Presentation to the Science and Technology Committee of the American Bar Association on legal issues associated with employers enabling employee Bring Your Own Device policies.

1. BYOD
Bringing Technology to Work
Sending Data Everywhere

2. SPEAKER
Jim Brashear is a member of the Bar of the United
States Supreme Court, the California Bar Association and
the State Bar of Texas. He frequently appears as a public
speaker on corporate governance, data security and
information technology legal topics.
He currently serves as Programs Co-Chair and
Cloud/SaaS Co-Chair for the Association of Corporate
Counsel’s Information Technology, Privacy & Electronic
Commerce Committee.
He received a Juris Doctorate degree, magna cum
laude, from the University of San Diego School of
Law, and a Bachelor of Arts degree in political science
from the University of California at San Diego.
James F. Brashear
General Counsel
Zix Corporation
@jfbrashear
This program is for educational purposes only. The content does not constitute
legal advice. No attorney-client relationship is created by your participation.
2

3. A Leader in Email Data Protection
 Committed to innovative, easy-to-use email
security
 Recognized by Gartner Research as the industry
leader in email encryption
 Email-specific DLP solution
 Innovative BYOD solution
3
Zix Corporation

4. AGENDA
• Background
• Data (in)Security
• Legal Risks
• Ethics
• Policy Approaches
• Technology Solutions

5. Background

6. BYOD is part of a larger phenomenon
Individual IT Empowerment
6

7. Devices
Connectivity
Cloud
Social
BIG DATA
CIOs Look for Ways to Marry Social Data
with Big Data
Wall Street Journal (July 26, 2013)
CONFLUENCE

8. Mobile Devices are an
Essential Part of Modern Life
People are emotionally attached
to their devices
They take them everywhere
Enable work whenever and
wherever they go

9. Work
Phone
Personal
Phone
It is common for employees to
use company-provided devices
plus personally-owned devices
This is BYOD
Multiple Devices
Average U.S. user carries
3 mobile devices
Sophos survey

10. o Improved employee productivity
o Adopting technology at the speed of
consumer markets
o Enhanced employee morale
o Attract and retain staff.
o Potential cost savings
o Offloading the management of non-strategic
devices from IT
Why BYOD?
Source: Gartner, BYOD The Facts and The Future

11. Challenges to IT Departments
• Consumerization of IT =
Decentralization
• Flood of new devices
• Hundreds of thousands of apps
• News ways of sharing data
– Hundreds of social media sites
– Many file sharing websites

12. Data (in)Security

14. It’s Easy to Understand Why
IT Departments Are Nervous
of employees already use personal devices at work
81%
Source: Harris Interactive
of tablet users have disabled auto-lock security
91%
of smartphone users have
75%

16. BYOT = Unsecured Data Bridge
In addition to device security, BYOD solutions must address
data security, secure connectivity & controlled access

17. Legal Risks

18. Law Lags Technology
didn’t contemplate
today’s technology
Privacy laws

19. Going Too Fast?
Supreme Court mired in 19th century
communication modes
―Court hasn't really 'gotten to' email‖
Justice Elena Kagan
19
Challenge for Courts
Supreme Court’s real challenge for the next 50 years will be
identifying the fundamental principle underlying constitutional
protection and applying it to new issues and new technology
Chief Justice John Roberts

20. Employee Personal Data
Employee consent to remote wipe
• Private photos
• Personal documents
• Financial information
• Medical facts
• Accounts and Passwords
• Application metadata
• Location data
Containerization and mixed use of
company-provided apps

21. Employee Privacy
Rulings differ based on employer policies and practices
• Clear notice to employees
• Coordinate with workers’ councils
• U.S. federal and state laws
• Non-U.S. laws
Reasonable expectation of privacy?
Employer-provided
City of Ontario v. Quon
Lazette v. Kulmatycki
BYOD may result in greater expectations of privacy

22. Social Media Password Laws
Arkansas, California, Colorado, Illi
nois, Maryland, Michigan, Nevada
, New
Mexico, Oregon, Utah, Washingto
n
• Some include email
• Proposed federal law: Social
Networking Online Protection Act of
2012
11 states limit employer access to social media usernames
and passwords
Employer monitoring?

23. 2
Discrimination
• Protected categories
• Criminal history
• Employee non-work behavior

24. Graham-Leach-Bliley
Safeguards Rule
• Article 9 of the UCC is, in practice, requiring lenders to obtain a copy
of each client's driver's license before making a loan secured by
personal property
• Loan officers sometimes photograph the driver's license with their
smartphone and send it by email or SMS to their office

25. HIPAA Privacy and Security
#1 HIPAA violation is unencrypted data
on lost or stolen devices
• $1.5M lost laptop fine
• $1.7M lost USB drive fine
PwC Health Research Institute
• Increase in healthcare BYOT
• Mobile security one of the top 10 issues hospitals will face
in 2013

26. Investigations and Legal Holds
FRCP Rule 37(e)
failure to preserve
• Triggering events
• Preservation issues
FRCP Rule 26(b)(1)
proportionality
• Possession, custody or
control

27. Stored Communications Act
• Restricts access to email and other
communications in electronic storage
– Warrant needed to access communication in
electronic storage for 180 days or less
Split of authority on “storage”
• Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
• Jennings v. Broome et al., No. 27177, 2012 S.C. LEXIS 204 (S.C. Oct. 10, 2012)
• Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010)
Calls to revise 1986 Electronic Communications Privacy Act
Not clear how it applies to today’s electronic
communications
Smartphone not a “facility” under SCA
• Garcia v. City of Laredo, No. 11-41118 (5th Cir. Dec. 12, 2012)

28. Key to Protecting Trade Secrets
Take reasonable steps to
protect information from
improper and unauthorized
access or exposure
• Identify and classify confidential information and trade secrets
• Physical and electronic security protocols for limiting access to
confidential information
• System to prevent disclosure of confidential information by insiders
Obligations under Non-Disclosure Agreements
• Developing standard of care for BYOD data security

29. Traders allegedly emailed to personal accounts computer
code containing employer’s secret high-frequency
trading algorithms
• One shared the files through Dropbox
BYOT and Trade Secrets

30. BYOT and Trade Secrets
Employee uploaded source
code used to execute high
frequency trades and offered
it to competitors
• NSPA does not criminalize
theft of intangible property
• No economic espionage
because code was not a
product
United States v. Aleynikov
Employee uploaded files
containing step-by-step
instructions for assembling
medical equipment
– Employer detected him
forwarding trade secrets
from his work email
account to a personal
email account
United States v. Agrawal
Email is a major source of data leakage
• Cloud file transfer services too

31. Ethics Issues

32. Lawyers are Targets
“Already making chump-meat of the most
sophisticated of computer defenses, hackers are
unleashing a new wave of malware on unsuspecting
law firms. And among the newest targets are mobile
phones and similar portable devices.”
Security
New hacker technology threatens lawyers’ mobile devices
Posted Sep 1, 2013 3:10 AM CDT
By Joe Dysart
“We fear that we will have to suffer more very public data
breaches before law firms collectively agree to batten down
the hatches and put security first.”
Sharon D. Nelson, Sensei Enterprises

33. Ethics: Competence
Model Rule 1.1
A lawyer shall provide competent
representation to a client
A lawyer should keep abreast of
the risks associated with
technology

34. Ethics: Client Confidences
Model Rule 1.6(c)
A lawyer shall make reasonable efforts to
prevent the inadvertent disclosure of, or
unauthorized access to, information relating to
the representation of a client

35. Law Firm Cybersecurity Audits
“Since mobile electronic devices are a likely weak
area, one issue is whether confidential information
sent to them is encrypted.”
Business of Law
Bank’s new cybersecurity audits catch law firms flat-footed
Posted Jun 13, 2013 4:10 PM CDT
By Martha Neil
Under pressure from federal regulators, who are concerned about lax cybersecurity at
law firms, the Bank of America Merrill Lynch has begun conducting audits on the law
firms it does business with, to verify what they are doing to protect sensitive
information.

36. When to Encrypt
Mandatory Data Protection
 Law or regulations require encryption or provide a safe harbor
from data breach requirements if data is encrypted
36
Heightened Risk of Interception
 Lawyers should not use unencrypted communications where there is a particularly
high risk that it may be accessed by unauthorized third parties
Responding to Encrypted Communication
 Lawyers should reply using equivalent security, because prior emails often are
appended to replies
Highly Sensitive Information
 Lawyers should not send highly sensitive client
communications unencrypted

37. Policy Approaches

38. Companies Lack BYOT Policies
of companies have not trained employees
on BYOT risks, practices and policies
of businesses that permitted BYOD had no specific security or
support policies
71%
80%
Source: ITIC, 2012

39. Unworkable Policies
Banning BYOT is unrealistic
and unworkable
• Only 12% of companies say they have
no plans to allow BYOD
Information Week – 2013 State of Mobile Security

40. Top 10 Banned Apps
Android
• Dropbox
• Facebook
• Netflix
• Google+
• Angry Birds
• Google Play Movies & TV
• Google Play Books
• Sugarsync
• Google Play Music
• Google+ Hangouts
iOS
• Dropbox
• SugarSync
• BoxNet
• Facebook
• Google Drive
• Pandora
• SkyDrive
• Angry Birds
• HOCCER
• Netflix

41. Non-Compliance
Employees with high potential for
harm are among the most likely
to violate security policies
CEB Information Risk Executive Council End-User
Awareness Survey, 2009–2012
Policy and training exceptions
for senior executives increase
risks
of employees admit violating policies designed to
prevent breaches and noncompliance
93%

42. Non-Compliance
Proxy work-around for workplace web site ban
Credit: www.labnol.org

43. WHAT THEY DON’T WANT IS:
 Company monitoring of their personal activities or
restricting the apps they use
 Interruption of their calendar, contacts, phone and
texting functions
 Invasion or deletion of their personal data
Users want flexibility
Companies want safe data
WHAT THEY DON’T WANT IS:
 Corporate data distributed on thousands of
devices and web sites
 Users resorting to personal solutions and other
insecure means of maintaining productivity

44. 2/3 of employees don't trust employers
with their mobile data and privacy
MobileIron survey
Must Balance
Competing Wants
Employers #1 concern is securing
corporate data on personal devices
Information Week: 2013 State of
Mobile Security Employee Privacy
Enterprise
Control and Security
Individual
Empowerment and Privacy

45. The Right Balance
Solution should support both
perspectives
 Companies get security, productive
employees and improved morale
 Employees get flexibility and privacy

46. BYOD
Guidelines
• NIST Special Publication 800-124
Guidelines for Managing the Security of Mobile Devices in the Enterprise
• NIST recommends mitigation measures
– Adopt Strong General Policies
– Incorporate Mobile Devices In Existing System Threat Models
– Develop Multiple Security Strategies
– Pre-Production of Security Solutions
– Install Secure Baseline Configurations for Company-Issued Devices
– Maintenance and Assessment

47. Technology Solutions

48. Complete Solutions?
Strategy
Policies
TechnologyTraining
Monitoring
No system can anticipate and control every possible use
of new technologies or every form of non-compliance
Trust May Trump Controls
• Detailed and strictly
enforced policies may cause
employees to “work to rule”
• Describe objectives and give
general guidance

49. Data Loss Prevention
Intercept Outbound Data
Analyze Content
Apply Policies
Notification
Archive

50. Spectrum of BYOD Solutions
Mobile Device Management
Mobile App Management
Mobile File Management
Separate Interfaces
Containerization
App Wrapping
Desktop Virtualization
App Virtualization
Enterprise
Control
Employee
Empowerment

51. Most BYOD approaches
are missing the point
MDM & Containerization
 Assume Data is on the Device
 Too Complex
 Too Expensive
 Too Invasive For Users
 Too Difficult To Implement
 Problem Getting Worse
MDM

52. The Holy Grail
The holy grail remains full
mobile virtualization
– It’s probably a better bet to just
keep persistent data off the
device in the first place
Information Week: 3 Ways To Virtualize Mobile Devices —
And Why You Should Do So

53. o EMAIL NEVER RESIDES ON THE DEVICE
o USERS RETAIN COMPLETE CONTROL
o No monitoring, restrictions or risk of data loss
o FIREWALLING OF PERSONAL DATA
o Limits company liability
o SEAMLESS INTEGRATION WITH NATIVE
FUNCTIONS AND UI
o Contacts can be used for phoning and texting
o COMPLIANCE REPORTING
o Because each email is only on the phone while viewed,
the number of messages at risk is almost nothing
Email App Virtualization

54. Inside View
TLS
Customer
Exchange
Server
TLS
Exchange
Web Services
Presentation
Protocol
Mobile
Device
Hosted service
or on-site gateway
ZIXONE demo on Apple’s App Store and Google Play
RAM Only

55. Questions