44 SC Lawyer - Technethics


Making Sure BYOD Does Not Stand for “Breach Your Organization’s Data”

By Allyson Haynes Stuart

It is the modern employer’s dilemma: do you allow employees to bring their personal smartphones, laptops and tablets to work for business purposes? Do you purchase work devices for them, duplicating what they have? Or do you simply ban use of any personal device for work purposes?

Approximately 80 percent of full-time U.S. workers have a smartphone with Internet access, 87 percent have a laptop or desktop computer and 49 percent have a tablet computer.1 In all, 96 percent of full-time American employees say they use at least one of these types of devices.2 In addition, more and more employees are working from outside the office, which often increases productivity.3 Outright bans on use of personal devices for work may be impractical or, worse, not followed. And it is economically beneficial for employers not to have to duplicate these devices. For these reasons, many employers are incorporating employee-owned devices into their policies. Reportedly, more than half of North American and European companies are developing a bring-your-own-device (BYOD) policy.4 But with the benefits of BYOD come many challenges. This article explores the risks associated with BYOD and offers practical solutions for employers seeking to maintain a secure corporate network.

The risks of BYOD

First, what are the risks of allowing employees to use their own devices for work? Obviously, risks vary greatly depending on the type of employer. There will be


March 2016 45


more risk for employees who deal with confidential information, such as in the health care or legal sectors. One recent survey found that 72 percent of consumers text for work purposes, and that 25 percent of those messages contain confidential information.5 But some risks apply even to non-confidential communications.

Loss of control over employer data

Many employers are required as part of compliance obligations to retain certain data or communications. If that data resides on a device over which the employer has no control, the employer may face regulatory or other problems.

Compliance and confidentiality

In the financial services industry, a variety of federal regulations require broker-dealers, investment advisers and investment companies to retain copies of all communications relating to their business and to produce such records upon request.6 E-mails, text messages and instant messages are “communications” and brokerage firms, therefore, have to retain such records related to their business and be able to produce them promptly at the request of the Securities and Exchange Commission (SEC). In 2013, the top source of fines by the Financial Industry Regulatory Authority (FINRA) was noncompliance with electronic messaging laws.7

Barclays Capital Inc. was fined $3.75 million for systemic failures to properly preserve electronic records and certain e-mails and instant messages.8 Audio communications, a key component of smartphones, are also increasingly critical, as the volume of audio data recorded and analyzed by banks multiplies.9

In the health care sector, the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, requires health care providers and other covered entities to safeguard the privacy of patient information and protect its security.10 The Freedom of Information Act and similar state open records laws require government agencies to maintain and disclose information requested by the public.11

Finally, law firms are a prime repository of confidential information—and unfortunately a frequent target for cybercriminals.12 Lawyers are the stewards of their clients’ files and are required to do a reasonable job of securing data. Rule 1.1 of the Model Rules of Professional Conduct requires a lawyer to provide competent representation, which includes keeping track of “the benefits and risks associated with relevant technology.”13 Model Rule 1.6 requires attorneys to maintain the confidentiality of information relating to the representation of a client, including “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”14

Ethics opinions in Arizona, New Jersey, Nevada and Virginia emphasize that law firms must take competent and reasonable steps to protect client data from hackers and viruses, and to assure that the client’s electronic information is not lost or destroyed.15

In addition to ethical requirements, attorneys also face common law duties of confidentiality, breach of which can result in a malpractice action, as well as various state and federal statutes and regulations that require protection of defined categories of personal information.16

Litigation hold

There are instances in which an employer may need access to communications or data on an employee’s device whether or not those communications can be labeled “confidential.” When an entity reasonably anticipates litigation, it must identify and preserve electronically stored information (ESI) in addition to other evidence likely to be relevant to the litigation.17 Courts have imposed sanctions from the minor to the severe for spoliation, or failure to preserve ESI. For example, in Qualcomm Inc. v. Broadcom Corp., a district court in California awarded Broadcom attorneys fees and costs in the amount of $8.5 million, and referred six outside counsel to the state bar, after finding Qualcomm had hidden over 46 thousand e-mails.18 More recently, courts have fined parties and their counsel for deletion of social media postings.19

Importantly, the law does not differentiate among types of media—a litigation hold should include potentially relevant information in the form of instant messages, Skype chats, social media and text messages in addition to the now-familiar e-mail.

These relevant communications may exist on an employee-owned device. Employers need to know ahead of time what kinds of ESI are created and retained on the device, and ensure that business-related information is subject to a document retention policy. They should have mechanisms in place to ensure that, if a litigation hold is entered, employees understand their obligations to maintain and not delete such data. In addition, employers can use software solutions discussed later to control that information themselves.

The risk of data breach

Data breaches are seemingly ubiquitous these days. According to PwC, there were 42.8 million cyber incidents in 2014.20 One-third of in-house counsel report having experienced a corporate data breach.21

There are many sources of legal obligations that require employers to use reasonable security measures to try to prevent data breach, including state law,22 federal law with Federal Trade Commission (FTC) enforcement,23 public disclosures and contractual obligations. How does BYOD affect the security of the employer network?

One issue is simply the mobility of the device itself. Paul Ihme, Senior Security Consultant for Soteria, a cybersecurity firm in Charleston, says one of the greatest vulnerabilities comes from employees’ use of an outside network, where they may pick up malware or other intrusive software that may not be able to penetrate the security controls protecting a company’s infrastructure. That malware can then be transferred to the company’s network when the employee comes back to work. The vulnerable network could be anything from a public WiFi hotspot to a home network, neither of which typically has the security infrastructure in place to prevent anything but the most basic attacks.

Another risk is in the intermingling of data on the device, sometimes leaving sensitive business information at risk of loss. Despite headline-grabbing hacker-related incidents, the most common reason for a data breach is “employee error”24—where the breach occurred as the result of a mistake the employee made, such as accidentally sending an e-mail with sensitive information to someone outside the company. Information leaks committed using mobile devices—intentionally or accidentally—constitute one of the main internal threats that companies are concerned about for the future.25

In addition to unintended disclosure and hacking, other common sources of data breach are spam, phishing, malware, and a lost, discarded or stolen device.26 Again, employee-owned mobile devices increase the possibility of these risks.

How can companies control these risks?

Technological risk control

One solution that Soteria recommends is the use of mobile device management (MDM). MDM is a type of security software used by an organization to monitor, manage and secure employees’ mobile devices.27 Brad Warneck, co-founder of Soteria and President of Consulting Services, says that MDM allows the employer a certain amount of control over the employee’s device, including basic administration and policy enforcement, such as control over the downloading of applications. MDM can also be very helpful where the company handles sensitive information, because some MDM solutions act as an encrypted sandbox where that information is unable to be read by other processes resident on the device. Finally, MDM can allow the employer to remotely wipe a device should it get in the wrong hands.

Use of such software on employee-owned devices is challenging because those devices usually include personal photos, messages and other data. For reasons like the privacy concerns discussed in a later section, employees may not want their personal text messages, calls, e-mails and photos accessed, archived or remotely wiped along with corporate information. To address these challenges, organizations are increasingly selecting secure mobile apps that are integrated with MDM platforms that use a “persona” architecture, which separates business and personal calls and data.28 K Royal, Vice President and Assistant General Counsel of CellTrust Corporation, notes: “This design enables organizations to apply policies—such as data erasure and archiving—that impact the business persona only. This greatly increases the likelihood that more employees will feel comfortable using their personal device at work, which means the business will benefit more from BYOD as a result of increased participation.”29

In addition to MDM, these are general recommendations for ensuring security of corporate data on BYOD devices:

• Require strong passwords. A recent survey30 found that 2015’s most commonly used password was “123456”—that is not acceptable! Also problematic is the use of pet or children’s names that are readily available on social media.

• Use multiple factors of identification, like a text-message passcode in addition to a password.

• Encrypt data or individual folders in the device, or encrypt the device itself.31

• Limit access to confidential information, including screening individuals who can access certain data, or segregation of sensitive data.32

• Screen outside vendors and ensure they undergo periodic security audits.

• Remote control: Enable remote wiping of a device should it get in the wrong hands, find-my-device features that track its location, and remote backup of information on the device.
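The strong-password recommendation above is the one item in this list that lends itself to a mechanical check at enrollment time. The Python script below is an added example, not code from the article or from any product it mentions: it screens a candidate password against a blocklist of commonly used passwords (which catches “123456”), against names the user is likely to have exposed on social media (pets, children), and against trivial sequences. Comparing against a common-password list and against context-specific words is the approach NIST SP 800-63B recommends. The blocklist, the profile words and the substitution table are constructed assumptions; a real deployment would load a full list of commonly used or breached passwords.

```python
"""Password screening for a BYOD enrollment flow (added example, not the
article's own code). Rejects passwords that are short, on a common-password
blocklist, built from names the user has exposed publicly, or trivial runs."""
import re

# Constructed sample of the kind of entries that "most commonly used
# password" surveys report; a real list has tens of thousands of entries.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "football",
    "baseball", "welcome", "abc123", "letmein", "111111", "iloveyou",
}

MIN_LENGTH = 12  # assumed policy minimum, chosen for this example

# Undo the usual symbol-for-letter substitutions so "p@ssw0rd" compares as
# "password". This table is a simplification and does not reverse every trick.
LEET_TABLE = str.maketrans("0134578@$!", "oieastbasi")


def normalize(password: str) -> str:
    """Lowercase and undo common character substitutions."""
    return password.lower().translate(LEET_TABLE)


def letters_only(password: str) -> str:
    """Normalize, then drop digits and punctuation, so a name hidden in
    'Fluffy2015!' is still found when searching for 'fluffy'."""
    return re.sub(r"[^a-z]", "", normalize(password))


def is_simple_sequence(password: str) -> bool:
    """True for a repeated character or a strictly ascending / descending
    run of code points, e.g. '111111', 'abcdef' or '654321'."""
    if len(password) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({0}, {1}, {-1})


def check_password(password: str, context_words: list[str]) -> list[str]:
    """Return the reasons a candidate is unacceptable (empty list = accepted).

    context_words: names the user is likely to have exposed publicly (pets,
    children, spouse, employer, home town), collected on the enrollment form.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("is on the common-password blocklist")
    if is_simple_sequence(password):
        problems.append("is a repeated character or a simple sequence")
    core = letters_only(password)
    for word in context_words:
        w = letters_only(word)
        if len(w) >= 3 and w in core:  # ignore very short words to limit false positives
            problems.append(f"contains the publicly discoverable name '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed enrollment profile: what a glance at this (fictional)
    # user's social media would reveal.
    profile = ["Fluffy", "Emma", "Charleston"]
    for candidate in ["123456", "Fluffy2015!", "p@ssw0rd", "correct horse battery staple"]:
        verdict = check_password(candidate, profile)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The check returns every reason a password fails rather than stopping at the first, so the enrollment page can tell the employee exactly what to change; the leet-speak normalization is deliberately applied only to the blocklist and name comparisons, never to the raw length or sequence checks.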

Data breach response plan

The second primary way for an organization to protect itself against BYOD challenges is to establish, maintain and practice a data breach response plan. Despite the obvious risks, many U.S. companies do not have a written cyber breach response plan, and fewer still actually practice them. In fact, according to data recently reported by the Ponemon Institute, nearly half of the companies with a breach response plan have either never practiced the plan, or regularly wait more than two years to practice the plan.33 Having such a plan can help not only in limiting data loss but also in limiting liability: the number one question asked by regulators after a data breach is whether the target company has an established breach response plan, and, if so, whether the plan was ever practiced in advance of the breach.34

A data breach response plan should address immediate responses—who should be notified internally if any suspicious activity is discovered, who should be on the response team, and what initial steps they should take. It should cover notification of others, including the board, inside or outside counsel, insurance carriers, law enforcement or regulators, and customers (keeping in mind any applicable breach notification laws). Finally, the plan should address documentation of actions and how to maintain confidentiality and privilege, and it should address the implementation of a litigation hold if litigation is reasonably anticipated.

Once the plan is in place, the organization should test it—by a full simulation, or simple table top exercise. Testing the plan is critical to ensuring the appropriate people take ownership and are well trained; to identifying and correcting any errors or deficiencies in the plan; and to updating the plan to ensure it stays effective as threats and vulnerabilities evolve.35

Communication with employees and respect for their privacy

A final aspect of BYOD that an employer should keep in mind is the employee’s right to privacy. A recent survey found that a majority of mobile workers trust their employer to keep personal information private on their mobile devices.36 Whether or not that expectation is reasonable, employers need to be careful with their monitoring of employee communications and with their tracking of the location of employee devices to ensure employers do not infringe on employee privacy. The Supreme Court has assumed, without deciding, that a government employee can have a reasonable expectation of privacy in personal communications exchanged on an employer-provided device (and privacy would arguably be higher on the employee’s own device).37 And some state laws require that employers give prior notice to employees of any electronic monitoring.38

Because the question of reasonable expectation of privacy will turn on the specific facts, employers need to make very clear in their policies and communications to employees what information is not private, and what is acceptable use of business data and networks. What data may employees access on their devices, and are there specific applications they should or should not use? Can the employer access e-mail, Word files, social media, personal photos or applications on the employee-owned device? Does the employer intend to track the device? Clarity and consistency in the employer’s policy are key to maintaining appropriate parameters.

Best practices include the following:

• Establish transparent, easily-understood policies on BYOD, privacy, document retention and acceptable use, and follow them;

• Delineate the personal from the business uses of the device, and set parameters on monitoring, tracking, archiving and remote wiping;

• Share those policies with employees as early as possible, having each employee sign a statement stating that they have received and understand the policy; and

• Train employees on how to maintain privacy on the device, on security best practices and on data breach response.

Conclusion

BYOD does not have to be a death knell to an organization’s data maintenance and security. With the right policies, precautions and communications with employees, organizations can control the risks associated with outside networks. Implementation of a data breach response plan, as well as testing and training for the plan, will both lessen likely data loss as well as protect against regulatory fines and litigation. The organization and its employees can all benefit from BYOD’s upside: increased flexibility and productivity, better client services and cost efficiencies.

Allyson Haynes Stuart practices with Crystal & Giannoni-Crystal LLC in Charleston.

Endnotes

1 Jim Harter, Sangeeta Agrawal, and Susan Sorenson, Most U.S. Workers See Upside to Staying Connected to Work, Gallup (Apr. 30, 2014), www.gallup.com/poll/168794/workers-upside-staying-connected-work.aspx#!mn-world.

2 Id.

3 Regular work at home, among the non-self-employed population, has grown by 103% since 2005 and 6.5% in 2014. See Global Workplace Analytics, Latest Telecommuting Statistics (Sep. 29, 2015), http://globalworkplaceanalytics.com/telecommuting-statistics.

4 K. Royal, Balancing Security and Privacy in BYOD, TelecomReseller (Dec. 14, 2015), http://telecomreseller.com/2015/12/14/balancing-security-and-privacy-in-byod.

5 Kristin Tinsley, Survey Reveals Most Employees Text Using Unsecure Channels, TigerText (Feb. 12, 2015), www.tigertext.com/survey-reveals-employees-text-using-unsecure-channels.

6 See Gramm-Leach-Bliley Act of 1999, 12 U.S.C. §§ 6801-6809 (2012); SEC Rule 17a-4(b)(4), 17 C.F.R. 240.17a-4(b)(4); see Jon Eisenberg, K&L Gates 2014 SEC and FINRA Enforcement Actions Against Broker-Dealers and Investment Advisers.

7 Ken Anderson, 2013 FINRA Disciplinary Actions from Electronic Communications Transgressions, Smarsh (Feb. 27, 2014), www.smarsh.com/blog/2013-finra-disciplinary-actions-electronic-communications-transgressions.

8 FINRA Fines Barclays $3.75 Million for Systemic Record and Email Retention Failure, FINRA (Dec. 26, 2013), www.finra.org/newsroom/2013/finra-fines-barclays-375-million-systemic-record-and-email-retention-failures.

9 See Royal, supra note 4 (“We have seen a 100 percent increase in the volume of audio data recorded and analyzed by banks,” quoting Brandon Daniels, Clutch Group).

10 See Health Insurance Portability and Accountability Act (HIPAA) of 1996, 42 U.S.C. § 201 (2012); Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, 42 U.S.C. § 201 (2012).

11 See 5 U.S.C. § 552 (2012); see also state statutes including Florida, Fla. Stat. §§ 119.01–119.15 (1995); Georgia, O.C.G.A. §§ 50-18-70 – 50-18-77 (2007); North Carolina, N.C.G.S. §§ 132-1 – 132-10 (2014); New York, N.Y. Pub. Off. Law §§ 84–90 (Supp. 2009); and South Carolina, S.C. Code Ann. §§ 30-4-10 – 30-4-165 (1976).

12 Cybersecurity firm Mandiant says at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011. Susan Hansen, Cyber Attacks Upend Attorney-Client Privilege, Bloomberg Businessweek (Mar. 19, 2015), www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security.

13 ABA Model Rule 1.1 comment 8 (2012).

14 ABA Model Rule 1.6(c).

15 See State Bar of Ariz. Op. No. 05-04, July 2005; Ariz. Bar Op. No. 09-04, Dec. 2009; N.J. Comm. on Prof. Ethics Op. 701 (Apr. 24, 2006), Nev. Standing Comm. on Ethics and Prof. Resp. Formal Op. 33 (Feb. 9, 2006) and Va. Standing Comm. on Legal Ethics Op. 1818 (Sept. 3, 2005).

16 David G. Ries, Safeguarding Confidential Data: Your Ethical and Legal Obligations, ABA Law Practice (July/Aug. 2010), www.americanbar.org/publications/law_practice_home/law_practice_archive/lpm_magazine_articles_v36_is4_pg49.html.

17 See generally Zubulake v. UBS Warburg LLC, 229 F.R.D. 422 (S.D.N.Y. 2004).

18 Qualcomm Inc. v. Broadcom Corp., 2010 WL 1336937 (S.D. Cal.). The new F.R.C.P. 37(e) requires that courts find “intent to deprive another party of the information’s use in the litigation” before ordering an adverse inference instruction or other severe sanction, while lesser sanctions will depend upon prejudice to the other party. Fed. R. Civ. P. 37(e).

19 See Painter v. Atwood, No. 2:12-CV-01215-JCM, 2014 WL 1089694, at (D. Nev. Mar. 18, 2014); Lester v. Allied Concrete Co., Nos. CL08-150, CL09-223 (Va. Cir. Ct. Sept. 1, 2011).

20 Daniel L. Farris, The Preparedness Gap: Why You Should Treat Data Security and Cyber Readiness Like a Fire Drill, Law Technology Today (Dec. 14, 2015), www.lawtechnologytoday.org/2015/12/preparedness-gap-treat-cyber-readiness-like-fire-drill.

21 One-Third of In-house Counsel Have Experienced a Corporate Data Breach, ACC Foundation: The State of Cybersecurity Report Finds, Association of Corporate Counsel (Dec. 9, 2015), www.acc.com/aboutacc/newsroom/pressreleases/accfoundationstateofcybersecurityreportrelease.cfm.

22 Companies experiencing data breaches have been sued for negligence, breach of contract based on company privacy policies, and breach of state consumer protection and data security or breach notification statutes. See In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., 834 F. Supp. 2d 566 (S.D. Tex. 2011); Doe v. Avid Life Media, No. 2:15-cv-06405 (C.D. Ca. Aug. 21, 2015).

23 The Federal Trade Commission (“FTC”) Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). The FTC brings actions against compromised entities for failure to use “readily available security measures.” The FTC “Red Flags Rule” requires banks and financial services companies to establish an identity theft prevention program and requires action by covered entities that experience a “red flag”, which is “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” 16 CFR 681.1.

24 See supra note 21.

25 Kaspersky Labs Global Corporate IT Security Risks: 2013, Kaspersky Lab (May 2013).

26 See Jonathan I. Ezor, Privacy and Data Protection in Business: Laws and Practices 260 (2012).

27 Vangie Beal, MDM-Mobile Device Management, Webopedia.com, www.webopedia.com/TERM/M/mobile_device_management.html (last visited Feb. 10, 2016).

28 See supra note 4.

29 Id.

30 Morgan, Announcing Our Worst Passwords of 2015, TeamsID (Jan. 19, 2016), www.teamsid.com/worst-passwords-2015.

31 See Andrew Cunningham, Phone and laptop encryption guide: Protect your stuff and yourself, Ars Technica (Aug. 23, 2015, 1:00pm), http://arstechnica.com/gadgets/2015/08/phone-and-laptop-encryption-guide-protect-your-stuff-and-yourself.

32 This tip is even more important in light of the recent decision by the Second Circuit, where the court found that an employee could only be held liable under the Computer Fraud and Abuse Act for theft and other misuse of company data if that employee lacked authorization AND bypassed a technological barrier to access the information. United States v. Valle, 807 F.3d 508 (2d Cir. 2015).

33 Supra note 18.

34 Id.

35 Supra note 4.

36 61% of Mobile Workers Trust Their Employer to Keep Personal Information Private on Their Mobile Devices, MobileIron (July 15, 2015), www.mobileiron.com/en/company/press-room/press-releases/trust-gap-2015.

37 City of Ontario v. Quon, 130 S. Ct. 2619 (2011).

38 See Conn. Gen. Stat. Ann. § 31-48d; 19 Del. C. § 705 (2008). Similar legislation is pending in Massachusetts, Pennsylvania and New York. See Mark W. Robertson and Anthony DiLello, O’Melveny & Myers LLP, State By State Employee Monitoring Laws, Law360 (2008), www.omm.com/files/upload/Employee%20Monitoring%20Laws.pdf.