A discussion on this very relevant topic was held at the Annual Meeting in Boston, sponsored by the ABA Criminal Justice Section. The moderator was Peter McLaughlin, of Counsel at DLA Piper LLP in Boston. Panelists were J. Antonio Sesin, senior counsel at Agero Inc. in Medford, Mass.; Ellen Giblin, privacy counsel at Ashcroft Sullivan Law Firm in Boston; and Don Ulsch, managing director of Advisory, IT Security, Privacy and Risk at PricewaterhouseCoopers in Boston.
The BYOD topic is an increasingly prevalent one for law firms and all types of organizations.
“I’d rather carry one than two,” said McLaughlin, referring to carrying separate devices for work and personal use. “In addition to having my kids’ photos, I also get work emails. But these devices are extraordinarily easy to lose, to leave in taxicabs. Part of the challenge is how do we manage the risk of an increasingly mobile workforce?”
Companies must find the right balance of security versus employees’ privacy, Sesin said. “The increasing use of iPhones and tablets, not to mention laptops for work, carry all kinds of sensitive data. How do we reduce the likelihood of data breaches? How can a company make sure, in the event of litigation, that we can access what’s on an employee’s device? A lot of this will focus on risk. Weighing the pros and cons. There is a lot of balancing to be done.”
You also have to ask yourself what your clients expect. That is a top consideration. Counsel should figure out the right fit depending on what type of organization it is: whether you are in a regulated environment or not, and whether you can let anyone come in and have unrestricted access versus not allowing anyone any access. Most organizations fall somewhere in between. You have to weigh the right ingredients for compliance.
“It’s also a matter of expectations,” Giblin said. “This is a two-step between the company and employee. The company wants to have control to make sure data is protected, and the employee wants to bring their own device.”
The cost savings are undeniably attractive to companies, Ulsch said.
“The fairytale is the employee says ‘I want my own device because I don’t like yours.’ So you think hey, we’ll save money, it’ll be great,” Ulsch said. “But the reality is far different. Folks looking at security issues and risk are saying that this is going to complicate things.”
An additional problem is that these mobile devices are not as secure as people think. They don’t have good malware protection.
“So now you have data that’s less protected with this device,” Ulsch said. “We don’t yet know if BYOD was an issue in the recent revelations of the Russian cyber thefts. We do know a lot of information was compromised. The projection is that by 2020, there will be 15 billion mobile devices on the planet. How can you effectively manage that risk? How can you ensure that the many different third-party vendors are going to have policies acceptable to you in the management of data on their devices?”
Companies also need to manage data restrictions among staff, Giblin said. “You have to look at access rights, department-wide, and make sure leavers (employees who leave) have their access terminated. All this needs to be managed.”
The average person doesn’t think about the security of their phone, Ulsch said. He shared a story about a large bank that wanted to know if their employees’ devices were vulnerable to hackers. They discovered that 6,600 bank employees were being actively profiled by hackers, who gained access by monitoring the use of Facebook on employees’ smartphones.
“That’s how data gets from your phone to hackers,” Ulsch said. “So you have the fairytale that the companies save money, with a low level of security on mobile devices. And hackers are bright people, very sophisticated. They understand the vulnerabilities very well. Going forward, the biggest breaches will happen through mobile devices.”
Another concern is liability: when an employee is doing something they are not supposed to, is the company liable?
“Every law firm should have an acceptable use policy,” Giblin said. “If there’s an incident, every employee should know how to report it. Look at technology solutions around mobile devices. Mediate the risks. You should have a privacy risk assessment for employee side, security risk assessment, they go hand in hand. Whether you’re a large or small firm, create a map of sensitive data that has no regulatory constraints around it, and map out who needs access to what. The service we use is updated monthly. Regulate usage. Cutting off usage rights, you can go back and check the map and see what data is seen by whom. You must intellectually manage this process. You need to include this in your business continuity and disaster planning for when devices are lost or stolen.”
Firms must also make sure they’re covered with cyber insurance.
“As we see more security breaches involving mobile devices, insurers are going to look at that,” Ulsch said. “What if an incendiary device is launched or armed by a mobile device; is the damage to a building covered under a cyber-insurance policy?”