Legal, Security, and IT Tackle BYOD
Who should read this paper
CIO, CISO, VP of IT operations, mobile architect, mobile program manager, and legal counsel. This paper briefly reviews how the uninhibited and unchecked use of mobile devices for enterprise functions can lead to serious litigation risks. Enterprise mobile management solutions can provide the controls necessary to establish a strong information governance policy that supports BYOD.
WHITEPAPER: LEGAL, SECURITY, AND IT TACKLE BYOD
Bring your own device—BYOD
More and more organizations around the globe are permitting employees to bring their own mobile computing devices to work so that employees can access company data from any location, at any time, with any device. The bring-your-own-device (BYOD) trend started gaining traction around 2007, when executives and board members brought the first personal smartphones, tablets, and ultrabooks into the corporate workspace. BYOD has since become a corporate reality: up to 95 percent of organizations allow the use of employee-owned devices in some way, shape, or form, according to a Cisco survey.[1] With BYOD, IT departments have recognized an average of $300–$1,300 in annual hardware and support savings, while employees have realized increased productivity, collaboration, and connectivity from personal devices and mobile apps.

Although BYOD started by executive fiat, many of today's younger corporate employees now believe that using their own devices for work and personal use is a right. For example, more than 33 percent of employees aged 20–29 said that they would break any company anti-BYOD rules to use their personal devices.[2] Unfortunately, this trend highlights the fact that the rapid pace of technology evolution often outpaces the development of the internal policies and procedures that could minimize the risks and costs of deploying it. The problem is common because the deployment of technology solutions is typically perceived as a function of the IT department and the business units it supports. Little thought is given to the consequences of accessing and managing sensitive corporate data from personal devices when IT's prime mandate is maximizing operational efficiency and profitability.

This corporate culture leads to technology being deployed without adequate input from corporate legal departments and other stakeholders. The result is that the policies accompanying technology rollouts are commonly nonexistent or sorely inadequate for the foreseeable downstream problems of data security, employee privacy, retention management, and eDiscovery requests. The good news is that proactive policies and controls can mitigate or eliminate much of the risk and cost of these BYOD challenges. The bad news is that 47 percent of survey respondents reported that their IT departments had not discussed mobile/cyber security awareness,[3] and 44 percent reported that their company did not have a mobile device usage policy. This last statistic can be misleading, as other surveys of IT managers have indicated that a majority of companies now have some kind of mobile device usage policy, even if their users are not aware of it.
BYOD challenges, risks, and impact
Lost devices
Mobile devices are easily lost or stolen, most often in social settings or while traveling. A simple four-digit passcode offers only 10,000 combinations and can be cracked in less than an hour. Unsecured apps, easily obtained access credentials, and local files stored directly on devices combine to pose a significant data loss and breach threat. Device upgrades can result in unwiped devices being resold overseas. The loss of personally identifiable information (PII) carries high remediation costs[4] and the risk of enforcement actions from state and federal agencies such as the Federal Trade Commission (FTC).[5] High-profile losses of laptops and devices by health provider executives and employees highlight the risks and consequences of lost mobile devices.[6]
1. Cisco press release, “Cisco Study: Saying Yes To BYOD,” May 16, 2012, http://newsroom.cisco.com/release/854754/Cisco-Study-IT-Saying-Yes-To-BYOD.
2. Ellen Messmer, “Young employees say BYOD a ‘right’ not ‘privilege,’” Network World, June 12, 2012, http://www.networkworld.com/news/2012/061912-byod-20somethings-260305.html.
3. Mike Weber and Chris Lietz, “BYOD 2013: Employees and Companies Remain Lax with BYOD Security,” A Coalfire Perspective, 2013, http://www.coalfire.com/Resources/Perspectives/Private/BYOD-2013-Companies-Remain-Lax.
4. Ponemon Institute (benchmark research sponsored by Symantec), “2013 Cost of Data Breach Study: Global Analysis,” May 2013, http://tinyurl.com/lc4mhp3.
5. Inside Counsel (sponsored by Symantec), “The Federal Trade Commission on Fraud, Deception, & Data Privacy Enforcement Actions,” December 12, 2013, http://www.insidecounsel.com/webseminars/the-federal-trade-commission-on-fraud-deception-d.
6. iHealthBeat, “Health Data Breaches Reported by Providers, Agencies in Three States,” December 11, 2013, http://www.ihealthbeat.org/articles/2013/12/11/health-data-breaches-reported-by-providers-agencies-in-three-states?view=print.
IP theft—data breaches
The mobile workforce requires 24x7 access to critical enterprise systems and confidential data on two to four devices at a time. That access from outside the protection of the corporate firewall makes mobile devices a prime target for corporate espionage, hackers, and other cyber criminals. Without mobile device and app management technologies, the commingling of personal email, Web browsing, apps, and third-party connections creates vulnerabilities outside of corporate control. Every device needs active protection against malware, viruses, and other malicious Web threats.
Information governance of mobile devices
Policy—BYOD and usage policies should be designed to minimize the creation of unique mobile electronically stored information (ESI) without impacting user productivity. As surveys show, too many users are not aware of existing mobile device policies or usage guidelines. All major stakeholders (legal, compliance, security, HR, IT, and users) should participate in policy creation. Policies without the necessary education, acceptance, and enforcement are often worse than no policies at all: an unenforced policy demonstrates that the company understood what acceptable practice was and then proceeded to ignore it.
Management technology—Mobile device management (MDM) systems control basic security settings such as passcodes, encryption, remote wipe capability, and more. MDM can be considered a foundational protection strategy, but it does not address privacy, retention, or discovery requirements. Another early strategy, pioneered by government agencies, isolates sensitive email, contacts, and other data in an encrypted “sandbox” container on the device that can be opened only with authenticated credentials. The relatively rigid sandbox strategy has evolved into a more flexible application “wrapping” methodology that lets organizations secure approved corporate apps and their content with a mobile application management (MAM) system. Restricting work on employee devices to secured corporate apps automatically identifies and segregates work data from personal data where possible. High-publicity lawsuits such as City of Ontario v. Quon[7] demonstrate the need to protect private personal communications in an era where work and personal life are often blurred, creating privacy issues. MAM systems can restrict corporate data to known devices and apps, and can prevent critical information from being copied or forwarded outside of the company apps, closing a big security gap.
Process and people—The creation of effective policies and controls requires a stakeholder team with executive backing. The 2013 eDJ Group survey shows that most respondents have no effective mobile ESI retention policy. The stakeholder team's goal should be to balance user enablement and productivity against controls and documented protocols that achieve effective information governance and compliance. Critical corporate data should not reside solely on user-owned devices; it should be synchronized with corporate record systems such as enterprise archives to minimize the amount of unique data created and stored on user devices. If all unique records and potential legal evidence live on enterprise systems, then mobile devices can be excluded from retention and discovery requirements in most cases.
7. Wikipedia entry, “Ontario v. Quon,” last modified February 9, 2014, http://en.wikipedia.org/wiki/Ontario_v._Quon.
eDiscovery and investigations
Over 60 percent of legal respondents to the eDJ survey have been required to collect data from mobile devices in discovery for a legal proceeding. However, only 14.5 percent said that mobile devices were commonly requested, and 46 percent said that mobile devices were requested only in special matters. Moreover, it is difficult or impossible for users to preserve texts, call logs, and other ESI on these devices over a typical one- to two-year legal hold period.

Another concern for global corporations is meeting the compliance requirements of increasingly stringent European Union (EU) data privacy laws when corporate ESI is commingled with personal email, texts, chats, and other private ESI. BYOD blurs the line between work and personal life, with serious consequences for the intentional or even inadvertent collection and disclosure of personal data to third parties in legal proceedings.
Corporate discovery of mobile devices
Preservation and collection—Creating an effective, defensible legal hold strategy for mobile devices is especially challenging because of their dynamic storage management. Unlike laptops and network shares, mobile devices delete texts, call logs, and other volatile data automatically. Users under legal hold can refrain from manually deleting app files, but it is almost impossible for a user to preserve volatile, dynamic mobile data while a device is in use. This forces corporations to employ collection or backup technologies to comply with legal holds when that data is potentially relevant. Mobile device collection is still performed over a local cable connection and can take hours on 8 GB to 32 GB devices. The collected data is stored in a specialized container file for later filtering and extraction. Civil[8][9] and criminal[10] sanctions for failure to preserve mobile content provide a clear mandate for corporate IT and legal departments to minimize unique mobile data and to have a preservation plan for legal holds.
8. Santa Clara Law Digital Commons, “Christou v. BeaPort,” January 23, 2013, http://digitalcommons.law.scu.edu/historical/301/.
9. PRWeb, “Pradaxa Lawsuit News: Federal Court Imposes Sanctions Against Manufacturer of Pradaxa, notes Schlichter, Bogard & Denton, LLP,” December 11, 2013, http://www.prweb.com/releases/2013/12/prweb11409789.htm.
10. Michael Kunzelman, “Ex-BP engineer convicted on 1 obstruction charge,” AP, December 18, 2013, http://bigstory.ap.org/article/jury-standstill-ex-bp-engineers-trial.
Mobile discovery process elements
• Standardized declarations and interrogatory responses
• Mobile data relevance checklist
• Custodial questionnaire
• Preservation process and custodian hold instructions
• Collection technology and process
• Processing and review workflow with selected technology or partners
• Change management process to keep stakeholders updated on rapidly evolving usage and data
Processing and early case assessment (ECA)—Once content is collected from mobile devices, it must be made accessible so that a legal review can determine whether the content is responsive, privileged, or nonresponsive to the matter at issue. Most collection software creates one or more forensic container files that must be processed to extract tables and file objects such as photos, emails, and more. Only a few mainstream eDiscovery platforms have built-in connectors that can directly ingest these packages for search and review. The majority of users manually extract selected data from individual device container files based on data type, date, or other filter criteria such as phone numbers, names, or search terms. If corporate data is not segregated in secured apps, personal data may need to be filtered out or even held for custodial release in certain countries. Most legal review systems are not optimized for mobile data, and the discovery team should consider all filtering and review strategies to prevent escalating costs and missed deadlines. Remember that voicemail, videos, and other audio content cannot be keyword-searched by most review systems.
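The filtering and segregation step described above, as an added example that is not part of the whitepaper or of any collection vendor's tooling: a small Python triage routine over a constructed record set that stands in for the SMS, call-log and email tables a processing step would extract from a forensic container file. It applies a legal-hold date window plus search-term and phone-number filters, then splits the responsive records into a corporate bucket (records from MAM-wrapped apps) and a personal bucket that can be held back for custodial release. The record layout, the app names in CORPORATE_APPS, and the sample messages are all assumptions made for the example; it also goes one step beyond the text by normalising phone numbers so that differently formatted numbers match.

```python
"""Triage records extracted from a mobile-device collection for legal review.

Added example, not code from the whitepaper or any collection vendor.
Real tools emit proprietary forensic container files; the flat list of
records below is a constructed stand-in for the SMS, call-log and email
tables a processing step would extract from one.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical set of MAM-wrapped corporate apps (assumption for the example).
# Records from any other app are treated as personal data that may need
# to be filtered out or held for custodial release.
CORPORATE_APPS = {"corp-mail", "corp-chat"}


@dataclass(frozen=True)
class Record:
    kind: str                 # "sms", "call", "email", "chat"
    ts: datetime              # UTC timestamp of the record
    app: str                  # app or subsystem the record came from
    parties: tuple[str, ...]  # phone numbers or addresses involved
    body: str                 # message text ("" for call logs)


def utc(s: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' string as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample data: not taken from any real device or matter.
SAMPLE = [
    Record("email", utc("2013-03-04 09:12"), "corp-mail",
           ("cfo@example.com",), "Forward the Q1 forecast before the board call"),
    Record("chat", utc("2013-03-05 17:40"), "corp-chat",
           ("+15550100",), "forecast numbers are attached"),
    Record("sms", utc("2013-03-05 21:03"), "ios-messages",
           ("+15550100",), "dinner at 8? bring the forecast printout"),
    Record("sms", utc("2013-03-06 08:15"), "ios-messages",
           ("+15550199",), "happy birthday mom"),
    Record("call", utc("2012-11-20 13:00"), "ios-phone",
           ("+15550100",), ""),
    Record("email", utc("2013-03-07 10:30"), "corp-mail",
           ("hr@example.com",), "PTO request for next week"),
]


def normalize_number(s: str) -> str:
    """Keep only digits so '+1 (555) 0100' and '15550100' compare equal."""
    return re.sub(r"\D", "", s)


def in_window(r: Record, start: datetime, end: datetime) -> bool:
    """True if the record falls inside the legal-hold date window."""
    return start <= r.ts <= end


def matches(r: Record, terms: tuple[str, ...], numbers: tuple[str, ...]) -> bool:
    """True if any search term appears in the body or any party is a wanted number."""
    body = r.body.lower()
    if any(t.lower() in body for t in terms):
        return True
    wanted = {normalize_number(n) for n in numbers}
    return any(normalize_number(p) in wanted for p in r.parties)


def triage(records, start, end, terms=(), numbers=()):
    """Bucket records into out_of_scope, corporate and personal.

    A record is responsive when it is inside the hold window AND matches a
    term or number filter; the corporate/personal split follows the app it
    came from, which is only reliable when work is confined to secured apps.
    """
    buckets = {"out_of_scope": [], "corporate": [], "personal": []}
    for r in records:
        if not (in_window(r, start, end) and matches(r, terms, numbers)):
            buckets["out_of_scope"].append(r)
        elif r.app in CORPORATE_APPS:
            buckets["corporate"].append(r)
        else:
            buckets["personal"].append(r)
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE, utc("2013-03-01 00:00"), utc("2013-03-31 23:59"),
                    terms=("forecast",), numbers=("+1 (555) 0100",))
    for name, recs in result.items():
        print(name, len(recs))
        for r in recs:
            print("  ", r.kind, r.ts.isoformat(), r.app, r.parties)
```

Run as shown, the March 2013 window with the term "forecast" and one phone number yields two corporate records, one personal SMS that matches on both number and body, and three out-of-scope records (no match, or the call from November 2012 outside the window). The personal bucket is the one that needs privacy handling before it reaches reviewers; note that the call record carries no body at all, which is why the number filter matters for call logs.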
Managing BYOD—takeaways for corporate stakeholders
BYOD policy considerations
• Does the policy address device ownership and privacy interests?
• Does the policy specify who has the right to access and control information on the device?
• Can devices be used for personal and business purposes, and can that information be partitioned?
• Does the policy specify acceptable devices, apps, and cloud services?
• Can the device be wiped if it is lost or stolen?
• What happens when an employee leaves the organization?
• Does the policy cover device access and discovery rights?

BYOD management elements for organizations
• Mobile device usage policy (see “BYOD policy considerations”)
• End-user guidelines, training, and policy acceptance documentation
• Mobile device content retention schedule, enforcement tools, and process
• MDM to control access, settings, and administrative rights
• MAM, secured apps, or some other protection system for corporate data
• Procedures for terminated employees and device replacement to protect corporate data
• Standardized declarations and interrogatory responses
• Mobile data relevance checklist
• Custodial questionnaire
• Preservation process and custodian hold instructions
• Processing and review workflow with selected technology or partners
• Change management process to keep stakeholders updated on rapidly evolving usage and data
• Mobile collection tool(s): local device collections in 2–4 hours to minimize the impact on users
• Search, process, and ECA tools for mobile collection container files for early relevance and scope management
• Mobile data extraction and processing capabilities, done in house or using preferred provider partners
For better or worse, BYOD has penetrated most enterprise environments despite the lack of a mature mobile information governance infrastructure to support stakeholder requirements. These critical downstream security, compliance, and discovery requirements can be leveraged to obtain the executive mandate and budget needed to acquire and implement a mature mobile management lifecycle. This report has explored the challenges, risks, and proactive solution strategy elements needed to manage the increasing number of remote workers conducting business on their personal devices. The benefits in user productivity, collaboration, and accessibility can be lost without a balanced solution that addresses both employee privacy and data security. Reactive discovery of mobile devices greatly increases both the cost and the risk of inadvertently losing relevant data that is under legal hold. Bring your key stakeholders together and bring mobile devices into your information governance lifecycle with the right policies and technologies.