Mobility vs Control matrix

• Compliance challenges

• Policies (or Agreements)

Defining BYOD

• Bring Your Own Device

• A corporate IT-supported program in which employees are• permitted; or• encouraged; or• required• to deploy their own electronic devices in the course of fulfilling their duties

• Can take a variety of forms:• employer subsidizes purchase of mobile or other devices• employee uses unsubsidized device• home office or mobile work• many devices: tablets, smartphones, laptops etc.

Traditional Risk Equation

Risk = Vulnerability x Threat x Expected Loss

• Vulnerability =• Endpoint protection weakness• Practical inability to control device• User behaviour

• Threat =• Phishing• Keystroke logging• Scraping• Hacking• Interception

• Expected Loss = • Hardware asset • Data• Regulatory fines & investigations• Goodwill• Cost of breach

Only one of these has decreased

So Why Do It?

• Executives demand it

• Employees like it

• People are already doing it

• Greater productivity• Possibly true, but, consider overtime risks

• Perceived cost-savings • Yes, hardware costs may be lower if you are not reimbursing • Data plans and hardware may be more expensive if you lose economies of

scale and bargaining power• Also, IT has to support more devices• May introduce other risks and costs into the system that may be greater than

cost advantages

Smartphone Penetration

6

• Smartphone are increasingly prevalent

• Market penetration is estimated at 56% of Canada’s population

• 79% don’t leave home without their device

• 66% estimated to access the Internet on their devices every day

• 81% use their devices while at work• Google Ipsos MediaCT Q1 2013 Survey

• Some studies estimate 75% of Canadian businesses support employee-purchased smartphones and tablets in the workplace

Mobility versus Control

File Server

PersonalComputer Laptop Tablet

Smart Phone

Memory

USB Thumb Drive

Greatest Mobility

Highest Control

Conflicting Expectations

Employee Expectations of

Privacy & Control

Employer Expectations of Security &

Control

BYOD Compliance Matrix

Security Regulatory & Industry

Privacy Proprietary

Compliance

9

Security

Device

Digital Certificates & Tokens

Mobile Device Management Software Encryption

User Authentication

Anti-Virus / Endpoint Defence

Assumes Network-Side is Secure

Device Security

• Controls on User ID and Passphrase characteristics• Authenticate the person (What You

Know)

• Use of Digital Certificates• Authenticate the device (What You

Have)

• Use of Tokens for Sensitive Databases• Double authentication (What You

Have)

• Mobile Device Management• Control configurations• Apply authentication policies• May permit viewing of App

installations• May permit logging of activities• May separate personal and

corporate data

• Encryption • Secure encrypted containers for

corporate data

• Anti-Virus Endpoint Defence• Protection at the device end

Standards & Legal RequirementsIn

dust

ry S

tand

ards PCI-DSS

ISO 27001, 27002 W

ireta

p US ECPACriminal Code

Gov

ernm

enta

l Privacy & Security DisclosureGLB –Safeguards Rule

Payment Card Industry – Data Security Standards

• Personal firewall must be installed on the device

• Must be configured by the company

• Must be tested

• Anti-Virus software on all systems

• Updated, active and generating audit logs

International Standards Organization

• ISO 27001• Information technology — Security techniques — Information security

management systems — Requirements

• ISO 27002• Information technology — Security techniques — Code of practice for

information security controls

Electronic Communications Privacy Act (ECPA) -USA

• Wiretap Act• Protects against interception by another person• Prohibits electronic eavesdropping• Only requires one party consent

• Stored Communications Act• Protects “at rest” communications• Prohibits intentional access• Subject to consent

Criminal Code

• Interception (s. 184)• Everyone who, by means of any electro-magnetic, acoustic, mechanical or

other device, wilfully intercepts a private communication is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years

• Exception – consent of one party

• Consider validity of consent (informed, freely given)• Mandatory BYOD programs• Communicated upfront

• Bill C-12 “valid consent” = “the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting”

• Consider the employee’s understanding of extent of monitoring (interception)

Other Statutory & Common Law Privacy Protections

• Personal Information Protection and Electronic Documents Act• Safeguards 4.7

• appropriate to the sensitivity of the information

• protect against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification

• applies in any format

• Transparency 4.8• Information about their policies and

practices

• Employee Privacy• Employees have privacy interests

• Communications, Energy & PaperworkersUnion of Canada, Local 30 v. Irving Pulp & Paper Ltd., 2013 SCC 34 (random alcohol & drug testing)

• R. v. Cole, 2012 SCC 53 (search and seizure of employee laptop)

• Federal Trade Act• Section 5 – unfair and deceptive

acts are prohibited• Violation of privacy notices may be a

deceptive practice (being challenged)• Note: Provincial Consumer Protection

legislation has similar language

Gramm-Leach-Bliley Act – Safeguard Rule - USA

• Financial institutions have a continuing obligation to protect security and confidentiality of non-public personal information

• Administrative, Technical and Physical Safeguards:• To insure the security and confidentiality of customer records and information• To protect against any anticipated threats or hazards to the security or integrity

of such records• To protect against unauthorized access to or use of such records or information

which could result in substantial harm or inconvenience to any customer

• In Canada:• Office for the Superintendent of Financial Institutions• Operational Risk includes data/information security, information technology

systems

Proprietary

Who owns the Mobile #?

Mobile: 647-391-

58XX

Email: timothy.banks@dentons.co

m

Office: 416-863-

4424

Who Owns What?

• “Your” Device• Right, title & interest is that of the employee’s• Need to have a contractual right to even touch it• Rights may terminate at the end of employment

• “Whose” Data?• Generally speaking, no property interest in “information”• May be confidential information that can be protected by

• contractual obligations (express or implied)• equity• Tort of misuse of confidential information

Fighting About the Followers & the Contacts & the IP

• Whitmar Publications Limited v. Gamage, [2013] EWHC 1881 (Ch)• Springboard use of company’s LinkedIn

groups• Injunction granted

• Eagle v Edcomm, 2013 WL 943350 (E.D.Pa., 2013)• Fired employee• Took over LinkedIn account• Misappropriated identity• No damages (didn’t prove any)

• What about IP created on employee owned device (inside/outside work hours)

Privacy: Levels of Intrusiveness

Control Gating prevention

Enforcement Exception Reporting

silent monitoring

Management Active Monitoring

overt collection

Employer’s Right to Monitor Employee Communications

• Yes, but more difficult on employee-owned device

• Arguably, need consent• Consider Criminal Code

• Worry about Intrusion Upon Seclusion• Consider: Lazette v. Kulmatycki, 2013 WL 2455937

• Employer-owned Blackberry device• Employee permitted to also use it for personal (had Gmail account)• Employee left; believed Gmail account deleted; thought phone would be wiped & recycled• Oops, former supervisor accessed Gmail account for 18 MONTHS!• Brought claim under Electronic Communications Protection Act

• Ripe for Tort of Intrusion upon Seclusion in Canada• Jones v. Tsige, 2012 ONCA 32

• Access of plaintiff’s bank accounts numerous times over four years• Tort of intrusion upon seclusion recognized• Jones awarded $10,000 in damages

Employer’s Right to Monitor Device Status

• “What part of Mine don’t you understand?”

• Doesn’t require interception of communications

• Monitoring the security of the end-point as condition of service

• Best to implement as part of a BYOD agreement

• Easier to explain to employees

• Easier to justify from a “privacy by design” perspective• Limiting collection• Limiting retention• Limiting use• Limiting disclosure

Investigations

• The device is locked with a PIN• You asked for it!• Employee doesn’t want to provide the PIN• Can you force it?• Probably Not! Will likely need judicial assistance.• All the more reason to ensure good Mobile Device Management and Container

Wiping

• Could you use Admin rights to get access and/or change passwords?

Control of Device / Wiping

• “You blocked my access to Drop Box and now you wiped the last [insert valuable IP] that I had”

• Consider Criminal Code• 430. (1) Every one commits mischief who wilfully• (a) destroys or damages property;• (b) renders property dangerous, useless, inoperative or ineffective;• (c) obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property; or• (d) obstructs, interrupts or interferes with any person in the lawful use, enjoyment or operation of

property.• (1.1) Every one commits mischief who wilfully• (a) destroys or alters data;• (b) renders data meaningless, useless or ineffective;• (c) obstructs, interrupts or interferes with the lawful use of data; or• (d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to

data to any person who is entitled to access thereto.

27

Questions

Timothy M Bankst: 416-863-4424e: timothy.banks@dentons.comfollow: @TM_Banks

Dentons Canada LLP

The preceding presentation contains examples of the kinds of issues that corporations could face. If you are faced with one of these issues, please retain professional assistance as each situation is unique.

28