
Don't let BYOD legal issues sink your BYOD initiative

If you let employees access company resources using a mobile device they own -- or if you equip employees with operational devices such as scanners used by package delivery companies -- you need policies that govern how those devices are used and managed. And you need to make sure the legal department double-checks the policies, because the enterprise mobility and bring your own device (BYOD) trend comes with legal complications.

"Mobile devices in the hands of employees lead to potential increases in productivity, which is great," said Bryan Barringer, an enterprise mobility consultant. "With an increase in opportunity for that, that's also an increase in opportunity for data loss with legal ramifications."

In a recent SearchCompliance webcast titled Policies for Effective BYOD Management and Endpoint Security, Barringer discussed some of those BYOD legal issues. Many of them stem from the fact that a lot of customer and employee data stored on employee-owned devices is outside of the reach of company systems and firewalls.

"These are all fairly easy to control inside the firewall," Barringer explained, "but now with these devices out there and more information out there, you need to be able to get to that information, even when you're talking about a personal device in a BYOD initiative."

In courts around the world, there are legal discussions over retention policies and how to include personally owned devices in those policies without violating privacy. Even though the data is not on a company-provided device, "that is content you're going to have to protect," Barringer said. Similarly, litigation hold orders are now requiring all content be retained regardless of who owns the device.

"There are going to be instances very soon, if not already, where employees are going to be terminated for a variety of reasons and companies are going to need to subpoena that device in order to get access to information that they never thought they would before," Barringer said.

In addition, enterprises must keep in mind that legislation such as the Health Insurance Portability and Accountability Act (HIPAA) extends to mobile and employee-owned devices, too. "You need to make sure that you're covered even when it's on a mobile device as well, whether that's in the customer's hands or an employee's hands," Barringer said.

Although there can be many BYOD legal issues, Barringer assured that adopting mobility is worthwhile. "There's a lot more data that's going to be pushed out to those endpoints, and that's a good thing. You want to be able to equip your employees and your customers with more information."

Visit SearchCompliance to view part two of this webcast series, where Barringer discusses best practices for BYOD policy management, and part three, in which he covers cutting-edge technologies to help improve BYOD initiatives.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance


Transcript - Don't let BYOD legal issues sink your BYOD initiative

Bryan Barringer: We're going to be talking about policies for effective BYOD management and endpoint security. As we continue to move into the mobile age, there are a lot of things that companies will want to take advantage of, specifically around BYOD and other mobility solutions. The problem is that there's probably not enough awareness as to what that actually entails. Today, we're going to go over some things that you should be aware of, as well as go over best practices, some techniques and technologies to help you along the way. Without further ado, let's go ahead and talk about some of the things to be aware of.

This discussion will focus on enterprise mobility, including the following:

• BYOD includes operational customer devices. It's not just about the personal devices that an employee will bring to the table and introduce in a BYOD program or initiative.

You must also understand that there are different purposes for devices out there, including operational and customer devices -- the devices that are actually in the customer's hands. You might be managing either through a device management solution or an application management solution, where you put an app on their device.

Operational devices are different than BYOD devices. When a FedEx courier walks through the door he has a scanning device. Those devices are becoming more consumerized and have more information than they ever had before. They're not just simply scanning solutions. You really need to think beyond just BYOD.

• Regulatory and legal changes are occurring rapidly. You can read in the papers about new court cases being upheld for employment code. [This happened] in California just recently and [then there are] other regulation and legislation changes around mobility related to reimbursement for BYOD, as well as other things for litigation hold which we'll talk about a little bit later.

Being mobile pushes the endpoints to the extreme. It's typical -- and we talk about this in a few slides down the road here -- to think about it as a very finite kind of ecosystem or environment that you can control. Going mobile pushes those endpoints that you've been very comfortable with for the last decade all the way up to the furthest extreme. With the billion smartphones that are out there today, and [with them] being in your hands at all times, at arm's length at all times, you can imagine where those endpoints are always going to be available. They're always going to be out there wherever the employee is the person with that device. Your endpoints are going to grow dramatically.

• Data loss prevention and electro-property prevention and loss [are being] tested like never before. Once again, you have these devices in your hands at all times, so these areas of opportunity and vulnerability are going to increase dramatically and you need to be aware of that.

• New content and application encryption minimums, depending on the industry that you're in, you're going to have your own standards that you're going to want to put on yourself -- or you'll be mandated by either your customers or whoever you're doing business with, i.e. your business partners.

Some other ones:

• Network intrusion vulnerability opportunities will increase. Once again your endpoints are going to be pushed out to the extreme, and your intrusion vulnerabilities are also going to be more rampant, more fraught with opportunity for people to take advantage of.

• New updates in policies, standards and guidelines for mobility governance and control are required. It's not about just simply updating your appropriate use standards for laptops. You're going to have mobile phones, mobile devices, tablets, you name it, out there with appropriate use and different types of policies. You're going to have to really almost reinvent many of your old, dated policies and come up with a whole new host of policies and standards in governance to cover yourself and your employees.

• An investment in modern enterprise mobility management technologies and techniques must be budgeted. You can't simply say, "We're going to go mobile." You can say it, but the actual doing it is going to be quite different and if you're not budgeting for it, you're going to be surprised.

Now, what I've said over these last few slides has probably led you to be a little bit fearful of what we're going to talk about. Being in this industry and around mobility for a number of years, as well as just over the last 12 months, I contend that this is the fastest growing technology push ever before witnessed (at least, by me in my tenure). There are lots of techniques and technologies to put in place, as well as best practices to cover every one of these bullets. Even though it's a somewhat scary concept to think about and many opportunities for negative impacts to your operations, the positive gains from going mobile and pushing the envelope with your customers and new operational devices are going to far outweigh the costs that you've had to date. You're going to have much more cost savings and better productivity, as well as opportunities for new revenue.

From a positive perspective, employing some of the technologies and techniques that we'll discuss in the later slides is definitely going to be worthwhile. I wanted to kind of scare you a little bit, but at the same time, I wanted to tell you -- and will tell you a little later on in the slides -- that there's some great tools out there to help you.

Understanding BYOD legal issues and regulation

Let's talk about regulation and legal. I'm calling it a regulation and legal reboot. There are lots of codes, specifically ones in California right now that are in the news, and a lot of it is legislation and regulation. It's been around for a while, but it's really getting a different look in this mobile age. It really is a reboot on some of the old, and the launch of some new areas of concern and control that change regulatory positions for BYOD data loss and protection.

With more mobility come increased regulation concerns. Mobile devices in the hands of employees lead to potential increases in productivity, which is great. That's also an increase of opportunity for data loss with legal ramifications.

Customer and employee data will be more in transit outside the firewall than ever before. There's a lot more data being pushed out to those endpoints and that's a good thing. You want to be able to equip your employees and your customers with more information. It's going to bring more business to you. It's going to make your employees more capable of delivering the higher levels of customer satisfaction. It's certainly not something to shy away from; it's just something to be aware of.

Acts and legislation like PCI, HIPAA, and fund transfer rules and guidelines all need to be considered in regard to the transfer of information from one point to another. You really need to make sure that even though you might have standards in place, you need to make sure that you're covered even when it's on a mobile device -- whether that's in a customer's hands or employee's hands.

BYOD and operational devices will carry significantly more customer identification and billing details. When we were at FedEx we talked quite a bit about what we were already doing as well as what we wanted to do. (I'm always going to be a FedEx-er, so I say, "We.") It's one of those things where we wanted to equip the couriers with even more information to interact with the customers, teaching them to be a 150,000 person strong sales force. That kind of information is important to put in the hands of those individuals. But like I said in the slides before, since that's also putting that information out to those endpoints, it needs to be protected. BYOD and operational devices are going to be carrying a lot more information than they ever did before.

Continuing on with regulation and legal reboot, here are some other concerns you want to make sure you're aware of. The content retention, forensics and discovery processes are going to be more than you've ever had before, so if you don't already have policies and procedures for that, you're going to need to get on to that with your InfoSec teams.

In particular, [there is now] legal precedent in place that countermands the traditional protections of the enterprise where the content was much more controllable and easier to control by InfoSec policies than it is now. Email, documents, spreadsheets and content repositories are all fairly easy to control inside the firewall, but now with these devices out there and more information out there, you need to be able to get to that information. But even when you're talking about a personal device in a BYOD initiative, there are going to be instances occurring very soon, if they have not already, where employees are going to be terminated for a variety of reasons and companies are going to need to subpoena that device in order to get access to information that they never thought they would before.

We're talking about new forms of communication. We all know that mobile devices are meant for communications with text and phone calls, so you really want to be able to promote this and make sure that your employees have access to be able to communicate to their fellow team members in order to get their jobs done. But there is some content that you're going to have to protect.

There are court cases changing these rules right now about being able to get to this information. The courts are actually demanding that you change and implement retention policies for things that you never had before.

For example, litigation hold orders are requiring all content to be retained, regardless of the ownership of the device or content type. You might have to actually subpoena a personal device in order to deliver the information as part of a litigation hold. These are things that are not just speculation; these are actual court cases right now.

Employee status: A major BYOD concern

There is an extreme number of court cases being filed on a daily basis [regarding] employees that are using their personal devices or other corporately provided devices outside of their work hours. There's lots of regulation and other legislation that you need to be aware of to protect yourself from that.

You need to make sure that your devices are accessible when they're supposed to be, but not when they're not -- to put it mildly. If the employee has a device, they're going to carry it with them 24 hours a day even when they're not on the job. Should they have access to email at that time? No. If they're part-time, you need to make sure that you have the technologies and techniques in place to make sure that they're not getting that information. That should protect you from many of the court cases that are being filed, and they're happening all of the time.
