Yesterday, we looked at some of the big issues around the Bring Your Own Device movement in the enterprise — including remote wiping. Today we are going to focus on liability issues — who’s responsible if a phone gets lost or stolen, and will cyber risk insurance policies that covered your corporate phones cover ones owned by individuals?
Once again, we turned to Rich Santalesa, who is Senior Counsel at the InfoLawGroup, LLP, a law firm specializing in privacy, security, technology, media, advertising and intellectual property law — and he warns companies to be cautious as they move to BYOD, making sure that there are clear policies in place.
Santalesa said with this change to user-owned devices, there are liability issues you need to consider.
“There may be significant differences as between corporate-owned devices and personally-owned devices if a device is stolen, lost and then involved in a data breach or broader lawsuit,” Santalesa explained.
In fact, it can have a big impact if you carry cyber risk insurance. “For starters, any existing cyber risk insurance policy may not cover employee-owned devices and it’s important to review the definitions and coverages provided,” Santalesa said.
And if there’s a data breach, an insurer might deny responsibility when a BYOD phone is involved if the policy’s language is restricted to corporate devices. “Responding to a data breach is extremely expensive and time consuming and a company may, in the end, find itself in for a rude awakening if it’s determined a breach can be traced back to a BYOD situation and an existing policy clearly or arguably declaims coverage for defense, investigation, notification costs and any penalties imposed as a result.”
He points out, however, that you need to check the language in your particular policy because it varies. If it explicitly states that it only covers “devices owned by or leased to the insured organization,” you might want to revisit your coverage.
Even when insurance doesn’t come into play, Santalesa says, there are other legal issues that could. “Regardless of whether insurance covers costs, in a breach or other related lawsuit situation use of BYOD will raise the issue of ‘legally defensible’ security as a court interprets whether reasonable security was utilized in its determination as to the existence of negligence.”
One way to alleviate that risk is to implement sensible enterprise-wide security policies, something that IT pro Brian Katz recommended in a post today called BYOD, The Secret Sauce. Katz suggests creating a sensible Acceptable Use Policy that brings together all the stakeholders in the organization, including end users.
Santalesa agrees, but looks at it strictly from a legal standpoint, explaining that if you have a security policy in place, it can help protect you in the event of a lawsuit related to a data breach on a BYOD device, assuming the individual complied with it.
And that could be a problem. In a recent blog post by his colleague, Dave Navetta, The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device), Navetta explained, “A BYOD situation inevitably, to some extent, means that companies are relying on individual employees to reasonably secure personal devices used for company purposes and accessing company data.”
If employees fail to comply, that’s when problems arise, so you have to ensure that everyone understands and follows the policy.
None of this is to suggest that you should stay away from BYOD. You probably couldn’t even if you wanted to because employees are increasingly using their own devices on company time regardless of the policies you have in place.
It’s also important to note that Santalesa is looking at this strictly from a legal point of view, not from a pure technology or IT professional’s viewpoint, but it’s worth heeding his advice and looking for ways to build sensible policies around BYOD before your company is subject to some expensive legal action.