
Why your mobile device management policy must include wearables

Wearable technology has started to creep into the business world, but companies must overcome the data governance complications to reap any benefits.

Wearables have been touted as the next big thing in mobile technology, and it's only a matter of time before employees want to use them at work alongside their personal phones and tablets. But while businesses are no doubt hesitant to allow new wearable technology use due to security concerns, wearables could revolutionize some business processes if data management adapts accordingly, said Scott Christensen, director of technology at Edwards Wildman Palmer LLP.

At the ARMA 2014 International Conference in San Diego, Christensen led a session on using mobile device management policy to reduce data risk. In this interview conducted at the conference, he discusses the data loss prevention steps companies must take to protect business information stored on new wearable technology.

How can companies ensure they are reaping benefits, such as increased flexibility, when they allow wearable technology use, but also protecting valuable company information?

Scott Christensen: If you are a logistics company that has messengers or truck drivers, GPS has revolutionized those kinds of businesses. Wearable technology could revolutionize many other kinds of businesses. We shouldn't look at all this stuff as a negative thing that we have to clamp down on; we should be embracing it where it makes sense but have policies to determine when, where and how it is used, the data it collects, and how it can be used so our employees are comfortable with it.

What specific information should be included in a mobile device management policy to ensure data security when using wearable technology?

Christensen: Most organizations have policies that say you have a phone on your desk, and you have [a] computer on your desk, and it's OK to make a personal call here or there. Or it might be OK to use the computer to occasionally order something from Target, or do a little personal email business on the company computer. But all of that is governed by what organizations call acceptable use policies. It has to be reasonable. Most of our acceptable use policies don't acknowledge wearable technology. Today, companies say in their acceptable use policies that you don't have to use the phone and computer we provide, but we reserve the right to record your conversations or look at email because it's considered company property. Now, when we start to drift over to wearable stuff, I might have to have a wearable technology if my employer asks me to as part of my job. All of a sudden, it's going to raise additional questions.

You can get fired for being on the phone too much making personal calls. We can get fired for doing too much personal business over email. Wearables are an example of how that will be compounded a bit more. More information is being collected. Where is it going to go? Where is it going to be stored? How is it going to be used? It's sort of the same thing with insurance companies that put devices in cars to track driving habits and all that stuff. They do offer a discount, but it tracks your location, your speed and things like that, but it begs many questions about tracking movement. What is reasonable as we have newer technology? It makes things cheaper and easier, but we don't think about the negative connotations. You can apply that to drones, anything else that the average person can now own.

How can companies make sure their mobile device management policy can adapt as new technologies, such as wearable devices, are developed and gain popularity?

Christensen: Employees want to be able to use the devices of their choice, they don't want their employer to just hand them a BlackBerry. They want to use iPhones, they want to use Android devices. It's still bring your own device, but I don't think it's so much a matter of who owns the device, it's more of where we meet in the middle in terms of policy. It's still within the company's purview to decide what the protocol and policy [are] when I ask for that device to be hooked up to the corporate email system, for example.

We've been doing this stuff a long time, going back to the BlackBerry days. Making sure encryption is not a choice and is turned on; that there is password or PIN protection; that if the device is lost or misplaced, you don't have an open gateway to data loss. The ability to wipe information on it if the device is lost or stolen. Mobile device management [MDM] solutions provide containerization, which allows personal data and corporate data to exist on the same device. People want to carry one device and do everything on it, and the MDM solutions, with the other policy things, are the things that allow that to happen.

As wearable technology becomes more popular, how can companies stay flexible to adapt to the change?

Christensen: I think the message is simple: You just have to stay ahead. Everybody has a cell phone today, and policies have had to adapt to that. Google Glass has been out for a while, and it's pretty obvious when you are walking around with it on your head what it is doing and what it is capable of doing. It's pretty easy to say, OK, here is a clause in my acceptable use policy or an HR policy that says, don't go into the washroom wearing Google Glass.

It's really taking it a step farther and understanding and anticipating new technology. Every clothing manufacturer, every jewelry manufacturer, every sports and fitness manufacturer is coming out with a wearable technology line. What does that mean to me and my business? IT and information governance leaders should be keeping up on this kind of stuff, and saying 'What types of positives can that technology bring to my business, and how do my policies have to change to protect the data that those things collect? What are the negatives of using those technologies? Where do we draw that line for personal privacy?'

We have to be thinking ahead and examining these technologies. We're all putting in data-loss prevention [DLP] programs that keep people from emailing sensitive information to a personal account, preventing people from uploading it to Dropbox. But have we looked to see if the DLP solutions we're putting in today address wearable technologies? Part of it is IT leaders researching these technologies and how it's going to work, and then saying what are the advantages, what are the disadvantages -- then hopefully constructing their policies in advance so we aren't dealing with a data loss or an embarrassing situation by reacting after the fact.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Join the conversation


How is your organization adapting mobile device management policies to protect company data stored on new wearable technology?
Because my industry handles very sensitive materials that are shared between mobile devices, we have adapted multi-tiered authentication systems to ensure the recipient of the exchanged mobile documents is the actual recipient. We send updated scripts and data on film shoots, which if compromised would ruin a show we produce, so implementing multi-tier authentication has helped with our mobile device usage. If wearables become feasible the same system will be used with those.
Those are all good measures to help with BYOD/mobile security - has your company talked specifically about the possibility of wearable device use and how they would impact those measures? Just curious if wearables were even on companies' radar yet, or if they aren't considered ubiquitous enough (like mobile devices are now) to worry about from a security standpoint.
Companies that adopt wearable technology will require new policies. We use Google glasses in our law firm but most people only use them at work.
I agree, David48, any companies that allow employees to use wearable tech will have to adjust their information governance/BYOD policies accordingly. The question is how different will the policy have to be from those that cater to other devices, such as phones and tablets? Will wearables create more potential breach opportunities or more lost data? Companies will have to think ahead when developing these policies to avoid any GRC headaches.
There are definitely some different use cases for wearables that would have to be taken into account (especially as new devices come out that don't require you have your phone along with you). But I'm not sure if that means they're more or less open to data loss - that's the problem, we don't quite know what's in store so it's a little difficult to plan ahead. 
It's true that organizations have started deploying wearables for business operations. However, the future of their large-scale adoption depends on enterprises' ability to track and manage wearable computing devices while also ensuring security and privacy of data exchanged through them. There are enterprise mobility solution providers like 42Gears that offer a wearable management solution to manage the associated risks of wearable adoption in a business scenario.