BYOD - Bringing Technology to work | Sending Data Everywhere


Presentation to the Science and Technology Committee of the American Bar Association on legal issues associated with employers enabling employee Bring Your Own Device policies.


  1. BYOD: Bringing Technology to Work | Sending Data Everywhere
  2. SPEAKER: James F. Brashear, General Counsel, Zix Corporation (@jfbrashear). Jim Brashear is a member of the Bar of the United States Supreme Court, the California Bar Association and the State Bar of Texas. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics. He currently serves as Programs Co-Chair and Cloud/SaaS Co-Chair for the Association of Corporate Counsel’s Information Technology, Privacy & Electronic Commerce Committee. He received a Juris Doctorate degree, magna cum laude, from the University of San Diego School of Law, and a Bachelor of Arts degree in political science from the University of California at San Diego. This program is for educational purposes only. The content does not constitute legal advice. No attorney-client relationship is created by your participation.
  3. Zix Corporation: A Leader in Email Data Protection
     • Committed to innovative, easy-to-use email security
     • Recognized by Gartner Research as the industry leader in email encryption
     • Email-specific DLP solution
     • Innovative BYOD solution
  4. AGENDA
     • Background
     • Data (in)Security
     • Legal Risks
     • Ethics
     • Policy Approaches
     • Technology Solutions
  5. Background
  6. BYOD is part of a larger phenomenon: Individual IT Empowerment
  7. CONFLUENCE: Devices, Connectivity, Cloud, Social, Big Data. “CIOs Look for Ways to Marry Social Data with Big Data”, Wall Street Journal (July 26, 2013)
  8. Mobile Devices are an Essential Part of Modern Life
     • People are emotionally attached to their devices
     • They take them everywhere
     • Enable work whenever and wherever they go
  9. Multiple Devices: Work Phone / Personal Phone. It is common for employees to use company-provided devices plus personally-owned devices. This is BYOD. The average U.S. user carries 3 mobile devices (Sophos survey)
  10. Why BYOD?
     • Improved employee productivity
     • Adopting technology at the speed of consumer markets
     • Enhanced employee morale
     • Attract and retain staff
     • Potential cost savings
     • Offloading the management of non-strategic devices from IT
     Source: Gartner, BYOD: The Facts and The Future
  11. Challenges to IT Departments
     • Consumerization of IT = Decentralization
     • Flood of new devices
     • Hundreds of thousands of apps
     • New ways of sharing data
       – Hundreds of social media sites
       – Many file sharing websites
  12. Data (in)Security
  13. It’s Easy to Understand Why IT Departments Are Nervous
     • 81% of employees already use personal devices at work (Source: Harris Interactive)
     • 91% of tablet users have disabled auto-lock security; 75% of smartphone users have
  14. BYOT = Unsecured Data Bridge. In addition to device security, BYOD solutions must address data security, secure connectivity and controlled access
  15. Legal Risks
  16. Law Lags Technology: privacy laws didn’t contemplate today’s technology
  17. Going Too Fast? Challenge for Courts. The Supreme Court is mired in 19th century communication modes: “Court hasn't really 'gotten to' email” (Justice Elena Kagan). The Supreme Court’s real challenge for the next 50 years will be identifying the fundamental principle underlying constitutional protection and applying it to new issues and new technology (Chief Justice John Roberts)
  18. Employee Personal Data: employee consent to remote wipe
     • Private photos
     • Personal documents
     • Financial information
     • Medical facts
     • Accounts and passwords
     • Application metadata
     • Location data
     Containerization and mixed use of company-provided apps
  19. Employee Privacy: reasonable expectation of privacy? Rulings differ based on employer policies and practices
     • Clear notice to employees
     • Coordinate with workers’ councils
     • U.S. federal and state laws
     • Non-U.S. laws
     Employer-provided devices: City of Ontario v. Quon; Lazette v. Kulmatycki. BYOD may result in greater expectations of privacy
  20. Social Media Password Laws: 11 states limit employer access to social media usernames and passwords (Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah, Washington)
     • Some include email
     • Proposed federal law: Social Networking Online Protection Act of 2012
     Employer monitoring?
  21. Discrimination
     • Protected categories
     • Criminal history
     • Employee non-work behavior
  22. Gramm-Leach-Bliley Safeguards Rule
     • Article 9 of the UCC is, in practice, requiring lenders to obtain a copy of each client's driver's license before making a loan secured by personal property
     • Loan officers sometimes photograph the driver's license with their smartphone and send it by email or SMS to their office
  23. HIPAA Privacy and Security: the #1 HIPAA violation is unencrypted data on lost or stolen devices
     • $1.5M lost laptop fine
     • $1.7M lost USB drive fine
     PwC Health Research Institute:
     • Increase in healthcare BYOT
     • Mobile security is one of the top 10 issues hospitals will face in 2013
  24. Investigations and Legal Holds
     • FRCP Rule 37(e) failure to preserve
       – Triggering events
       – Preservation issues
     • FRCP Rule 26(b)(1) proportionality
       – Possession, custody or control
  25. Stored Communications Act
     • Restricts access to email and other communications in electronic storage
       – Warrant needed to access communication in electronic storage for 180 days or less
     • Not clear how it applies to today’s electronic communications; calls to revise the 1986 Electronic Communications Privacy Act
     • Split of authority on “storage”
       – Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
       – Jennings v. Broome et al., No. 27177, 2012 S.C. LEXIS 204 (S.C. Oct. 10, 2012)
       – Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010)
     • Smartphone not a “facility” under the SCA
       – Garcia v. City of Laredo, No. 11-41118 (5th Cir. Dec. 12, 2012)
  26. Key to Protecting Trade Secrets: take reasonable steps to protect information from improper and unauthorized access or exposure
     • Identify and classify confidential information and trade secrets
     • Physical and electronic security protocols for limiting access to confidential information
     • System to prevent disclosure of confidential information by insiders
     Obligations under Non-Disclosure Agreements
     • Developing standard of care for BYOD data security
  27. BYOT and Trade Secrets: traders allegedly emailed to personal accounts computer code containing their employer’s secret high-frequency trading algorithms
     • One shared the files through Dropbox
  28. BYOT and Trade Secrets
     • Employee uploaded source code used to execute high frequency trades and offered it to competitors (United States v. Aleynikov)
       – NSPA does not criminalize theft of intangible property
       – No economic espionage because code was not a product
     • Employee uploaded files containing step-by-step instructions for assembling medical equipment (United States v. Agrawal)
       – Employer detected him forwarding trade secrets from his work email account to a personal email account
     • Email is a major source of data leakage
       – Cloud file transfer services too
  29. Ethics Issues
  30. Lawyers are Targets. “Already making chump-meat of the most sophisticated of computer defenses, hackers are unleashing a new wave of malware on unsuspecting law firms. And among the newest targets are mobile phones and similar portable devices.” (Security: New hacker technology threatens lawyers’ mobile devices, posted Sep 1, 2013 3:10 AM CDT, by Joe Dysart.) “We fear that we will have to suffer more very public data breaches before law firms collectively agree to batten down the hatches and put security first.” (Sharon D. Nelson, Sensei Enterprises)
  31. Ethics: Competence. Model Rule 1.1: a lawyer shall provide competent representation to a client. A lawyer should keep abreast of the risks associated with technology
  32. Ethics: Client Confidences. Model Rule 1.6(c): a lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client
  33. Law Firm Cybersecurity Audits. “Since mobile electronic devices are a likely weak area, one issue is whether confidential information sent to them is encrypted.” (Business of Law: Bank’s new cybersecurity audits catch law firms flat-footed, posted Jun 13, 2013 4:10 PM CDT, by Martha Neil.) Under pressure from federal regulators, who are concerned about lax cybersecurity at law firms, Bank of America Merrill Lynch has begun conducting audits of the law firms it does business with, to verify what they are doing to protect sensitive information.
  34. When to Encrypt
     • Mandatory Data Protection: law or regulations require encryption or provide a safe harbor from data breach requirements if data is encrypted
     • Heightened Risk of Interception: lawyers should not use unencrypted communications where there is a particularly high risk that they may be accessed by unauthorized third parties
     • Responding to Encrypted Communication: lawyers should reply using equivalent security, because prior emails often are appended to replies
     • Highly Sensitive Information: lawyers should not send highly sensitive client communications unencrypted
  35. Policy Approaches
  36. Companies Lack BYOT Policies (Source: ITIC, 2012)
     • Companies that have not trained employees on BYOT risks, practices and policies
     • Businesses that permitted BYOD but had no specific security or support policies
     Figures shown on the slide: 71%, 80%
  37. Unworkable Policies: banning BYOT is unrealistic and unworkable
     • Only 12% of companies say they have no plans to allow BYOD (Information Week, 2013 State of Mobile Security)
  38. Top 10 Banned Apps
     • Android: Dropbox, Facebook, Netflix, Google+, Angry Birds, Google Play Movies & TV, Google Play Books, SugarSync, Google Play Music, Google+ Hangouts
     • iOS: Dropbox, SugarSync, BoxNet, Facebook, Google Drive, Pandora, SkyDrive, Angry Birds, HOCCER, Netflix
  39. Non-Compliance
     • 93% of employees admit violating policies designed to prevent breaches and noncompliance
     • Employees with high potential for harm are among the most likely to violate security policies (CEB Information Risk Executive Council End-User Awareness Survey, 2009–2012)
     • Policy and training exceptions for senior executives increase risks
  40. Non-Compliance: proxy work-around for a workplace web site ban (image)
  41. Users want flexibility. What they don’t want is:
     • Company monitoring of their personal activities or restricting the apps they use
     • Interruption of their calendar, contacts, phone and texting functions
     • Invasion or deletion of their personal data
     Companies want safe data. What they don’t want is:
     • Corporate data distributed on thousands of devices and web sites
     • Users resorting to personal solutions and other insecure means of maintaining productivity
  42. Must Balance Competing Wants: Enterprise Control and Security vs. Individual Empowerment and Privacy
     • Employers’ #1 concern is securing corporate data on personal devices (Information Week: 2013 State of Mobile Security)
     • 2/3 of employees don't trust employers with their mobile data and privacy (MobileIron survey)
     • Employee Privacy
  43. The Right Balance: the solution should support both perspectives
     • Companies get security, productive employees and improved morale
     • Employees get flexibility and privacy
  44. BYOD Guidelines
     • NIST Special Publication 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise
     • NIST recommends mitigation measures
       – Adopt Strong General Policies
       – Incorporate Mobile Devices In Existing System Threat Models
       – Develop Multiple Security Strategies
       – Pre-Production of Security Solutions
       – Install Secure Baseline Configurations for Company-Issued Devices
       – Maintenance and Assessment
  45. Technology Solutions
  46. Complete Solutions? Strategy, Policies, Technology, Training, Monitoring. No system can anticipate and control every possible use of new technologies or every form of non-compliance. Trust May Trump Controls:
     • Detailed and strictly enforced policies may cause employees to “work to rule”
     • Describe objectives and give general guidance
  47. Data Loss Prevention: Intercept Outbound Data, Analyze Content, Apply Policies, Notification, Archive
  48. Spectrum of BYOD Solutions, from Enterprise Control to Employee Empowerment: Mobile Device Management, Mobile App Management, Mobile File Management, Separate Interfaces, Containerization, App Wrapping, Desktop Virtualization, App Virtualization
  49. Most BYOD approaches are missing the point. MDM and Containerization:
     • Assume data is on the device
     • Too complex
     • Too expensive
     • Too invasive for users
     • Too difficult to implement
     • Problem getting worse
  50. The Holy Grail. The holy grail remains full mobile virtualization; it’s probably a better bet to just keep persistent data off the device in the first place (Information Week: 3 Ways To Virtualize Mobile Devices, And Why You Should Do So)
  51. Email App Virtualization
     • EMAIL NEVER RESIDES ON THE DEVICE
     • USERS RETAIN COMPLETE CONTROL
       – No monitoring, restrictions or risk of data loss
     • FIREWALLING OF PERSONAL DATA
       – Limits company liability
     • SEAMLESS INTEGRATION WITH NATIVE FUNCTIONS AND UI
       – Contacts can be used for phoning and texting
     • COMPLIANCE REPORTING
       – Because each email is only on the phone while viewed, the number of messages at risk is almost nothing
  52. Inside View (architecture diagram): Mobile Device (RAM only) ↔ TLS, presentation protocol ↔ hosted service or on-site gateway ↔ TLS, Exchange Web Services ↔ customer Exchange Server. ZixOne demo on Apple’s App Store and Google Play
  53. Questions
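Slide 47 lists the DLP pipeline (intercept outbound data, analyze content, apply policies, notify, archive) and slide 34 gives the encryption rules. The following is an added example, not code from the presentation or from Zix's product: a minimal outbound-email policy engine in Python that implements that pipeline, including the "reply with equivalent security" rule. The corporate domain, webmail list, detection patterns, mailbox names and sample message are constructed placeholders.

```python
import re
from dataclasses import dataclass
# Assumed corporate domain and consumer-webmail list (placeholders, not from the deck).
INTERNAL_DOMAIN = "example.com"
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # U.S. Social Security number
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")    # 13-16 digit card-number candidate
ARCHIVE = []                                          # audit trail of every decision

@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    reply_to_encrypted: bool = False  # the inbound message in this thread was encrypted

def luhn_ok(digits: str) -> bool:  # Luhn checksum: don't flag random digit runs as cards
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def analyze(msg: Message) -> set:  # content analysis: classes of regulated data in body
    findings = set()
    if SSN_RE.search(msg.body):
        findings.add("ssn")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(msg.body)):
        findings.add("card")
    return findings

def process(msg: Message) -> dict:
    """Pipeline: intercept -> analyze -> apply policy -> notify -> archive."""
    findings, domain = analyze(msg), msg.recipient.lower().rsplit("@", 1)[-1]
    external, action, reasons = domain != INTERNAL_DOMAIN, "deliver", []
    if external and findings:  # regulated data leaving the company: encrypt (safe harbor)
        action, reasons = "encrypt", ["regulated data to external recipient"]
    if external and msg.reply_to_encrypted:  # reply with equivalent security
        action, reasons = "encrypt", reasons + ["reply to an encrypted thread"]
    if domain in PERSONAL_WEBMAIL and (findings or "[confidential]" in msg.subject.lower()):
        action, reasons = "block", reasons + ["confidential data to personal webmail"]
    notify = [msg.sender, "dlp-alerts@" + INTERNAL_DOMAIN] if action == "block" else []
    ARCHIVE.append((msg.sender, msg.recipient, action, sorted(findings)))  # archive step
    return {"action": action, "reasons": reasons, "notify": notify, "findings": sorted(findings)}

# Constructed sample: a card number mailed to an outside party (cf. the slide 22 scenario).
SAMPLE = Message("loans@example.com", "client@partner-bank.test", "Statement",
                 "Card 4111 1111 1111 1111 was charged for the appraisal.")
```

`process(SAMPLE)` returns an `encrypt` decision with `findings == ["card"]`; a message to a consumer webmail address with a `[CONFIDENTIAL]` subject is blocked and both the sender and the DLP mailbox are notified.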