FAQ: How do BYOD security concerns complicate regulatory compliance?

Bring-your-own-device programs are touted as a way to improve employee satisfaction, increase productivity and reduce costs. They also create huge security and compliance risks. Is your program prepared?

The bring-your-own-device movement has enticed organizations that pursue BYOD to increase productivity, improve morale and possibly even reduce capital costs. When employees use their own devices without constraint, however, they are exposed to unsecured networks, untrusted application downloads and untrusted data. They are also more likely to visit dubious websites and sometimes leave the devices behind in places such as a train or a bar, creating more BYOD security concerns.

Allowing employees to use personal devices for work increases the risk that company data is lost or vulnerabilities are exploited. When users choose their own equipment and operating systems, it becomes more challenging for IT to secure hardware and data, and it becomes harder to ensure compliance with data-related regulations. As a result, meeting compliance requirements for data security, e-discovery and industry standards without endangering user privacy becomes complicated in the BYOD environment.  

This FAQ is part of SearchCompliance.com's IT Compliance FAQ series.

What compliance risks does the BYOD movement introduce?

With employee-owned devices, the hardware itself may be lost or stolen, leaving company data and networks vulnerable. The U.S. government addressed these and other challenges in 2012, issuing a BYOD "toolkit" for federal agencies. The document notes that data security could be at risk if an operating system is compromised by malware or device misuse. Operations security could be jeopardized if a device divulges data about a user in particular environments or if transmission can be intercepted.

IBM adopted a BYOD policy in 2010 -- and two years later, the company made headlines when it banned employees from using certain popular applications on mobile devices because of a "tremendous lack of awareness" about security risks. Among the apps banned were public file-transfer services such as Dropbox and the iPhone's voice-activated assistant, Siri. Because IBM doesn't control these applications, company officials were concerned that a lack of BYOD security would put confidential data at risk.

More resources:

IBM confronts BYOD security obstacles

Toolkit to support federal agencies implementing bring-your-own-device programs

What privacy-related compliance risks arise in the BYOD context?

Organizations have an obligation to safeguard their sensitive data, but they have to be careful not to violate employee privacy when doing so. Employee behavior on corporate-owned devices and networks can be monitored, but the same measures may raise privacy and security concerns if employees are using their own devices.

Similarly, remote wiping of lost or stolen personal devices "becomes complicated from a legal and cultural point of view," Gartner researchers noted in a 2012 study. If a user hasn't authorized personal data to be wiped, the organization could face liability. Selective wiping may create less of a privacy red flag, but Gartner found that it "is proving to be difficult in ensuring that all business data, and only business data, has been deleted from the device." When users are given the option of participating in a BYOD program, Gartner recommends that they be required to give explicit, written consent to data deletion in the case of a lost, stolen or compromised device.

More resources:

Security hurdles when moving from enterprise-owned devices to BYOD

BYOD legal issues a concern due to data protection, privacy laws

What special compliance risks do health care and financial organizations face with BYOD?

The highly regulated health care industry faces an array of data privacy and security obligations. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), for example, health organizations have strict requirements for how electronic protected health information (ePHI) can be handled. If an employee-owned device is used to access or store ePHI, it would be subject to HIPAA compliance requirements. Organizations would then have to encrypt corporate data, remotely configure and manage devices, then apply dynamic policy controls restricting access to particular data or apps. The health care organization would also have to enforce access controls and data rights, monitor device integrity, protect against malware, manage policies and generate compliance reports.

The financial industry is subject to extensive regulatory requirements regarding data safeguarding as well. Under Securities and Exchange Commission rules, firms have to maintain records of employees' business communications and make sure the records can be readily retrieved and reviewed. Financial institutions allowing employees to use their own devices for work must ensure that the organization can still locate, access and retrieve relevant data when needed.

More resources:

BYOD security policies help health care organizations secure personal devices

SIFMA releases BYOD trends and audit considerations

What legal-related compliance issues complicate BYOD security?

During the litigation process known as e-discovery, data has to be available if requested, and it is more complicated to safeguard, locate and retrieve data when it's stored on employee-owned devices. When Intel developed its corporate e-discovery program, it did so with BYOD security in mind, the company explained in a June 2012 white paper.

Intel encourages data to flow over its own servers, which not only makes it easier to find data when requested, but also helps the company comply with privacy laws. Employees who participate in the BYOD program must sign a service agreement, which outlines how e-discovery requests are handled.

More resources:

Intel: Successful e-discovery when implementing a BYOD policy

E-discovery tools lacking in cloud, BYOD era

What nonregulatory compliance issues arise under BYOD?

Employee use of personal devices for work purposes can complicate compliance with industry standards. The Payment Card Industry Data Security Standard (PCI DSS), for example, presents extensive guidelines on how data should be collected and stored. Businesses subject to PCI DSS rules have to take several precautions, including configuring BYOD devices themselves and ensuring that firewalls are installed. In February 2013, the PCI Security Standards Council warned against BYOD as a best practice because merchants don't have control over the content and configuration of a device.

Complying with software licensing obligations can also become tricky in a BYOD environment. With Microsoft's Enterprise Licensing Agreements, for example, a company agrees to license any device that is used for the company's benefit using the software. If an employee uses his or her own device for work, that device needs to be included in the licensing agreement.

More resources:

Security guidelines for PCI mobile payment acceptance

BYOD and mobile cloud apps complicate licensing compliance

How can organizations mitigate the compliance risks associated with BYOD?

To reduce the risk of corporate data being lost or compromised via an employee-owned device, organizations should establish clear mobile device security policies and make sure users adhere to them. Devices should be password-protected, data stored on them should be encrypted, and the devices should be kept current with security patches. User agreements should authorize the organization to remotely wipe data if a device is lost or stolen.

Usage policies restricting applications and website access can reduce compliance risks as well. An enterprise app store, application blacklisting and whitelisting, and URL-filtering tools can help enforce these policies.
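The controls above (passcode, encryption, patch currency, signed remote-wipe consent, application blocklist) can be turned into a device-compliance check before a device is allowed to hold company data. The following is an added example, not code from the article; the device records, field names, the 30-day patch threshold and the blocked-app list are all constructed assumptions.

```python
# Added example: evaluate constructed BYOD device records against the policy
# controls described above. All records, field names and thresholds are assumed.
from dataclasses import dataclass, field
from datetime import date

MAX_PATCH_AGE_DAYS = 30                # assumed policy threshold
BLOCKED_APPS = {"dropbox", "siri"}     # mirrors the IBM example in this FAQ
AS_OF = date(2013, 3, 1)               # assumed assessment date

@dataclass
class Device:
    owner: str
    passcode_set: bool
    storage_encrypted: bool
    last_patched: date
    wipe_consent_signed: bool          # written consent to remote wipe (Gartner)
    installed_apps: list = field(default_factory=list)

def compliance_findings(dev, today=AS_OF):
    """Return the policy controls a device fails; an empty list means compliant."""
    findings = []
    if not dev.passcode_set:
        findings.append("no passcode")
    if not dev.storage_encrypted:
        findings.append("storage not encrypted")
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not dev.wipe_consent_signed:
        findings.append("remote-wipe consent not signed")
    blocked = sorted(a.lower() for a in dev.installed_apps if a.lower() in BLOCKED_APPS)
    if blocked:
        findings.append("blocked apps installed: " + ", ".join(blocked))
    return findings

def may_access_corporate_data(dev, today=AS_OF):
    """Access gate: only a fully compliant device may hold company data."""
    return not compliance_findings(dev, today)

def compliance_report(devices, today=AS_OF):
    """Map each owner to that device's findings, for the compliance reports regulators expect."""
    return {d.owner: compliance_findings(d, today) for d in devices}

# Constructed inventory (not real devices or employees)
INVENTORY = [
    Device("alice", True, True, date(2013, 2, 20), True, ["mail"]),
    Device("bob", True, False, date(2012, 12, 1), False, ["Dropbox", "mail"]),
]
```

Running `compliance_report(INVENTORY)` yields an empty finding list for the compliant device and a list of failed controls for the other, which is the evidence a compliance reviewer would want before the device is enrolled.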

More resources:

More companies allowing employees to bring their own device

BYOD benefits and risks: A guide for IT managers