Bring-your-own-device (BYOD) and legal/regulatory compliance

Bring-your-own-device seems to be an irresistible tide, as employees connect endpoints to the network. So, what can you do to mitigate threats to compliance?

The tide of employee devices -- the bring-your-own-device (BYOD) phenomenon -- in the workplace is rising and possibly inevitable. But bring-your-own-device carries with it a whole host of compliance concerns. Just like corporate-owned devices, employee smartphones and tablets, if used for business purposes, will contain company data and therefore need to be taken into account in, for example, e-discovery searches.

In this interview, Bureau Chief Antony Adshead speaks with Mathieu Gorge, CEO of Vigitrust, about the threats to legal and regulatory compliance from employee devices used on the corporate network and how to mitigate those threats.

Read the transcript or listen to the podcast on bring-your-own-device (BYOD) and legal/regulatory compliance.

Adshead: What threats to compliance exist from data stored on employee devices?

Gorge: First of all, we need to understand the concept of bring-your-own-device. I think that in recession times, we’re seeing a lot of organisations letting employees bring their own devices, like iPads, tablets, memory keys and iPhones, and plugging them into the network. The company benefits from the fact it doesn’t need to invest in capex but it still benefits from employees being able to work in a more productive way by having access to email all the time and the corporate network and so on.

One of the issues with those devices is that they have huge storage capacity and they also provide instant access to the Internet, to social networks, to email, so the information that ends up being stored on those devices is somewhat outside of the control of the organisation.

So, [a “concierge service”] has been adopted by a number of organisations on both sides of the Atlantic, whereby the organisation will allow employees to bring certain types of devices and in exchange for that the employee allows the organisation to install some security software that allows them to monitor the data that’s being stored by the employees and monitor the access to the data.

Having said that, this could be a clear issue with regards to the “CIA” concept, where you look at confidentiality, integrity and access to the data.

It also brings up the issue of data classification, so, for instance, if you look at the Data Protection Act in the UK, if you look at PCI DSS, which both look at how data is collected and how it’s being stored, you can understand the complications when the data ends up on an employee-owned device. It gets even more interesting when you look at the FSA [Financial Services Authority] and when you look at full recording.

So, let’s say that an organisation is subject to regulation that needs me to record and store conversations relating to [perhaps] an insurance type of business. How do I do that for conversations that are being initiated on an employee device?

This leads on to the usual e-discovery aspects. Information needs to be available for such legal requests, but as an organisation, how am I going to explain that I can’t get it because I don’t have access to the device?

Finally, from an industry standards perspective, [ISO 27001] requires you to include all your assets in the scope that you want to certify, but in this case those assets are not corporate assets, so how do you go about incorporating them in your asset register and risk management strategy and in your risk treatment?

These are the high-level compliance issues with regards to storage of company data on employee devices.

Adshead: How can organisations mitigate threats to legal compliance from employee-owned devices?

Gorge: The first thing I would recommend would be to probably stay away from allowing employee devices on your network unless you’re fully prepared. So, first of all, you need to build a business case to weigh out the benefits and drawbacks with regards to compliance.

But, let’s say you decide the benefits outweigh the drawbacks. In that case, what you need to do is minimise the extent of additional work that this is going to create for you. So, you might want to standardise on device types that you allow employees to bring in. You may decide it will only be iPhones or BlackBerrys or iPads.

You then need to put in place the right policies and procedures and the training that goes with it. Remember that the Data Protection Act (1998) in the UK requires that you inform employees that you will be monitoring data to take appropriate security measures but also to protect the company’s and employees’ good name.

Then you need to build in an audit right within the right legal framework so that if something goes wrong you are able to exercise an oversight right and are allowed access to the device.

Where things get more interesting is from a technical storage and backup perspective: it is very important that your storage strategy includes employee devices if such devices are allowed.

I think that both from a legal and technical perspective, this is an area where international industry standards are lacking. So, you’re going to have to work with your legal folks as well as with your IT team so that you make sure that you have the right [BYOD] policy and update your contracts of employment, but also that you bring in the right discovery tools that will allow you to scan … [employee devices that might fall] beyond the usual scope of investigation and testing. 

So, the advice is to … gather intelligence, to start looking at concierge services … and to build all of this into your storage strategy and into your associated e-discovery programme.
