Daniel B. Garrie, Senior Managing Partner, Law & Forensics LLC
With more and more companies allowing employees to bring their own mobile devices to work and to use those devices during non-work hours to continue to work, corporate counsel needs to fully understand the potential pitfalls and ramifications of this issue. The long-term impact of outside devices cannot fully be realized as technology and the court’s adjudication of such devices is constantly evolving. The following tips will assist counsel in understanding the territory.
1. Know the territory. Familiarize yourself with the landscape and know the conditions you are starting from.
1. How many mobile devices are used by employees?
2. What kind of mobile devices are used by employees?
3. What are the internal policies for use?
4. Are these policies enforced?
5. Does IT set up email on devices?
6. Are emails downloaded using POP or IMAP?
7. Do you have integrated internal messaging accessible by mobile devices?
One way to learn the landscape is to attempt to build an internal mobile device data map. It is essential when building a mobile device data map that counsel link each mobile device to a unique user, identify any internal company mobile applications running on the specific mobile device, and establish the level of access the mobile device has to corporate systems and data.
Our organization uses a proprietary framework and custom software to build this mobile data map and keep it up to date. In lieu of this type of solution, counsel can work with their internal IT staff to develop the above data and track it in a spreadsheet, or, depending on the size of your organization, in a dynamic database.
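The following is an added example of the spreadsheet-style data map described above, not the author's proprietary framework. It joins four constructed record sets (standing in for exports from a device-management console, the HR directory, an app inventory, and an access-control system; all field names and sample values are hypothetical) into one entry per device, then lists the gaps counsel would want surfaced: devices that cannot be tied to a unique user, and devices that reach sensitive systems without remote-wipe capability.

```python
"""Minimal mobile-device data map (added example; not the author's framework).

Assumption: the four record lists below are constructed sample data; real
inputs would come from MDM, HR, app-inventory and access-control exports.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample inputs (hypothetical exports).
DEVICES = [
    {"device_id": "D-001", "owner_email": "alice@example.com", "platform": "iOS", "remote_wipe": True},
    {"device_id": "D-002", "owner_email": "bob@example.com", "platform": "Android", "remote_wipe": False},
    {"device_id": "D-003", "owner_email": "shared-tablet", "platform": "iOS", "remote_wipe": True},
]
USERS = {"alice@example.com": "Alice Adams", "bob@example.com": "Bob Brown"}
APPS = [  # internal company apps installed on each device
    {"device_id": "D-001", "app": "corp-mail"},
    {"device_id": "D-001", "app": "doc-mgmt"},
    {"device_id": "D-002", "app": "corp-mail"},
    {"device_id": "D-003", "app": "doc-mgmt"},
]
ACCESS = [  # corporate systems each device is authorised to reach, with level
    {"device_id": "D-001", "system": "email", "level": "read-write"},
    {"device_id": "D-001", "system": "document-management", "level": "read-write"},
    {"device_id": "D-002", "system": "email", "level": "read-write"},
    {"device_id": "D-002", "system": "document-management", "level": "read-only"},
    {"device_id": "D-003", "system": "document-management", "level": "read-only"},
]
SENSITIVE_SYSTEMS = {"document-management"}  # constructed classification


@dataclass
class DeviceEntry:
    device_id: str
    platform: str
    remote_wipe: bool
    user: Optional[str]  # None when the device cannot be tied to one unique user
    apps: List[str] = field(default_factory=list)
    access: Dict[str, str] = field(default_factory=dict)


def build_data_map(devices, users, apps, access):
    """Join the four sources into one DeviceEntry per device, keyed by device_id."""
    data_map = {}
    for d in devices:
        data_map[d["device_id"]] = DeviceEntry(
            device_id=d["device_id"],
            platform=d["platform"],
            remote_wipe=d["remote_wipe"],
            user=users.get(d["owner_email"]),
        )
    for a in apps:
        if a["device_id"] in data_map:
            data_map[a["device_id"]].apps.append(a["app"])
    for g in access:
        if g["device_id"] in data_map:
            data_map[g["device_id"]].access[g["system"]] = g["level"]
    return data_map


def find_gaps(data_map, sensitive=SENSITIVE_SYSTEMS):
    """List policy gaps: devices with no unique user, devices reaching sensitive
    systems without remote wipe, and sensitive access by unmapped devices."""
    gaps = defaultdict(list)
    for entry in data_map.values():
        touches_sensitive = bool(sensitive & set(entry.access))
        if entry.user is None:
            gaps["no_unique_user"].append(entry.device_id)
        if touches_sensitive and not entry.remote_wipe:
            gaps["sensitive_without_wipe"].append(entry.device_id)
        if touches_sensitive and entry.user is None:
            gaps["sensitive_unmapped"].append(entry.device_id)
    return dict(gaps)


if __name__ == "__main__":
    data_map = build_data_map(DEVICES, USERS, APPS, ACCESS)
    for entry in data_map.values():
        print(entry)
    print(find_gaps(data_map))
```

The gap report is the part that matters for counsel: an unmapped device with access to a document-management system is exactly the case where no one can say whose data would be exposed, or whose consent to a wipe was obtained.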
2. Establish Mobile Device Use Policies.
Counsel, in conjunction with IT, should establish clear use policies and guidelines for all mobile devices. Whether the mobile devices are owned by your organization, or employees are allowed (or required) to use their own mobile devices, policies should clearly delineate what can and cannot be done with corporate data on mobile devices. Require at least one level of passwords. And, of course, once these policies are created, ensure proper follow-through and adherence.
The use policies become particularly grey as employees’ behavior and use of their mobile device during non-working hours will certainly complicate any internal investigations. For example, an employee loans his phone to his teenage son, who then films another kid getting beat up. The police subpoena the phone and data, but the phone has sensitive corporate data on it.
3. Secure BYOD Environments.
Counsel and IT should evaluate and deploy a data protection platform that unifies data security and business transactions, giving IT the ability to manage data moving into, out of, and within the enterprise, including on Bring Your Own Device (“BYOD”) hardware. Many organizations allowing employees to bring their own mobile devices, especially law firms, must act to ensure that their clients’ sensitive data is protected and properly managed. For example, the security of a law firm’s data management system must be airtight if it is possible to access that system from a mobile device. If someone obtains a mobile device that has access to the data management system, either because an associate leaves it behind at a bar, or it is left sitting on the nightstand of a hotel room, a lack of security leaves a gaping hole for criminals, the curious, or an unscrupulous opposing party to obtain confidential information.
In our experience, we have evaluated many such platforms and have found that 90%+ fall short in delivering BYOD data protection. One platform worth looking at is Safe-T, which solves data protection problems without requiring users to change their behavior. It behooves counsel to validate and verify that the security solution being purchased can deliver the necessary level of protection.
4. Safety and Security of Mobile Devices.
If bring-your-own-device (BYOD) is in effect, make sure the mobile devices used by employees have an acceptable level of safety and security to prevent any proprietary and confidential information from being misappropriated or hacked. In addition, we strongly encourage that the employer only permit mobile devices that can be remotely wiped, and that employees who use personal mobile devices be required to consent to wiping of their mobile device if the device is lost. Most major mobile platforms allow for remote wiping. Apple iPhones use the Find My Phone app in conjunction with iCloud. Android users can use Android Lost to remote wipe, or enterprise users can install Google Apps Device Policy. For Windows phones, users can log onto www.windowsphone.com and remotely locate and erase their devices. Blackberry users can install Blackberry Protect to locate, lock, and erase data remotely. Blackberry also offers enterprise options.
Despite these options, remote wiping isn’t a fail-safe. If the battery dies, the device is out of range of accessible Wi-Fi or cellular service, or the device owner doesn’t realize her device is missing before confidential data is accessed, sending out a command for the phone to erase all data will be useless.
5. Segregation of Data.
Ensure segregation of data to remove the need to image the entire mobile device in the event of litigation -- just the applications and email accounts that are relevant to the issues. It is advisable that counsel ensure that any BYOD environments segregate such data or risk running afoul of U.S., European, or Dubai privacy law. It is not difficult to image a family’s iPad containing the medical records of the father (the CEO of a major private corporation on the verge of an IPO…who was recently diagnosed with cancer), the school counselor reports by the mother (as part of her required duty to report suspected child abuse of a student), and the son’s misadventures on a bachelor weekend in Vegas (where…as it turns out, what happens in Vegas will not stay in Vegas if the iPad does not segregate data).
6. Employee Agreements.
Modify all employee agreements to require employees to furnish their mobile device within a reasonable amount of time for copying, should forthcoming litigation dictate that mobile devices need to be imaged. In addition, litigation holds should put employees on notice that wiping of a device is prohibited without consent of counsel. As new privacy laws are regularly being introduced, counsel should ensure that BYOD devices can be obtained by the employer if necessary for litigation, or conversely be aware that imaging a personal device may violate new privacy regulations.
7. Gain Support From All Corporate Departments.
Ensure all departments, including IT and Legal, are on the same page with regard to which mobile devices IT can support and secure, which mobile devices employees want to use, and how counsel can ensure mobile devices do not negatively impact legal discovery. Employees are more likely to support a plan to secure devices if they understand the importance of security. In addition, have a user-friendly way to secure mobile devices and segregate all their personal information from their corporate information.
8. Mobile Monitoring Software to Secure Mobile Devices.
Consider software to monitor use and access of mobile devices. If your company creates or maintains extensive amounts of confidential or proprietary information about your company or your clients, consider automating data monitoring to note when confidential or proprietary information is being accessed on the network by a mobile device. While installing a monitoring program on the mobile device would arguably violate personal privacy in a BYOD situation, monitoring the corporate network traffic is possible. For example, an employee working for a pharmaceutical company has network access on his iPad. While traveling abroad, the iPad is stolen by a competitor who is trying to obtain research material on a new drug. If there is network monitoring software in place that flags any attempts to access certain “high-security” files, the company can immediately be aware that a mobile device with an IP address outside of the U.S. is attempting to access sensitive research material.
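The following is an added example of the server-side detection logic the pharmaceutical scenario above describes; it is not code from the author or from any monitoring product. It runs over a few constructed access-log lines and raises an alert whenever a registered mobile device requests a high-security path from outside the home country. The log format, the device registry mapping source addresses to mobile devices, the IP-to-country table (standing in for a GeoIP lookup), and the path classification are all assumptions made for the example. Denied (403) attempts are reported as well as successful ones, because the point is to know that the attempt happened.

```python
"""Flag mobile-device access to high-security files from outside the home
country (added example; not the author's or any vendor's software).

Assumptions: the log lines, device registry, IP-to-country table and
high-security path prefixes below are all constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample access log: timestamp, source IP, user, verb, path, status.
SAMPLE_LOGS = """\
2024-03-04T09:12:01Z 10.20.30.40 alice GET /research/compound-x/summary.pdf 200
2024-03-04T09:15:44Z 203.0.113.17 bob GET /research/compound-x/trial-data.xlsx 200
2024-03-04T09:16:02Z 203.0.113.17 bob GET /public/holiday-schedule.pdf 200
2024-03-04T09:18:30Z 198.51.100.5 carol GET /research/compound-x/trial-data.xlsx 403
2024-03-04T09:20:11Z 10.20.30.41 dave GET /hr/handbook.pdf 200
"""

HIGH_SECURITY_PREFIXES = ("/research/",)  # constructed classification of sensitive paths
HOME_COUNTRY = "US"
# Constructed IP-to-country table standing in for a GeoIP lookup (approximate in practice).
IP_COUNTRY = {"10.20.30.40": "US", "10.20.30.41": "US", "203.0.113.17": "DE", "198.51.100.5": "SG"}
# Constructed device registry: source addresses currently assigned to registered mobile devices.
MOBILE_DEVICE_IPS = {"203.0.113.17": "D-002 (iPad, bob)", "198.51.100.5": "D-007 (Android, carol)"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<verb>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    ts: str
    device: str
    user: str
    country: str
    path: str
    status: int


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_high_security(path, prefixes=HIGH_SECURITY_PREFIXES):
    return path.startswith(prefixes)


def detect(log_text, ip_country=IP_COUNTRY, mobile_ips=MOBILE_DEVICE_IPS, home=HOME_COUNTRY) -> Tuple[List[Alert], int]:
    """Return (alerts, malformed_count).

    An alert is raised for every attempt, allowed or denied, by a registered
    mobile device to reach a high-security path from a country other than
    the home country. Unparseable lines are counted rather than silently
    dropped, so a change in log format does not quietly blind the monitor.
    """
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if rec["ip"] not in mobile_ips or not is_high_security(rec["path"]):
            continue
        country = ip_country.get(rec["ip"], "UNKNOWN")  # unknown origin is treated as foreign
        if country == home:
            continue
        alerts.append(Alert(rec["ts"], mobile_ips[rec["ip"]], rec["user"],
                            country, rec["path"], int(rec["status"])))
    return alerts, malformed


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a.ts} {a.device} user={a.user} from={a.country} path={a.path} status={a.status}")
    print(f"{len(found)} alert(s), {bad} malformed line(s)")
```

Two design points worth noting: an address whose country is unknown is treated as foreign rather than ignored, and a denied request still produces an alert, because a 403 from a device that should not be abroad is the earliest signal counsel can act on.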
9. Legal Ramifications.
Know where the law stands on your organization’s responsibilities to monitor, track, and preserve data on mobile devices. As technology blurs the line between work time and personal time, counsel should be aware of this impact on tracking and monitoring of employees’ use of mobile devices. This is especially true for employees that may be located outside of the US and are subject to different regulations regarding employer-employee relations.
Counsel has a number of balls to juggle, including personal privacy of employees, a need to protect trade secrets, a need to protect confidential client and employee information, and a duty to prevent security breaches. Each of these topics comes with a host of relevant rules and regulations, which often require a delicate balance of interests to ensure across-the-board compliance.
10. Go slow.
While possibly counter-intuitive in the age of ever-evolving software and hardware applications, consider adopting mobile devices in a piecemeal fashion. If your organization is in the process of starting a BYOD plan, or you are considering loaning devices to employees, do not feel obligated to allow for all devices and full access to the network. Survey employees to determine the most common devices used to access the company’s data. Then start by providing support to the most common. To test security and scalability, consider starting with email access for employees. If the nature of your business necessitates broader access to the network or cloud drives, you should proceed with allowing access to network shared folders or cloud drives only after feeling secure with the email roll-out.
Finally, it is important to remember that there are many ways to misappropriate sensitive or confidential information, and with all eyes monitoring the network, it is easy to forget that taking a quick snapshot of a computer screen or printout, making a photocopy, copying and pasting information into a web-based email account, or simply writing the information down by hand, is all it may take for someone to carry away your organization’s most important secrets.