BYOD - Bringing Technology to work | Sending Data Everywhere


DESCRIPTION

Presentation to the Science and Technology Committee of the American Bar Association on legal issues associated with employers enabling employee Bring Your Own Device policies.


BYOD Bringing Technology to Work

Sending Data Everywhere

SPEAKER

Jim Brashear is a member of the Bar of the United States Supreme Court, the California Bar Association and the State Bar of Texas. He frequently appears as a public speaker on corporate governance, data security and information technology legal topics.

He currently serves as Programs Co-Chair and Cloud/SaaS Co-Chair for the Association of Corporate Counsel’s Information Technology, Privacy & Electronic Commerce Committee.

He received a Juris Doctorate degree, magna cum laude, from the University of San Diego School of Law, and a Bachelor of Arts degree in political science from the University of California at San Diego.

James F. Brashear, General Counsel, Zix Corporation

@jfbrashear

This program is for educational purposes only. The content does not constitute legal advice. No attorney-client relationship is created by your participation.


A Leader in Email Data Protection

Committed to innovative, easy-to-use email security

Recognized by Gartner Research as the industry leader in email encryption

Email-specific DLP solution

Innovative BYOD solution

Zix Corporation

AGENDA

• Background
• Data (in)Security
• Legal Risks
• Ethics
• Policy Approaches
• Technology Solutions

Background

BYOD is part of a larger phenomenon

Individual IT Empowerment

CONFLUENCE

• Devices
• Connectivity
• Cloud
• Social
• Big Data

“CIOs Look for Ways to Marry Social Data with Big Data”, Wall Street Journal (July 26, 2013)

Mobile Devices are an Essential Part of Modern Life

People are emotionally attached to their devices

They take them everywhere

Enable work whenever and wherever they go

Work Phone

Personal Phone

It is common for employees to use company-provided devices plus personally-owned devices

This is BYOD

Multiple Devices

Average U.S. user carries 3 mobile devices

Sophos survey

Why BYOD?

o Improved employee productivity

o Adopting technology at the speed of consumer markets

o Enhanced employee morale

o Attract and retain staff

o Potential cost savings

o Offloading the management of non-strategic devices from IT

Source: Gartner, BYOD The Facts and The Future

Challenges to IT Departments

• Consumerization of IT = Decentralization
• Flood of new devices
• Hundreds of thousands of apps
• New ways of sharing data
  – Hundreds of social media sites
  – Many file sharing websites

Data (in)Security


“There’s nothing hotter for consumers than tablets and smartphones.

There’s also nothing more terrifying for IT than tablets and smartphones.”

- Mark Fidelman, Forbes Contributor


It’s Easy to Understand Why IT Departments Are Nervous

81% of employees already use personal devices at work

Source: Harris Interactive

91% of tablet users have disabled auto-lock security

75% of smartphone users have done the same

BYOT = Unsecured Data Bridge

In addition to device security, BYOD solutions must address data security, secure connectivity & controlled access

Legal Risks

Law Lags Technology

Privacy laws didn’t contemplate today’s technology

Going Too Fast?

Supreme Court mired in 19th century communication modes

“Court hasn't really 'gotten to' email”
Justice Elena Kagan

Challenge for Courts

Supreme Court’s real challenge for the next 50 years will be identifying the fundamental principle underlying constitutional protection and applying it to new issues and new technology
Chief Justice John Roberts

Employee Personal Data

Employee consent to remote wipe

• Private photos
• Personal documents
• Financial information
• Medical facts
• Accounts and passwords
• Application metadata
• Location data

Containerization and mixed use of company-provided apps

Employee Privacy

Rulings differ based on employer policies and practices
• Clear notice to employees
• Coordinate with workers’ councils

• U.S. federal and state laws

• Non-U.S. laws

Reasonable expectation of privacy?

Employer-provided

City of Ontario v. Quon

Lazette v. Kulmatycki

BYOD may result in greater expectations of privacy

Social Media Password Laws

11 states limit employer access to social media usernames and passwords: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah, Washington
• Some include email
• Proposed federal law: Social Networking Online Protection Act of 2012

Employer monitoring?

Discrimination

• Protected categories
• Criminal history
• Employee non-work behavior

Gramm-Leach-Bliley Safeguards Rule

• In practice, Article 9 of the UCC leads lenders to obtain a copy of each client's driver's license before making a loan secured by personal property

• Loan officers sometimes photograph the driver's license with their smartphone and send it by email or SMS to their office, putting regulated customer data on an unmanaged device and in unencrypted transit

HIPAA Privacy and Security

#1 HIPAA violation is unencrypted data on lost or stolen devices

• $1.5M lost laptop fine
• $1.7M lost USB drive fine

PwC Health Research Institute

• Increase in healthcare BYOT
• Mobile security one of the top 10 issues hospitals will face in 2013

Investigations and Legal Holds

FRCP Rule 37(e), failure to preserve
• Triggering events
• Preservation issues

FRCP Rule 26(b)(1), proportionality
• Possession, custody or control

Stored Communications Act
• Restricts access to email and other communications in electronic storage
  – Warrant needed to access communication in electronic storage for 180 days or less

Split of authority on “storage”
• Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
• Jennings v. Broome et al., No. 27177, 2012 S.C. LEXIS 204 (S.C. Oct. 10, 2012)
• Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010)

Calls to revise 1986 Electronic Communications Privacy Act
• Not clear how it applies to today’s electronic communications

Smartphone not a “facility” under SCA
• Garcia v. City of Laredo, No. 11-41118 (5th Cir. Dec. 12, 2012)

Key to Protecting Trade Secrets

Take reasonable steps to protect information from improper and unauthorized access or exposure

• Identify and classify confidential information and trade secrets

• Physical and electronic security protocols for limiting access to confidential information

• System to prevent disclosure of confidential information by insiders

Obligations under Non-Disclosure Agreements
• Developing standard of care for BYOD data security

BYOT and Trade Secrets

Traders allegedly emailed to personal accounts computer code containing employer’s secret high-frequency trading algorithms
• One shared the files through Dropbox

Employee uploaded source code used to execute high frequency trades and took it to a competitor
• NSPA does not criminalize theft of intangible property
• No Economic Espionage Act violation because the code was not a product produced for or placed in interstate commerce

United States v. Aleynikov, 676 F.3d 71 (2d Cir. 2012)

Employee uploaded files containing step-by-step instructions for assembling medical equipment
– Employer detected him forwarding trade secrets from his work email account to a personal email account

United States v. Agrawal

Email is a major source of data leakage
• Cloud file transfer services too

Ethics Issues

Lawyers are Targets

“Already making chump-meat of the most sophisticated of computer defenses, hackers are unleashing a new wave of malware on unsuspecting law firms. And among the newest targets are mobile phones and similar portable devices.”

ABA Journal, Security: “New hacker technology threatens lawyers’ mobile devices”, by Joe Dysart (Sep 1, 2013)

“We fear that we will have to suffer more very public data breaches before law firms collectively agree to batten down the hatches and put security first.”

Sharon D. Nelson, Sensei Enterprises

Ethics: Competence

Model Rule 1.1: A lawyer shall provide competent representation to a client

A lawyer should keep abreast of the risks associated with technology

Ethics: Client Confidences

Model Rule 1.6(c): A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client

Law Firm Cybersecurity Audits

“Since mobile electronic devices are a likely weak area, one issue is whether confidential information sent to them is encrypted.”

ABA Journal, Business of Law: “Bank’s new cybersecurity audits catch law firms flat-footed”, by Martha Neil (Jun 13, 2013)

Under pressure from federal regulators, who are concerned about lax cybersecurity at law firms, the Bank of America Merrill Lynch has begun conducting audits on the law firms it does business with, to verify what they are doing to protect sensitive information.

When to Encrypt

• Mandatory Data Protection: law or regulations require encryption, or provide a safe harbor from data breach notification requirements if the data is encrypted

• Heightened Risk of Interception: lawyers should not use unencrypted communications where there is a particularly high risk that they may be accessed by unauthorized third parties

• Responding to Encrypted Communication: lawyers should reply using equivalent security, because prior emails often are appended to replies

• Highly Sensitive Information: lawyers should not send highly sensitive client communications unencrypted

Policy Approaches

Companies Lack BYOT Policies

71% of businesses that permitted BYOD had no specific security or support policies

80% of companies have not trained employees on BYOT risks, practices and policies

Source: ITIC, 2012

Unworkable Policies

Banning BYOT is unrealistic and unworkable

• Only 12% of companies say they have no plans to allow BYOD

Information Week – 2013 State of Mobile Security

Top 10 Banned Apps

Android
• Dropbox
• Facebook
• Netflix
• Google+
• Angry Birds
• Google Play Movies & TV
• Google Play Books
• SugarSync
• Google Play Music
• Google+ Hangouts

iOS
• Dropbox
• SugarSync
• BoxNet
• Facebook
• Google Drive
• Pandora
• SkyDrive
• Angry Birds
• HOCCER
• Netflix

Dropbox is #1 on both lists

Non-Compliance

93% of employees admit violating policies designed to prevent breaches and noncompliance

Employees with high potential for harm are among the most likely to violate security policies

Policy and training exceptions for senior executives increase risks

CEB Information Risk Executive Council End-User Awareness Survey, 2009–2012

Non-Compliance

Proxy work-around for workplace web site ban (image)

Credit: www.labnol.org

Users want flexibility

WHAT THEY DON’T WANT IS:
• Company monitoring of their personal activities or restricting the apps they use
• Interruption of their calendar, contacts, phone and texting functions
• Invasion or deletion of their personal data

Companies want safe data

WHAT THEY DON’T WANT IS:
• Corporate data distributed on thousands of devices and web sites
• Users resorting to personal solutions and other insecure means of maintaining productivity

2/3 of employees don't trust employers with their mobile data and privacy

MobileIron survey

Must Balance Competing Wants

Employers’ #1 concern is securing corporate data on personal devices

Information Week: 2013 State of Mobile Security

Employee privacy

Enterprise: Control and Security

Individual: Empowerment and Privacy

The Right Balance

Solution should support both perspectives

Companies get security, productive employees and improved morale

Employees get flexibility and privacy

BYOD Guidelines

• NIST Special Publication 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise

• NIST recommends mitigation measures
  – Adopt Strong General Policies
  – Incorporate Mobile Devices In Existing System Threat Models
  – Develop Multiple Security Strategies
  – Pilot Security Solutions Before Putting Them Into Production
  – Install Secure Baseline Configurations On Company-Issued Devices
  – Maintenance and Assessment

Technology Solutions

Complete Solutions?

• Strategy
• Policies
• Technology
• Training
• Monitoring

No system can anticipate and control every possible use of new technologies or every form of non-compliance

Trust May Trump Controls
• Detailed and strictly enforced policies may cause employees to “work to rule”
• Describe objectives and give general guidance

Data Loss Prevention

Intercept Outbound Data → Analyze Content → Apply Policies → Notification → Archive
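The five DLP stages above, the "When to Encrypt" rules, and the work-to-personal-webmail forwarding pattern from the trade-secret slides, as one added, runnable toy gateway in Python. This is example code written for this page, not Zix's product or anything from the presentation; the internal domain, the webmail list, the sensitivity markers, the X-Encrypted-Thread header and the four sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Dict, List

# Constructed policy inputs (assumptions for this example, not from the presentation)
INTERNAL_DOMAIN = "example.com"
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
SENSITIVE_MARKERS = ("attorney-client privileged", "trade secret", "confidential")
CODE_EXTENSIONS = (".py", ".java", ".c", ".cpp", ".h", ".zip")
ENCRYPTED_THREAD_HEADER = "X-Encrypted-Thread"  # hypothetical marker stamped on replies by the gateway

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # candidate card numbers, confirmed with Luhn


@dataclass
class Verdict:
    action: str                      # "ALLOW", "ENCRYPT" or "BLOCK"
    findings: List[str] = field(default_factory=list)
    notify: List[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random 16-digit strings are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def analyze(msg: EmailMessage) -> List[str]:
    """Stage 2: content analysis over body text, attachment names and headers."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings: List[str] = []
    if SSN_RE.search(text):
        findings.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        findings.append("card-number")
    if any(marker in text.lower() for marker in SENSITIVE_MARKERS):
        findings.append("sensitive-marker")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(CODE_EXTENSIONS):
            findings.append(f"code-attachment:{name}")
    if str(msg.get(ENCRYPTED_THREAD_HEADER, "")).lower() == "yes":
        findings.append("reply-to-encrypted")
    return findings


def recipient_domains(msg: EmailMessage) -> set:
    hdrs = f"{msg.get('To', '')},{msg.get('Cc', '')}"
    return {d.lower() for d in re.findall(r"[\w.+-]+@([\w.-]+)", hdrs)}


def apply_policy(msg: EmailMessage) -> Verdict:
    """Stage 3: BLOCK sensitive content or source code headed to personal webmail;
    ENCRYPT regulated identifiers, marked content, or replies in an encrypted thread."""
    findings = analyze(msg)
    to_personal = bool(recipient_domains(msg) & PERSONAL_WEBMAIL)
    leak = any(f == "sensitive-marker" or f.startswith("code-attachment") for f in findings)
    if to_personal and leak:
        return Verdict("BLOCK", findings, [str(msg["From"]), f"security@{INTERNAL_DOMAIN}"])
    regulated = {"ssn", "card-number"} & set(findings)
    if regulated or "sensitive-marker" in findings or "reply-to-encrypted" in findings:
        return Verdict("ENCRYPT", findings, [str(msg["From"])] if regulated else [])
    return Verdict("ALLOW", findings)


ARCHIVE: List[Dict] = []   # stage 5: every decision is kept for compliance reporting


def process_outbound(msg: EmailMessage) -> Verdict:
    """Stages 1, 4 and 5: intercept the message, decide, record who to notify, archive."""
    verdict = apply_policy(msg)
    ARCHIVE.append({"from": str(msg["From"]), "to": str(msg["To"]), "subject": str(msg["Subject"]),
                    "action": verdict.action, "findings": list(verdict.findings)})
    return verdict


def make_message(sender, to, subject, body, attachment=None, headers=None) -> EmailMessage:
    """Build a constructed sample message (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    for k, v in (headers or {}).items():
        msg[k] = v
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


SAMPLES = [   # constructed: one message per policy outcome
    make_message("alice@example.com", "bob@example.com", "Lunch", "See you at noon."),
    make_message("loan.officer@example.com", "branch@example.com", "Applicant ID",
                 "License photo attached. SSN 123-45-6789, card 4111 1111 1111 1111.",
                 attachment="license.jpg"),
    make_message("trader@example.com", "trader.home@gmail.com", "backup",
                 "keeping a copy of my strategy files", attachment="strategy.py"),
    make_message("counsel@example.com", "client@clientco.example", "Re: settlement terms",
                 "Following up on the encrypted message below.",
                 headers={ENCRYPTED_THREAD_HEADER: "yes"}),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = process_outbound(m)
        print(f"{v.action:8} {m['To']:28} {v.findings}")
```

The Luhn step matters in practice: a bare 16-digit regex fires on order numbers and tracking IDs and trains users to ignore the notifications. The archive is what makes the "compliance reporting" bullet later in the deck possible; a DLP decision that is not recorded cannot be shown to a regulator or used in a legal hold.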

Spectrum of BYOD Solutions

• Mobile Device Management
• Mobile App Management
• Mobile File Management
• Separate Interfaces
• Containerization
• App Wrapping
• Desktop Virtualization
• App Virtualization

Enterprise Control (top of the list) to Employee Empowerment (bottom of the list)

Most BYOD approaches are missing the point

MDM & Containerization assume data is on the device

MDM
• Too complex
• Too expensive
• Too invasive for users
• Too difficult to implement
• Problem getting worse

The Holy Grail

The holy grail remains full mobile virtualization
– It’s probably a better bet to just keep persistent data off the device in the first place

Information Week: 3 Ways To Virtualize Mobile Devices — And Why You Should Do So

Email App Virtualization

o EMAIL NEVER RESIDES ON THE DEVICE
o Because each email is only on the phone while viewed, the number of messages at risk is minimal

o USERS RETAIN COMPLETE CONTROL
o No monitoring, restrictions or risk of data loss

o FIREWALLING OF PERSONAL DATA
o Limits company liability

o SEAMLESS INTEGRATION WITH NATIVE FUNCTIONS AND UI
o Contacts can be used for phoning and texting

o COMPLIANCE REPORTING

Inside View

Mobile Device <-- TLS (presentation protocol) --> Hosted service or on-site gateway <-- TLS (Exchange Web Services) --> Customer Exchange Server

Message content on the device: RAM only

ZIXONE demo on Apple’s App Store and Google Play

Questions
