BYOD – A practical solution or risk too far – PARIMA Zoom Conference
This PARIMA Zoom Conference was reported on by our website consultant contractor. The conference occurred at 3 AM Eastern Time.
PARIMA is an international risk management organization. They invited us to sit in and report on the webinar. PARIMA has been very accommodating to us over the last four years. Check out their website here.
The PARIMA Zoom conference from last month can be found here.
Gerallt Owen – Managing Director – Kroll
Jenny Zhuang – Of Counsel – Dentons Hong Kong
Bryan Tan – Partner – Pinsent Masons
Steve Tunstall – Director, Group Head of Compliance and Risk – Wadzpay.com
PARIMA Zoom Conference – What is BYOD?
Bring your own devices (“BYOD”) is an organizational policy that allows employees to use their own electronic devices to access the organization’s information, including personal data collected by the organization.
BYOD – Guidance from the PCPD – Speaker: Gerallt Owen
Saying: “When Pandemic hits, people get READY.”
In August 2016 the Privacy Commissioner for Personal Data, Hong Kong issued BYOD guidance:
“It is important to realize that even though the personal data is stored on a device owned by the employee, the organization remains fully responsible for compliance with the Personal Data (Privacy) Ordinance (the “Ordinance”) in respect of this personal data.
Organizations should therefore establish administrative, physical, and technical measures to ensure that such personal data is protected and reinforce these measures through written policies, notifications, and training.”
PARIMA Zoom Conference – Understanding the Key BYOD risks
Understand where your organization is:
- Open-source applications with low security standards
- Potential Malware on a USB drive
- Data breach
- Contractual Breaches
- Regulatory investigations
- Weak security configuration
- Theft of Intellectual Property
- IT security data
- User-initiated data loss
- Higher Potential for accidental data loss
- The leak of Sensitive information
- Unsanctioned BYOD devices
- Lack of Security
- Unapproved software
- Training needs to be relevant to the BYOD
- Training on BYOD policy
LOSS OF CONTROL
- Lack of monitoring
- Lack of control and visibility on other software added to the device
- User sharing devices or passwords with others
- Part-exchanged devices
- Ability to wipe devices remotely
- Personal and Business data loss
BYOD and the Employment Relationship – Speaker: Jenny Zhuang
- Why is it important to have a BYOD policy?
- How do you police or enforce such a policy?
- Can an employer fire an employee for his/her failure to comply with the BYOD policy?
- What happens when an employee leaves the organization?
What should a BYOD policy contain?
- A clear statement as to whether it will be incorporated into the employment contract
- Employer’s written consent required for using personal devices for work
- Activities allowed vs activities not allowed
- Minimum hardware and software requirements
- Clearly state the employer’s right to access/inspect, delete, or demand return or destruction of company data
- Consequences of non-compliance
- Intellectual property rights
- Emphasize employee’s duty to comply with data privacy laws
- Disclaimer of employer liability
- Assertion of employer’s legal right to seek indemnity or contribution
- Cross-reference to other existing policies such as general IT policy, cyber security policy, social media policy, anti-discrimination/anti-harassment/anti-bullying policy
- Contain an acknowledgment form that the employees should sign and return to the employer
BYOD according to the Personal Data Protection Commission – Speaker: Bryan Tan
Guide to Securing Personal Data in Electronic Medium
Security measures taken to protect portable computing devices should apply whether the devices are issued by organizations or owned by employees (e.g. Bring Your Own Device or BYOD).
Advisories on Collection of Personal Data for Covid-19 Contact Tracing and Use of SafeEntry
If you are permitting employees to install and run organization-supplied apps on their own personal devices, you should implement BYOD policies to govern the installation and use of organization-supplied apps on employees’ personal devices.
PDPA 2020 amendments – Enforcement (not in force until at least 1 Feb 2022)
Financial penalty cap – the higher of 10% of annual Singapore turnover or S$1M
BYOD – Mandatory Breach Notification – (in force)
- “data breach”, in relation to personal data, means:
- (a) the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data; or
- (b) the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorized access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
- s26C – where an organization has reason to believe that a data breach has occurred affecting personal data in its possession or under its control, the organization must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach.
PARIMA Zoom Conference BYOD – Legal and Regulatory considerations
- Data Breach – do you need to report, what do you report, what are the consequences?
- Investigations – how do you respond to production orders for BYOD equipment? How do you conduct a litigation hold or legal hold? Over-collection? Under-collection? What if the BYOD device has been disposed of? What if the employee has left?
PARIMA Zoom Conference – Question
Steve Tunstall’s question: “How will Risk Managers handle BYOD?”
Bryan Tan responded: “remote test Protocol and insurance premium.”
This was a great webinar. When the next PARIMA Zoom conference occurs, we will post it in the articles.
©J&L Risk Management Inc Copyright Notice