BYOD_BYOC PPT - CBA PSL - 2015-10-28


Transcript of BYOD_BYOC PPT - CBA PSL - 2015-10-28

Page 1: BYOD_BYOC PPT - CBA PSL - 2015-10-28

MITIGATING PRIVACY AND DATA SECURITY RISKS IN BYOD AND BYOC

INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS

WWW.PRIVACYASSOCIATION.ORG

Presented to the CBA Public Sector Lawyers Forum and Privacy and Access Law Committee

By: Abigail Dubiniecki, B.C.L., LL.B., CIPM Legal Counsel, Canadian Air Transport Security Authority

October 28, 2015

Page 2: BYOD_BYOC PPT - CBA PSL - 2015-10-28

WHAT IS BYOD?


The use by employees of personal electronic communication devices, such as smart phones and tablets (“personal devices”) to perform some or all of their work duties, usually while connected to the employer’s network.

Page 3: BYOD_BYOC PPT - CBA PSL - 2015-10-28

OR AS GARTNER, A GLOBAL IT RESEARCH & ADVISORY COMPANY DESCRIBES IT….

Bring Your Own Device:

The practice of deliberately breaching enterprise security by putting sensitive data on an unknown, uncontrolled, untrusted, unmanaged device.

Page 5: BYOD_BYOC PPT - CBA PSL - 2015-10-28

BYOD & BYOC AS INEVITABLE

“NO ONE IS GOING TO GIVE UP THEIR DEVICES DURING WORK HOURS AND IF YOU TRY AND BAN THEM, THEY’LL JUST USE THEM ON THE SLY. FORCING PEOPLE TO GO UNDERGROUND WITH THEIR SMARTPHONES INCREASES RATHER THAN DECREASES YOUR SECURITY RISKS…”

“WHETHER YOU LIKE IT OR NOT, ENDORSE IT OR NOT, YOUR EMPLOYEES WILL USE THEIR OWN DEVICES FOR WORK RELATED ACTIVITIES, SO SETTING PARAMETERS IS CRITICAL, AND BOTH YOUR POLICY AND DATA SECURITY PROTOCOLS NEED TO BE TIGHT”

Page 6: BYOD_BYOC PPT - CBA PSL - 2015-10-28

EVEN FORMER SECRETARIES OF STATE DO IT

Page 7: BYOD_BYOC PPT - CBA PSL - 2015-10-28

PERSONAL EMAIL ACCOUNTS FOR PUBLIC BUSINESS – MANY RISKS WITH LITTLE REWARD?

• Data mining (Yahoo)

• Terms of use monitoring

• E-discovery/spoliation

• ATIP/FIPPA compliance

• Privilege

• Trade secrets

• Unknown 3rd parties

• Savvy subpoenas

• Security (hackers)

• Info-governance (CIA)

Page 8: BYOD_BYOC PPT - CBA PSL - 2015-10-28

BYOD has a close cousin lurking in the shadows…

“Bring Your Own Cloud” (BYOC)

The use of third party, cloud-based applications to generate, store, share, or otherwise transmit data for work-related purposes. Also called “shadow IT” when done without corporate approval or blessing.

Page 9: BYOD_BYOC PPT - CBA PSL - 2015-10-28
Page 10: BYOD_BYOC PPT - CBA PSL - 2015-10-28

MOST POPULAR APPS ARE CLOUD-BASED…

Page 12: BYOD_BYOC PPT - CBA PSL - 2015-10-28

CLOUD USE AS BREACH

BitGlass 2015 experiment: Deliberately posted an Excel spreadsheet containing fake credit card, SSNs, fake names, phone numbers, addresses and profiles to a public DropBox account & to a few cybercrime fora.

Findings

• First 8 days, no movement, 200 views. 4 days later, 800 views.

• After 12 days: opened at least 1081 times in 22 different countries, with clusters in Russia and Nigeria.

• Footprint of private chatroom? Coordinated criminal enterprise? Dark web?

Ponemon study showed it takes over 40 days to detect a non-malicious breach. Often takes months, not days, to discover a breach, even a malicious one. Target: 24 days. Home Depot: 4 months. PF Chang’s: 10 months.

Page 13: BYOD_BYOC PPT - CBA PSL - 2015-10-28

THE NON-MALICIOUS INSIDER AS THREAT

“While external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious…Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today,...”

– Ponemon 2013 Cost of Data Breach

Gartner says that by 2017, 75 percent of mobile security breaches will be the result of mobile application misconfiguration. “A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices.”

ESDC (2012) and CRA (2006) breaches illustrate that even without BYOD, non-malicious insiders played key roles in serious breaches of personal information. “Employees must therefore be provided timely access to training to ensure that they have the necessary knowledge, skills and competencies to effectively carry out their [ILM] duties.”

Page 14: BYOD_BYOC PPT - CBA PSL - 2015-10-28


DIFFERENT, YET THE SAME

Though the corporation relinquishes control in an important way, Information Life Cycle Management (ILM) principles, privacy obligations, discovery obligations, and fair information principles continue to apply.

Data security is about people, and organizations are only as strong as their weakest link. Employees are the biggest wild card, whether or not BYOD or BYOC are formally permitted.

Page 15: BYOD_BYOC PPT - CBA PSL - 2015-10-28

A PARADIGM SHIFT

BYOD & BYOC put privacy, security (and your data) in the hands of the biggest wild cards – employees, 3rd party app developers, cloud providers, family members, data brokers, and networks.

BYOD and BYOC can be secure, but drastic changes are required. This is as much a Legal issue as it is an IT issue.

Re-orient enterprise security programs: Track & protect data, monitor & enforce compliance, protect privacy, meet regulatory requirements = info-governance, HR, risk management, cybersecurity.

Re-think traditional IM/IT approaches: Outlaw (good luck) or leverage the Cloud & 3rd-party apps while protecting security & privacy. ISO 27018; SLAs; shareware (Soonr, Druva InSync), IBM Cloud Security Enforcer.

Page 16: BYOD_BYOC PPT - CBA PSL - 2015-10-28

BYOD & BYOC BLUR PROFESSIONAL AND PERSONAL, CREATING VARIOUS RISKS:

(1) PRIVACY

(2) DATA & IT SECURITY

(3) COMPLIANCE

(4) HR/IP

Page 17: BYOD_BYOC PPT - CBA PSL - 2015-10-28

WE CAN’T HAVE PRIVACY WITHOUT SECURITY

Monitoring abnormal activity can identify potential misuse of information or policy breaches & permit early intervention to prevent leaks BUT can lead to over-collection of PII, incl. metadata, such as:

• IP address

• Geo-location/geo-fencing

• Identification & authentication

• Keystroke & screen shots

• Filters & firewalls

• DLP

• Logs, browser history

• Usage stats

BUT IF WE DON’T BALANCE DATA PROTECTION WITH EMPLOYEE PRIVACY, PROTECTIVE MEASURES CAN LEAD TO INVASIVE SURVEILLANCE

Page 18: BYOD_BYOC PPT - CBA PSL - 2015-10-28

PRIVACY IN THE DIGITAL AGE

The devices which give us this freedom also generate immense stores of data about our movements and our lives. Ever-improving GPS technology even allows these devices to track the locations of their owners. Private digital devices record not only our core biographical information but our conversations, photos, browsing interests, purchase records, and leisure pursuits. Our digital footprint is often enough to reconstruct the events of our lives, our relationships with others, our likes and dislikes, our fears, hopes, opinions, beliefs and ideas. Our digital devices are windows to our inner private lives. …our law must also evolve so that modern mobile devices do not become the telescreens of George Orwell’s 1984.

Page 19: BYOD_BYOC PPT - CBA PSL - 2015-10-28

PRIVACY IN THE DIGITAL AGE

Searches of Text Messages and Email - Akin to Wiretapping

R. v. TELUS Communications Co., 2013 SCC 16: Printing of stored text messages subject to wiretap provisions.

R. v. Pelucco, 2015 BCCA 370: Applies to sent text messages.

R. v. S.M., 2012 ONSC 2949: Text conversation is similar to voice conversation.

R. v. Ley and Wiwchar, 2014 BCSC 2108: Zoomed casino CCTV live feed to read text messages.

Page 20: BYOD_BYOC PPT - CBA PSL - 2015-10-28

EMPLOYEES HAVE A REASONABLE EXPECTATION OF PRIVACY, EVEN ON WORK-ISSUED DEVICES

Computers that are used for personal purposes, regardless of where they are found or to whom they belong, “contain the details of our financial, medical, and personal situations”…. This is particularly the case where, as here, the computer is used to browse the Web. Internet-connected devices “reveal our specific interests, likes, and propensities, recording in the browsing history and cache files the information we seek out and read, watch, or listen to on the Internet”. (R. v. Cole, 2012 SCC 53)

Page 21: BYOD_BYOC PPT - CBA PSL - 2015-10-28

A REASONABLE THOUGH DIMINISHED EXPECTATION OF PRIVACY IS NONETHELESS A REASONABLE EXPECTATION OF PRIVACY

THE POLICIES, PRACTICES, AND CUSTOMS OF THE WORKPLACE ARE RELEVANT TO THE EXTENT THAT THEY CONCERN THE USE OF COMPUTERS BY EMPLOYEES. THESE “OPERATIONAL REALITIES” MAY DIMINISH THE EXPECTATION OF PRIVACY THAT REASONABLE EMPLOYEES MIGHT OTHERWISE HAVE IN THEIR PERSONAL INFORMATION.

EVEN AS MODIFIED BY PRACTICE, HOWEVER, WRITTEN POLICIES ARE NOT DETERMINATIVE OF A PERSON’S REASONABLE EXPECTATION OF PRIVACY. WHATEVER THE POLICIES STATE, ONE MUST CONSIDER THE TOTALITY OF THE CIRCUMSTANCES IN ORDER TO DETERMINE WHETHER PRIVACY IS A REASONABLE EXPECTATION IN THE PARTICULAR SITUATION.

Page 22: BYOD_BYOC PPT - CBA PSL - 2015-10-28

INFORMATIONAL PRIVACY RIGHTS IN THE DIGITAL AGE

PER THE SUPREMES

RIGHT TO PRIVACY, INCLUDING INFORMATIONAL PRIVACY, IS A PRINCIPLE OF FUNDAMENTAL JUSTICE & ESSENTIAL ASPECT OF

LIBERTY IN A FREE AND DEMOCRATIC SOCIETY (MILLS)

INFORMATIONAL PRIVACY INCLUDES RIGHT TO ANONYMITY (SPENCER)

SMART PHONES ARE THE FUNCTIONAL EQUIVALENT OF COMPUTERS, AND CELL PHONE SEARCHES MAY CONSTITUTE “VERY SIGNIFICANT INTRUSIONS OF PRIVACY” (R V. FEARON, 2014 SCC 77)

Page 23: BYOD_BYOC PPT - CBA PSL - 2015-10-28

3 MAJOR TYPES OF RISK AT A GLANCE

Participant Privacy

• Apps

• Location

• Wireless usage

• BGI

• Texts

• Support

• VPN usage

• Phone activity

Cyber & Data Security

• Malware

• Breach

• Cloud

• Exfiltration

• Device loss

• Social media

• Sharing

• Cyber attack

• Bandwidth

Compliance / HR / Legal

• ATIP/LAC

• E-discovery

• CASL 2.0

• OT / costs

• Privilege

• Security classification

• 3rd party confidentiality

• Exceptions

Page 24: BYOD_BYOC PPT - CBA PSL - 2015-10-28

THE OTHER CLINTON SCANDAL – EMAIL-GATE

• Mingled personal & work emails

• Incomplete FOIA response: 30,490 of 62,320 e-mails were printed & given to State Department. 31,380 were not because “private”.

• Who vetted messages?

• Security clearance?

• Keyword searches generally can either be over-inclusive or under-inclusive.

"The current controversy over Secretary Clinton’s use of a private e-mail network for transacting government business presents a wonderful opportunity to have a lively discussion on what information governance means in 2015, for both the public sector and the private sector…The circumstances surrounding Mrs. Clinton’s actions are so highly unusual, and so packed with legal issues going to recordkeeping, open government, privacy, security, not to mention the limitations of keyword searching,…

Page 25: BYOD_BYOC PPT - CBA PSL - 2015-10-28

PART II: WHAT’S AN EMPLOYER TO DO?

• Seize the opportunity

• Adopt PbD & SbD

• Customize

• Compromise

• Collaborate

• Contract

Creating BYOD & BYOC programs that strike a balance between data security and privacy, and which respect ILM and other compliance obligations

Page 26: BYOD_BYOC PPT - CBA PSL - 2015-10-28

ASK WHY AND HOW?

WHY?

• Organization’s objective? Employee’s objective?

• Employee’s favourite devices, apps, functions

• IT capability & tolerance

• Consult stakeholders

• Align expectations & objectives of each

• Trade-offs?

HOW?

• Voluntary? Mandatory?

• Level of Access

• Sensitivity of data

• Eligibility/Segmentation

• Enrollment/Approval

• Devices/OS/Apps

• Support – self-serve

• Exceptions (VIPs)

Page 27: BYOD_BYOC PPT - CBA PSL - 2015-10-28

BYOD SPECTRUM: FROM ROGUE TO MANAGED

• Rogue (on the sly)/unmanaged (free-for-all)

• Wi-Fi Access only (internet) – no Corporate Data, can surf

• Corporate Data via Intranet (kiosk-style) or push/pull notifications

• Email, address book, calendar (Outlook/BB model)

• Other Corporate Databases – read-only

• Corporate d-bases/apps – Write/create/edit

• Full functionality (same access as corp-issued workstation, e.g. VDI)

• Workstation + – add mobile app functionality – complete mobility

(Axis: Corporate Access and Control, increasing from rogue to managed)

Consider why and how you hope BYOD will meet organization needs.

Page 28: BYOD_BYOC PPT - CBA PSL - 2015-10-28

LEVERAGING THE CLOUD

• SLAs

• PbD/SbD apps

• ISO Cloud Standard

• Specialized clouds

• Private clouds

Options to regain control and improve security have changed the landscape, letting organizations finally benefit from the cloud.

Page 29: BYOD_BYOC PPT - CBA PSL - 2015-10-28

BYOC SPECTRUM: FROM ROGUE TO MANAGED

• Rogue (on the sly)/unmanaged (free-for-all, head-in-sand approach)

• Blanket prohibition (how to monitor & enforce?)

• Good app / bad app list with clear policies (violate provider Ts & Cs?)

• Corporate-issued/designed apps (copy-paste issues; can you compete?)

• 3rd party apps – Business versions of retail apps (Evernote, DropBox)

• 3rd party apps – designed for business (Soonr), law-specific (InSync)

• App-agnostic platforms (IBM Cloud Security Enforcer)

(Axis: Corporate Access and Control, increasing from rogue to managed)

Consider why and how BYOC will meet organization needs, leverage Cloud and implement standards (ISO 27018; TBS & regulator guidance). Where is data stored? Store-in-Canada requirements must be met. Location, location, location!!! See Taking Privacy into Account Before Making Contracting Decisions (data must be stored in Canada).

Page 30: BYOD_BYOC PPT - CBA PSL - 2015-10-28

SEGREGATE PERSONAL FROM PROFESSIONAL

Integrated (Native) – Segregated (Container) – Virtualized (Thin Client)

(Axis: Higher Risk to Lower Risk)

Lowest-risk: no corporate work or data “sticks” to device

MDM solution & BYOC policy & tools required

Page 31: BYOD_BYOC PPT - CBA PSL - 2015-10-28

MDM SOLUTIONS – NOT A SILVER BULLET

When considering allowing the connection of mobile device platforms into the GC corporate enterprise, managers must realize that MDM solutions are not the silver bullet to solving the security issues brought by these platforms. They must consider both the limitations and capabilities of the MDM solution, and the choice of the mobile device platform and the device’s set of implemented security controls.

– CSEC ITSB-64

Page 32: BYOD_BYOC PPT - CBA PSL - 2015-10-28

PIA

• Data flow/inventory

• User Segments

• Defaults – disable unless justified

• Justify rest of PI

• How used?

TRA

• Snapshot in time

• External/internal

• Monitoring & enforcement

• Cyber risk?

• 3rd parties?

• Business Continuity

ASSEMBLE THE DREAM TEAM: IT, LEGAL, PRIVACY, IM, RISK MANAGEMENT

Page 33: BYOD_BYOC PPT - CBA PSL - 2015-10-28

Policy Baseline

• Risk appetite

• Monitoring

• Enforcement

• Expectation of privacy

• Acceptable use

• Gaps?

Other issues

• HR management

• IT capability

• Level of security awareness

• Culture

• Accountability

ALIGN WITH CORPORATE STRATEGY

Page 34: BYOD_BYOC PPT - CBA PSL - 2015-10-28

Policy – Build into Code of Ethics

• Eligibility

• Security requirements

• Acceptable use

• Mine/yours

• Download restrictions

• No expectation of privacy

• Reserve rights

• Mandatory training

• Privilege can be revoked (leave, departures)

Privacy Notice & User Agreement

• Risks (back-up)/Support

• Loss/Remote-Wipe

• Compliance w/ all policies

• OT, stipend, reimbursement?

• ILM obligations

• Corporate data in corporate apps only - classification

• Privacy expectations

• Specific monitoring if nec.

• ATIP/e-Discovery obs

CLEAR POLICY – NOTICE - CONSENT

Page 35: BYOD_BYOC PPT - CBA PSL - 2015-10-28

TREASURY BOARD GUIDANCE

Policy on Acceptable Network and Device Use

3.1 The Government of Canada recognizes that open access to Government of Canada electronic networks and devices, including the Internet, is essential to transforming the way public servants work and serve Canadians. Open access to the Internet including Government of Canada and external Web 2.0 tools and services will enhance productivity, communication and collaboration, and encourage the sharing of knowledge and expertise to support innovation.

3.2 This policy applies to the use of Government of Canada electronic networks for conducting government business and professional and limited personal use, regardless of location of access or device used.

Page 36: BYOD_BYOC PPT - CBA PSL - 2015-10-28

TREASURY BOARD GUIDANCE

Guideline on Acceptable Network and Device Use

2. Defining Professional and Personal Use

In an interactive and mobile work environment, it is important that employees are aware of the expectations of acceptable use when using Government of Canada electronic networks and devices, and Web 2.0 tools and services. This is particularly pertinent given that the networks, devices and social media platforms used for professional purposes are sometimes the same as those used for personal activities, thus potentially blurring the boundaries between the professional and personal use by public servants.

This guideline applies to professional and personal use of Government of Canada electronic networks and devices, and Web 2.0 tools and services by authorized individuals, irrespective of location of access. This includes using government-issued devices on government and public networks, as well as using personal devices, if permitted, on Government of Canada networks (e.g., use of a Virtual Private Network on a personal computer).

Page 37: BYOD_BYOC PPT - CBA PSL - 2015-10-28

Training & Awareness

• Pre-req.

• Annual/semi-annual

• Consent Form – incl. preservation obs & legal holds

• Assume nothing

• Make it fun

Monitoring & Enforcement

• Message (Cole)

• Action

Reassessment:

• Expand?

• Update?

• Insure?

PREPARE, REINFORCE, REASSESS

Page 38: BYOD_BYOC PPT - CBA PSL - 2015-10-28

The Regulators Speak….

• BYOD: Is Your Organization Ready? (Ontario)

• IT Security and Employee Privacy (BC)

• Is a Bring Your Own Device Program the Right Choice for your Organization? (Canada, Alberta, BC)

• Bring Your Own Device (Saskatchewan)

• White House BYOD Toolkit (US)

• Pentagon to launch BYOD pilot this summer (US)

• Bring Your Own Device (BYOD) Considerations for Executives (PDF) (AUS)

• Fact Sheet: Introduction to Cloud Computing (OPC)

• Industry Cloud Computing Consultation RFI (TBS – 2014)

• Cloud Computing Guidelines for Public Bodies (BC)

• Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations (OPC, Alberta, BC)

Page 39: BYOD_BYOC PPT - CBA PSL - 2015-10-28

More on the Cloud….

• IXmaps: Mapping Canadian Privacy Risks in the Internet Cloud (OPC-funded research project)

• Assessing the Privacy Implications of Extra-National Outsourcing to the Cloud (OPC-funded research project)

• Certification/accreditation (FedRAMP (US), ISO/IEC 27018)

• Guidelines on Security and Privacy in Cloud Computing (US)

• Federal Cloud Computing Strategy (USA)

• Bernier, Chantal (Dentons Canada LLP), Privacy on the Cloud: Comparative Analysis with Canadian Law of ISO/IEC 27018 – A Code of Practice for PII Protection in Public Clouds acting as PII Processors, 16 June 2015.

• Bernier, Chantal (Dentons Canada LLP), Privacy and Security Guidance: Cloud Computing in the MUSH Sector, 16 June 2015.

• Millard, Christopher (Ed.), Cloud Computing Law, Oxford: Oxford University Press, 2013.

Page 40: BYOD_BYOC PPT - CBA PSL - 2015-10-28

ABOUT THE INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS (IAPP)

LARGEST PRIVACY ASSOCIATION IN THE WORLD WITH MORE THAN 15,000 MEMBERS IN 83 COUNTRIES. ISO CERTIFICATION

LEARN, CERTIFY, CONNECT, TRAIN… JOIN!

Next Ottawa KnowledgeNet – November 24 - DELOITTE:

EVERYTHING YOU EVER WANTED TO KNOW ABOUT THE EU'S GENERAL DATA PROTECTION REGULATION AND DE-IDENTIFICATION (WITH A HANDS-ON EXERCISE)

Check out a KnowledgeNet or Privacy After Hours event near you!

Page 41: BYOD_BYOC PPT - CBA PSL - 2015-10-28

QUESTIONS?

Abigail Dubiniecki, B.C.L., LL.B., CIPM

Legal Counsel, Canadian Air Transport Security Authority (CATSA)

IAPP KnowledgeNet Chair, Ottawa Chapter

Secretary-Treasurer, CBA Public Sector Lawyers Forum

Email: [email protected] LinkedIn: https://ca.linkedin.com/in/abigaild

THANK YOU!