“Bring Your Own Device:” Challenges faced by the Consumerization of IT Therese P. Miller, Esq., CIPP Shook, Hardy & Bacon LLP April 18, 2013

Mar 29, 2015


“Bring Your Own Device:” Challenges faced by the Consumerization of IT

Therese P. Miller, Esq., CIPP
Shook, Hardy & Bacon LLP
April 18, 2013


Bring Your Own Device or BYOD


©2013 Thérèse P. Miller - Shook, Hardy & Bacon LLP 3

Consumerization of IT
• Why organizations are adopting BYOD:
  – Cost
  – Convenience
  – Inevitability
  – Support
  – Recruiting, Retention, Diversity


Challenges related to BYOD
• Data-related
  – InfoSec
  – RIM
  – Privacy
  – E-Discovery
  – Protection of Trade Secrets
  – Employment Issues (temp workers)
• Behavior-related
  – Performance
  – EEOC/Wage & hour
  – Training
  – Procedures


Why BYOD?

Courtesy of iStockphoto®


Top Mobile Activities


Mobile Social Networking

Source: ENISA


Mobile Devices and RIM
• Definition of mobile device:
  – an application of wireless communication technologies to process, transmit and exchange data
  – this includes laptop computers, personal digital assistants (PDAs), mobile phones and smart phones
• Records can be created, processed, transferred, stored, disseminated, shared, used, and disposed of in and by mobile devices


Enterprise Deployment Models
• Company-issued and paid-for accounts
• Personal accounts, company reimbursements
• Personal accounts, access to work resources


The line between what is work and what is personal is blurring

Courtesy of iStockphoto®


Strategy for RIM
• Centralization
  – Synchronization procedures – push vs. pull
  – Asset management strategies (Mobile Device Management)
• Storage
  – off-line and off-site data storage retention policies
  – instructions for how and where users can store data
  – backup and recovery procedures
• Function over form
  – Form of ESI does not matter
  – FRCP “stored in any medium”


Image by Frederic Poirot

Data Security


Types of Attacks
• Hacking/Malware (APTs)
• Insider Abuse
• Laptop/Mobile Device Theft
• Phishing
• Denial of Service (DoS)
• Password Sniffing
• Exploit of Wireless Network


Data Breach
• Federal Requirements
• State Data Breach Laws
  – 47 States, D.C., P.R. and the U.S. Virgin Islands enacted such laws beginning with California in 2003


Mass. 201 CMR 17 (2010)
• Minimum standards to “safeguard…personal information in both paper and electronic records:”
  – Designate an individual who is responsible for data security;
  – Anticipate risks to personal information and take appropriate steps to mitigate such risks;
  – Develop security program rules;
  – Impose penalties for violations of the program rules;
  – Prevent access to personal information by former employees;
  – Contractually obligate third-party service providers to maintain similar procedures;
  – Restrict physical access to records containing personal information; monitor the effectiveness of the security program; and
  – Document responses to incidents.
• Technical mandates:
  – User authentication, access controls, encryption, monitoring, portable devices, firewall protection, updates and training.


Concern About Potential Conduits For Exposure


Source: Proofpoint - Osterman


Enisa 10 Smartphone Risks

No.  Title                                               Risk
1    Data leakage resulting from device loss or theft    High
2    Unintentional disclosure of data                    High
3    Attacks on decommissioned smartphones               High
4    Phishing attacks                                    Medium
5    Spyware attacks                                     Medium
6    Network Spoofing Attacks                            Medium
7    Surveillance attacks                                Medium
8    Diallerware attacks                                 Medium
9    Financial malware attacks                           Medium
10   Network congestion                                  Low


“While we acknowledge the growth of mobile computing and the increasing attractiveness of the platform to potential threats, we also must acknowledge that again this year we have no representation of smartphones or tablets as the source of a data breach.”

Source: 2011 Data Breach Investigations Report by Verizon and the United States Secret Service


Securing mobile devices continues to pose a challenge to businesses with 62 percent of respondents identifying this as challenge…. Mobility continues to empower and enable workforces to accomplish more than ever, and this trend is only increasing.

“Smart phones will most likely cause an increase in criminal research and development efforts due to their ubiquity and functionality.”

But Compare

Source: 2011 Underground Economies Report by McAfee and SAIC


Image by EJP Photo

Data Privacy


Federal Data Privacy Laws
• FTC Consent Decrees
• Consumer Financial Protection Bureau
• “Gramm-Leach-Bliley” or GLBA
• FCRA
• FACTA
• Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
• Red Flags Rule
• HIPAA/HITECH
• FTC Act
• COPPA, CAN-SPAM, ECPA, FISA, USA-Patriot Act
• Export Controls
  – DoC Export Administration Regulations (EAR)
  – DoS International Traffic in Arms Regulations (ITAR)


Privacy Laws
• Privacy Laws
  – Regulates the use & transfer of personally identifiable information (PII)
• Data & Identity Theft
  – Criminalizes unauthorized access to information systems and the use of stolen information for fraudulent, criminal, or other unlawful purposes
• Data Breach Notification
  – Requires notice to individuals and/or police authorities when information security has been breached or compromised, resulting in risk/exposure of confidentiality, integrity, and/or security of the PII


Why Do We Care?
• Devices typically allow 3rd parties to access personal information, such as:
  – Phone numbers, current location, often the owner's real name—even a unique ID number that can never be changed or turned off
  – Contact lists
  – Pictures
  – Browsing history
• Third parties, like ad networks, usually must use “cookies” to track users on the web; in the mobile space they often get access to unique (and permanent) device identifiers


Mobile Apps
• Wall Street Journal Investigation:
  – Examined 101 popular smartphone “apps” in Dec. 2010
    • 56 transmitted phone's unique device ID to others w/o users' awareness or consent
    • 47 apps transmitted the phone's location in some way
    • 5 sent age, gender and other personal details to outsiders


What Does Your Phone Know About You?
• Forensics program for investigating iPhones and iPads, e.g.
  – 14,000 text messages, 1,350 words in personal dictionary, 1,450 Facebook contacts, tens of thousands of location pings, every website ever visited, what locations mapped, emails going back a month, photos with geolocation data attached and how many times checked my email on any given day


INTERNATIONAL DATA PROTECTION


Image by Vincenzo Cosenza


GOVERNMENT INTRUSION


US Laws Governing Access
• USA PATRIOT Act
  – Surveillance of customer data by the National Security Administration
• ECPA (SCA)
  – Warrantless searches under the exceptions provided under the SCA
  – Electronic Communication Privacy Act (18 U.S.C. § 2510)
    • Statute controls what can be disclosed to law enforcement
• CFAA
  – Criminalizes unauthorized access to computers
  – CFAA generally requires an unauthorized access—either an “access without authorization” or an act that “exceed[s] authorized access.”


ECPA (SCA)
• Electronic Communications Privacy Act
• Prohibits disclosure of contents of electronically stored communications
• Depends on distinctions, such as:
  – Electronic communication service (ECS)/remote computing service (RCS)
  – Content/records/basic info
  – Subpoena/2703(d) order/search warrant
  – Less than/more than 180 days
• Exceptions
  – Communications “to” intended recipient
  – With consent of originator
  – As necessary to provide service
  – Law enforcement for various reasons


So What Can the Government Get?

• Subpoena needed only
  – Basic subscriber info
  – Name, Address, service start date and the types of services you use, phone records, Internet records such as the times you signed on and off of the service, the length of each session, and the IP address that the ISP assigned to you for each session, information on how you pay your bill, including any credit card or bank account number the ISP or phone company has on file.


So What Can The Government Get?

• Court order required
  – Email addresses of people you send emails to and receive emails from, sent and received time, and size
  – IP addresses of other computers on the Internet that you communicate with, when you communicated with them, and how much data was exchanged
  – Web addresses of web pages that you visit
  – Cell site location data for your mobile device


So What Can The Government Get?

• Emails, voicemails, and other communications content stored by your communications providers receive stronger protection


Provider Retention Periods

• ACLU of NC
• FOIA request
• Memo from the DOJ – Aug 2010
• Source: Wired.com


Trends in the New Media

Image by EJP Photo


Mobile Payments


Location-based Apps
• Increasingly, the shared information is location-specific on social media
• Photos taken on mobile devices have geotagging
• Social media apps
  – Facebook Places
  – Foursquare
  – Yelp
  – Twitter
  – Google Maps


Mythbusters Host Is Geobusted

• Adam Savage, of “MythBusters,” took a photo of his vehicle using his smartphone
• Posted the photo to his Twitter account including the phrase “off to work”
• Photo was taken by his smartphone
• Image contained metadata revealing the exact geographical location the photo was taken
• So by simply taking and posting a photo, Savage revealed the exact location of his home, the vehicle he drives and the time he leaves for work


Geotagging
• Process of adding geographical identification to photographs, video, websites and SMS messages
• Geotags are automatically embedded in pictures taken with smartphones
• Flickr – 5.0 million things geotagged this month
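The geotag exposure described in the MythBusters and Geotagging slides, as an added example that is not part of the original presentation: a standard-library Python check that reads the EXIF GPS coordinates out of a JPEG and removes the EXIF block before the photo is shared. The sample image, its coordinates and all function names are constructed for illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825  # IFD0 tag holding the offset of the GPS directory
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4  # tags inside the GPS directory

def _segments(jpeg):
    """Yield (marker, start, end) for each segment between SOI and the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def _read_ifd(tiff, offset, bo):
    """Return {tag: raw 4-byte value/offset field} for one TIFF directory."""
    (count,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        (tag,) = struct.unpack(bo + "H", tiff[base:base + 2])
        entries[tag] = tiff[base + 8:base + 12]
    return entries

def _degrees(tiff, field, bo):
    """Decode three RATIONALs (degrees, minutes, seconds) into decimal degrees."""
    (offset,) = struct.unpack(bo + "I", field)
    n = struct.unpack(bo + "6I", tiff[offset:offset + 24])
    if 0 in n[1::2]:  # zero denominator: no usable value
        return None
    return n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600

def find_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the JPEG has an EXIF geotag, else None."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        bo = "<" if tiff[:2] == b"II" else ">"
        try:
            (ifd0_off,) = struct.unpack(bo + "I", tiff[4:8])
            ifd0 = _read_ifd(tiff, ifd0_off, bo)
            (gps_off,) = struct.unpack(bo + "I", ifd0[GPS_IFD_POINTER])
            gps = _read_ifd(tiff, gps_off, bo)
            lat, lon = _degrees(tiff, gps[LAT], bo), _degrees(tiff, gps[LON], bo)
        except (struct.error, KeyError):
            return None  # no GPS directory, or truncated EXIF
        if lat is None or lon is None:
            return None
        lat = -lat if gps.get(LAT_REF, b"")[:1] == b"S" else lat
        lon = -lon if gps.get(LON_REF, b"")[:1] == b"W" else lon
        return lat, lon
    return None

def strip_exif(jpeg):
    """Return the JPEG with every EXIF APP1 segment removed; other bytes are kept."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        last = end
    return bytes(out) + jpeg[last:]

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: a minimal JPEG whose EXIF block holds only a geotag."""
    rat = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    # Little-endian TIFF: header 0-7, IFD0 8-25, GPS IFD 26-79, lat @80, lon @104
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", LAT_REF, 2, 2, lat_ref)
    tiff += struct.pack("<HHII", LAT, 5, 3, 80)
    tiff += struct.pack("<HHI4s", LON_REF, 2, 2, lon_ref)
    tiff += struct.pack("<HHII", LON, 5, 3, 104)
    tiff += struct.pack("<I", 0) + rat(lat_dms) + rat(lon_dms)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\xff\xd9"

# Constructed sample: 10°30'0" N, 20°15'0" W (not a real photo or location).
SAMPLE = build_sample_jpeg([(10, 1), (30, 1), (0, 1)], b"N",
                           [(20, 1), (15, 1), (0, 1)], b"W")

if __name__ == "__main__":
    print("geotag found:", find_gps(SAMPLE))
    print("after strip_exif:", find_gps(strip_exif(SAMPLE)))
```

`strip_exif` drops the whole EXIF segment rather than only the GPS directory, so camera model and timestamp fields go with it; metadata stored in other containers (for example XMP) is outside what this check covers.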


iPhone And Smartphone “Tracking”


Policies

Courtesy of iStockphoto®


RIM Policy Language
• Information flows through the organization in the form of paper and electronic records such as word processing documents, spreadsheets, email, graphical images, and voice or data transmissions.
  – This includes the use of mobile devices, smartphones and PDAs.
• Define what is a record?
  – Recorded information regardless of medium or characteristics made or received by the Company as required by legal or regulatory obligation or in the transaction of business


Employer Monitoring

• Employers generally have a right to monitor employee use
  – Reserve the right to monitor employee use of mobile devices by systems administrators
  – If work-issued equipment, remind employees that use is primarily for business purposes and not for personal purposes
  – Employees generally have no privacy rights in emails/text messages sent over work-issued equipment


Work-Issued Devices vs. Personal Devices
• Depending on company deployment, if those devices contain electronic information that is duplicative of information that is already being preserved on your laptop or desktop computers, you are not required to retain
• Enforce usage policies to create a demarcation of what is acceptable


BYOD Employee Agreements

• Participation in the BYOD programs is voluntary.

• This agreement is between you and Company. It describes the conditions under which you may use your own handheld devices to access the Company network and Company data, and perform Company work.


1. Eligibility
• To be eligible to use your device under the BYOD programs, you must:
  – Be a regular Company employee (not a contingent or contract worker);
  – Register your device;
  – Agree to and comply with the terms of this agreement;
  – Be in a business group that allows participation in the program; and
  – Receive permission from your manager.
  – If you breach any of the terms of this agreement, you will become ineligible to participate in the BYOD programs, and you may be subject to disciplinary action.


Company Policies Still Apply When Enrolled in the BYOD Program


Policies
• Company Code of Conduct;
• Company E-mail Policies;
• Company Computer Use Policies;
• Company Information Security Policies and Procedures;
• Company Employment Agreement and Policies;
• Company Software Licensing Policy;
• Company Social Media Policy;
• Company Privacy Policies and Procedures; and
• All other applicable Company policies and procedures.


Data Storage and Backup
• If your device does not allow automatic partitioning of Company-owned information from non-Company information, you should manually separate the information when possible.
• For the Tablet program, Company will provide you with login credentials which will allow you to access a suite of Company provided applications and data in the virtualized environment.
• You should back up any non-Company data you care about that is stored on your device. You should use a method that does not also capture Company data for storage.
• You must not access, view or store Company information labeled “Trade Secret” on your device.


Data and Device Management

• Your device is subject to standard Company data management policies and procedures including, but not limited to, a remote “wipe” that will remove all stored content. A remote “wipe” can be performed at any time as deemed necessary by Company. Examples of when a remote “wipe” might be necessary include (but are not limited to):
  – employee termination, malicious code infection, lost or stolen device, or prolonged absence from Company. Company is not responsible for any non-Company data lost as the result of a remote wipe.


Legal Event Hold Notice
• If you are, or become, subject to a Legal Hold, you must follow all Legal Hold instructions, take affirmative steps to preserve relevant information as instructed by Company Legal, and seek permission from Company Legal before removing any information from your device. You must notify Company if you leave the HH or Tablet programs, or your employment with Company is terminated. Appropriate contact information will be supplied to you with any Legal Hold notifications. It is your responsibility to understand what services you are allowed to access on your device when subject to a Legal Hold.


Mobile Device Data

Unique ESI Source

Duplicative Data


Minimum Security Controls

• Implement security controls:
  – Strong passwords/history
  – Password expiration
  – Lockout after several failed attempts
  – Encryption
  – Inactivity timeout
  – Remote wiping for lost/stolen devices
  – Before using them for company business, employees should make devices available to IT for implementation of security settings
• Mobile devices that cannot be provisioned to support the policy should not be allowed to connect to the organization’s email system


Personal Smartphone Use

• Only allow devices that can be provisioned to meet appropriate security standards

• Set expectations for the end-user regarding smartphones that may be lost or stolen
  – Reporting the loss of a device is KEY!


Enisa Recommendations
• Consumers:
  – Automatic locking
  – Check reputation before installing or using new smartphone apps or services
  – Scrutinize permission requests
  – Reset and wipe: before disposal
• Employees:
  – Decommissioning: memory wipe processes.
  – App installation: define and enforce an app whitelist
  – Confidentiality: use memory encryption for the smartphone memory and removable media


Mobile Device Management
1. Different employees require different kinds of mobile support from IT
2. IT should query users to understand staff needs, preferences
3. Create one clear policy for corporate- and employee-owned mobile devices
4. Know mobile platforms' limitations, prioritize support for those that need it most
5. No one-size-fits-all-platforms MDM solution


Mobile Device Management
5. Encourage IT suppliers to offer app stores that suit the enterprise
6. Employ virtualization for access to Windows apps on non-Windows devices
7. Support employee-owned devices but set strict usage guidelines
8. Make it clear to users which mobile services are approved
9. Reimbursement for employee-device service costs can serve as incentives


Contractual Terms
• Infrastructure/Security
• Ownership of data
• Limitation of damages
• Data control
• Breach remedies
• Trust but verify (puffery?)
• Service levels (and what they mean)
• Termination or suspension of service
• Retention and Access to Data following termination
• Representations and warranties
• Indemnification
• Confidentiality
• Choice of law
• Notification obligations
• Migration of data issues
• Data Processing & Storage
• Subcontractors
• Cross-Border Transfer


E-DISCOVERY


Image by MayaEvening


Challenges
1. Preservation
2. Search & retrieval
3. Encryption of data
4. Lack of visibility on disaster recovery media


Jurisdiction
• Maintaining information systems in the US raises concerns that sufficient “minimum contacts” will be found
• Foreign corporations could be found subject to US jurisdiction, if so, may implicate:
  – Corporate structure
  – Tax
  – Export control


Possession, Custody or Control

• A court cannot order production of documents from a party that does not have “possession, custody or control” or the “practical ability” to obtain those documents

• Interconnected data systems (such as cloud) potentially expose the documents of a foreign affiliate to production in a US court


Thérèse P. Miller, Esq., [email protected]

Of Counsel
Shook, Hardy & Bacon LLP
One Montgomery Tower, Suite 2700
San Francisco, CA 94104
(415) 544-1900
