Mobile Device Privacy Considerations for Employers

Parker Poe Adams & Bernstein LLP

The use of mobile devices in the workplace, including cell phones, tablets, and other devices, has generated significant risks for employers, both in terms of data security and litigation strategy. Access to these devices is an expected and important aspect of modern business, where fast communication is highly valued. Mobile device ownership, either individually or through an employer, is the norm. As of October 2014, 64% of Americans owned a smartphone, spanning many different device types and operating systems.1 A recent study found that over 80% of organizations' employees use mobile devices for work matters on a regular basis2 and that over 30% of work-related documents are created on mobile devices.3

Managing the influx of devices used for work purposes can require a significant investment in asset management and security infrastructure to protect the organization from the financial risks that follow from legal sanctions or data breaches. The points below are some of the many that an employer must address when dealing with mobile devices.

Perform an Initial Assessment

Employers should first assess the current state of their security systems, policies, and device policies (or lack thereof). To perform this assessment, bring together members of company management, IT, Human Resources, Physical Security, Legal, and any required external vendors to flesh out the organization's mobile device management status and requirements. Review goals first, then current capabilities. As organizations better understand their capabilities, they may begin to see immediate risks, such as data loss from a departing custodian. These immediate risks can become action items that must be addressed before a complete long-term strategy can be set out.

Device Policy: COPE and BYOD

Developing a general mobile device policy framework is an integral step. The two most common frameworks are Bring Your Own Device ("BYOD") policies and Corporate-Owned, Personally Enabled ("COPE") policies. BYOD policies are currently more popular than COPE policies, with 75% of employers allowing employees to bring their own devices to work or planning to do so within the next 12 months.4

In the BYOD model, a company does not provide the actual device but subsidizes or reimburses an employee for his or her use of the device for work matters. The employee obtains the device directly through the retailer of his or her choice5 and then seeks reimbursement from the organization for work-related use of the device. In the recent case of Cochran v. Schwan's Home Service, 228 Cal.App.4th 1137 (Cal. Ct. App. 2014), the court found that an employer must reimburse the employee for a reasonable percentage of the cell phone bill if the employee is required to use his or her personal cell phone to make work-related calls. BYOD policies allow the employee flexibility in type of device and replacement schedule. For employers, the significant benefit is the lower technology cost of purchasing, replacing, upgrading, and maintaining devices. BYOD policies should clearly spell out all parties' expectations as to employer and employee privacy and access to confidential information. Without controls, BYOD policies for mobile devices increase the chance of data spoliation and of inadvertent or intentional internal theft of company data.

COPE differs from the antiquated practice of simply assigning company-issued phones and devices to employees; instead, employees select the devices best suited to their needs from those available under the organization's mobile device policy. COPE can encourage more collaboration between IT, Legal, and Compliance to ensure proper control of the data held on employee devices. For example, because the company owns the device, it is easier for IT to implement mobile device management software and other security measures that reduce data security and data breach risks. COPE can, however, increase technology costs, as the organization becomes responsible for purchasing both the devices and their service plans, along with their continued maintenance, replacement, and storage.

Mobile Device and Use Policies

Whether you use a BYOD or COPE policy, it is also important to institute a corresponding Mobile Device Policy, which may include use of a Mobile Device Management ("MDM") tool. MDM software can restrict how a device is used and allow remote deletion of data. Deploying mobile device management software should be done with an explicit explanation of its features, informed consent, and a retained written acknowledgment from the employee. Companies should consider limiting access to company data to employees who agree to the policy and should remove company data from devices that fall out of compliance. A company should be able to identify the location of any potentially relevant data and preserve a method of accessing it.

Importantly, if a company removes data from devices that are out of compliance, it should do so through documented and defensible processes, specifically with an eye toward potential future litigation. Such a process is an ideal component of an overall asset management playbook.

Other, more general, computer use policies should not be overlooked. Organizations should consider general computer use policies to establish proper use and security practices for all company-owned devices, as well as other devices that are allowed access to company information and data. Active written acknowledgment of said policies and procedures, as well as renewed trainings and repeated communications about approved use, will help reinforce these policies.

Employ Robust Security Practices

When drafting any policy, it is important to employ (and practice) robust security. Established and clearly enumerated policies on the security of personal information can help mitigate potential breaches. These policies should meet the requirements of applicable federal and state statutes.

Through a third-party mobile device management tool, organizations should implement required features such as remote wipe and remote lock, allowing the organization to wipe or lock down a phone if it is lost or stolen. MDM tools can also provide a jailbreak or root detection alert that notifies IT and Legal when a device's operating system protections have been bypassed; a device in that state can no longer be relied on to enforce the MDM's restrictions on access to company data. Malware detection is also important for mobile devices. Additional features should include a required device passcode and encrypted backups, so that a backup or image of the device cannot be read without the administrative credentials. A company should decide whether it will allow access to company information from unsecured networks, such as public Wi-Fi. Expectations for what happens when an employee wishes to upgrade a device should also be set out in advance.

Protection of sensitive business information should be contemplated as well. Though protection of all information should be enumerated, it may be prudent to single out sensitive information for protected treatment during the life of the device and destruction upon the end of the employment relationship or termination of the device. Such information can include client information, financial information, health care information, legal information, or confidential business information and trade secrets.6

Security policies should vary with geographic location. Additional restrictions may need to be placed on employees traveling to locations that are less secure from a data perspective, such as China.

Employees should understand these policies, acknowledge their application in writing, and appreciate their importance. 

Weigh Privacy Concerns

While focusing on the security of company data and the ability to review employee use, companies should also be mindful of employee privacy and of restrictions on the review of employee personal information. The Computer Fraud and Abuse Act and the Stored Communications Act may prohibit employers from accessing (or exceeding their authorized access to) employees' private information on their privately owned devices.7

Companies are best served by limiting their review of personal information, even if they preserve their right to access it. Though courts have been skeptical of over-reach, some review in certain jurisdictions has been permitted. Courts continue to refine where the line of personal and company begins and ends, and it is important to consult counsel before establishing an employer review policy or reviewing employee use of company or personal devices.

Additionally, companies that require the use of devices, whether employer-provided or employee-owned, should ensure that they do not violate the Fair Labor Standards Act or applicable state wage and hour statutes by allowing off-hours work access that results in uncompensated work by non-exempt employees.

The applicable rules and regulations concerning employee rights and privacy can vary greatly by geographic location.

Develop Data Breach Protocol

After a data breach is not the time to develop a response plan. Plan ahead and develop a plan with your response team, which should include IT, Legal, Human Resources, outside vendors, crisis management, and public relations. Become familiar with the data security and data breach notification and remedy laws applicable to your business. Almost every state has some statute or regulation addressing notification in the event of a breach.8 In almost all circumstances, time is of the essence. Employees should be aware of their duty to notify the employer promptly of the loss or theft of a device. Failure to enforce security policies may be cited by plaintiffs or the government in the event of a breach. Finally, consider securing data breach insurance.

Plan for Employee Departures

An employee departure strategy should include a detailed data interview that lists all potential locations of company data, a written procedure for the defensible deletion of data from personal devices once it has been properly preserved, and a protocol for how to dispose of or retain the original source device (for example, keeping a verified forensic copy of the data from a mobile device before wiping and reissuing the device for further use) after an employee has departed. Make sure employees know what they must do before disposing of a device that has access to company data and email. Ensure that the plan addresses phone upgrades and contains a destruction plan for the old device, or at least gives the employer access to the device to delete any confidential information before the phone is sold or repurposed. Include data security and review as part of the exit interview process when an employee leaves the organization.
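The preserve-then-wipe order of operations described above, as an added example that is not part of the Parker Poe article and not any particular vendor's tool: the script hashes every file in an exported device backup, copies it to an evidence folder, verifies the copy against those hashes, writes a chain-of-custody manifest, and refuses to delete the source unless the preserved copy still verifies. The directory names, custodian, matter label and sample files are constructed for illustration; a real collection would start from the export produced by the MDM or forensic tool actually in use.

```python
"""Preserve, verify, then wipe: hash-verified forensic copy of exported
device data with a chain-of-custody manifest.

Added example, not from the Parker Poe article. Assumes the device's data
has already been exported to a local directory; all paths and sample
content below are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash large files in 1 MiB pieces


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root, in stable order."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def preserve(source: Path, evidence_dir: Path, custodian: str, matter: str) -> dict:
    """Copy the exported device data into evidence_dir, verify the copy
    file-by-file via hashes, and write a chain-of-custody manifest.
    Raises if the copy does not verify, so nothing downstream can wipe."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    copy_dir = evidence_dir / "copy"
    shutil.copytree(source, copy_dir)
    expected = hash_tree(source)
    if hash_tree(copy_dir) != expected:
        raise RuntimeError("forensic copy does not match source; do not wipe")
    manifest = {
        "custodian": custodian,
        "matter": matter,
        "source": str(source),
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "file_count": len(expected),
        "files": expected,
        # Digest of the file list itself; record this value in the custody
        # log so a later edit to the manifest is detectable.
        "files_sha256": hashlib.sha256(
            json.dumps(expected, sort_keys=True).encode()).hexdigest(),
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> bool:
    """Recompute hashes of the preserved copy and compare with the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return hash_tree(evidence_dir / "copy") == manifest["files"]


def wipe_after_preservation(source: Path, evidence_dir: Path) -> bool:
    """Delete the source data only if the preserved copy still verifies.
    Returns True if the source was wiped, False (source untouched) otherwise."""
    if not verify(evidence_dir):
        return False
    shutil.rmtree(source)
    manifest_path = evidence_dir / "manifest.json"
    manifest = json.loads(manifest_path.read_text())
    manifest["wiped_utc"] = datetime.now(timezone.utc).isoformat()
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return True


def demo() -> dict:
    """Run the procedure against a constructed sample export; return what happened."""
    work = Path(tempfile.mkdtemp())
    source = work / "device_export"  # constructed stand-in for a device backup
    (source / "Mail").mkdir(parents=True)
    (source / "Mail" / "inbox.mbox").write_bytes(b"From: client@example.com\n...\n")
    (source / "notes.txt").write_bytes(b"Q3 pricing draft - confidential\n")
    evidence = work / "evidence" / "custodian-jdoe"  # hypothetical evidence path
    manifest = preserve(source, evidence, custodian="jdoe", matter="Departure 2015-01")
    wiped = wipe_after_preservation(source, evidence)
    source_removed = not source.exists()
    # Simulate later tampering with the preserved copy: verify must now fail.
    (evidence / "copy" / "notes.txt").write_bytes(b"altered\n")
    tamper_detected = not verify(evidence)
    shutil.rmtree(work)
    return {
        "file_count": manifest["file_count"],
        "wiped": wiped,
        "source_removed": source_removed,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Calling demo() exercises the full sequence on constructed files. The point of the design is that deletion is gated on verification of the evidence copy, so a failed or partial copy can never be followed by a wipe, and the dated manifest gives the organization a record it can produce if the deletion is later challenged in discovery.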

Data and Litigation

The prevalence of mobile devices has not only complicated a company’s data security protocol, it has also added complexity to the discovery process if a company finds itself in litigation. Mobile devices have increased the number and variety of locations from which a litigant must collect information. Companies must now also incorporate mobile devices into their data retention plans.

Under the Federal Rules of Civil Procedure, and in many states, Rule 34 requires the production of information and materials in the litigant's "possession, custody, or control." Some circuits, including the Ninth Circuit, require litigants to produce information they have the legal right to demand.9 Other circuits impose a higher burden and require a party to produce material it has the legal right, authority, or "practical ability" to obtain from a non-party.10 Finally, some jurisdictions go a step further and require the litigant to notify an adverse party of additional information that may be in the hands of a third party.11

Depending on the employer's or employee's location, an employer's access to data may be limited by interpretations of federal, state, or international law, including the Computer Fraud and Abuse Act, which prohibits unauthorized access to protected computers, and the Stored Communications Act, which protects the privacy of certain stored communications such as those held on servers. It is important to consult counsel when developing a computer and device use policy that sets out the employer's permitted access to devices used by employees and the employer's expectations as to employees' use.

Plan for other issues involving data and litigation. Review in detail how legal holds will be implemented and what expectations employees should have once included as part of a legal hold. Develop a defensible deletion policy so that the organization is not required to maintain all potential data.


1 http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/.

2 Osterman Research, http://www.ostermanresearch.com/whitepapers/orwp_0213.pdf; http://www.slideshare.net/informationsecurity/byod-mobile-security-report.

3 Osterman Research, http://www.ostermanresearch.com/whitepapers/orwp_0213.pdf; http://www.slideshare.net/informationsecurity/byod-mobile-security-report.

4 http://www.techproresearch.com/downloads/wearables-byod-and-iot-current-and-future-plans-in-the-enterprise/.

5 Occasionally employers establish preferred carrier relationships in order to offer employees lower-cost devices and service options. These are not mandatory providers, so the choice still remains with the employee.

6 For more information on protecting a business's confidential information and trade secrets, see Avoiding Competitive Landmines: Confidentiality, Trade Secrets, and Competition Concerns in Business Entry and Expansion, a webinar in the Parker Poe Presents series, located at http://www.parkerpoe.com/practices/international-business#tab/leadership.

7 For more information on the Computer Fraud and Abuse Act, see "Fighting Theft Of Company Data Through The CFAA," Law360, New York, July 16, 2010.

8 See, e.g., N.C. Gen. Stat. § 75-65.

9 See "The 'Bring Your Own Device' to Work Movement: Engineering Practical Employment and Labor Law Compliance Solutions," at 19, The Littler Report, May 2012; see also Gerling Int'l Ins. Co. v. C.I.R., 839 F.2d 131, 140 (3d Cir. 1988).

10 Id.; see also Goodman v. Praxair Servs., Inc., 632 F. Supp. 2d 494, 515 (D. Md. 2009).

11 Id.; see also Victor Stanley, Inc. v. Creative Pipe, Inc., 269 F.R.D. 497, 523 (D. Md. 2010).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Parker Poe Adams & Bernstein LLP | Attorney Advertising
