Depends on the data kept on the device, lawyer says
Governments around the world are casting a wary eye toward employees using social media app TikTok, which is owned by Chinese company ByteDance.
Some of its practices include the ability to track users, sometimes without their full consent or knowledge. And what if sensitive data falls into the wrong hands, such as the Chinese government or organized crime?
Many are asking whether employers are within their rights to take such actions.
“The technology is owned by the government so, in other words, handheld devices, smartphones, because they own it, they can do what they want in terms of how the device is used,” says Daniel Tsai, lecturer on law and technology at the University of Toronto and Toronto Metropolitan University (TMU).
Obviously, government employees might potentially have access to more sensitive data, versus that of a private employee but the move makes a lot of sense, he says.
“Me hearing that [governments are] banning TikTok on government phones, that doesn’t raise any alarms; to me, it sounds reasonable.”
Should other employers, particularly those in the private sector, consider this kind of ban? There are some laws that must be accounted for, according to Savvas Daginis, associate business law at Siskinds Law Firm.
When thinking about how much protection needs to be offered, it is the type of data that matters most, he says.
“If you’re just holding onto somebody’s name and maybe address, and let’s say that name and address are in a phonebook that is readily available to everyone, you won’t need to implement incredibly detailed security measures. Whereas maybe you’d have to implement such measures if you had medical data.”
When it comes to protecting data that might be found on, or be available via a company-issued phone, there are several considerations employers should undertake to keep everything safe, says Liam Ledgerwood, associate labour and employment law also at Siskinds Law Firm.
“Each individual employer will likely set out what their expectations are about the extent to which employees need to safeguard confidential and proprietary information and that will generally be dictated by contract — or by an employer policy, about what employees must do,” says Ledgerwood.
In the U.S., the federal government is also cracking down on TikTok.
The White House endorsed a bipartisan bill that could give the president authority to ban or force a sale of TikTok, support that could hasten passage and break a deadlock over how to address privacy concerns around the popular app.
The bill introduced recently would give the president the ability to force the sale of foreign-owned technologies, applications, software or e-commerce platforms if they present a national security threat to Americans.
It doesn’t mention Beijing-based Bytedance’s TikTok by name, but the video-sharing app, which has about 100 million users in the U.S., is the clear target.
This is the first time the Biden administration has weighed in on legislation to deal with the app, which the White House says pose national security risks. Critics of TikTok say it allows the Chinese government access to data and viewing trends of the roughly 100 million Americans — as well as users globally — who have made it one of the world’s most popular apps.
While governments are beginning to sense a security threat from various questionable apps, organizations are fighting similar battles.
Who is attacking?
Ransomware, backdoor exploits and phishing are terms that IT professionals have come to know well.
So, how can employers better prepare for the onslaught? It starts with understanding the “enemy,” knowing your organization’s weaknesses and seeing cyber attacks as a business risk — not just an IT problem, say the experts.
Apart from the stereotypical hooded individual who might wish to cause harm, there are two main threats to be aware of for businesses, according to Adil Palsetia, partner in cyber security at KPMG.
“On one end, you have nation states. Some of those are adversarial to ours and they’re attacking infrastructure, organizations, our IP infrastructure, our connection infrastructure, the communications infrastructure, as well as our financial and banking infrastructure.
As well, there are organized criminals with a simple goal, he says. “Their mandate is crime usually, a means to make more money, and so they’re the ones that we’re hearing about around this uptick in ransomware attacks.”
New ways to exploit organizations are often being rewarded in the criminal underworld, according to Evan O’Regan, associate partner, digital trust and IAM, at IBM.
“Whereas if our credit card number will fetch maybe $10 on the dark web, the identity information can fetch a much higher price on the dark web because those can be used to create synthetic identities to perpetrate more sophisticated fraud and even more. So if I develop an exploit, a backdoor into a company, I can sell that exploit on the dark web multiple times at $10,000 a pop.”