Allowing staff to provide their own smartphones and tablets can raise important data protection issues as well as have business implications for the organisation if, for example, employees leave or outsiders have access to the device and any confidential data stored on it, as Seth Berman explains.
The proliferation of smartphones and tablets in the workplace is breaking down the barrier between personal and work-related data. However, the growing number of organisations relaxing their previously staunch opposition to “bring your own device” (BYOD) policies raises concerns about security. A failure to manage this process, both from a technical and HR perspective, could leave critical systems and confidential information exposed to data loss, malware, hackers and espionage.
Smartphones have already landed a number of staff and employers in hot water, with employment tribunals hearing evidence relating to the use of social media (Preece v JD Wetherspoons ET/2104806/10 and Crisp v Apple Retail UK ET/1500258/2011). A key factor in many cases is the absence of effective internet, social media and communications policies, with clear parameters for acceptable use. With BYOD, employers are moving into uncharted territory that has yet to be fully explored by tribunals.
In dealing with information held on personal devices, it is important to ensure compliance with the Data Protection Act 1998. The Employment practices code, published by the Information Commissioner’s Office (ICO), offers clear guidance on the obligations of employers.
The dilemma of safeguarding the rights of a member of staff against the wider obligations of an employer presented a particular challenge for one organisation. As a major sports club found to its cost, a lack of clarity on the separation of personal and corporate data and use can cause both data protection and access issues.
The club had issued a full set of IT devices to key staff, but also allowed individuals to use personal computers and devices for work. A senior member of the club’s management opted to work exclusively on his personal devices, which meant data was backed up to the corporate network only sporadically. However, when he left the club it quickly became clear that up-to-date copies of confidential and important files were missing.
With the individual objecting to his personal devices being reviewed by the ex-employer, it was left to external forensic specialists to unearth the data. This failed implementation of a BYOD policy could have caused serious data protection and reputational consequences for the club because the private devices contained significant caches of confidential data, including medical records of players.
BYOD smartphones are becoming a potential exfiltration point for data when employees leave. However, conducting an internal investigation or responding to court orders is not straightforward when the device is not owned by the company and contains both personal and corporate data. As a result, an employer may be unable to determine whether or not there has been unauthorised access to corporate data.
One employer took direct action when it became clear that its BYOD policy had failed to protect confidential information. After the resignation of a member of staff who had been working on a sensitive project, an initial attempt was made to delete the relevant data.
However, because the data resided on the individual’s personal device and the employee would not grant access to it, the employer decided to use its own servers, with which the phone was still communicating, to remotely wipe the device in its entirety. As a result, the former employee lost much of his personal data and subsequently made a claim against the company.
A more effective strategy is to issue each member of staff with a dedicated corporate device where use can be restricted to work-related tasks. The sheer diversity of devices that can come into play in a BYOD environment can also make it difficult to manage software updates and support effectively, which increases the risk of a data breach.
With employee-owned devices, individuals often add their own content, access whatever websites they want and even allow others – for example, their children – to use the device. In practice, a lack of clear boundaries could result in staff unwittingly infecting the device with malware that could expose confidential data stored on the device or even open a door to the corporate systems more broadly.
When implementing a BYOD environment, organisations must take active steps to isolate corporate use on such devices. Purpose-specific secure software, which allows access to corporate systems over an encrypted channel, can be preferable to approving generic apps for corporate use.
The strategy must also address the use of peripheral devices, such as USB storage, where clear boundaries are equally important. One organisation providing services to financial firms allowed staff to use their own thumb drives to store business information.
Months after a project with a major international bank had been completed, the client’s lawyers were mailed a drive, accompanied by a note stating that the device, which clearly contained confidential bank data, had been found on a train. After a forensic investigation, it was established beyond doubt which of the bank’s vendors had lost the thumb drive and what data had been compromised.
Ultimately, personally identifiable information for many bank employees was compromised. The vendor that had lost the drive had no idea that the data breach had occurred because it did not track the use of personal devices. This kind of data breach has become a familiar story, which inevitably attracts the attention of the ICO.
BYOD is tempting for corporations because it appears to save money while delivering the flexibility and ease of access increasingly expected by users, but employers must proceed with caution to ensure they fulfil their clear obligation to safeguard sensitive data.
Seth Berman is executive managing director and UK head of Stroz Friedberg, a digital risk management and investigations company.