Corporate Policies On Mobile Devices: A Legal Perspective

Corporate Policies on Mobile Devices: A Legal Perspective
Jonathan Rubens
Javid Rubens LLP
Chair, American Bar Association Cyberspace Law Committee, Business Law Section
JAVID RUBENS LLP

Mobile Devices
Portable, handheld devices that allow people to access data, applications and information from wherever they are.
- Wireless
- Voice/text/email/Internet capable
Examples:
- PDAs
- Laptops
- Tablets
- Smart phones
- Storage disks
- Pagers
- Navigational devices

Mobile Devices – We Love Them!
- Productivity
- Personal Choice
- Cost
- Generational Shift
- Dual Use
- Portability/BYOD

Mobile Devices Not Typically Covered in Existing “Electronic Use” Policies
- Company property (hardware, software, phones and devices)
- Company provided service and access (voice and e-mail, wireless, remote and Internet access)
- Provided to enable employees to perform duties

Mobile Devices Not Typically Covered in Existing “Electronic Use” Policies
Therefore ...
  – Company owns all records or data
  – Employee has no expectation of privacy
  – Company has right to access and view data and communications created, stored, received
      - at any time; with or without notice
      - business-related or personal
      - disclose to law enforcement or government officials or to other third parties

Electronic Use Policies - Outdated
Often not even a recognition of employee accessing personal web based password protected accounts from work equipment or device.

Need a Policy for Mobile Device Use in the Workplace
- Needs to Be a Collaborative Effort
  – IT
  – HR
  – Legal

Need a Policy for Mobile Device Use in the Workplace
- Cost and Resources
  – Permitted and supported devices, manufacturers, models, operating systems, platforms, mobile networks, etc.
  – Company or employee-devices or a combination
  – Allowance or stipend for employee purchase of device or service.

Need a Policy for Mobile Device Use in the Workplace
Policy Decisions
- Fair Labor Standards Act (FLSA) Affects Device and Access Eligibility
- Agui v. T-Mobile Inc.
- Rulli v. Richard Ellis, Inc.
- Oprah - non-exempt employee’s time sheet
- 800 hours in 17 weeks - 32,000 in overtime pay.

Policy also needs to address what happens when device is lost ...
- 17,500 USB sticks left in pockets of clothes at 500 UK cleaners* -- 4X more in 2010 than 2009
- Thousands of handheld devices left in the taxis, hotel bars, rooms and lobbies, malls.*
*Information from surveys by Credant Technologies

Or stolen ...
- 48 NASA notebooks and mobile devices stolen between April 2009 and April 2011.
- One stolen in 2011 was unencrypted. Contained command & control codes for the International Space Station.

How to Obtain Acceptance?
- Electronic Use Policy – use of equipment is acceptance of terms.
- Mobile Device Policy
  – Employee wants to connect device to network
  – Important to authenticate device
  – Require log-in with click-thru agreement whereby employee accepts policy
  – Don’t just allow access if have login and password

Loss/Theft Vulnerabilities
- Loss of Confidential Data
- Loss of Work Product/Productivity
- Negative PR
- Reporting reluctance
  – Fear loss of personal data
  – Fear disciplinary action

Loss/Theft Vulnerabilities
- Massachusetts 201 CMR 17.00: Mandates encryption of all “personal information” stored on devices
- California provisions – data breach reporting obligations extend to unencrypted personal data
- Costs of Data breach reporting are high and only getting higher! average costs of a data breach 210 per record – Ponemon Institute 2010 Annual Study

California – recommended practices
“5. Pay particular attention to protecting notice-triggering personal information on laptops and other portable computers and storage devices.
- Restrict the number of people who are permitted to carry such information on portable devices.
- Consider procedures such as cabling PCs to desks or prohibiting the downloading of higher-risk personal information from servers onto PCs or laptops.
- Use encryption to protect personal information on portable computers and devices.”
- source: CA Office of Privacy Protection –

CA - State Recommendations
“10. Wherever feasible, use data encryption, in combination with host protection and access control, to protect higher-risk personal information. Data encryption should meet the National Institute of Standards and Technology’s Advanced Encryption Standard.” (standard for US Govt agencies.)

CA – Office of Privacy Protection
- Note: State of CA requires State agencies to encrypt confidential, sensitive and personal information on portable computing devices and portable storage media.
- See State Administrative Manual § 5345.2, www.infosecurity.ca.gov.

Cases Shaping Policies
City of Ontario, Cal. v. Quon, 130 S. Ct. 2619, U.S. Supreme Court 2010
  – Employer owned pager and service
  – Personal messages to girlfriend
  – Written policy allowed monitoring and prohibited personal use
  – Supervisor allowed behavior that differed from policy
  – Employee terminated for excessive, highly personal texts
  – Termination upheld because of policy, tailored monitoring

Mobile Device Policy – Summary
- Written Policy
- Tailored to specifics
- Give notice to employee
- Condition access to acceptance of policy
- Monitor only to protect interests (scope and duration)
- Consider type of behavior and communication (illegal, productivity, privileged etc.)
- Require encryption

Mobile Device Policies at Work
- Policy Alone Often Insufficient
  – Compliance
  – Reporting Reluctance
- Mobile Device Management
  – Initial and Ongoing Authentication
  – Black/White App List
  – Selective Remote Wipe
  – Push Updates
  – Active Monitoring and Security

Consider Use Outside the U.S.
- Need to comply with U.S. export laws regarding physical or electronic transmission of controlled data outside the United States.
- Check device and review policy with employees prior to overseas travel.

Consider Use Outside the U.S.
Other jurisdictions may have different rules on mobility, e.g., privacy of personal information; required authorization to monitor, access or remote wipe.

Allow for Changing Technology
- Allow for amendments and updates to reflect changing technology, models and devices.
- Allow for IT, HR and legal and MDM vendor to issue periodic updates/alerts for security and changes, etc.

Questions?
Jonathan Rubens
Javid Rubens LLP
jon@jrlegalgroup.com
415-967-0178

Acknowledgments to:
Kathleen Porter, Robinson & Cole LLP
kporter@rc.com
