Today’s BYOD news roundup takes a look at some of the legal wrinkles that come up when an organization lets its employees bring their own devices for work, some ways to simplify your BYOD security policy, and the fact that when people bring their own devices, they bring along with them their own cloud app accounts, something that many IT departments have ignored.
BYOD and the law
The recently-held Enterprise Connect Orlando 2014 conference featured a session titled Assessing the Legal Issues Around BYOD, which looked at the sort of legal exposure that companies with BYOD programs could face. Among the risks and potential liabilities covered in the session were:
- Lost or stolen devices. The top concern in InformationWeek’s 2013 State of Mobile Security Survey, and of IT directors everywhere: a misplaced smartphone or tablet can give a malicious party the “keys to the kingdom”, either in the form of sensitive data or unauthorized access to corporate resources. The former can be dealt with through virtualization technologies that keep sensitive data in the cloud and off the device, while access control technologies such as mandatory passcodes can help prevent the latter.
- Mis-wipes. Many companies rely on Microsoft Exchange ActiveSync or IBM Notes Traveler for the ability to remotely wipe employee devices, but they’re blunt tools that completely wipe the device clean of all data, both corporate and personal. A number of EMM and containerization solutions make it possible to limit the wipe to just the corporate data, preserving personal information, including irreplaceable stuff such as personal photos (I’ve seen a number of people whose only copy of their recordings of their child’s first steps or words lives on their smartphone). Still, there’s always a chance that a remote wipe may be done in error or extend to include personal data, which may provide grounds for a suit. Users need to be educated about such possibilities and the importance of regular backups.
- Surrender for ediscovery. Employees have to be informed that they will be required to surrender their mobile devices if the devices are needed for electronic discovery, the process of identifying, collecting, and producing electronically-stored data in the course of an investigation or lawsuit. Some organizations provide employees who have surrendered their devices for ediscovery with a “courtesy device”.
- “Texting while driving”. An employee who gets into a car accident while using a mobile device for work — a business call, text message, or other use of the device — may end up making the employer liable, as it happened on company time and the employer is the involved party with the deepest pockets. The damage awards have been in the millions. Everyone on the session panel recommended an outright ban on mobile device use while driving, but as the article puts it: “About the best we can do in the mobility policy is include guidance regarding the safest ways to avoid all distractions while driving, point out which situations are most potentially hazardous, and suggest techniques for avoiding them.”
Other points made in the session:
- Privacy. MDM helps mitigate a number of problems with BYOD, including legal ones, but many users resist it out of fear that it will let IT view personal information. Employers should make clear what IT can and can’t see on employee devices with MDM software, a topic we’ve covered earlier.
- Penalties. Mobile policies are just words if the penalty provisions in them aren’t enforced, and in court, advertised but unenforced penalties will work against you.
- Policy, buy-in, and knowing the limits. Your best defense against all sorts of BYOD trouble, legal and technical, is a combination of policy input and buy-in from various departments (legal, HR, security, line of business managers) and recognition of the limits of enterprise mobility management technology.
Mobile technology as we know it is still a relatively new field, less than a decade old, as is the law surrounding its use. There aren’t many precedents yet, but with good planning, clear communication of policy, and judicious use of management technologies, you can avoid setting one of them.
5 ways to simplify your BYOD security policy
Business News Daily reports on five tips for success with BYOD security from PJ Gupta, CEO of Amtel, a mobile security solutions firm:
- Protect enterprise data and apps. This is the primary goal of workplace BYOD management, and requires both security policies and technologies.
- Secure the device. Mobile devices used for work are both stores of valuable corporate data and a means of access to even more online. You need to be able to manage access to the device as well as data both on the device and accessible via the device, and be able to disable the device if necessary.
- Ensure personal privacy. While control of BYOD devices is important, the device, along with some of the data and use cases, is the employee’s. Limit location tracking to cases where the device is misplaced or stolen, avoid rigid policies in blacklisting and blocking apps, and ensure that personal data is not wiped from the device without employee consent and only when absolutely necessary.
- Use enterprise mobility management solutions. A good cloud-based EMM solution makes enrollment easy, protects against all manner of threats, and stays out of the user’s way.
- Monitor and take action. Device management works best with vigilance: real-time monitoring of data access and audit trails, automatic alerts, and analytics can reveal threats that can be acted upon before the situation becomes much worse.
At another recent conference, the Cloud Innovation Forum in Saratoga, California, a panel discussion covered what its panelists felt was a new challenge: BYOC (Bring Your Own Cloud). As people have been bringing their own devices for work, they’ve also been using their own accounts with cloud-based applications and services. While IT departments have focused on the devices, the applications on them, as well as the cloud-based computing and storage resources that those apps use, also create their own issues, and they need to be reckoned with.
The article concludes with this paragraph:
When it comes to security, this means moving more of our resources out to applications rather than on physical infrastructure as “a lot of applications are in the cloud and it’s hard to manage security on the device in this BYOD world,” according to [panelist] Rai.