A remarkable 75% of Canadian businesses now support the use of employee-owned smartphones and tablets, according to a joint white paper by Ontario’s information and privacy commissioner, Ann Cavoukian, and Telus.
The paper, released last week, highlights many of the risks associated with allowing employees to use their own mobile devices for company purposes. And when personal financial data is in the mix, financial advisors are likely to be at the forefront of this rapidly evolving intersection between professional relationships, personal privacy and corporate security.
Rather than trying to discourage the BYOD trend, the white paper lays out a five-step process to guard against what it says is a potentially dangerous blurring of the line between private and business use of mobile devices.
The white paper, called Bring Your Own Device: Is Your Organization Ready?, notes that “this blurring of the personal and business use of a mobile device raises many privacy concerns which, if not properly addressed, may result in privacy breaches, effectively turning the many benefits of BYOD into losses to the organization.”
The white paper lays out a set of five steps or recommendations designed to help companies avoid privacy violations caused by BYOD issues. The concept is to build privacy into the design of a company’s policies, as a more effective means of ensuring that violations do not occur as a result of everyday practices.
The steps deal with: identifying the needs of employees who use their mobile devices for work; making choices about which devices may be used by whom and the level of access they are given; developing a written policy dealing with security, monitoring, privacy, how company Wi-Fi may be used, and actions that will result in termination; additional measures to protect the security of the company’s IT system and how it stores personal information; and support for employees, including responses to lost or misplaced devices.
Timothy Banks, a lawyer at Dentons who specializes in data governance issues, has reviewed the white paper. He says he differs with it on one point. “In my view, a BYOD policy is insufficient to address the complexities of managing security and privacy expectations and the cooperation required by employees and information technology and security professionals,” he says.
Banks recommends that companies develop a written agreement that clearly sets out the rights and obligations of employers and employees who use their own mobile devices for work. With employees expecting privacy and employers expecting security of their data, such an agreement could help to greatly clarify what is fast becoming one of the most complex new trends in the workplace, he suggests.