Companies should adopt a risk-based approach to BYOD security

September 26, 2016

The United States Federal Bureau of Investigation (FBI) has released almost 200 pages of notes from its recent probe into Hillary Clinton’s private email server. Given that a summary of the 200 pages had already been published in the overall FBI investigation report, the documents contain little that is new. However, the timing of the release – just a few days before the first Presidential debate with rival Donald Trump in New York – has ensured that the issue of data security remains in the public consciousness.

This is also the case some 8,000 miles away in Hong Kong, where the trend towards ‘Bring Your Own Device’ (BYOD) has come to the attention of the territory’s Privacy Commissioner. On 31 August, the Commissioner published an information leaflet that highlighted the risks of data breaches in situations where employees use their own mobile phones or other personal devices to access work emails and systems.

Hong Kong-based DLA Piper partner Scott Thiel says: “Unlike previous industry-specific guidance, the information leaflet is generally applicable to all companies permitting BYOD in Hong Kong and [they] remain fully responsible for compliance with the Personal Data (Privacy) Ordinance (Cap. 486) and the Data Protection Principles.”

Previous industry-specific BYOD guidance includes that issued by the Hong Kong Association of Banks (HKAB). Among suggested best practices for organisations permitting BYOD, the HKAB recommends that companies take into account whether data is stored directly on personal devices or within isolated data platforms – known as ‘sandboxes’.

The Privacy Commissioner’s information leaflet reflects this approach to BYOD security, says Thiel. “[It] suggests that organisations adopt a risk-based approach to BYOD security, implementing access controls and security measures proportionate to the types of personal data stored in or accessible by BYOD equipment and the harm and likelihood of loss or unauthorised disclosure.”

Prior to any BYOD implementation, companies are encouraged to conduct risk assessments and implement internal BYOD policies in order to ensure appropriate data privacy and data security compliance. Appropriate policies include those around employee training on the use of personal data stored in BYOD devices, and the presence of security measures such as sandboxing, password protection and independent encryption to ensure the secure transfer and storage of personal data on BYOD equipment.

The information leaflet asserts that respect for personal data should be mutual under the BYOD scheme, adds Thiel. “Any practices implemented to manage employees’ BYOD devices should respect the employees’ private information,” he says.
