Legal, Security, and IT Tackle BYOD

Transcription

1 WHITE PAPER: LEGAL, SECURITY, AND IT TACKLE BYOD Legal, Security, and IT Tackle BYOD Who should read this paper CIO, CISO, VP IT operations, mobile architect, mobile program manager, and legal counsel. This paper briefly reviews how the uninhibited and unchecked use of mobile devices for enterprise functions can lead to serious litigation risks. Enterprise mobile management solutions can provide the controls necessary to establish a strong information governance policy that supports BYOD.

2

3 Content Bring your own device BYOD BYOD challenges, risks, and impact Lost devices IP theft data breaches Information governance of mobile devices ediscovery and investigations Corporate discovery of mobile devices Managing BYOD takeaways for corporate stakeholders edj Group

4 Bring your own device BYOD More and more organizations around the globe are permitting employees to bring their own mobile computing devices to work so that employees can access company data from any location at any time with any device. The bring-your-own-device (BYOD) trend started gaining traction around 2007 when executives and board members brought the first personal smartphones, tablets, and ultrabooks into the corporate workspace. The BYOD trend has become a corporate reality, with up to 95 percent of organizations allowing the use of employee-owned devices in some way, shape, or form according to a Cisco survey. 1 With BYOD, IT departments have recognized an average of $300 $1,300 in annual hardware and support savings as employees realized increased productivity, collaboration, and connectivity from personal devices and mobile apps. Although BYOD started by executive fiat, fast forward a few years and many of today's younger corporate employees believe that using their own devices for work and personal use is a right. For example, more than 33 percent of employees age said that they would break any company anti-byod rules to use their personal devices. 2 Unfortunately, this BYOD trend highlights the fact that the rapid pace of evolution in technology often outpaces the development of good internal policies and procedures that can minimize the risks and costs of deploying them. The problem is common because the deployment of technology solutions is typically perceived as a function of the IT department and the business units they support. Little thought is given to the consequences of accessing and managing sensitive corporate data from personal devices when IT's prime mandate is maximizing operational efficiency and profitability. This corporate culture leads to technology being deployed without adequate input from corporate legal departments and other stakeholders. The result is that policies accompanying technology rollouts are commonly nonexistent or sorely inadequate in meeting foreseeable downstream problems related to data security, employee privacy, retention management, and ediscovery requests. The good news is that proactive policies and controls have the potential to mitigate or eliminate the possible risk and costs of these BYOD challenges. The bad news is that 47 percent of survey respondents reported that their IT departments have not discussed mobile/cyber security awareness, 3 and 44 percent reported that their company did not have a mobile device usage policy. This last statistic can be misleading, as other surveys of IT managers have indicated that a majority of companies now have some kind of mobile device usage policy, even if their users are not aware of it. BYOD challenges, risks, and impact Lost t devices Mobile devices are easily lost or stolen most in social settings or while people are traveling. Simple four-digit passcodes can be cracked in less than an hour. Unsecured apps, easy to obtain access credentials, and local files stored directly on devices combine to pose significant data loss and security breach threats. Device upgrades can result in unwiped devices being sold overseas. The loss of personally identifiable information (PII) carries high remediation costs 4 and the risk of enforcement actions from state and federal agencies like the Federal Trade Commission (FTC). 5 High-profile losses of laptops and devices by health provider executives and employees highlight the risks and consequences of lost mobile devices Cisco press release, Cisco Study: Saying Yes To BYOD, May 16, 2012, 2- Ellen Messmer, Young employees say BYOD a right not privilege, Network World, June 12, 2012, 3- Weber, Mike, and Chris Lietz, 2013, BYOD 2013: Employees and Companies Remain Lax with BYOD Security, A Coalfire Perspective, BYOD-2013-Companies-Remain-Lax. 4- Ponemon Institute (benchmark research sponsored by Symantec), 2013 Cost of Data Breach Study: Global Analysis, May 2013, 5- Inside Counsel (sponsored by Symantec), The Federal Trade Commission on Fraud, Deception, & Data Privacy Enforcement Actions, December 12, 2013, 6- ihealthbeat, Health Data Breaches Reported by Providers, Agencies in Three States, December 11, 2013, 1

5 IP theft data t data breaches The mobile workforce requires 24x7 access to critical enterprise systems and confidential data on 2 4 devices at a time. That access from outside the security of the corporate firewall makes mobile devices a prime target for corporate espionage, hackers, and other cyber criminals. The comingling of personal , Web browsing, apps, and third-party connections creates vulnerabilities outside of corporate control without the benefit of mobile device and app management technologies. Every device needs active protection against malware, viruses, and other malicious Web threats. Information governance of mobile devices Policy BYOD and usage policies should be designed to minimize the creation of unique mobile electronically stored information (ESI) without impacting user productivity. As surveys show, too many users are not aware of existing mobile device policies or usage guidelines. All major stakeholders (legal, compliance, security, HR, IT, and users) should participate in policy creation. Policies without the necessary education, acceptance, and enforcement are often worse than having no policies at all. Such practices demonstrate that the company understood acceptable practices and then proceeded to ignore them. Management technology Mobile device management (MDM) systems control basic security access and device settings such as passwords, encryption, remote wipe capabilities, and more. MDM security systems can be considered a foundational protection strategy, but they do not address privacy, retention, or discovery requirements. Another early strategy pioneered by government agencies isolates sensitive , contacts, and other data in an encrypted sandbox container within the device that requires authenticated credential keys to access that information. The relatively rigid sandbox strategy has evolved into more flexible application wrapping methodology that enables organizations to secure approved corporate apps and their content with a mobile application management (MAM) system. Restricting work on employee devices to secured corporate apps automatically identifies and segregates work from personal data where possible. High-publicity lawsuits such as City of Ontario v. Quon 7 demonstrate the need to protect private personal communications in an era where work and personal life is often blurred, thereby creating privacy issues. These MAM systems can restrict corporate data to known devices and apps, and can prevent critical information from being copied or forwarded outside of the company apps, closing a big security gap. Process and people The creation of effective policies and controls requires the establishment of a stakeholder team that has executive backing. The 2013 edj Group survey shows that most respondents have no effective mobile ESI retention policy. The 7- Wikipedia entry, Ontario v. Quon, last modified February 9, 2014, 2

6 stakeholder team s goal should be to balance user enablement and productivity with controls and documented protocols that can achieve effective information governance and compliance. Critical corporate data should not reside solely on user-owned devices. This data should be synchronized with corporate record systems such as enterprise archives to minimize the amount of unique data created and stored on user devices. If all unique records or potential legal evidence lives on enterprise systems, then mobile devices can be excluded from retention and discovery requirements in most cases. ediscovery and investigations Over 60 percent of legal respondents to the edj survey have been required to discover data from mobile devices as part of a legal proceeding. However, only 14.5 percent said that mobile devices were commonly requested, and 46 percent said that mobile devices were requested only in special matters. Moreover, it is difficult or impossible for users to preserve texts, call logs, and other ESI on these devices over the typical 1- to 2-year legal hold period. Another concern for global corporations is meeting the compliance requirements of increasingly stringent European Union (EU) data privacy laws when corporate ESI is comingled with personal , texts, chats, and other private ESI. BYOD blurs the line between work and personal life with serious consequences for the intentional or possibly even inadvertent collection and disclosure of personal data to third parties in legal proceedings. Corporate discovery of mobile devices Preservation and collection Creating an effective, defensible legal hold strategy for mobile devices is especially challenging due to their dynamic storage management. Unlike laptops and network shares, mobile devices delete texts, call logs, and other volatile data automatically. Users under legal hold can refrain from manually deleting app files, but it is almost impossible for a user to preserve volatile, dynamic mobile data when a device is in use. This forces corporations to employ collection or backup technologies to comply with legal holds when that data is potentially relevant. Mobile device collection is still accomplished through a local cable connection and can take hours when performed on 8 GB to 32 GB devices. The mobile data is stored in a specialized container file for later filtering and extraction. Civil 8 9 and criminal 10 sanctions for failure to preserve mobile content 8- Santa Clara Law Digital Commons, Christou v. BeaPort, January 23, 2013, 9- PRWeb, Pradaxa Lawsuit News: Federal Court Imposes Sanctions Against Manufacturer of Pradaxa, notes Schlichter, Bogard & Denton, LLP, December 11, 2013, prweb htm. 10- Kunzelman, Michael, Ex-BP engineer convicted on 1 obstruction charge, AP, December 18, 2013, 3

7 provide a clear mandate for corporate IT and legal departments to minimize unique mobile data and have a preservation plan for legal holds. Processing and the European Compliance Academy (ECA) Once content is collected from mobile devices, it must be made accessible so that a legal review can be performed to determine if the content is responsive, privileged, or nonresponsive to the matter at issue. Most collection software creates one or more forensic container files that must be processed to extract tables and file objects such as photos, s, and more. A very few mainstream ediscovery platforms have built-in connectors that can directly ingest these packages for search and review. The majority of users manually extract selective data from individual mobile devices container files based on data type, date, or other filter criteria such as phone numbers, names, or search terms. If corporate data is not segregated in secured apps, the personal data may need to be filtered out or even held for custodial release in certain countries. Most legal review systems are not optimized for mobile data, and the discovery team should consider all review, filter, and review strategies to prevent escalating costs and having a negative impact on deadlines. Remember that voic , videos, and other audio content cannot be searched by most systems. Mobile Discovery Process Elements Standardized declarations & interrogatory responses Mobile data relevance checklist Custodial questionnaire Preservation process & custodian hold instructions Collection technology & process Processing & review workflow with selected technology or partners Change management process to keep stakeholders updated on rapidly evolving usage & data 4

8 Managing BYOD takeaways for corporate stakeholders BYOD management elements for organizations Mobile device usage policy (see BYOD policy considerations ) End-user guidelines, training, and policy acceptance documentation Mobile device content retention schedule, enforcement tools, and process MDM to control access, settings, and administrative rights MAM, secured apps, or some other protection system for corporate data Procedures for terminated employees and device replacement to protect corporate data Standardized declarations and interrogatory responses Mobile data relevance checklist Custodial questionnaire Preservation process and custodian hold instructions Processing and review workflow with selected technology or partners Change management process to keep stakeholders updated on rapidly evolving usage and data Mobile collection tool(s) local device collections in 2 4 hours to minimize the impact on users Search, process, and ECA tools for mobile collection container files for early relevance and scope management Mobile data extraction and processing capabilities done in house or using preferred provider partners BYOD policy considerations Does the policy address device ownership and privacy interests? Does the policy specify who has the right to access and control information on the device? Can devices be used for personal and business purposes and can that information be partitioned? Does policy specify acceptable devices, apps, and cloud services? Can the device be wiped if it is lost or stolen? What happens when an employee leaves an organization? Does the policy cover device access and discovery rights? For better or worse, BYOD has penetrated most enterprise environments despite the lack of a mature mobile information governance infrastructure to support stakeholder requirements. These critical downstream security, compliance, and discovery requirements can be leveraged to obtain the executive mandate and budget needed to acquire and implement a mature mobile management lifecycle. This report has explored the challenges, risks, and proactive solution strategy elements needed to manage the increasing number of remote workers as they conduct business on their personal devices. The benefits in user productivity, collaboration, and accessibility can be lost without a balanced solution that addresses both employee privacy and data security. Reactive discovery of mobile devices exponentially increases the cost as well as the risk of inadvertently losing relevant data that is under legal hold. Bring your key stakeholders together and bring mobile devices into your information governance lifecycle with the right policies and technologies. 5

9 edj Group About the edj Group Inc. The edj Group Inc. offers expert perspective, unbiased information, and pragmatic advice on ediscovery and information governance products, companies, technologies, and best practices. edj Group consultants have over 20 years of professional experience in forensics, litigation, corporate governance, software design, and many more related fields. About the Author Greg Buckles is an independent ediscovery consultant specializing in enterprise technology and workflow solutions, who has over 25 years of experience in discovery and consulting. His career spans law enforcement, legal service provider, corporate legal, law firm, and legal software development. This deep and diverse background, combined with his exposure to the discovery challenges of Fortune 500 clients, provide a unique industry perspective. Disclaimer: EDJ Group is not a law firm. All expressed opinions and content are provided for general educational purposes only and are not specific legal advice, even if the author is a practicing attorney. Neither edj Group Inc. nor the information contained herein should be used as a substitute for competent legal advice from a licensed professional attorney in your state. EDJ Group believes reasonable efforts have been made to ensure the accuracy of all edj Group Inc. original content. Content may include inaccuracies or typographical errors and may be changed or updated without notice. All edj Group original content is provided AS IS and while we endeavor to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the fitness for a particular purpose, completeness, accuracy, reliability, suitability, or availability with respect to the information, products, services, or related graphics for any specific purpose. Any reliance you place on such information is therefore strictly at your own risk. In no event will EDJ Group or any of its contributors be liable for any direct, indirect, punitive, incidental, special, or consequential damages or damages for loss of profits, revenue, data, down time, or use, arising out of or in any way connected with the use of the document or performance of any services, whether based on contract, tort, negligence, strict liability or otherwise. 2014, EDJ Group, Inc. All rights reserved. Customers that bought this report may make one attributed copy or slide of each figure contained herein. Licensed for reproduction by Symantec, additional reproduction is strictly prohibited. Information is based on best available resources. Opinions herein reflect judgment at the time of testing and are subject to change. Report illegal copies of this report to info@edjgroupinc.com to receive a free copy plus another research report of your choice. 6

10

11 About Symantec Symantec protects the world s information, and is a global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment from the smallest mobile device, to the enterprise data center, to cloud-based systems. Our worldrenowned expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at or by connecting with Symantec at go.symantec.com/socialmedia. For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 2/