BYOD And The Consumerization Of IT In Corporate America

Monday, August 25, 2014 - 12:53

The Editor interviews Judith Branham, a Vice President in the Minneapolis office of Stroz Friedberg, an investigations, intelligence and risk management company, where she directs digital forensic investigations, assists clients in responding to cyber crime and data breach incidents, and manages a portfolio of end-to-end e-discovery engagements. 

Editor: Please tell us about your professional background.

Branham: I spent eight years at a Fortune 500 company where I developed their e-discovery program; from there I went to Faegre Baker Daniels where I practiced law in the area of electronic discovery. I now manage a variety of matters involving digital forensics, e-discovery and incident response for Stroz Friedberg. I find the growing use of mobile devices and other technologies within corporations fascinating. I have been involved in cases where the recovery of data, including deleted data, has been crucial to the outcome of matters. It’s been a fun ride, and I think that the challenges are just going to continue to grow.

Editor: Please explain how the proliferation of technology among consumers is challenging businesses today. 

Branham: Over the past several years, there has been a growing “consumerization of IT,” where individuals, rather than organizations, have become the primary consumers and drivers of technology. In the past, the technology an employee used at home was often much less advanced than the technology an employee used at work. Today, technology is a bigger part of our lives outside of work, and as a result, employees are demanding that same technology within the workplace for their productivity. The challenge to organizations is that as IT departments follow employee demand, business technology is no longer necessarily being selected based on criteria that reduces risks for the company as the first priority. Consumers tend to adopt technologies faster than organizations do. Employees who want the latest and greatest offerings to keep their companies on the cutting edge are pushing corporations to adopt untested technologies that they might not be prepared for from a security and data discovery standpoint.

Editor: There was a time when everyone had a company-issued Blackberry. Now that everyone uses different platforms, carriers and devices, it must be incredibly difficult for IT departments to stay on top of it.

Branham: That’s exactly right. Instead of managing just one trusted device with which the IT support system has experience and an understanding of the related data and security issues, now companies have a number of different devices that they have to deal with. And it’s not only mobile phones but also tablets and other technologies, such as cloud services, that employees are demanding.

Editor: In fact, BYOD came about as a result of employee demand. How have BYOD policies been impacted by the increasing use of text messaging in professional environments?

Branham: Companies are dealing with how to craft an effective BYOD policy in a way that meets employee demands but conforms to privacy expectations. This is especially true in cases where the employee is using the device for both personal and business use. For instance, I know of one situation where a company implemented the use of personal devices and developed a BYOD policy. As part of this policy, they enabled locations to track that device should it be lost. There was a huge amount of employee pushback because of privacy implications – many employees didn’t like the idea of the company being able to trace their exact whereabouts. This is just one type of conflict that may arise when a personal device is used for business purposes. So it’s not just IT that should be in charge of crafting these policies – it really takes several different divisions putting their heads together to determine the best policies and the implications of each of those policies.

Editor: Who should be involved in crafting that policy?

Branham: Legal needs to be involved to ensure compliance with any applicable laws and address legal implications relating to implementation of the policy, including discovery of data from the device for litigation. The privacy officer should be involved to ensure compliance to privacy policies and laws. IT security is a key player in identifying security risks and adopting language to address those risks. IT needs to be able to support the tools and execute the tasks that need to be performed to comply with the new policy. HR also needs to be involved to understand the impact on employees and to help with distribution and implementation. Finally, many companies involve outside counsel or consultants with experience crafting BYOD policies. My best advice is that corporations develop a BYOD policy that is clear enough to encourage compliance, but is also broad enough to consider the advancement of new technologies.

Editor: In terms of tomorrow’s technology, what are some things companies should be thinking about when they’re revising their BYOD policies? What other ways can they manage that risk?

Branham: Surprisingly, a vast number of companies still don’t have a BYOD policy. But when a company does put one in place, it needs to be done with enough forethought that it will continue to be relevant and valuable as technology evolves. Next, companies need to consider enforcement of that policy, and the key part of that is employee education. You want to make sure that employees understand the risks to the corporation when they use their personal devices for business, and that as a result, there are some limitations on their privacy when they do so. The BYOD policy should make it clear that intertwining business and personal communication on one device creates a risk of personal information being exposed when parties are involved in litigation, and that even a personal mobile phone could be subject to discovery if used for business. A BYOD policy should also state that the employer has the right and capability to wipe, or erase, data remotely from any device being used for business purposes – and that means it’s wiped entirely, including personal photos and contacts.

Mobile device management (MDM) tools can wall off some personal information from business communication, but the tool must comply with the policy. There are still instances where information of a personal nature is viewable, and MDM tools don’t prevent personal information from being wiped when circumstances necessitate that.

Corporations can go a long way in controlling risk by 1) ensuring that employees are adhering to strong passcodes and are using the same security rules that are company policy for other applications; 2) having an “acceptable use” policy that ensures that employees are not sharing their device with, for example, a significant other; prevents viewing inappropriate material; and controls what applications are installed; and 3) encrypting any corporate-owned data that might reside on the phone.

Editor: What added challenges do text messages create for e-discovery?

Branham: There are a number. Text messaging in a professional setting is one of the riskier things that is happening in business communications and with which litigators are dealing. The use of acronyms and shorthand, for instance, is very common in text messaging. That often results in miscommunication or misunderstanding that can be potentially damaging. Another issue is that most corporations are ill equipped to deal with the recovery and preservation of data from text messages generated on such a wide variety of devices. Wireless carriers typically don’t keep that data; it’s usually pushed to the individual’s phone, so recovering the text messages becomes an issue. Companies can work with digital forensics examiners for imaging and extracting active and deleted text messages from a phone, but they really need to think about how employees use text messages and what data might come to life in discovery that may significantly impact litigation.

Editor: Is there any relevant case law addressing discovery from mobile devices?

Branham: There are a number of cases that are emerging where the courts are making it clear that text messages and information from mobile devices are relevant and considered discoverable information just as email is. The challenge in court is that parties are often unfamiliar with the types of information you can get from a phone and unaware that information recovery is variable depending on the phone. Typically, text messages are most important to litigation, but there are also photos and videos, calendar entries and contacts that may be relevant. In the cases that we’re seeing, it’s clear that if employees are using text messages for business communication, that information is likely to be considered relevant and under the control of the corporation, and therefore subject to discovery. Corporations need to communicate clearly to their employees about the use of text messaging and incorporate it into a BYOD policy, if there is one.

Editor: What lessons can be learned from early e-discovery development?

Branham: You want to be proactive rather than reactive in these types of environments. If you are aware of new technologies on the rise, you can incorporate them into your policies, which will reduce your company’s risk and oftentimes save you money. We also know that courts are going to take a broad look at what is discoverable, and this may create conflicts between what employees consider private information and what’s actually subject to discovery. Corporations really need to think about how they’re going to handle that conflict and make sure they’re educating their employees in advance about those issues.

Employees are going to use what’s convenient to them, and they’re not always going to think about the impact on the corporation. Companies need to ask their employees how they are using technology to figure out the types of risks it creates and how they can control those risks. I think that if they ask the right questions, the majority of companies will be very surprised to learn the extent to which employees are using text messages in business today.

Editor: What about other technologies that are gaining popularity in the workplace like wearable technology, the cloud, and ephemeral messaging apps that purport to delete data upon receipt?

Branham: Employers need to be ready for new technology. Employees are not going to wait for their employer to develop a policy before they bring new technology into the office. They’re going to challenge the existing policies; for example, they’re going to come in wearing Google Glass because they bought it, they think it’s neat, and they want to use it at work. If the corporation hasn’t thought about how to handle new technologies as they arrive, there may be repercussions, like an employee inadvertently sharing trade secrets or employee or customer information. All new and evolving technologies that could enter the workplace need to be considered in BYOD and security policies.

Please email the interviewee at jbranham@strozfriedberg.com with questions about this interview.