In our last "bring your own device" post we explored some of the key security, privacy and incident response issues related to BYOD. These issues are often important drivers in a company's decision to pursue a BYOD strategy and set the scope of personal device use within their organization. If the risks and costs associated with BYOD outstrip the benefits, a BYOD strategy may be abandoned altogether. One of the primary tools (if not the most important tool) for addressing such risks are BYOD-related policies. Sometimes these policies are embedded within an organization's existing security and privacy policy framework. More frequently, however, companies are creating separate personal device use policies that stand alone or work with/cross-reference existing company security, privacy and incident response polices. This post lays out the key considerations company lawyers and compliance personnel should take into account when creating personal device use policies and outlines some of the important provisions that are often found in such policies.
Employees are increasingly using (and demanding to use) their personal devices to store and process their employer's data, and connect to their networks. This "Bring Your Own Device" trend is in full swing, whether companies like it or not. Some organizations believe that BYOD will allow them to avoid significant hardware, software and IT support costs. Even if cost-savings is not the goal, most companies believe that processing of company data on employee personal devices is inevitable and unavoidable.Unfortunately, BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk. This blogpost identifies and explores some of the key privacy and security legal concerns associated with BYOD, including "reasonable" BYOD security, BYOD privacy implications, and security and privacy issues related to BYOD incident response and investigations.
What happened in the privacy world last week? On Thursday, just before the release of the White House Paper, California Attorney General Kamala Harris announced an agreement with the leading operators of mobile application platforms to privacy principles designed to bring the mobile app industry in line with a California law requiring mobile apps that collect personal information to have a privacy policy. It might be argued that the White House is now enunciating principles and best practices, and encouraging legislation of principles, that have long been embodied not only as best practice but as actual legislation under California law.
As 2011 is coming to a close, many of us are thinking about what 2012 will bring. With regard to privacy, there are numerous key issues to choose from (and I am sure many privacy professionals would add to this list) - but from a corporate compliance standpoint, here are my top five picks for hot topics to address in 2012:
On May 16, 2011, EU's Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services.WP29 is comprised of representatives from the EU member states' data protection authorities (DPAs), the European Data Protection Supervisor and the European Commission. WP29's mandate includes (i) giving expert advice to the EU member states regarding the implementation of European data protection directives, and (ii) promoting uniform implementation of the directives in all EU state members as well as in Norway, Liechtenstein and Iceland. WP29's opinions, therefore, carry significant weight in the interpretation and enforcement of data protection laws by European DPAs. Not surprisingly, WP29 has concluded that geolocation data is "personal data" subject to the protections of the European data protection framework, including the EU Data Protection Directive 95/46/EC. The Working Party also determined that the collection, use and other processing of geolocation data through mobile devices generally requires explicit, informed consent of the individual. Below are the highlights of the opinion.
On May 10, 2011, the Senate Subcommittee on Privacy, Technology and the Law held a hearing on mobile privacy. We covered the hearing in detail on our blog. Yesterday, InfoLawGroup partner Boris Segalis spoke with Fox Live's Tracy Byrnes about the balance between business and consumer interests that mobile privacy implicates.The clip from the interview is available on Fox at http://video.foxnews.com/v/4689248/the-congressional-mobile-privacy-hearing/?playlist_id=86861
2010. What a year for data security and privacy, and the law. Choose whatever story you want: Facebook privacy practices, Google Buzz, Wikileaks data breach , TSA full body scanning at the airports, FTC Do Not Track, etc. I am having trouble thinking of a week (perhaps even a day) in 2010 where there wasn't a big privacy or data security story reported at a major media outlet. It is difficult to come up with an issue in 2010 (except perhaps "the economy" or the healthcare debate) that became more firmly lodged in the public consciousness than privacy and data security.While we were all thinking about Halloween and Thanksgiving, and trying to avoid the crush of Hanukah, Christmas and New Years, several privacy lawsuits were filed against online behavioral tracking companies and some of their clients. In my view these lawsuits and the activity that arises out of them (regulatory and otherwise) will be one of the big data security and privacy stories of 2011. What follows is a very brief listing of some the key lawsuits from 2010 that InfoLawGroup is aware of and tracking. There may be more that are not on the list (such is pace of change in this space) and if you know of others, please send them to me so I can list them here to serve as a resource for the larger privacy community. Over the course of 2011 (and beyond) InfoLawGroup will be taking a deeper look at these cases and providing updates as they progress through motion practice, trial and settlement.