By Paul Hemsley

Recent trends of employees bringing their own devices to the workplace in public and private sector spheres have unleashed many complications for organisations managing the privacy and security of sensitive information.

Communications technology company, Cisco Systems hosted an expert panel discussing the complexities of ‘Bring Your Own Device’ (BYOD) in workplace environments.

Speaking at the panel were director of KPMG’s IT advisory practice, Scott Cass-Dunbar; Telstra chief information security officer, Glenn Chisholm; Cisco vice president and chief security officer, John Stewart; and head of school and professor of digital forensics at Edith Cowan University, Craig Valli.

Professor Valli said organisations including government agencies and departments are able to intercept information exchanged on devices if they are within the confines of the work zone because information belonging to the organisation is on the device, but are unable to during non-work hours.

He said if an organisation makes such a move, they would be in violation of Australian privacy laws, which complicates an agency’s desire to move because of additional content on the device belonging to the user and not the organisation.

According to Professor Valli, a search and seizure warrant would need to be obtained to extract the data from a BYOD.

Mr Cass-Dunbar said the main legal issue for BYOD within government is around the ownership of data.

“If I brought my own device and installed my own material along with data from the organisation I work for, the question is raised whether it is a corporate device or my device,” Mr Cass-Dunbar said.

He said the legal complexities raised by BYOD are around personal content such as financial records and the potential erasure or theft of that material along with corporate data leading to the question of who is responsible for that material.

Mr Chisholm said once people have a mass storage device, “you have a problem” because they take that mass storage device in and out of the workplace.

“If you watch an R-rated movie on your personal Macbook and you walk that into work, you potentially have an HS&E issue, and that’s not a security problem, it’s an HR, corporate and legal problem,” Mr Chisholm said.

According to Mr Chisholm, if organisations do not forbid people to do their e-tax on their work machine and that work machine gets erased, the implications of the organisation’s liability are put into question.

“This is where the lawyers come into the discussion; it stems from everything in respect to responsibility to the staff and customers,” he said.

Mr Stewart said it is difficult to redact out the speed of technology in relation to the problems faced in terms of BYOD.

“If you codify a law in a very short period of time, which is difficult to do anyway but if you’re able to do it, it’s entirely possible that the law can be codified at a speed at which it’s no longer actually going to solve the problem in the time that it was written,” Mr Stewart said.

According to Mr Stewart, the debate over things like the nature of privacy on a personally owned device in a corporate environment is being argued in the courts in Australia and the United States.

“With every single name right now, operators have no sense if someone is breaking a rule or are they being adherent to a rule, because a rule is in flux of an interpretation,” he said.

Mr Stewart said with the rules in place as they are, it is difficult for managers to crack encrypted data if the employee has left for the day and cannot protect it.

According to Mr Stewart’s scenario, a manager cannot intercept a communication without breaking the Telecommunications Act, needs to encrypt the data to be compliant and make sure they are protecting the company, but are not allowed to know whether the encrypted data is leaving.

“Essentially, I’m exposed if I actually haven’t protected the data from the company but you haven’t allowed me to protect myself, so we’re meant to do the right thing, but I’m left in a Catch-22,” Mr Stewart said.