BYOD and Martha Graham: The interpretive dance of security, privacy
The relationship between security and privacy in a BYOD environment is like an "interpretative dance," explains Constantine Karbaliotis, America's privacy leader for consultancy Mercer.
"Security pros and privacy people are going through all sorts of insane contortions to try and make BYOD actually work. It is becoming clearer that we have to engage in this dance with our business partners to manage this area of risk and opportunity," Karbaliotis told an RSA Conference panel here on Friday.
There are times when security and privacy coincide, such as efforts to prevent data breaches where both corporate and personal information of employees and customers could be exposed. But there are other times when security and privacy conflict, such as when IT wants to have extensive monitoring capabilities of its employees' personal devices.
Karbaliotis cautioned that enterprise efforts to provide security in a BYOD environment could run afoul of employees' personal privacy rights. "You will be getting data now about your employees and that is going to reveal a great deal more than you ever knew about them or you wanted to know about them… You learn exactly what they are doing and you have to think about it from the point of view of your IT staff being able to have access to a level of personal information you didn't have before."
Karbaliotis stressed that enterprises have to put in place clear BYOD policies spelling out what is permissible for employees to do and also what is permissible for IT staff to do in terms of access to personal information of employees.
"It is really about telling your employees what you are going to do. There is a combination of training and awareness that needs to take place. If you say, here is what is permissible and here is what we will monitor for, then you have carved out some rights to be able to monitor," Karbaliotis explained.
Laws about employee privacy are stricter in Canada than in the United States. The Canadian Privacy Commission has said that "you can't turn your workplace into a prison camp and have constant monitoring and no expectation of privacy. There is a reasonable expectation of privacy, and monitoring has to be limited to what is necessary to prevent the harm that the monitoring is intended for. It has to be proportional and effective," he said.
In the U.S., certain types of information are protected, such as medical records, explained Ellen Giblin, privacy and data protection group leader with the Ashcroft Law Firm. "Employees could have their medical records on their device or their children's medical records. If someone in corporate is looking at their information and there is no permission to do so, that is not an acceptable use and that is a breach," Giblin said.
Giblin noted that for other types of information, the legal issue is not as clear-cut in the United States. That contrasts with the European Union, where there are significant restrictions on disclosure of sensitive personal information to employers.
"Our laws are different; we have sector-specific restrictions, plus we have differing state laws. I don't think U.S. law is ever going to cover information such as what organizations you belong to or your religion. I don't think we are ever going to have privacy laws that cover the same type of information that the EU covers," she tells FierceMobileIT.
To address privacy risk, Giblin advises enterprises to minimize the opportunities to collect personal data about others, minimize the amount of personal data being collected, and minimize how long personal data is retained.