In our last "bring your own device" post we explored some of the key security, privacy and incident response issues related to BYOD. These issues are often important drivers in a company's decision to pursue a BYOD strategy and set the scope of personal device use within their organization. If the risks and costs associated with BYOD outstrip the benefits, a BYOD strategy may be abandoned altogether. One of the primary tools (if not the most important tool) for addressing such risks are BYOD-related policies. Sometimes these policies are embedded within an organization's existing security and privacy policy framework. More frequently, however, companies are creating separate personal device use policies that stand alone or work with/cross-reference existing company security, privacy and incident response polices. This post lays out the key considerations company lawyers and compliance personnel should take into account when creating personal device use policies and outlines some of the important provisions that are often found in such policies.
Employees are increasingly using (and demanding to use) their personal devices to store and process their employer's data, and connect to their networks. This "Bring Your Own Device" trend is in full swing, whether companies like it or not. Some organizations believe that BYOD will allow them to avoid significant hardware, software and IT support costs. Even if cost-savings is not the goal, most companies believe that processing of company data on employee personal devices is inevitable and unavoidable.Unfortunately, BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk. This blogpost identifies and explores some of the key privacy and security legal concerns associated with BYOD, including "reasonable" BYOD security, BYOD privacy implications, and security and privacy issues related to BYOD incident response and investigations.
This blogpost is the third (and final) in our series analyzing the terms of Google's and Computer Science Corporation's ("CSC") cloud contracts with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In Part Two, the focus was on terms related to compliance with privacy and security laws, audit and enforcement of security obligations, incident response, and geographic processing limitations, and termination rights under the contracts. In Part Three, we analyze what might be the most important data security/privacy-related terms of a Cloud contract (or any contract for that matter), the risk of loss terms. This is a very long post looking at very complex and interrelated contract terms. If you have any questions feel free to email me at dnavetta@infolawgroup.com
Service contracts that involve protected personal information should include provisions allocating responsibility for protecting that information and responding to security breaches. Increasingly, this means incorporating specific references to applicable laws and information security standards, and often certifications of conformance.