1. You must revisit policies regularly.
2. Consumerisation could create risk.
Having a bring-your-own-device policy means data no longer resides solely behind corporate barriers, so it's "a test for how well CIOs know their company culture and where it draws the line between risk and convenience," Cline said. Sotto emphasised the importance of knowing which company documents may be under a legal hold — in other words, an employee must not destroy them. "It's hard to control that when it's the employee's own device," she said.
3. Employee education is critical.
Cline said training is the best way to mitigate risk, but it "doesn't move the needle of employee comprehensive behavior until it becomes meaningful to specific roles in the company." Agreeing, Sotto said: "It's important to tailor your training to your organisation. Educating consumers is a difficult task, and one I would say is daunting."
4. Regulations are evolving in the U.S.
President Obama has backed the Digital Advertising Alliance process, which would allow consumers the freedom to create their own privacy preferences. The FTC has also suggested privacy principles for companies to adopt that address consumer choice, policy promotion and transparency. Sotto suggested consulting a lawyer on how to deal with new or updated government policies like Do Not Track. "Implement best practices now so you don't have to retrofit your systems later," she said.
5. ... and in Europe.
Sotto said CIOs need to keep in mind that in Europe, privacy is a fundamental right, whereas in the U.S., it's a consumer right. In the EU, "you're not allowed to transfer data to a non-adequate jurisdiction," which Sotto said forces you to ask, "When you store data in the cloud, where is that cloud?" Cline suggested taking webinars to stay updated.
While the situation may differ in the Asian region, CIOs working for regional organisations should nonetheless keep abreast of the evolving laws governing the various countries in which their data is held.