BYOD - Legal Considerations
8 May 2013
Legal and risk considerations in
developing BYOD policies
Arvind Dixit Senior Associate
Corrs Chambers Westgarth
[email protected] 03 9672 3032
Outline
• BYOD policies and considerations
• Legal landscape
  • Liability issues
    • Liability for personal devices
    • Licensing and intellectual property law issues
    • Insurance considerations
  • Data security
    • Confidential information
    • Discovery issues
  • Compliance with legislation
    • Privacy
    • Workplace surveillance and telecommunications laws
• Managing the legal risks: policy checklist
BYOD Policies
• Purposes
  • Manage liability and risk
  • Ensure data security
  • Minimise data loss
  • Ensure compliance with legal and third-party contractual obligations
  • Clearly define cost responsibilities
BYOD Policies
• Considerations
  • What devices can employees bring in?
  • What corporate applications will employees be granted access to?
  • What is acceptable use?
  • How much support will the organisation provide?
  • What security mechanisms will be required?
  • What communications will be monitored?
  • What are the ramifications for violating the user policy?
  • How will the organisation handle security breaches, malware attacks, loss or theft of devices, and removal of data when employment ceases?
Legal framework – Liability issues
• BYOD policies need to consider how liability will be apportioned between the individual and the company:
  • Responsibility for lost or stolen devices
  • Responsibility for malware or virus attacks
    • Generated from a BYOD device?
    • Affecting the performance of a BYOD device but generated from company servers or other devices?
• Specific liability issues
  • IPR and licensing issues
  • Insurance considerations
Legal Landscape – Liability issues
1. Licensing and IPR risks
• Review licensing agreements to ensure that use of BYOD technologies will not breach the licensing agreements the organisation has with third parties
  • Is the licence per user per device, per user, or per device?
  • Allowing employees to use company applications on their own devices, for example, may breach the company's current licensing agreement.
• Consider the licence agreement for the BYOD applications themselves
  • What are the licence rights: one device per user?
• Consider restricting use of apps/software for work purposes where the company does not hold the licence rights.
• Mitigate against intellectual property claims from third parties
Legal landscape – Liability issues cont …
2. Insurances
• What happens if a device is lost or stolen? Is it the company's responsibility or the individual's?
• Will the company's insurance cover an employee's personal device that is being used for BYOD purposes?
  • Review insurances
  • If the company will not be liable, clearly provide for this in the BYOD policy
Legal landscape – Data Security
• Confidential Information
• Discovery and litigation obligations
Legal Landscape – Data Security
1. Confidential Information
- What confidential information do your employees have access to?
  - Confidential information of the organisation
  - Confidential information of third parties
- Confidential information is protected under common law if:
  - the information has the necessary quality of confidence about it; and
  - the circumstances in which the information was communicated or obtained give rise to a relationship of confidence.
- Disclosure can result in loss of protection at law as "confidential information".
- Possible security measures to manage data security risk:
  - Manage data security by limiting the ability to access highly sensitive confidential information on a "need to know" basis.
  - Ability to remotely wipe company data from a device, with such rights included in your BYOD policy.
  - Minimum user password requirements included in BYOD policies.
Legal Landscape – Data Security
2. Discovery Obligations
• In litigation proceedings, parties must generally discover relevant documents that have been in the party's possession, custody or control
• Documents produced by an employee in relation to their employment may need to be discovered, even if stored on their own device
• Parties cannot object to producing these devices on the basis that they also contain personal information
• To the extent possible, have procedures to separate 'work' and 'personal' data
• Ensure that data is adequately backed up
• Remind employees that personal emails may be 'caught up' in the discovery process
• If litigation is imminent, take steps to ensure that relevant electronic files are not erased
Legal Landscape – Ensuring compliance with regulatory obligations
1. Privacy Act 1988 (Cth)
2. Workplace Surveillance
3. Telecommunications (Interception and Access) Act 1979 (Cth)
Legal Landscape – Ensuring compliance with regulatory obligations - Privacy
• Convergence of personal and corporate data on the one device
• Scenario 1: Organisation handling personal information of the individual using a BYOD device.
• Scenario 2: Disclosure/handling of personal information of others stored on the corporate system.
Privacy – existing regime
• Privacy Act 1988 (Cth)
  • Australian privacy laws do not specifically address BYOD-related privacy issues, and accordingly it is a matter of applying existing privacy laws.
• Companies implementing BYOD policies may be subject to the National Privacy Principles.
  • NPP 4: Data security
    • Requires an organisation to take reasonable steps to protect the information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Privacy – reforms
• Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth); its amendments commenced on 12 March 2014
• Key changes include:
  • A single set of Australian Privacy Principles to replace and unify the current National Privacy Principles and Information Privacy Principles
  • Replacing the existing NPP 4 with a new APP 11: Security of personal information
  • New enhanced powers for the Privacy Commissioner
Legal Landscape – Ensuring compliance with regulatory obligations - Workplace surveillance
• NSW and the ACT have specific legislation governing data surveillance (such as the monitoring of emails and use of devices) by employers:
  • Workplace Surveillance Act 2005 (NSW)
  • Workplace Privacy Act 2011 (ACT)
• Notice of all workplace surveillance must be provided to employees.
• Employers should have in place, and make easily available, a data surveillance policy
Legal Landscape – Ensuring compliance with regulatory obligations – GPS tracking
• All Australian jurisdictions have Acts dealing with the use of surveillance devices, for example:
  • Surveillance Devices Act 1998 (WA)
  • Surveillance Devices Act 1999 (Vic)
  • Surveillance Devices Act 2007 (NSW)
• In some states (such as WA, Vic and NSW) these Acts make it unlawful for any person to install a tracking device to monitor the location of a person or an object (such as a BYOD device) without the express or implied consent of that person or the person in lawful possession of the object.
• It is therefore necessary to ensure all employees consent to any GPS tracking of their BYOD devices, as mere notice of the tracking is insufficient.
Legal Landscape – Ensuring compliance with regulatory obligations – Telecommunications (Interception and Access) Act
• Similar to the requirements under workplace surveillance laws, it is an offence for any person, including an employer, to "intercept" any communication (voice or text) that travels over a telecommunications system (including an internal telecommunications system).
• "Interception" consists of listening to or recording, by any means, a communication in its passage over a telecommunications system without the knowledge of the person making the communication.
• Employers should therefore ensure that any ability to record communications from a BYOD device is clearly disclosed to employees.
Managing the legal risks - policy checklist
BYOD – Legal Considerations 30 May 2012
Issues (tick each item once it is included in the policy):

Other policies
  [ ] Tie the BYOD policy to the existing Acceptable Use Policy

Confidential information
  [ ] Security measures are implemented, such as the ability to remotely wipe data
  [ ] Are devices password protected?

Privacy
  [ ] Protecting data integrity
  [ ] Handling of security breaches, malware attacks, loss or theft of devices
  [ ] To which corporate applications will access be granted?
  [ ] Decommissioning devices
  [ ] Implementing a data breach policy

Workplace surveillance
  [ ] Implementing a data surveillance policy
  [ ] Notifying BYOD device holders of monitoring or recording of communications from the device
  [ ] Informing employees of what is acceptable use

Discovery
  [ ] Procedures for separating work and personal data, ensuring data is backed up and ensuring relevant documents are not deleted
  [ ] Informing employees of discovery obligations should litigation arise

Liability and insurance
  [ ] Clearly identify in the BYOD policy whether the user or the company will be liable for loss or theft of BYOD devices, considering whether company insurance policies cover an employee-owned device being used under a BYOD policy
  [ ] Clearly identify in the BYOD policy whether the user or the company is responsible for support and maintenance of BYOD devices, including as arising from security threats

Licensing
  [ ] Are the licensing terms of the BYOD software reflected in the company's BYOD policy?
  [ ] Will use of software be restricted for work purposes where the company does not hold the licence?