
BYOD - Legal Considerations

8 May 2013

Legal and risk considerations in developing BYOD policies

Arvind Dixit Senior Associate

Corrs Chambers Westgarth

[email protected] 03 9672 3032

8636757/1


Outline


• BYOD Policies and considerations

• Legal landscape

• Liability issues

• Liability for personal devices

• Licensing and intellectual property law issues

• Insurance considerations

• Data Security

• Confidential Information

• Discovery issues

• Compliance with legislation

• Privacy

• Workplace surveillance and Telecommunications laws

• Managing the legal risks - policy checklist


BYOD POLICY CONSIDERATIONS

LEGAL LANDSCAPE

MANAGING LEGAL RISKS – POLICY CHECKLIST


BYOD Policies

• Purposes

  • Manage liability and risk

  • Ensure data security

  • Minimise data loss

  • Ensure compliance with legal and third party contractual obligations

  • Clearly define cost responsibilities


BYOD Policies

• Considerations

  • What devices can employees bring in?

  • What corporate applications will employees be granted access to?

  • What is acceptable use?

  • How much support will the organisation provide?

  • Security mechanisms?

  • What communications will be monitored?

  • What are the ramifications for violating the user policy?

  • How will the organisation handle security breaches, malware attacks, loss or theft of devices, data removal on employment ceasing?


BYOD POLICY CONSIDERATIONS

LEGAL LANDSCAPE

  I. LIABILITY ISSUES

  II. DATA SECURITY

  III. COMPLIANCE WITH LEGISLATION

MANAGING LEGAL RISKS – POLICY CHECKLIST


Legal framework – Liability issues

• BYOD Policies need to consider how liability will be apportioned between individual and the company.

  • Responsibility for lost or stolen devices

  • Responsibility for malware or virus attacks

    • Generated from a BYOD device?

    • Affecting the performance of a BYOD device but generated from company servers or other devices?

• Specific liability issues

  • IPR and Licensing issues

  • Insurance considerations


Legal Landscape – Liability issues

1. Licensing and IPR risks

• Review licensing agreements to ensure use of BYOD technologies will not breach licensing agreements the organisation has with third parties

• Per user per device / per user / per device?

• Allowing employees to use company applications on their own devices, for example, may breach the company’s current licensing agreement.

• Consider licence agreement for the BYOD applications

• What are the licence rights - one device per user?

• Consider restricting use of apps/software for work purposes where the company does not hold the licence rights.

• Mitigating against intellectual property claims from third party


Legal landscape – Liability issues cont …

2. Insurances

• What happens if a device is lost or stolen? Is it the company’s responsibility or the individual’s?

• Will the company’s insurance cover an employee’s personal device that is being used for BYOD purposes?

  • Review insurances

  • If the company will not be liable, clearly provide for this in the BYOD Policy


Legal landscape – Data Security

• Confidential Information

• Discovery and litigation obligations


Legal Landscape – Data Security

1. Confidential Information

- What confidential information do your employees have access to?

  - Confidential information of the organisation

  - Confidential information of third parties

- Confidential Information is protected under common law if:

  - the information has the necessary quality of confidence about it; and

  - the circumstances in which the information was communicated or obtained gives rise to a relationship of confidence.

- Disclosure can result in loss of protection at law as “confidential information”.

- Possible security measures to manage data security risk:

  - Manage data security by limiting ability to access highly sensitive confidential information on a “need to know basis”.

  - Ability to remotely wipe company data from a device and include such rights in your BYOD Policy.

  - Minimum user password requirements included in BYOD Policies.


Legal Landscape – Data Security

2. Discovery Obligations

• In litigation proceedings, parties must generally discover relevant documents that have been in the party’s possession, custody or control

• Documents produced by an employee in relation to their employment may need to be discovered, even if stored on their own device

• Parties cannot object to producing these devices on the basis that they also contain personal information

• To the extent possible, have procedures to separate ‘work’ and ‘personal’ data

• Ensure that data is adequately backed up

• Remind employees that personal emails may be ‘caught up’ in the discovery process

• If litigation is imminent, take steps to ensure that relevant electronic files are not erased


Legal Landscape – Ensuring compliance with regulatory obligations

1. Privacy Act 1988 (Cth)

2. Workplace Surveillance

3. Telecommunications (Interception and Access) Act 1979 (Cth)


Legal Landscape – Ensuring compliance with regulatory obligations - Privacy


• Convergence of personal and corporate data on the one device

• Scenario 1: Organisation handling personal information of individual using a BYOD device.

• Scenario 2: Disclosure/handling of personal information of others stored on corporate system.


Privacy – existing regime


• Privacy Act 1988 (Cth)

• Australian privacy laws do not specifically address BYOD-related privacy issues, and accordingly, it is a matter of applying existing privacy laws.

• Companies implementing BYOD policies may be subject to the National Privacy Principles.

• NPP 4: Data security

• Requires an organisation to take reasonable steps to protect the information it holds from misuse and loss and from unauthorised access, modification or disclosure.


Privacy – reforms

• Privacy Amendment (Enhancing Privacy Protection) Act 2012

• Key changes include:

• A single set of Australian Privacy Principles to replace and unify the current National Privacy Principles and Information Privacy Principles

• Replace the existing NPP 4 with a new APP 11: Security of personal information

• New enhanced powers for the Privacy Commissioner


Legal Landscape – Ensuring compliance with regulatory obligations - Workplace surveillance


• NSW and the ACT have specific legislation governing data surveillance (such as the monitoring of emails and use of devices) by employers:

  • Workplace Surveillance Act 2005 (NSW)

  • Workplace Privacy Act 2011 (ACT)

• Notice of all workplace surveillance must be provided to employees.

• Employers should have in place, and make easily available, a data surveillance policy


Legal Landscape – Ensuring compliance with regulatory obligations – GPS tracking

• All Australian jurisdictions have Acts dealing with the use of surveillance devices, for example:

  • Surveillance Devices Act 1998 (WA)

  • Surveillance Devices Act 1999 (Vic)

  • Surveillance Devices Act 2007 (NSW)

• In some states (such as WA, Vic and NSW) these acts make it unlawful for any person to install a tracking device to monitor the location of a person or an object (such as a BYOD device) without the express or implied consent of that person or the person in lawful possession of the object.

• It is therefore necessary to ensure all employees consent to any GPS tracking of their BYOD devices as mere notice of the tracking is insufficient.


Legal Landscape – Ensuring compliance with regulatory obligations – Telecommunications (Interception and Access) Act

• Similar to requirements under workplace surveillance laws, it is an offence for an employer to “intercept” any communication (either voice, or text) that travels over a telecommunications system (including an internal telecommunications system).

• “Interception” consists of listening to or recording, by any means, a communication in its passage over a telecommunications system without the knowledge of the person making the communication.

• Employers should ensure that any ability to record communications from a BYOD must be clearly disclosed to employees.


Managing the legal risks - policy checklist

BYOD – Legal Considerations 30 May 2012

Issues

Included?

Other Policies

• Tie BYOD policy to existing Acceptable Use Policy

Confidential Information

• Security measures are implemented such as ability to remotely wipe data.

• Are devices password protected?

Privacy

• Protecting data integrity

• Handling of security breaches, malware attacks, loss or theft of device

• To which corporate applications will access be granted?

• Decommissioning devices

• Implementing a data breach policy

Workplace surveillance

• Implementing a data surveillance policy

• Notifying BYOD device holders of monitoring or recording of communications from device

• Informing employees of what is acceptable use

Discovery

• Procedures for separating work and personal data, ensuring data is backed up and ensuring relevant documents are not deleted

• Informing employees of discovery obligations should litigation arise

Liability and Insurance

• Clearly identify in BYOD policy whether the user or company will be liable for loss or theft of BYOD Devices considering whether company insurance policies cover an employee-owned device being used under a BYOD policy.

• Clearly identify in BYOD policy whether the user or company is responsible for support and maintenance of BYOD devices including as arising from security threats.

Licensing

• Are the licensing terms of the BYOD software reflected in the company’s BYOD policy?

• Will use of software be restricted for work purposes where the company does not hold the licence?
