BreachExchange mailing list archives

BYOD poses data privacy challenge for businesses


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Oct 2014 19:17:17 -0600

http://www.itbusiness.ca/blog/byod-poses-data-privacy-challenge-for-businesses/51858

North Americans are inextricably tied to their mobile phones. The Pew
Research Center’s Internet & American Life Project has shown that in 2013,
more than 90 per cent of North American adults own and operate mobile
phones.

Interestingly, 56 per cent of that total consists of smartphone owners –
that means that there are now more smartphone users than regular cell phone
users and non-users combined.

It’s pretty easy to see how this came about. Mobile phones are practical,
easy to use, and essential to our lifestyle. Of course, that means that
there’s something important for us to realize: Our phones store and carry
information about nearly every aspect of our lives.

So, what happens with such information if the phone it’s on is seized by
law enforcement? This is a highly complex issue, and one that has recently
been the subject of a U.S. Supreme Court ruling.

Deciding on an appeal in the case of David Leon Riley, the court recognized
that large amounts of sensitive data are now stored on cell phones and that
this information requires a heightened level of protection. It ruled that
law enforcement officers must acquire a search warrant before looking at
the contents of cell phones seized from people they’ve arrested.

The public response to the ruling

This Supreme Court ruling was well-received by digital privacy supporters.
Many see it as a major victory for data protection. Though this may be
true, there are additional implications to consider. The heightened value
placed on personal privacy will impact both governments and businesses. For
example:

- Governments will have to change the ways in which they conduct electronic
and cyber reconnaissance activities; and
- Companies will have to revisit their approach to the management of
proprietary electronic information.

How the ruling impacts businesses using BYOD

The Bring Your Own Device (BYOD) trend is still gaining momentum in the
workplace. Many employees engage in this practice because of device
familiarity and (perceived) efficiency. The trend, paired with the Supreme
Court ruling, means that employers lose a degree of control over conduct on
employee-owned devices. It is going to be more difficult for employers to
secure proprietary information because the court has positioned digital
privacy more in favour of employees.

With this change in digital privacy protection, businesses need to be
concerned about how they, their customers, and their partners deal with
employees’ personal information in the context of a BYOD device.

In practical terms, this ruling means that someone accused of committing a
crime has the right to shield their phone’s digital content from
warrantless searches. The barriers to getting warrants aren’t necessarily
very high, but they do represent at least one more painstaking step in
securing important proprietary information from abuse.

The question is whether the privacy protection rights of employees are
going to cause major issues for employers who justifiably want to protect
confidential information from being abused or misused.

What’s next for businesses using BYOD

Given the potential for BYOD to leak sensitive information, managers need
to design and implement policies that will minimize this risk. Part of this
means having to address employees’ love of BYOD.

In the case of protecting one’s business, a policy of furnishing employees
with corporate-owned devices that they can personalize (i.e.,
corporate-owned, personally-enabled, or “COPE”) offers organizations much
more control. This in turn enables better security and could mitigate the
impact of privacy protection laws.

Naturally, personal information must and should be secured against
inappropriate prying, but this right must be balanced against business
owners’ needs to protect themselves as well.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
