One of the biggest inhibitors to organisations implementing BYOD programs is the perceived lack of data security. Two topics generally colour the legal framework in the context of data security: confidential information and litigation obligations, both of which are concerns for any mobility-based system.
The loss of a device that holds sensitive corporate information presents the greatest confidentiality risk. It is important to keep in mind that particular information might be considered to be confidential even if it is not marked as such. Information may be protected at common law if it has the necessary quality of confidence about it, and it is communicated in circumstances of confidence.
A lost device may not only expose the organisation's sensitive information, but may also potentially breach confidentiality obligations that the organisation owes to third parties.
A technical solution which significantly reduces the level of risk is to implement a 'sandbox' approach, in which any organisational information is isolated and stored in a particular segment of the device that can be remotely wiped, without touching the rest of the device, in the event that the device is lost or stolen or the employee leaves the organisation.
Of course, any remote wipe functionality which is not carefully administered may also inadvertently wipe personal data of an employee -- it is important to highlight this risk in the BYOD policy to avoid claims for lost holiday photos arising down the track!
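The sandbox-plus-remote-wipe model above, and the caveat that the wipe must not reach the employee's personal data, can be made concrete. The following is an added example written for this article, not code from any MDM product: work records live in a container encrypted under a single container key held separately from the ciphertext, personal data lives outside the container in plaintext, and a "remote wipe" destroys only the container key. The names (Container, Device, RemoteWipe) are invented for illustration. Destroying the key makes every work record unreadable even if a copy of the ciphertext has already been backed up elsewhere, while the personal store is never touched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrWiped is returned for any access to the work container after a wipe.
var ErrWiped = errors.New("work container has been wiped")

// Container is the sandboxed segment of the device that holds organisational
// data. Every record is AES-256-GCM encrypted under one container key, which is
// stored apart from the ciphertext so that destroying the key alone makes all
// records unrecoverable.
type Container struct {
	key     []byte            // 32-byte key; nil once wiped
	records map[string][]byte // nonce || ciphertext, keyed by record name
}

// NewContainer provisions a fresh container with a random key (hypothetical API).
func NewContainer() (*Container, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Container{key: key, records: map[string][]byte{}}, nil
}

func (c *Container) aead() (cipher.AEAD, error) {
	if c.key == nil {
		return nil, ErrWiped
	}
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put stores a work record. The record name is bound as associated data so a
// ciphertext cannot be silently moved from one record to another.
func (c *Container) Put(name string, plaintext []byte) error {
	g, err := c.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	c.records[name] = g.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Get decrypts a work record; it fails with ErrWiped after a wipe.
func (c *Container) Get(name string) ([]byte, error) {
	g, err := c.aead()
	if err != nil {
		return nil, err
	}
	blob, ok := c.records[name]
	if !ok {
		return nil, fmt.Errorf("no record %q", name)
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("record too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Records reports how many ciphertext blobs remain (they survive a wipe but are useless).
func (c *Container) Records() int { return len(c.records) }

// RemoteWipe overwrites and drops the container key. Nothing outside the
// container is touched, which is the property the BYOD policy needs.
func (c *Container) RemoteWipe() {
	for i := range c.key {
		c.key[i] = 0
	}
	c.key = nil
}

// Device models a phone: the employee's own data sits outside the container.
type Device struct {
	Personal map[string][]byte
	Work     *Container
}

func main() {
	work, err := NewContainer()
	if err != nil {
		panic(err)
	}
	// Constructed sample data.
	d := &Device{Personal: map[string][]byte{"holiday.jpg": []byte("beach")}, Work: work}
	_ = d.Work.Put("board-minutes.txt", []byte("commercially sensitive"))

	d.Work.RemoteWipe()
	_, err = d.Work.Get("board-minutes.txt")
	fmt.Println("work record after wipe:", err)               // ErrWiped
	fmt.Println("personal data after wipe:", string(d.Personal["holiday.jpg"])) // untouched
}
```

Wiping the key rather than the records is what lets the wipe be fast, safe for the personal partition, and effective against copies of the ciphertext that have already left the device; the design still depends on the key never being backed up alongside the records.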
Certain information should potentially never be sent to or accessed by a BYO device. This is no different from any other mobile device, but in certain circumstances -- for example, access to particularly sensitive types of documentation, or travel to certain countries -- it may be that BYO devices, and mobile devices generally, should simply not be used.
Organisations should also be aware of the possibility of their sensitive information being stored offshore in the event that employees use services such as iCloud or Dropbox to back up elements of their device. Information could end up being stored in a country that is less secure than Australia, or which is subject to broad governmental access rights (such as under the US Patriot Act). Whether this is a real concern for an organisation will obviously depend on the sensitivity of the relevant information.
When developing and implementing a BYOD strategy, organisations need to remember that the information stored on BYO devices may have to be discovered (ie provided to the court and the other side) if the business becomes involved in litigation. An organisation cannot object to producing particular information on the basis that it also contains personal information of an employee.
If data becomes mixed, the cost associated with sorting through that data (and removing personal information) may be prohibitive. This highlights the importance of adopting procedures to separate work and personal data at the outset, and ensuring that only work data is backed up.