Information governance managers are often inundated with requests as executives, sales personnel, contractors and telework employees clamor to stay connected and improve mobile data access. Under pressure to respond, these managers are often required to patch together existing desktop controls onto newly enabled mobile devices.
Doing so can expose a company and its information managers to considerable risks that, like a silent, ticking time bomb, are often undetected. Enabling users to bring their own devices to work (the policy termed BYOD) can be particularly hazardous and create overlooked traps. A solid governance and mobile device management strategy, however, can help the company avoid these complications.
The global regulatory landscape is now rapidly harmonizing toward a new concept: The use of personally identifiable information (PII) increasingly requires privacy controls that meet consent and permission guidelines set by privacy laws.
Building and executing those privacy controls is challenging. This is due to antiquated records management practices focused on both paper and electronic records, whether those are purchase orders, shipping notices, electronic checks, warehouse receipts or employment history files. Records management is now being shaped according to data type and data element, forcing companies to build and apply rules at a more detailed level.
Public privacy laws and regulations do not exempt companies from executing those controls across mobile devices that are enabled to access PII. If that information is part of the corporate assets employees access to do their work, the company must build and execute the same rules that apply when that information is accessed from a desktop computer. But there is a second, more challenging privacy dimension that comes with BYOD management: how to protect the personal information stored on employee devices that is unrelated to performing their jobs. Most commonly, this includes email, photos and Web browsing history. While employees want the convenience of using their own devices, they have difficulty reconciling that work-related data stored on and accessed by those personal devices is subject to corporate and government mandated compliance rules. Put simply: Legal and regulatory requirements require access to mobile data.
There are two options for navigating this conflict. To allow BYOD, the company must first be transparent and clearly describe access and information governance mandates to the employee. The company should also obtain the employee's acknowledgement that personal data may be accessed, as well as explicit consent that allows the company to do so. A second option is that, in lieu of BYOD, the company will provide its own mobile devices with more rigorous controls for operating systems and applications. Devices provided by the company allow for more consistency among information governance controls, and browser settings can prohibit any non-work-related use.
Companies have legal duties to preserve and produce electronically stored information. In the last decade of the 20th century, many companies tried to limit these legal obligations by storing data with third parties, in foreign locations or on mobile devices.
The courts, however, have now whittled those defenses away and confirmed that data preservation and production duties extend to all information under the company's control. As a consequence, corporate data stored on mobile devices fall within a company's information governance responsibilities.
The same principles apply for BYOD management. The company must have the right to access mobile devices to preserve potentially relevant digital assets, including non-work-related information. When a company issues instructions describing employees' information preservation duties, these instructions must explicitly address their mobile device use.
Companies must carefully develop a way to fulfill their e-discovery duties without exposing data or other records stored on mobile devices to possible destruction or loss. Routine notices of litigation or internal investigations must be authored and timed so that, in accordance with legal and regulatory mandates, relevant mobile device data is not altered. Explicit policies on the company's rights to access, collect and preserve data should be put into place. In addition, the company must find a way to obtain users' acknowledgment that they understand these policies.
Device reset and cleansing
Solid information security practices will often require resetting or cleansing devices following certain adverse security events. Doing so, of course, can expose and even delete users' personal data assets. Here, too, the data and BYOD management strategies mentioned previously will be required: clear policies and explicit user acceptance, or the delivery of dedicated corporate devices, are the two viable strategic options.
About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information governance, security, the use of digital information as evidence and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and business value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at his website.