Many organizations are embracing BYOD (Bring Your Own Device) policies, and organizations that have yet to implement them are under great pressure from their employees to begin the practice. But in many industries, especially heavily regulated ones like health care and finance, there are legal liabilities attached to protecting the data in addition to the basic security requirements. BYOD has reshaped the way many organizations think about security. The shift has been from control over hardware to access control of data.
Change is always difficult for large organizations. Change with legal ramifications attached becomes even more daunting. However, there is such a large opportunity around BYOD that organizations cannot ignore it, and must instead implement strategies to protect the integrity of their data, making it accessible to the employees who need it while at the same time protecting themselves from legal liabilities.
There is great uncertainty in the level of legal liability companies have for data stored and accessed through personal devices. Who is legally responsible for data on personal devices? Is it the company or the individual? For that matter, who is legally responsible for the security of data stored in third-party data centers or in cloud computing environments? The easiest way to answer the question of legal liability is to just assume that the business will be responsible. Customers or business partners who suffer financial loss or sue for damages will not go after an employee or third-party vendor to seek restitution. They will come after the business. Despite the legal uncertainties, deploy any BYOD policy with the assumption that your business will ultimately be legally liable for data security. This requires data security professionals to determine how best to maintain control over data security without having direct control over the hardware from which that data is accessed. This requires a software solution.
BYOD Hardware vs. Software
BYOD hardware has gotten easier with modern tools, but software on BYOD is tricky. BYOD gives employees the opportunity to use the devices they prefer and use services that help them do their jobs most effectively. One major challenge with BYOD is employees using third-party software to do their jobs. This poses challenges when teams or individuals within a company entrust their data to third-party vendors that either don’t have approval from the IT security departments or don’t meet the data security requirements needed to stay compliant. With the wide availability of web apps and mobile applications, it is very difficult to prevent employees from using unapproved applications even if the hardware is under the full control of the IT department. This means policies will have to be in place, and enforced, governing what sort of data can be put into unapproved third-party applications.
Data security over hardware security
Obvious examples of data that needs to be protected are financial and medical data, which are covered by policies requiring PCI and HIPAA compliance. These are legal requirements regardless of who owns the hardware. The data has to be protected whether it is on the organization’s mainframe, on the CEO’s personal laptop, or in a cloud computing provider’s data center. Solving the security problem across these platforms is a software and policy challenge, not one that requires specialized hardware. Who owns the hardware is a non-issue. What is important is who owns and has access to the data. Every effort should still be made to keep hardware secure, but IT security managers shouldn’t be kept up at night worrying about laptops being sold in airports.
There will continue to be legal uncertainties in the realm of data security. However, instead of getting caught up in legal debates, or making all company data inaccessible except through approved and owned company hardware, security managers should focus on protecting and controlling the data through strong encryption and robust access controls.