A ”bring your own device” (BYOD) program is a popular arrangement used by employers, whereby employees use their personal devices (e.g., smartphones, laptops, or tablets) for both personal and business purposes. Last year, about two-thirds of Canadian private sector employers had at least one employee using personal devices for business-related activities.[1] While the BYOD approach may offer certain advantages, such as greater flexibility and cost savings, employers should be mindful of the cybersecurity and privacy risks when leaving employees to their own devices.
In this article, we explore some of these risks along with best practices employers can implement to mitigate these concerns.
Cybersecurity Risks
In the course of the digital transformation of workplaces, cybersecurity is more important than ever. Employers could suffer significant harm in the event of a breach, especially where sensitive business information is stored on employees’ personal devices. A BYOD model can cause employees to inadvertently introduce vulnerabilities to their employer’s network, including by:
- Limiting patching and/or updates to devices, leading to outdated security systems;
- Failing to implement appropriate safeguards (e.g., antivirus, anti-malware, “jailbreak”[2] detection);
- Accessing unauthorized applications or websites;
- Leaking data between business and personal applications;
- Sharing personal devices with family and friends; and
- Limiting employers’ ability to monitor and detect threats.[3]
These vulnerabilities all come down to the employer having less visibility and control over how personal devices are used outside of business-related activities. If a BYOD model is in place, employers should set out clear guidance and enforce appropriate security-related requirements to address these risks.
Employee Privacy Considerations
Monitoring activity, restricting access, and hardening security measures would mitigate most of the risks outlined above; however, employers must also balance cybersecurity with employees’ expectation of privacy. Canadian courts have affirmed that information in a cell phone or other electronic devices may be considered personal to its owner.
Before implementing a monitoring policy for personal devices, employers should understand what obligations, if any, they may be subject to and ensure compliance with them. For instance, the Personal Information Protection and Electronic Documents Act (“PIPEDA”)[4] requires federally regulated employers to inform employees of the collection, use and disclosure of their personal information. Employees’ consent is not required where the collection, use or disclosure is necessary to manage the employment relationship and the employees are clearly informed of all the purposes for its use.[5]
The Office of the Privacy Commissioner of Canada has held that this exception to consent does not apply where the notice to its employees fails to identify all of the purposes for collecting, using or disclosing personal information. It is a best practice for federally regulated employers to obtain employees’ consent to ensure their monitoring policy is compliant.
While provincially regulated employers are not subject to PIPEDA in relation to employee personal information, employee privacy rights may arise from a collective agreement in a unionized workplace and, in limited circumstances, from the common law in non-unionized workplaces. In addition, provincial privacy legislation substantially similar to PIPEDA has been enacted in British Columbia, Alberta and Quebec. Therefore, provincially regulated employers in these provinces will be subject to the obligations under their respective privacy legislation.
Furthermore, Ontario’s Employment Standards Act, 2000[6]now requires provincially regulated employers in Ontario who have 25 or more employees to adopt a workplace “electronic monitoring policy.” The contents and scope of this policy are discussed in our previous article here.
Employee privacy considerations may also be relevant even when the personal device is no longer part of the BYOD program, such as when an employee leaves the company or if the device gets lost or stolen. Employers should take care to ensure their BYOD policy gives them the discretion to wipe all or some employee information from their personal devices as necessary to protect the employer. While a full wipe may be more secure, employees may find it unreasonable and thus, selective wiping may be preferred.
BYOD Best Practices
The Office of the Privacy Commissioner of Canada published guidelines on what employers should consider when preparing a BYOD policy. We have summarized below some of these best practices:
- Employers should consult appropriate departments, such as information technology/management, legal, finance, and human resources, when developing their policy and prior to their implementation.
- Training materials and programs should be developed and delivered regularly, to educate employees on topics such as encryption, malware, data retention, and authentication.
- The policy should outline the employer’s accountability for its employees’ personal information. Provisions relating to collecting personal information, electronic monitoring, and device wiping should be clearly set out, and appropriate consents should be obtained.
- The policy should set out security-related controls and restrictions. Employers should consider implementing mobile device management software to ensure optimization and security of device functionality and communications.
The full list of the guidelines can be found here.
Key Takeaways
Employers that adopt a BYOD model need to be mindful of the cybersecurity and employee privacy considerations at play. A robust BYOD policy can help mitigate these risks by clearly outlining employer and employee expectations.
[1] BYOB – Bring Your Own Business (device), Statistics Canada: https://www.statcan.gc.ca/o1/en/plus/2222-byob-bring-your-own-business-device.
[2] Jailbreaking is the process of modifying a device to remove restrictions imposed by the manufacturer or operator. This is typically done to allow for installing unauthorized software.
[3] End-user device security for bring-your-own-device (BYOD) deployment models (ITSM.70.003), Canadian Centre for Cyber Security: https://www.cyber.gc.ca/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003.
[4] SC 2000, c 5.
[6] SO 2000, c 41.