Why your mobile device management policy must include wearables

Wearable technology has started to creep into the business world, but companies must overcome the data governance complications to reap any benefits.

Wearables have been touted as the next big thing in mobile technology, and it's only a matter of time before employees want to use them at work alongside their personal phones and tablets. But while businesses are no doubt hesitant to allow new wearable technology use due to security concerns, wearables could revolutionize some business processes if data management adapts accordingly, said Scott Christensen, director of technology at Edwards Wildman Palmer LLP.

At the ARMA 2014 International Conference in San Diego, Christensen led a session on using mobile device management policy to reduce data risk. In this interview conducted at the conference, he discusses the data loss prevention steps companies must take to protect business information stored on new wearable technology.

How can companies ensure they are reaping benefits, such as increased flexibility, when they allow wearable technology use, but also protecting valuable company information?

Scott Christensen: If you are a logistics company that has messengers or truck drivers, GPS has revolutionized those kinds of businesses. Wearable technology could revolutionize many other kinds of businesses. We shouldn't look at all this stuff as a negative thing that we have to clamp down on; we should be embracing it where it makes sense but have policies to determine when, where and how it is used, the data it collects, and how it can be used so our employees are comfortable with it.

What specific information should be included in a mobile device management policy to ensure data security when using wearable technology?

Christensen: Most organizations have policies that say you have a phone on your desk, and you have [a] computer on your desk, and it's OK to make a personal call here or there. Or it might be OK to use the computer to occasionally order something from Target, or do a little personal email business on the company computer. But all of that is governed by what organizations call acceptable use policies. It has to be reasonable. Most of our acceptable use policies don't acknowledge wearable technology. Today, companies say in their acceptable use policies that you don't have to use the phone and computer we provide, but we reserve the right to record your conversations or look at email because it's considered company property. Now, when we start to drift over to wearable stuff, I might have to have a wearable technology if my employer asks me to as part of my job. All of a sudden, it's going to raise additional questions.

You can get fired for being on the phone too much making personal calls. We can get fired for doing too much personal business over email. Wearables are an example of how that will be compounded a bit more. More information is being collected. Where is it going to go? Where is it going to be stored? How is it going to be used? It's sort of the same thing with insurance companies that put devices in cars to track driving habits and all that stuff. They do offer a discount, but it tracks your location, your speed and things like that, but it begs many questions about tracking movement. What is reasonable as we have newer technology? It makes things cheaper and easier, but we don't think about the negative connotations. You can apply that to drones, anything else that the average person can now own.

How can companies make sure their mobile device management policy can adapt as new technology, such as wearable devices, are developed and gain popularity?

Christensen: Employees want to be able to use the devices of their choice, they don't want their employer to just hand them a BlackBerry. They want to use iPhones, they want to use Android devices. It's still bring your own device, but I don't think it's so much a matter of who owns the device, it's more of where we meet in the middle in terms of policy. It's still within the company's purview to decide what the protocol and policy [are] when I ask for that device to be hooked up to the corporate email system, for example.

We've been doing this stuff a long time, going back to the Blackberry days. Making sure encryption is not a choice and is turned on; that there is password or PIN protection; that if the device is lost or misplaced, you don't have an open gateway to data loss. The ability to wipe information on it if the device is lost or stolen. Mobile device management [MDM] solutions provide containerization, which allows personal data and corporate data to exist on the same device. People want to carry one device and do everything on it, and the MDM solutions with the other policy things, are the things that allow that to happen.

As wearable technology becomes more popular, how can companies stay flexible to adapt to the change?

Christensen: I think the message is simple: You just have to stay ahead. Everybody has a cell phone today, and policies have had to adapt to that. Google Glass has been out for a while, and it's pretty obvious when you are walking around with it on your head what it is doing and what it is capable of doing. It's pretty easy to say, OK, here is a clause in my acceptable use policy or an HR policys that says, don't go into the washroom wearing Google Glass.

It's really taking it a step farther and understanding and anticipating new technology. Every clothing manufacturer, every jewelry manufacturer, every sports and fitness manufacturer is coming out with a wearable technology line. What does that mean to me and my business? IT and information governance leaders should be keeping up on this kind of stuff, and saying 'What types of positives can that technology bring to my business, and how do my policies have to change to protect the data that those things collect? What are the negatives of using those technologies? Where do we draw that line for personal privacy?'

We have to be thinking ahead and examining these technologies. We're all putting in data-loss prevention [DLP] programs that keep people from emailing sensitive information to a personal account, preventing people from uploading it to DropBox. But have we looked to see if the DLP solutions we're putting in today address wearable technologies? Part of it is IT leaders researching these technologies and how it's going to work, and then saying what are the advantages, what are the disadvantages -- then hopefully constructing their policies in advance so we aren't dealing with a data loss or an embarrassing situation by reacting after the fact.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Next Steps

More Q&As with ARMA 2014 Conference presenters
Use data governance and analytics to reduce risk and boost info value
RIM professionals likely to lead privacy compliance strategy

Dig Deeper on Information technology governance