IAPP Panel Discusses BYOD and the “Technology Divorce”

Published: May 15, 2013 by Michael Bruemmer

As mobile technology continues to dominate the workplace, look for more organizations to adopt “bring your own device” programs to stay competitive.  If your organization falls into this category, how will you protect your data? And just as importantly, how will you control your employees’ activities on their devices?

This was the subject of mock debate held recently at the IAPP Global Privacy Summit. The debate, sponsored by Experian®, pitted an employer against an employee who wanted to use his own devices.  Dan VanBelleghem, Chief Security Architect with NCI Information Systems, played the employee and Orrie Dinstein, Chief Privacy Leader & Senior IP Counsel with GE Capital, played an attorney for the employer.  Murray Johnston,  Director, Government Affairs and Public Policy at Experian, was the moderator. The debate sparked much interest, as it’s a conversation being heard in boardrooms across the globe.

So if you want to adopt a BYOD program, how do you get started? Well the best way, according to security experts, is to have employees sign a comprehensive agreement. Here are some important concepts to keep in mind when drafting this agreement.

The technology divorce separates your employee’s data from your data. There are various ways to accomplish this. For instance, you can put an encrypted container on your employee’s device and have all of your organization’s data live inside of that container. Your employee can then store all of his or her personal data outside the container. You can also use dual boot scenarios. So if Dan is your employee, he can log in either as an employee or individual. There are other ways to separate data but regardless of the method, security experts say it must be done.

The control freak needs to use some discipline. When an employee – let’s say Dan – uses his own device, can you restrict the types of sites he visits? What if there’s an investigation, can you get access to his text messages or emails? These are issues that need to be addressed upfront. Your employee agreement can stipulate that you need to have access to your employee’s device.  Also, that you need to install anti-virus software and have access to the employee’s email or text messages if there’s an investigation. But as an employer, you need to understand the complexity and legal ramifications surrounding BYOD and monitoring your employees.  There is a fine line between privacy and business needs that should be addressed when monitoring employee activity on devices.

Paying the tab needs to be addressed, too. If Dan wants to use his own smartphone instead of the company issued hardware and your anti-virus software breaks his phone, who pays for it? You can stipulate that Dan would pay because he wanted to use his device instead of the company-issued smartphone.

However, BYOD agreements need to be fair. If organizations use agreements that are too rigid and violate their employees’ privacy, then employees will either refuse to work for the organization or they’ll sign the agreement and violate it. In either case, you’ll be defeating the purpose of having a safe and secure BYOD program.

For a better understanding of the risks and challenges associated with BYOD programs, visit

http://www.ustream.tv\ExperianDBR    to watch the panel debate.