German Federal Office for Information Security Issues Guidance on Consumerization and BYOD

On February 4, 2013, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or “BSI”) published a paper (in German) providing an overview of the information technology risks inherent in consumerization and bring your own device (“BYOD”) strategies. The Paper responds to what the BSI views as a growing trend of employees making personal use of employer IT systems as well as using their personal IT devices for work purposes.

The Paper addresses a number of BYOD-related risks ranging from data protection concerns to software licensing and issues of civil liability. Notably, it provides a list of suggested technical and organizational measures that companies should implement to minimize certain risks associated with consumerization and BYOD. These measures include:

  • Central administration of BYOD devices through the use of detailed policies (which also should cover remote deletion and virus protection).
  • Separating private use from professional use. The Paper discusses several ways of achieving this separation, such as installing a data container for professional use, using different virtual machines, or keeping all data server-side and accessing the data through thin clients.
  • Securing connections between BYOD devices and the company network (e.g., by using virtual private networks).
  • Entering into clear agreements with employees to establish rules regarding BYOD. Such agreements may include (1) obligations to apply patches and use strong passwords, (2) encryption requirements for locally stored data, (3) a prohibition on rooting devices, (4) rules regarding which data can be synchronized, (5) consent for automated scans for security purposes, and (6) employee separation procedures.

The Paper also recommends that companies restrict the types of permissible BYOD devices and define user groups of employees who wish to make use of BYOD.
