This post was written prior to our January 2017 merger, under our previous firm name, MacPherson Leslie & Tyerman LLP.
Many organizations permit (or would like to permit) their employees to use their personal mobile and computing devices for business as well as personal purposes. Although such “Bring Your Own Device” or “BYOD” programs have a number of important benefits (including reducing costs and increasing employee satisfaction and productivity), it is also important that organizations consider the various risks associated with a BYOD program and develop appropriate risk-mitigation strategies. These risks are significant and can include financial loss, reputational harm, loss of sensitive business information, and privacy breaches – to name only a few. As such, it is important to ensure that these risks are appropriately addressed in your BYOD program.
Until recently, there was relatively limited guidance for organizations considering BYOD programs from a privacy and security perspective. However, over the last few months, a number of Information and Privacy Commissioners from across Canada have established guidelines for organizations considering BYOD programs. In particular, we now have guidance from the Saskatchewan, Alberta, British Columbia, Federal, and Ontario Information and Privacy Commissioners in this respect. These guidelines are useful because they outline the general principles that an organization should consider prior to implementing its BYOD program. Further, because case law on the topic remains relatively limited, organizations are well advised to review and implement these guidelines as “best practices” for BYOD programs. The following is a brief summary of some of the key considerations for organizations in implementing (or reviewing) a BYOD program:
1. Have you considered the available guidance in planning your BYOD program? As noted above, the organization should review and carefully consider the guidance that is available from the Information and Privacy Commissioners. Some important items to consider in planning a BYOD program include:
- Get executive buy-in when planning and implementing your BYOD program – this will ensure that you have the resources to plan and successfully implement a BYOD program that appropriately addresses privacy and security concerns.
- Assess privacy and security principles and risks – given the nature of BYOD programs and the blurring of lines between business and personal, organizations must consider that they may inadvertently collect personal information from employee-owned devices in a BYOD program. As such, it is important to consider the rules that apply to your organization’s collection, use, and disclosure of personal information when considering implementing a BYOD program. Further, given their nature, there are a range of privacy and security risks associated with BYOD programs. As such, completing a Privacy Impact Assessment and Threat Risk Assessment before implementing your BYOD program can help to identify, prioritize, and mitigate privacy and security risks. Various Information and Privacy Commissioners have published useful guidance and forms for organizations to use during this process.
- Pilot the program – testing your BYOD program on specific platforms or with specific staff members can help you to identify and address privacy and security gaps prior to full implementation.
2. Do you have appropriate safeguards in place to protect your business network and information? Appropriate safeguards (including administrative, technical, and physical safeguards) should be developed or updated to appropriately reflect the realities of a BYOD program. Some of the key safeguards to consider are:
- Develop a customized BYOD policy. A BYOD policy that addresses the risks inherent in BYOD programs can go a long way to mitigating these risks. Although your BYOD policy should be customized to your organization, some key items that should be considered include: user responsibilities, monitoring, privacy expectations and consents, acceptable uses, sharing of devices, applications (apps), cloud-based services, device settings, security features, BYOD program restrictions (for example: limitations on permitted devices), access to information on devices, access requests, processes for when an employee leaves the organization, and employee discipline.
- Develop or update related policies. Your customized BYOD policy should be accompanied by related policies relating to privacy, confidentiality, acceptable use, social media, and storage and retention of information. These other policies should address your BYOD program and appropriately reflect the separation between business and personal use and information on employee-owned devices.
- Consider and implement technical solutions that satisfy the goals of and address the risks associated with your BYOD program. Adopting appropriate technical software solutions (including, for example, encryption, anti-virus, and “Mobile Device Management” solutions) can be very helpful to mitigate risks associated with BYOD programs. These solutions have a number of functions that can assist with device management and administration, as well as with minimizing privacy and security risks (including, for example, “containerizing” the device to separate personal and business use). The appropriate software solution for your organization will need to be determined on a case-by-case basis. However, it is important to ensure that you have appropriate documentation in place with employees prior to installing software on their devices. It is also important to ensure that you have considered the requirements and implications of Canada’s Anti-Spam Legislation (CASL) before this type of software is installed.
- Implement the program well. Just as developing a good BYOD framework is important to mitigating risk, it is important to ensure that the framework is appropriately implemented and supported. This includes developing appropriate training materials and programs, including regular training for employees (and documentation of such training) as well as technical support for BYOD programs.
3. Have you considered all employment-related issues? The fact that employee-owned devices are used for both personal and business purposes raises a number of employment-related issues. Some of the key issues include: responsibilities for costs associated with employee-owned devices, including the cost of the devices or data and voice plans; ownership of devices; acceptable uses of devices; monitoring protocols for devices; obligations with respect to work performed outside of office hours using devices; discipline for misconduct using devices – both during and outside of office hours; and processes for employees leaving the organization temporarily or permanently – for example, what happens to the device or the information on the device when an employee is away on a temporary leave, is terminated, or resigns?
4. Does your BYOD program appropriately reflect your employees’ reasonable expectations of privacy in their devices? The Supreme Court of Canada recognized in R v Cole, 2012 SCC 53, that employees can have a reasonable expectation of privacy in work devices, and that the extent of such expectation depends on the particular circumstances. Generally, where personal use of a device is permitted or can reasonably be expected (as is the case with BYOD programs), employees have a reasonable expectation of privacy in the device. Further, the Court held that an employer’s policies can diminish – but not entirely remove – this expectation. As such, any proposed monitoring of employee-owned devices should be carefully planned and restricted to ensure that such monitoring is appropriate.
5. Do you have a plan for when things go wrong? It is important to consider and outline a clear incident management process that outlines responsibilities with respect to detection, containment, reporting, investigation, and correction of security incidents and privacy breaches in a consistent and timely manner. Such a process – including a current inventory of devices in the BYOD program – will assist your organization in managing and mitigating damages if things go wrong.
While a BYOD program can be attractive, there are a number of risks that should be considered and addressed prior to implementing such a program. Further, there is no “one size fits all” for BYOD programs, and the framework that is right for your BYOD program will depend on your organization. As a result, organizations may wish to consult legal counsel with respect to implementing BYOD programs to ensure that they are mitigating, to the extent possible, the risks associated with such programs.