“Bring Your Own Device:” Challenges faced by the Consumerization of IT Therese P. Miller, Esq., CIPP Shook, Hardy & Bacon LLP April 18, 2013
Bring Your Own Device or BYOD
©2013 Thérèse P. Miller - Shook, Hardy & Bacon LLP 3
Consumerization of IT
• Why organizations are adopting BYOD:
  – Cost
  – Convenience
  – Inevitability
  – Support
  – Recruiting, Retention, Diversity
Challenges related to BYOD
• Data-related
  – InfoSec
  – RIM
  – Privacy
  – E-Discovery
  – Protection of Trade Secrets
  – Employment Issues (temp workers)
• Behavior-related
  – Performance
  – EEOC/Wage & hour
  – Training
  – Procedures
Why BYOD? (image slide; courtesy of iStockphoto®)

Top Mobile Activities (chart slide)

Mobile Social Networking (chart slide; source: ENISA)
Mobile Devices and RIM
• Definition of mobile device:
  – an application of wireless communication technologies to process, transmit and exchange data
  – this includes laptop computers, personal digital assistants (PDAs), mobile phones and smart phones
• Records can be created, processed, transferred, stored, disseminated, shared, used, and disposed of in and by mobile devices
Enterprise Deployment Models
• Company-issued and paid-for accounts
• Personal accounts, company reimbursements
• Personal accounts, access to work resources
The line between what is work and what is personal is blurring (image slide; courtesy of iStockphoto®)
Strategy for RIM
• Centralization
  – Synchronization procedures – push vs. pull
  – Asset management strategies (Mobile Device Management)
• Storage
  – off-line and off-site data storage retention policies
  – instructions for how and where users can store data
  – backup and recovery procedures
• Function over form
  – Form of ESI does not matter
  – FRCP “stored in any medium”
Data Security (section title slide; image by Frederic Poirot)
Types of Attacks
• Hacking/Malware (APTs)
• Insider Abuse
• Laptop/Mobile Device Theft
• Phishing
• Denial of Service (DoS)
• Password Sniffing
• Exploit of Wireless Network
Data Breach
• Federal Requirements
• State Data Breach Laws
  – 47 states, D.C., P.R. and the U.S. Virgin Islands have enacted such laws, beginning with California in 2003
Mass. 201 CMR 17 (2010)
• Minimum standards to “safeguard…personal information in both paper and electronic records:”
  – Designate an individual who is responsible for data security;
  – Anticipate risks to personal information and take appropriate steps to mitigate such risks;
  – Develop security program rules;
  – Impose penalties for violations of the program rules;
  – Prevent access to personal information by former employees;
  – Contractually obligate third-party service providers to maintain similar procedures;
  – Restrict physical access to records containing personal information;
  – Monitor the effectiveness of the security program; and
  – Document responses to incidents.
• Technical mandates:
  – User authentication, access controls, encryption, monitoring, portable devices, firewall protection, updates and training.
Concern About Potential Conduits For Exposure (chart slide; source: Proofpoint - Osterman)
Enisa 10 Smartphone Risks
No.  Title                                              Risk
1    Data leakage resulting from device loss or theft   High
2    Unintentional disclosure of data                   High
3    Attacks on decommissioned smartphones              High
4    Phishing attacks                                   Medium
5    Spyware attacks                                    Medium
6    Network spoofing attacks                           Medium
7    Surveillance attacks                               Medium
8    Diallerware attacks                                Medium
9    Financial malware attacks                          Medium
10   Network congestion                                 Low
“While we acknowledge the growth of mobile computing and the increasing attractiveness of the platform to potential threats, we also must acknowledge that again this year we have no representation of smartphones or tablets as the source of a data breach.”
Source: 2011 Data Breach Investigations Report by Verizon and the United States Secret Service

But Compare
Securing mobile devices continues to pose a challenge to businesses, with 62 percent of respondents identifying this as a challenge…. Mobility continues to empower and enable workforces to accomplish more than ever, and this trend is only increasing.
“Smart phones will most likely cause an increase in criminal research and development efforts due to their ubiquity and functionality.”
Source: 2011 Underground Economies Report by McAfee and SAIC
Data Privacy (section title slide; image by EJP Photo)
Federal Data Privacy Laws
• FTC Consent Decrees
• Consumer Financial Protection Bureau
• “Gramm-Leach-Bliley” or GLBA
• FCRA
• FACTA
• Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
• Red Flags Rule
• HIPAA/HITECH
• FTC Act
• COPPA, CAN-SPAM, ECPA, FISA, USA PATRIOT Act
• Export Controls
  – DoC Export Administration Regulations (EAR)
  – DoS International Traffic in Arms Regulations (ITAR)
Privacy Laws
• Privacy Laws
  – Regulate the use & transfer of personally identifiable information (PII)
• Data & Identity Theft
  – Criminalizes unauthorized access to information systems and the use of stolen information for fraudulent, criminal, or other unlawful purposes
• Data Breach Notification
  – Requires notice to individuals and/or police authorities when information security has been breached or compromised, resulting in risk/exposure of the confidentiality, integrity, and/or security of the PII
Why Do We Care?
• Devices typically allow 3rd parties to access personal information, such as:
  – Phone numbers, current location, often the owner's real name, even a unique ID number that can never be changed or turned off
  – Contact lists
  – Pictures
  – Browsing history
• Third parties, like ad networks, usually must use “cookies” to track users on the web; in the mobile space they often get access to unique (and permanent) device identifiers instead
Mobile Apps
• Wall Street Journal Investigation:
  – Examined 101 popular smartphone “apps” in Dec. 2010
    • 56 transmitted the phone's unique device ID to others without users' awareness or consent
    • 47 apps transmitted the phone's location in some way
    • 5 sent age, gender and other personal details to outsiders
What Does Your Phone Know About You?
• Forensics program for investigating iPhones and iPads, e.g.:
  – 14,000 text messages, 1,350 words in the personal dictionary, 1,450 Facebook contacts, tens of thousands of location pings, every website ever visited, which locations were mapped, emails going back a month, photos with geolocation data attached, and how many times I checked my email on any given day
INTERNATIONAL DATA PROTECTION (section title slide; image by Vincenzo Cosenza)
GOVERNMENT INTRUSION (section title slide)
US Laws Governing Access
• USA PATRIOT Act
  – Surveillance of customer data by the National Security Administration
• ECPA (SCA)
  – Warrantless searches under the exceptions provided under the SCA
  – Electronic Communications Privacy Act (18 U.S.C. § 2510)
  – Statute controls what can be disclosed to law enforcement
• CFAA
  – Criminalizes unauthorized access to computers
  – The CFAA generally requires an unauthorized access, either an “access without authorization” or an act that “exceed[s] authorized access.”
ECPA (SCA)
• Electronic Communications Privacy Act
• Prohibits disclosure of contents of electronically stored communications
• Depends on distinctions, such as:
  – Electronic communication service (ECS) / remote computing service (RCS)
  – Content / records / basic info
  – Subpoena / 2703(d) order / search warrant
  – Less than / more than 180 days
• Exceptions
  – Communications “to” intended recipient
  – With consent of originator
  – As necessary to provide service
  – Law enforcement for various reasons
So What Can the Government Get?
• Subpoena needed only
  – Basic subscriber info
  – Name, address, service start date and the types of services you use, phone records, Internet records such as the times you signed on and off of the service, the length of each session, and the IP address that the ISP assigned to you for each session, information on how you pay your bill, including any credit card or bank account number the ISP or phone company has on file.
So What Can The Government Get?
• Court order required
  – Email addresses of people you send emails to and receive emails from, sent and received time, and size
  – IP addresses of other computers on the Internet that you communicate with, when you communicated with them, and how much data was exchanged
  – Web addresses of web pages that you visit
  – Cell site location data for your mobile device
So What Can The Government Get?
• Emails, voicemails, and other communications content stored by your communications providers receive stronger protection
Provider Retention Periods
• ACLU of NC
• FOIA request
• Memo from the DOJ, Aug 2010
• Source: Wired.com
Trends in the New Media (section title slide; image by EJP Photo)
Mobile Payments
Location-based Apps
• Increasingly, the information shared on social media is location-specific
• Photos taken on mobile devices have geotagging
• Social media apps
  – Facebook Places
  – Foursquare
  – Yelp
  – Twitter
  – Google Maps
Mythbusters Host Is Geobusted
• Adam Savage, of “MythBusters,” took a photo of his vehicle using his smartphone
• Posted the photo to his Twitter account including the phrase “off to work”
• Photo was taken by his smartphone
• Image contained metadata revealing the exact geographical location the photo was taken
• So by simply taking and posting a photo, Savage revealed the exact location of his home, the vehicle he drives and the time he leaves for work
Geotagging
• Process of adding geographical identification to photographs, video, websites and SMS messages
• Geotags are automatically embedded in pictures taken with smartphones
• Flickr – 5.0 million things geotagged this month
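The geotag the slides describe lives in the JPEG's Exif APP1 segment as a GPS sub-IFD. The Python below is an added example written for this page (it is not from the presentation, ENISA, Flickr or any MDM product): it constructs a minimal geotagged JPEG in code (Exif header only, no image data, with made-up coordinates), reads the latitude and longitude back the way a forensics tool would, and strips the Exif segment, which is the check a defender would put in front of any outbound photo. The tag layout follows the Exif/TIFF structure; the helper names and the sample coordinates are assumptions.

```python
import struct

GPS_IFD_TAG = 0x8825  # Exif IFD0 entry that points at the GPS sub-IFD
EXIF_HEADER = b"Exif\x00\x00"

def _to_dms_rationals(value):
    """Decimal degrees -> [(deg,1), (min,1), (sec*1e4,1e4)] RATIONAL triples, as cameras write them."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = ((value - deg) * 60 - minutes) * 60
    return [(deg, 1), (minutes, 1), (round(seconds * 10000), 10000)]

def build_geotagged_jpeg(lat, lon):
    """Constructed sample: SOI + Exif APP1 carrying only a GPS IFD + EOI; offsets are TIFF-relative."""
    lat_ref, lon_ref = (b"N" if lat >= 0 else b"S"), (b"E" if lon >= 0 else b"W")
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)  # little-endian TIFF header
    # IFD0: one entry (GPSInfo, type LONG, count 1, value = GPS IFD offset), then next-IFD = 0
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_off) + struct.pack("<I", 0)
    # GPS IFD: LatitudeRef (ASCII), Latitude (3 RATIONAL), LongitudeRef (ASCII), Longitude (3 RATIONAL)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", 1, 2, 2, lat_ref + b"\x00\x00\x00")
    tiff += struct.pack("<HHII", 2, 5, 3, lat_off)
    tiff += struct.pack("<HHI4s", 3, 2, 2, lon_ref + b"\x00\x00\x00")
    tiff += struct.pack("<HHII", 4, 5, 3, lon_off)
    tiff += struct.pack("<I", 0)
    assert len(tiff) == lat_off  # layout sanity check
    for num, den in _to_dms_rationals(lat) + _to_dms_rationals(lon):
        tiff += struct.pack("<II", num, den)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"

def iter_segments(jpeg):
    """Yield (marker, payload, start, end) for each marker segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS (entropy-coded scan data follows)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length

def _read_ifd(tiff, offset, endian):
    """Parse one IFD into {tag: (type, count, 4 raw value-or-offset bytes)}."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries

def _rationals(tiff, entry, endian):
    _typ, cnt, raw = entry
    off = struct.unpack(endian + "I", raw)[0]  # RATIONALs never fit in 4 bytes, so raw is an offset
    pairs = [struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(cnt)]
    return [num / den if den else 0.0 for num, den in pairs]

def _coord(tiff, gps, val_tag, ref_tag, endian, negative_ref):
    d, m, s = _rationals(tiff, gps[val_tag], endian)
    value = d + m / 60 + s / 3600
    return -value if gps[ref_tag][2][:1] == negative_ref else value

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if no geotag is present."""
    for marker, payload, _s, _e in iter_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[6:]
        endian = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_TAG not in ifd0:
            continue
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])[0], endian)
        if any(t not in gps for t in (1, 2, 3, 4)):
            continue
        return _coord(tiff, gps, 2, 1, endian, b"S"), _coord(tiff, gps, 4, 3, endian, b"W")
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; image data passes through unchanged."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, payload, start, end in iter_segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])  # SOS, scan data and EOI
```

`extract_gps(build_geotagged_jpeg(37.7749, -122.4194))` recovers the constructed coordinates, and `extract_gps(strip_exif(...))` returns `None`. Dropping the whole Exif segment is the blunt but reliable fix; it also discards orientation and camera fields, which is the usual trade-off made by "remove metadata" features.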
iPhone And Smartphone “Tracking” (image slide)

Policies (section title slide; courtesy of iStockphoto®)
RIM Policy Language
• Information flows through the organization in the form of paper and electronic records such as word processing documents, spreadsheets, email, graphical images, and voice or data transmissions.
  – This includes the use of mobile devices, smartphones and PDAs.
• Define what a record is:
  – Recorded information, regardless of medium or characteristics, made or received by the Company as required by legal or regulatory obligation or in the transaction of business
Employer Monitoring
• Employers generally have a right to monitor employee use
  – Reserve the right to monitor employee use of mobile devices by systems administrators
  – If equipment is work-issued, remind employees that use is primarily for business purposes and not for personal purposes
  – Employees generally have no privacy rights in emails/text messages sent over work-issued equipment
Work-Issued Devices vs. Personal Devices
• Depending on company deployment, if those devices contain electronic information that is duplicative of information that is already being preserved on your laptop or desktop computers, you are not required to retain it
• Enforce usage policies to create a demarcation of what is acceptable
BYOD Employee Agreements
• Participation in the BYOD programs is voluntary.
• This agreement is between you and Company. It describes the conditions under which you may use your own handheld devices to access the Company network and Company data, and perform Company work.
1. Eligibility
• To be eligible to use your device under the BYOD programs, you must:
  – Be a regular Company employee (not a contingent or contract worker);
  – Register your device;
  – Agree to and comply with the terms of this agreement;
  – Be in a business group that allows participation in the program; and
  – Receive permission from your manager.
• If you breach any of the terms of this agreement, you will become ineligible to participate in the BYOD programs, and you may be subject to disciplinary action.
Company Policies Still Apply When Enrolled in the BYOD Program
Policies
• Company Code of Conduct;
• Company E-mail Policies;
• Company Computer Use Policies;
• Company Information Security Policies and Procedures;
• Company Employment Agreement and Policies;
• Company Software Licensing Policy;
• Company Social Media Policy;
• Company Privacy Policies and Procedures; and
• All other applicable Company policies and procedures.
Data Storage and Backup
• If your device does not allow automatic partitioning of Company-owned information from non-Company information, you should manually separate the information when possible.
• For the Tablet program, Company will provide you with login credentials which will allow you to access a suite of Company-provided applications and data in the virtualized environment.
• You should back up any non-Company data you care about that is stored on your device. You should use a method that does not also capture Company data for storage.
• You must not access, view or store Company information labeled “Trade Secret” on your device.
Data and Device Management
• Your device is subject to standard Company data management policies and procedures including, but not limited to, a remote “wipe” that will remove all stored content. A remote “wipe” can be performed at any time as deemed necessary by Company. Examples of when a remote “wipe” might be necessary include (but are not limited to):
  – employee termination, malicious code infection, lost or stolen device, or prolonged absence from Company.
• Company is not responsible for any non-Company data lost as the result of a remote wipe.
Legal Event Hold Notice
• If you are, or become, subject to a Legal Hold, you must follow all Legal Hold instructions, take affirmative steps to preserve relevant information as instructed by Company Legal, and seek permission from Company Legal before removing any information from your device. You must notify Company if you leave the HH or Tablet programs, or your employment with Company is terminated. Appropriate contact information will be supplied to you with any Legal Hold notifications. It is your responsibility to understand what services you are allowed to access on your device when subject to a Legal Hold.
Mobile Device Data (diagram slide: Unique ESI Source vs. Duplicative Data)
Minimum Security Controls
• Implement security controls:
  – Strong passwords/history
  – Password expiration
  – Lockout after several failed attempts
  – Encryption
  – Inactivity timeout
  – Remote wiping for lost/stolen devices
  – Before using them for company business, employees should make devices available to IT for implementation of security settings
• Mobile devices that cannot be provisioned to support the policy should not be allowed to connect to the organization’s email system
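The control list above is what an MDM compliance check evaluates before a device is allowed onto corporate email. The Python below is an added example written for this page (not from the presentation or any MDM vendor): it models the slide's controls as a policy, evaluates constructed device records against it, and produces the email-gating decision the last bullet calls for. The thresholds (8-character passcode, 5-deep history, 90-day expiry, lockout after 10 failures, 5-minute timeout), the attribute names and the sample devices are all assumptions; real MDM agents report the same attributes under their own names.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class DevicePosture:
    """Attributes an MDM agent reports for one enrolled device (constructed records below)."""
    device_id: str
    passcode_min_length: int
    password_history_depth: int      # previous passcodes the device refuses to reuse
    passcode_last_changed: date
    lock_after_failed_attempts: int  # 0 means lockout is disabled
    storage_encrypted: bool
    inactivity_timeout_minutes: int  # 0 means the screen never auto-locks
    remote_wipe_enrolled: bool


@dataclass
class MinimumControls:
    """Policy thresholds; the numbers are assumed values, not from the presentation."""
    passcode_min_length: int = 8
    password_history_depth: int = 5
    passcode_max_age_days: int = 90
    lock_after_failed_attempts: int = 10
    inactivity_timeout_max_minutes: int = 5


def evaluate(device, policy, today):
    """Return the names of the slide's controls the device fails; an empty list means compliant."""
    failures = []
    if device.passcode_min_length < policy.passcode_min_length:
        failures.append("strong passwords")
    if device.password_history_depth < policy.password_history_depth:
        failures.append("password history")
    if (today - device.passcode_last_changed).days > policy.passcode_max_age_days:
        failures.append("password expiration")
    if not 0 < device.lock_after_failed_attempts <= policy.lock_after_failed_attempts:
        failures.append("lockout after failed attempts")
    if not device.storage_encrypted:
        failures.append("encryption")
    if not 0 < device.inactivity_timeout_minutes <= policy.inactivity_timeout_max_minutes:
        failures.append("inactivity timeout")
    if not device.remote_wipe_enrolled:
        failures.append("remote wipe")
    return failures


def may_connect_to_email(device, policy, today):
    """The slide's gate: a device that cannot be provisioned to the policy gets no mail access."""
    return not evaluate(device, policy, today)


# Constructed sample fleet: one provisioned by IT, one never touched, one with a stale passcode.
SAMPLE_FLEET = [
    DevicePosture("phone-a", 8, 5, date(2013, 3, 1), 10, True, 5, True),
    DevicePosture("phone-b", 4, 0, date(2012, 12, 1), 0, False, 0, False),
    DevicePosture("tablet-c", 8, 5, date(2012, 11, 15), 10, True, 5, True),
]


def triage(fleet, policy, today):
    """Map device id -> failed controls, so IT sees what to fix before granting access."""
    return {d.device_id: evaluate(d, policy, today) for d in fleet}
```

Running `triage(SAMPLE_FLEET, MinimumControls(), date(2013, 4, 18))` reports `phone-a` as compliant, `tablet-c` as failing only password expiration, and `phone-b` as failing every control; only `phone-a` passes `may_connect_to_email`. Keeping the thresholds in one policy object is what lets the same check be rerun when the standard is tightened.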
Personal Smartphone Use
• Only allow devices that can be provisioned to meet appropriate security standards
• Set expectations for the end-user regarding smartphones that may be lost or stolen
  – Reporting the loss of a device is KEY!
Enisa Recommendations
• Consumers:
  – Automatic locking
  – Check reputation before installing or using new smartphone apps or services
  – Scrutinize permission requests
  – Reset and wipe before disposal
• Employees:
  – Decommissioning: memory wipe processes
  – App installation: define and enforce an app whitelist
  – Confidentiality: use memory encryption for the smartphone memory and removable media
Mobile Device Management
1. Different employees require different kinds of mobile support from IT
2. IT should query users to understand staff needs, preferences
3. Create one clear policy for corporate- and employee-owned mobile devices
4. Know mobile platforms' limitations, prioritize support for those that need it most
5. No one-size-fits-all-platforms MDM solution
Mobile Device Management
6. Encourage IT suppliers to offer app stores that suit the enterprise
7. Employ virtualization for access to Windows apps on non-Windows devices
8. Support employee-owned devices but set strict usage guidelines
9. Make it clear to users which mobile services are approved
10. Reimbursement for employee-device service costs can serve as an incentive
Contractual Terms
• Infrastructure/Security
• Ownership of data
• Limitation of damages
• Data control
• Breach remedies
• Trust but verify (puffery?)
• Service levels (and what they mean)
• Termination or suspension of service
• Retention and access to data following termination
• Representations and warranties
• Indemnification
• Confidentiality
• Choice of law
• Notification obligations
• Migration of data issues
• Data processing & storage
• Subcontractors
• Cross-border transfer
E-DISCOVERY (section title slide; image by MayaEvening)
Challenges
1. Preservation
2. Search & retrieval
3. Encryption of data
4. Lack of visibility on disaster recovery media
Jurisdiction
• Maintaining information systems in the US raises concerns that sufficient “minimum contacts” will be found
• Foreign corporations could be found subject to US jurisdiction; if so, this may implicate:
  – Corporate structure
  – Tax
  – Export control
Possession, Custody or Control
• A court cannot order production of documents from a party that does not have “possession, custody or control” or the “practical ability” to obtain those documents
• Interconnected data systems (such as cloud) potentially expose the documents of a foreign affiliate to production in a US court
Thérèse P. Miller, Esq., [email protected]
Of Counsel
Shook, Hardy & Bacon LLP
One Montgomery Tower, Suite 2700
San Francisco, CA 94104
(415) 544-1900