Friday, 9 August 2013
Personal Devices May Pose Corporate Risk
There is a growing move towards what has become known as BYOD - or Bring Your Own Device to work.
It is claimed it makes it easier for people to work from home or otherwise remotely if they have to carry around only one device.
But working from home, or checking business emails on your smartphone could present a significant risk to a company’s confidentiality and security, warns lawyer Christopher Hallam, Senior Associate at Derby firm Robinsons Solicitors.
He has been charting the rise of the BYOD culture but says that laptops, tablets and smartphones have become a hybrid communications platform that can blur the owner’s personal data and the employer’s data.
“Such is the personal attraction and attachment to these devices that owners want to use them in the course of their employment, and some employers seem only too happy for them to do so,” explains Christopher.
“Yet employers should not be too hasty to allow BYODs. Under data protection law the data controller (usually the employer) must remain in control of personal data regardless of the electronic device it is on.
"An employer is liable for any breach by an employee, and this can include a phone left at a meeting bearing confidential information, or a laptop left on a train,” he adds.
“The data protection law provides for personal liability for offences, too.”
The threat is exacerbated, according to Christopher, because many employers see BYODs as saving expenditure on IT equipment. However, without carrying out a full risk assessment and putting in place the appropriate policies in the employment manual, there is little in place to prevent a data breach until it is too late.
As with most business activities, a policy is required; in this case to govern the use of BYODs. Such policies, however, are unlikely to be binding unless brought to each side’s attention before new working practices are introduced.
Essentially, a policy starts with one question – should BYODs be allowed in the company workplace, or should they be banned? In the event of the second answer, an employer must think practically about the implications.
“Are they prepared to invest in giving employees laptops or smartphones for exclusive work usage? Every company will have its own answer," said Christopher.
Working from home, too, is fraught with risk, he said. “Few people would consider a threat to company security in their own home; however, a curious or mischievous teenager could easily cause havoc with access to a parent’s work details. A careless tweet or Facebook post is all it takes.”
In such a case, employers should consider strict rules on access, such as only permitting home-working via password-protecting Local Area Networks.
“The technological changes of the past decade – and those of the next – represent a huge change in working culture, and employers must be alert to the implications. The issue is not going to go away."Back