Presentation to the Science and Technology Committee of the American Bar Association on legal issues associated with employers enabling employee Bring Your Own Device policies.
2. SPEAKER
Jim Brashear is a member of the Bar of the United
States Supreme Court, the California Bar Association and
the State Bar of Texas. He frequently appears as a public
speaker on corporate governance, data security and
information technology legal topics.
He currently serves as Programs Co-Chair and
Cloud/SaaS Co-Chair for the Association of Corporate
Counsel’s Information Technology, Privacy & Electronic
Commerce Committee.
He received a Juris Doctor degree, magna cum laude, from the University of San Diego School of Law, and a Bachelor of Arts degree in political science from the University of California at San Diego.
James F. Brashear
General Counsel
Zix Corporation
@jfbrashear
This program is for educational purposes only. The content does not constitute
legal advice. No attorney-client relationship is created by your participation.
3. A Leader in Email Data Protection
Committed to innovative, easy-to-use email
security
Recognized by Gartner Research as the industry
leader in email encryption
Email-specific DLP solution
Innovative BYOD solution
Zix Corporation
8. Mobile Devices are an
Essential Part of Modern Life
People are emotionally attached
to their devices
They take them everywhere
Enable work whenever and
wherever they go
9. Multiple Devices
[Figure: Work Phone | Personal Phone]
It is common for employees to use company-provided devices plus personally-owned devices. This is BYOD.
Average U.S. user carries 3 mobile devices (Sophos survey)
10. Why BYOD?
o Improved employee productivity
o Adopting technology at the speed of consumer markets
o Enhanced employee morale
o Attract and retain staff
o Potential cost savings
o Offloading the management of non-strategic devices from IT
Source: Gartner, BYOD: The Facts and The Future
11. Challenges to IT Departments
• Consumerization of IT =
Decentralization
• Flood of new devices
• Hundreds of thousands of apps
• New ways of sharing data
– Hundreds of social media sites
– Many file sharing websites
14. It’s Easy to Understand Why IT Departments Are Nervous
81% of employees already use personal devices at work (Source: Harris Interactive)
91% of tablet users and 75% of smartphone users have disabled auto-lock security
16. BYOT = Unsecured Data Bridge
In addition to device security, BYOD solutions must address
data security, secure connectivity & controlled access
19. Going Too Fast?
Supreme Court mired in 19th century communication modes
“Court hasn't really 'gotten to' email”
Justice Elena Kagan
Challenge for Courts
Supreme Court’s real challenge for the next 50 years will be
identifying the fundamental principle underlying constitutional
protection and applying it to new issues and new technology
Chief Justice John Roberts
20. Employee Personal Data
Employee consent to remote wipe
• Private photos
• Personal documents
• Financial information
• Medical facts
• Accounts and Passwords
• Application metadata
• Location data
Containerization and mixed use of
company-provided apps
21. Employee Privacy
Rulings differ based on employer policies and practices
• Clear notice to employees
• Coordinate with workers’ councils
• U.S. federal and state laws
• Non-U.S. laws
Reasonable expectation of privacy?
Employer-provided
City of Ontario v. Quon
Lazette v. Kulmatycki
BYOD may result in greater expectations of privacy
22. Social Media Password Laws
11 states limit employer access to social media usernames and passwords:
Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah, Washington
• Some include email
• Proposed federal law: Social Networking Online Protection Act of 2012
Employer monitoring?
24. Gramm-Leach-Bliley Safeguards Rule
• Article 9 of the UCC is, in practice, requiring lenders to obtain a copy
of each client's driver's license before making a loan secured by
personal property
• Loan officers sometimes photograph the driver's license with their
smartphone and send it by email or SMS to their office
25. HIPAA Privacy and Security
#1 HIPAA violation is unencrypted data
on lost or stolen devices
• $1.5M lost laptop fine
• $1.7M lost USB drive fine
PwC Health Research Institute
• Increase in healthcare BYOT
• Mobile security one of the top 10 issues hospitals will face
in 2013
26. Investigations and Legal Holds
FRCP Rule 37(e)
failure to preserve
• Triggering events
• Preservation issues
FRCP Rule 26(b)(1)
proportionality
• Possession, custody or
control
27. Stored Communications Act
• Restricts access to email and other
communications in electronic storage
– Warrant needed to access communication in
electronic storage for 180 days or less
Split of authority on “storage”
• Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
• Jennings v. Broome et al., No. 27177, 2012 S.C. LEXIS 204 (S.C. Oct. 10, 2012)
• Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010)
Calls to revise 1986 Electronic Communications Privacy Act
Not clear how it applies to today’s electronic
communications
Smartphone not a “facility” under SCA
• Garcia v. City of Laredo, No. 11-41118 (5th Cir. Dec. 12, 2012)
28. Key to Protecting Trade Secrets
Take reasonable steps to
protect information from
improper and unauthorized
access or exposure
• Identify and classify confidential information and trade secrets
• Physical and electronic security protocols for limiting access to
confidential information
• System to prevent disclosure of confidential information by insiders
Obligations under Non-Disclosure Agreements
• Developing standard of care for BYOD data security
29. BYOT and Trade Secrets
Traders allegedly emailed to personal accounts computer code containing employer’s secret high-frequency trading algorithms
• One shared the files through Dropbox
30. BYOT and Trade Secrets
Employee uploaded source
code used to execute high
frequency trades and offered
it to competitors
• NSPA does not criminalize
theft of intangible property
• No economic espionage
because code was not a
product
United States v. Aleynikov
Employee uploaded files
containing step-by-step
instructions for assembling
medical equipment
– Employer detected him
forwarding trade secrets
from his work email
account to a personal
email account
United States v. Agrawal
Email is a major source of data leakage
• Cloud file transfer services too
32. Lawyers are Targets
“Already making chump-meat of the most
sophisticated of computer defenses, hackers are
unleashing a new wave of malware on unsuspecting
law firms. And among the newest targets are mobile
phones and similar portable devices.”
Security
New hacker technology threatens lawyers’ mobile devices
Posted Sep 1, 2013 3:10 AM CDT
By Joe Dysart
“We fear that we will have to suffer more very public data
breaches before law firms collectively agree to batten down
the hatches and put security first.”
Sharon D. Nelson, Sensei Enterprises
33. Ethics: Competence
Model Rule 1.1
A lawyer shall provide competent
representation to a client
A lawyer should keep abreast of
the risks associated with
technology
34. Ethics: Client Confidences
Model Rule 1.6(c)
A lawyer shall make reasonable efforts to
prevent the inadvertent disclosure of, or
unauthorized access to, information relating to
the representation of a client
35. Law Firm Cybersecurity Audits
“Since mobile electronic devices are a likely weak
area, one issue is whether confidential information
sent to them is encrypted.”
Business of Law
Bank’s new cybersecurity audits catch law firms flat-footed
Posted Jun 13, 2013 4:10 PM CDT
By Martha Neil
Under pressure from federal regulators, who are concerned about lax cybersecurity at
law firms, the Bank of America Merrill Lynch has begun conducting audits on the law
firms it does business with, to verify what they are doing to protect sensitive
information.
36. When to Encrypt
Mandatory Data Protection
Law or regulations require encryption or provide a safe harbor
from data breach requirements if data is encrypted
Heightened Risk of Interception
Lawyers should not use unencrypted communications where there is a particularly
high risk that it may be accessed by unauthorized third parties
Responding to Encrypted Communication
Lawyers should reply using equivalent security, because prior emails often are
appended to replies
Highly Sensitive Information
Lawyers should not send highly sensitive client
communications unencrypted
38. Companies Lack BYOT Policies
71% of businesses that permitted BYOD had no specific security or support policies
80% of companies have not trained employees on BYOT risks, practices and policies
Source: ITIC, 2012
39. Unworkable Policies
Banning BYOT is unrealistic
and unworkable
• Only 12% of companies say they have
no plans to allow BYOD
Information Week – 2013 State of Mobile Security
40. Top 10 Banned Apps
Android
• Dropbox
• Facebook
• Netflix
• Google+
• Angry Birds
• Google Play Movies & TV
• Google Play Books
• Sugarsync
• Google Play Music
• Google+ Hangouts
iOS
• Dropbox
• SugarSync
• BoxNet
• Facebook
• Google Drive
• Pandora
• SkyDrive
• Angry Birds
• HOCCER
• Netflix
41. Non-Compliance
93% of employees admit violating policies designed to prevent breaches and noncompliance
Employees with high potential for harm are among the most likely to violate security policies
CEB Information Risk Executive Council End-User Awareness Survey, 2009–2012
Policy and training exceptions for senior executives increase risks
43. Users want flexibility
WHAT THEY DON’T WANT IS:
Company monitoring of their personal activities or restricting the apps they use
Interruption of their calendar, contacts, phone and texting functions
Invasion or deletion of their personal data
Companies want safe data
WHAT THEY DON’T WANT IS:
Corporate data distributed on thousands of devices and web sites
Users resorting to personal solutions and other insecure means of maintaining productivity
44. Must Balance Competing Wants
2/3 of employees don't trust employers with their mobile data and privacy (MobileIron survey)
Employers’ #1 concern is securing corporate data on personal devices (Information Week: 2013 State of Mobile Security)
[Figure: Employee Privacy balance: Enterprise Control and Security vs. Individual Empowerment and Privacy]
45. The Right Balance
Solution should support both
perspectives
Companies get security, productive
employees and improved morale
Employees get flexibility and privacy
46. BYOD
Guidelines
• NIST Special Publication 800-124
Guidelines for Managing the Security of Mobile Devices in the Enterprise
• NIST recommends mitigation measures
– Adopt Strong General Policies
– Incorporate Mobile Devices In Existing System Threat Models
– Develop Multiple Security Strategies
– Pilot and Test Security Solutions Before Putting Them into Production
– Install Secure Baseline Configurations for Company-Issued Devices
– Maintenance and Assessment
48. Complete Solutions?
Strategy
Policies
Technology
Training
Monitoring
No system can anticipate and control every possible use
of new technologies or every form of non-compliance
Trust May Trump Controls
• Detailed and strictly
enforced policies may cause
employees to “work to rule”
• Describe objectives and give
general guidance
50. Spectrum of BYOD Solutions
(ordered from Enterprise Control to Employee Empowerment)
Mobile Device Management
Mobile App Management
Mobile File Management
Separate Interfaces
Containerization
App Wrapping
Desktop Virtualization
App Virtualization
51. Most BYOD approaches are missing the point
MDM & Containerization assume data is on the device
Too Complex
Too Expensive
Too Invasive For Users
Too Difficult To Implement
Problem Getting Worse
52. The Holy Grail
The holy grail remains full
mobile virtualization
– It’s probably a better bet to just
keep persistent data off the
device in the first place
Information Week: 3 Ways To Virtualize Mobile Devices —
And Why You Should Do So
53. Email App Virtualization
o EMAIL NEVER RESIDES ON THE DEVICE
o USERS RETAIN COMPLETE CONTROL
o No monitoring, restrictions or risk of data loss
o FIREWALLING OF PERSONAL DATA
o Limits company liability
o SEAMLESS INTEGRATION WITH NATIVE FUNCTIONS AND UI
o Contacts can be used for phoning and texting
o COMPLIANCE REPORTING
o Because each email is only on the phone while viewed, the number of messages at risk is almost nothing