Establishing a mobile strategy for law firms
Stephen S. Wu
The world is undergoing a transformation in which people are integrating mobile devices into their work and personal lives, said Stephen S. Wu, author of the new book "A Legal Guide to Enterprise Mobile Device Management." "Let's face it: We love our mobile devices," Wu wrote in the preface of his book.
The guide examines key concepts, considerations and issues in mobile device management from business, legal and technical perspectives. In addition, the chapters provide background information on business drivers and technology, with the goal of aiding lawyers who may be unfamiliar with them — and assisting lawyers in counseling their clients.
Wu, who advises organizational clients on information governance policies, is a Silicon Valley partner in the law firm Cooke Kobrick & Wu LLP. YourABA spoke with Wu recently about his book and the topic of mobile device management.
How does the issue of managing mobile devices touch law firms, both large and small?
Managing mobile devices is relevant to law firms because many of our clients are undergoing a transformation in the way they process information. Our clients are increasingly using mobile devices for day-to-day computing tasks so they can obtain access to work information from multiple devices and from multiple locations. Whether they are traveling out of town or telecommuting, they will frequently need to access information outside their normal office settings. With this new work reality impacting our clients, attorneys will need to be up on the latest legal issues surrounding the use of mobile devices in a business setting.
In addition, law firms are businesses that need to manage mobile devices. Whether in a trial or at a negotiation, lawyers will need to access work information outside the office. In using mobile devices, lawyers will need to safeguard the confidences of their clients by maintaining the security of client data.
What is "consumerization," and how does it affect law firms?
"Consumerization" is hard to define, but it generally refers to an information technology trend in which business users bring consumer devices, applications and services into the workplace for use at work. Workers may have become familiar with this technology as a consumer, they may like the technology, they become productive using it for personal applications, and they want to use the same technology for work.
Consumerization as a trend is occurring because workers want to use top-selling smartphones, tablets and other devices with the latest technology, which provide them with more capabilities, more features and greater productivity than older employer-issued devices. Modern consumer technology allows workers to access all of their work information anytime, anywhere and with any device.
Consumerization affects law firms because it is affecting their clients. Attorneys need to understand the legal issues arising from consumerization and how best to counsel clients to overcome their legal challenges. Law firms, as businesses themselves, will also need to decide how to manage the consumerization of technology when it comes to determining which devices and services their professionals will use and how best to manage them.
A law firm has decided to roll out a mobile device program that includes a "bring your own device" policy. What are some ways that firms can manage their risk with BYOD?
I describe in my book a five-part process for implementing a mobile device management program at a law firm, business or other organization.
- Conduct a risk assessment to consider:
  - The sensitivity of the information managed by the organization
  - The security and other threats the organization faces
  - The vulnerability of the organization to those threats
  - The likelihood of the threats causing harm
  - The likely resulting harm from those threats

  Managing the risk from these threats involves determining which risks the organization can address through administrative, physical and technical safeguards, which risks the organization will shift through insurance or indemnities from vendors and which risks the organization should accept.
- Determine whether BYOD is really the best option. BYOD is not right for every organization.
- Decide critical questions, such as who will pay for devices, which workers should use mobile devices and what devices the organization will support. The organization should memorialize these decisions in documentation of its policies and procedures.
- Procure the technology to implement the mobile device program. Even with a BYOD policy, the organization may want to procure enterprise software or hardware to manage the mobile devices.
- Implement the mobile device program as designed.
Which is preferable: BYOD or employer-issued devices? Why?
There is no one answer to the question of whether BYOD is better than an organization issuing its own devices. Each organization is different and has different circumstances. BYOD frequently yields cost, worker efficiency and worker satisfaction advantages. An organization issuing its own mobile devices has greater control over its devices.
Some businesses will decide that the risk is simply too great to permit BYOD. Or they may decide that some kinds of workers must use only business-issued devices, while other workers may use their own devices. BYOD may not be an all-or-nothing decision. For example, BYOD may be too risky for workers handling very sensitive information in highly regulated industries or government agencies. It may be fine for other workers who don't have access to sensitive information. Each organization will have to weigh the pros and cons and decide the scope of any BYOD policy.
What are some key points about discoverability of information on mobile devices?
Litigation and business attorneys are, by now, well aware of the use of electronic discovery — requesting and disclosing electronically stored information to prepare their cases for hearings and trial. ESI discovery focused mainly on information located on computer hard drives in desktop computers, laptops, servers and portable media, such as external hard disks, diskettes and tapes. Parties also sought information from databases on servers and mainframe computers. Other sources of ESI might include telephone recordings, voice recordings and voicemails, and information sent by pagers. With the increasing use of non-laptop mobile devices, attorneys began requesting, and courts began ordering, discovery of ESI stored on other mobile devices, such as smartphones and tablets.
In addition, the rules of procedure do not distinguish between ESI on desktops, laptops and servers on one hand, and non-PC mobile devices on the other. Accordingly, a party to a lawsuit can request ESI on non-PC mobile devices just as it could request ESI on desktops, laptops and servers. Moreover, general requests for "all ESI" referring or relating to a given topic are broad enough to include non-PC mobile devices. Thus, a responding party must engage in a reasonable search for responsive ESI, including in non-PC mobile devices.
Practices for searching non-PC mobile devices for ESI, and certainly forensic software and protocols specific to non-PC mobile devices, are not as mature as those for searching PCs and their storage media. It may be possible to argue that ESI stored on some mobile devices is not "reasonably accessible" as a reason to object to disclosure, but generally, organizations will have to integrate non-PC mobile devices in their ESI collection and preservation practices and protocols.
What is the importance of information security in a mobile device program?
Protecting sensitive data is a key concern for our clients. Our clients are seeing data breaches in the news every day and don't want to fall victim to a data breach themselves. Data security is a pocketbook issue for them. Companies sued for sustaining data breaches are paying staggering amounts to investigate and settle the cases against them. For major breaches, the legal fees alone could amount to millions of dollars. Finally, data breaches harm a company's reputation because customers frequently don't want to do business with a company that is unable or unwilling to protect their sensitive information.
What are some tips for managing a security incident, such as a data breach?
I mention a number of steps that an organization can undertake to manage data breaches and other security incidents. The organization should:
- Plan for inevitable security incidents with defined and documented policies and procedures and assigned roles and responsibilities.
- Monitor its systems and otherwise take steps to detect security incidents.
- Implement the previously prepared response plan when an incident is detected.
- Undertake an internal investigation of the incident and, if appropriate, bring in independent third-party investigators.
- Preserve evidence relating to the incident in case it is needed for future legal proceedings.
- Consider whether to obtain law enforcement assistance, understanding that there are pros and cons to law enforcement involvement.
- Assess its legal posture, considering possible claims it may need to defend, as well as possible offensive claims the organization may have against others.
- Determine whether it needs or wants to make notifications arising from the incident and then complete the required or desired notifications.
- Remediate any discovered security vulnerabilities and re-evaluate its risks and the security program undertaken to manage those risks.
What should employers know about their employees' privacy rights as they relate to their mobile devices?
People on the job have privacy rights, both as citizens and as workers. The scope of those rights depends on the laws of the specific jurisdiction in which the workers are located. In some jurisdictions, such as California, citizens have a right to privacy under a constitution or other fundamental legal document. European countries recognize privacy as a human right. State laws also recognize tort liability for intrusion into a worker's privacy. For instance, workers have a right not to be videotaped in restrooms or dressing areas. Government employers face additional possible privacy liability for unreasonable searches and seizures of their employees in violation of the Fourth Amendment.
When it comes to mobile device programs, liability under a claim of intrusion or a privacy violation generally depends on, first, the nature of the intrusion upon a worker's reasonable expectation of privacy, and second, the offensiveness or seriousness of the intrusion. The second factor takes into account any justification or relevant interests of the employer. Whether a worker has a reasonable expectation of privacy in live or stored mobile device communications or other electronic information in a mobile device will depend on the facts and circumstances in each case.
An employer can significantly reduce the expectation of worker privacy if it communicates a policy that clearly describes the kind of monitoring it plans to undertake and tells workers that they should have no expectation that their monitored conduct will be private. Employers should keep in mind that for unionized workforces and European offices and locations, mobile device surveillance and review policies will likely be deemed a mandatory subject for collective bargaining with a union or European works council.
Any additional important tips to add about your book?
Mobile devices are changing the corporate information technology landscape, but the mobile revolution is just beginning. In the future, businesses will likely see ever-accelerating changes in technology that will raise even more legal issues. The following technology trends will make mobile device management even more challenging:
- Increasing miniaturization of ever more powerful computers, such as smart watches and screenless 3-D devices. With smaller and smaller form factors, it will be easier and easier to conceal mobile devices and use them outside of a business's control or management.
- Increasing internationalization of mobile commerce and computing. International law issues will arise from global electronic commerce, including in many developing countries, and laws applicable to traveling, remote and telecommuting workers scattered around the globe.
- The replacement of paper currency with electronic payments, probably most commonly used with mobile devices. Businesses will need controls in place to address fraud in connection with payments, to protect the privacy of personal payments and to prevent compromises of the payment platform.
- The scope of mobile devices that workers may use in a business setting may expand greatly, leading to even more legal issues. For instance, auto manufacturers are developing in-dash systems that are the equivalent of having an Internet-enabled tablet computer built into your car. Moreover, Google Glass, a wearable computer in the form of eyeglasses, and similar wearable computers will become commonplace in the work environment. Also, employers will increasingly use telepresence and other personal and service robots in their offices, warehouses and other work locations. The robots themselves will be mobile devices that the employer will need to manage. In the future, employers will ask whether they should implement a "bring your own robot" policy for the workplace.
Changes in mobile technologies and their applications are occurring rapidly. The developments in business practices and law will need to keep pace. Attorneys and their clients will need the flexibility to adapt to changes wrought by technology. As a result, attorneys will continue to play a key role in helping their clients account for new technologies, new business practices and new legal issues that are sure to arise from changes in technology.