BYOD - Legal Considerations
23 October 2012
Legal and risk considerations in
developing BYOD policies
Arvind Dixit Senior Associate
Corrs Chambers Westgarth
[email protected] 03 9672 3032
7702923/1
Outline
• BYOD policies and considerations
• Legal landscape
  • Liability issues
    • Liability for personal devices
    • Licensing and intellectual property law issues
    • Insurance considerations
  • Data security
    • Confidential information
    • Discovery issues
  • Compliance with legislation
    • Privacy
    • Workplace surveillance and telecommunications laws
• Managing the legal risks - policy checklist
BYOD Policies
• Purposes
  • Manage liability and risk
  • Ensure data security
  • Minimise data loss
  • Ensure compliance with legal and third party contractual obligations
  • Clearly define cost responsibilities
BYOD Policies
• Considerations
  • What devices can employees bring in?
  • What corporate applications will employees be granted access to?
  • What is acceptable use?
  • How much support will the organisation provide?
  • What security mechanisms will be required?
  • What communications will be monitored?
  • What are the ramifications for violating the user policy?
  • How will the organisation handle security breaches, malware attacks, loss or theft of devices, and data removal when employment ceases?
Legal framework – Liability issues
• BYOD policies need to consider how liability will be apportioned between the individual and the company.
  • Responsibility for lost or stolen devices
  • Responsibility for malware or virus attacks
    • Generated from a BYOD device?
    • Affecting the performance of a BYOD device but generated from company servers or other devices?
• Specific liability issues
  • IPR and licensing issues
  • Insurance considerations
Legal Landscape – Liability issues
1. Licensing and IPR (intellectual property rights) risks
• Review licensing agreements to ensure use of BYOD technologies will not breach licensing agreements the organisation has with third parties
  • Is the licence per user per device, per user, or per device?
  • Allowing employees to use company applications on their own devices, for example, may breach the company's current licensing agreement.
• Consider the licence agreement for the BYOD applications
  • What are the licence rights - one device per user?
  • Consider restricting use of apps/software for work purposes where the company does not hold the licence rights.
• Mitigate the risk of intellectual property claims from third parties
Legal landscape – Liability issues cont …
2. Insurances
• What happens if a device is lost or stolen? Is it the company's responsibility or the individual's?
• Will the company's insurance cover an employee's personal device that is being used for BYOD purposes?
  • Review insurances
  • If the company will not be liable, clearly provide for this in the BYOD policy
Legal landscape – Data Security
• Confidential Information
• Discovery and litigation obligations
Legal Landscape – Data Security
1. Confidential Information
• What confidential information do your employees have access to?
  • Confidential information of the organisation
  • Confidential information of third parties
• Confidential information is protected under common law if:
  • the information has the necessary quality of confidence about it; and
  • the circumstances in which the information was communicated or obtained give rise to a relationship of confidence.
• Disclosure can result in loss of protection at law as "confidential information".
• Possible security measures to manage data security risk:
  • Limit the ability to access highly sensitive confidential information to a "need to know" basis.
  • Ability to remotely wipe company data from a device, with such rights included in your BYOD policy.
  • Minimum user password requirements included in BYOD policies.
Legal Landscape – Data Security
2. Discovery Obligations
• In litigation proceedings, parties must generally discover relevant documents that have been in the party's possession, custody or control.
• Documents produced by an employee in relation to their employment may need to be discovered, even if stored on their own device.
• Parties cannot object to producing these devices on the basis that they also contain personal information.
• To the extent possible, have procedures to separate 'work' and 'personal' data
• Ensure that data is adequately backed up
• Remind employees that personal emails may be 'caught up' in the discovery process
• If litigation is imminent, take steps to ensure that relevant electronic files are not erased
Legal Landscape – Ensuring compliance with regulatory obligations
1. Privacy Act 1988 (Cth)
2. Workplace Surveillance
3. Telecommunications (Interception and Access) Act 1979 (Cth)
Legal Landscape – Ensuring compliance with regulatory obligations - Privacy
• Convergence of personal and corporate data on the one device
• Scenario 1: Organisation handling personal information of an individual using a BYOD device.
• Scenario 2: Disclosure/handling of personal information of others stored on the corporate system.
Privacy – existing regime
• Privacy Act 1988 (Cth)
  • Australian privacy laws do not specifically address BYOD-related privacy issues; accordingly, it is a matter of applying existing privacy laws.
  • Companies implementing BYOD policies may be subject to the National Privacy Principles.
  • NPP 4: Data security
    • Requires an organisation to take reasonable steps to protect the information it holds from misuse and loss and from unauthorised access, modification or disclosure.
  • Employee records exemption
Privacy – reforms
• Privacy Amendment (Enhancing Privacy Protection) Bill 2012
• Key proposed changes include:
  • A single set of Australian Privacy Principles to replace and unify the current National Privacy Principles and Information Privacy Principles
  • Replace the existing NPP 4 with a new APP 11: Security of personal information
  • New enhanced powers for the Privacy Commissioner
• Notification requirements
  • The Office of the Australian Information Commissioner (OAIC) launched its updated Data Breach Notification Guidelines in April 2012.
  • The Guidelines recommend that if a data breach creates a real risk of serious harm to an individual, the organisation should:
    • directly notify the affected individual as soon as reasonably possible; and
    • notify the OAIC of the data breach if it is appropriate to do so.
Legal Landscape – Ensuring compliance with regulatory obligations - Workplace surveillance
• NSW and the ACT have specific legislation governing data surveillance (such as the monitoring of emails and use of devices) by employers:
  • Workplace Surveillance Act 2005 (NSW)
  • Workplace Privacy Act 2011 (ACT)
• Notice of all workplace surveillance must be provided to employees.
• Employers should have in place, and make easily available, a data surveillance policy.
Legal Landscape – Ensuring compliance with regulatory obligations – GPS tracking
• All Australian jurisdictions have Acts dealing with the use of surveillance devices, for example:
  • Surveillance Devices Act 1999 (Vic)
  • Surveillance Devices Act 2007 (NSW)
• In some states (such as Vic and NSW) these Acts make it unlawful for any person to install a tracking device to monitor the location of a person or an object (such as a BYOD device) without the express or implied consent of that person or the person in lawful possession of the object.
• It is therefore necessary to ensure all employees consent to any GPS tracking of their BYOD devices, as mere notice of the tracking is insufficient.
Legal Landscape – Ensuring compliance with regulatory obligations – Telecommunications (Interception and Access) Act
• As with the workplace surveillance laws, monitoring is restricted: it is an offence for an employer to "intercept" any communication (whether voice or text) that travels over a telecommunications system (including an internal telecommunications system).
• "Interception" consists of listening to or recording, by any means, a communication in its passage over a telecommunications system without the knowledge of the person making the communication.
• Employers should ensure that any ability to record communications from a BYOD device is clearly disclosed to employees.
Managing the legal risks - policy checklist
(Checklist slide dated 30 May 2012. Columns: Issue | Policy item | Included?)

Other policies
• Tie the BYOD policy to the existing Acceptable Use Policy

Confidential information
• Security measures are implemented, such as the ability to remotely wipe data
• Are devices password protected?

Privacy
• Protecting data integrity
• Handling of security breaches, malware attacks, loss or theft of device
• To which corporate applications will access be granted?
• Decommissioning devices
• Implementing a data breach policy

Workplace surveillance
• Implementing a data surveillance policy
• Notifying BYOD device holders of monitoring or recording of communications from the device
• Informing employees of what is acceptable use

Discovery
• Procedures for separating work and personal data, ensuring data is backed up and ensuring relevant documents are not deleted
• Informing employees of discovery obligations should litigation arise

Liability and insurance
• Clearly identify in the BYOD policy whether the user or the company will be liable for loss or theft of BYOD devices, considering whether company insurance policies cover an employee-owned device being used under a BYOD policy
• Clearly identify in the BYOD policy whether the user or the company is responsible for support and maintenance of BYOD devices, including as arising from security threats

Licensing
• Are the licensing terms of the BYOD software reflected in the company's BYOD policy?
• Will use of software be restricted for work purposes where the company does not hold the licence?