Bring Your Own Device: Challenges faced by the Consumerization of IT Therese P. Miller, Esq., CIPP Shook, Hardy & Bacon LLP April 18, 2013.


1 Bring Your Own Device: Challenges faced by the Consumerization of IT Therese P. Miller, Esq., CIPP Shook, Hardy & Bacon LLP April 18, 2013

2 Bring Your Own Device or BYOD

3 Consumerization of IT
Why organizations are adopting BYOD:
– Cost
– Convenience
– Inevitability
– Support
– Recruiting, retention, diversity
4/18/2013 ©2013 Thérèse P. Miller - Shook, Hardy & Bacon LLP

4 Challenges related to BYOD
Data-related
– InfoSec
– RIM
– Privacy
– E-Discovery
– Protection of trade secrets
– Employment issues (temp workers)
Behavior-related
– Performance
– EEOC / wage & hour
– Training
– Procedures

5 Why BYOD? Courtesy of iStockphoto®


7 Top Mobile Activities


9 Mobile Social Networking (Source: ENISA)

10 Mobile Devices and RIM
Definition of mobile device:
– an application of wireless communication technologies to process, transmit and exchange data
– this includes laptop computers, personal digital assistants (PDAs), mobile phones and smart phones
Records can be created, processed, transferred, stored, disseminated, shared, used, and disposed of in and by mobile devices

11 Enterprise Deployment Models
– Company-issued and paid-for accounts
– Personal accounts, company reimbursements
– Personal accounts, access to work resources

12 The line between what is work and what is personal is blurring (Courtesy of iStockphoto®)

13 Strategy for RIM
Centralization
– Synchronization procedures: push vs. pull
– Asset management strategies (Mobile Device Management)
Storage
– Off-line and off-site data storage retention policies
– Instructions for how and where users can store data
– Backup and recovery procedures
Function over form
– Form of ESI does not matter
– FRCP: stored in any medium

14 Data Security (Image by Frederic Poirot)

15 Types of Attacks
– Hacking/malware (APTs)
– Insider abuse
– Laptop/mobile device theft
– Phishing
– Denial of service (DoS)
– Password sniffing
– Exploit of wireless network

16 Data Breach
Federal requirements
State data breach laws
– 47 states, D.C., P.R. and the U.S. Virgin Islands have enacted such laws, beginning with California in 2003

17 Mass. 201 CMR 17 (2010)
Minimum standards to safeguard…personal information in both paper and electronic records:
– Designate an individual who is responsible for data security;
– Anticipate risks to personal information and take appropriate steps to mitigate such risks;
– Develop security program rules;
– Impose penalties for violations of the program rules;
– Prevent access to personal information by former employees;
– Contractually obligate third-party service providers to maintain similar procedures;
– Restrict physical access to records containing personal information; monitor the effectiveness of the security program; and
– Document responses to incidents.
Technical mandates:
– User authentication, access controls, encryption, monitoring, portable devices, firewall protection, updates and training.

18 Concern About Potential Conduits For Exposure (Source: Proofpoint - Osterman)

19 ENISA Top 10 Smartphone Risks
No. | Title | Risk
1 | Data leakage resulting from device loss or theft | High
2 | Unintentional disclosure of data | High
3 | Attacks on decommissioned smartphones | High
4 | Phishing attacks | Medium
5 | Spyware attacks | Medium
6 | Network spoofing attacks | Medium
7 | Surveillance attacks | Medium
8 | Diallerware attacks | Medium
9 | Financial malware attacks | Medium
10 | Network congestion | Low

20 "While we acknowledge the growth of mobile computing and the increasing attractiveness of the platform to potential threats, we also must acknowledge that again this year we have no representation of smartphones or tablets as the source of a data breach."
Source: 2011 Data Breach Investigations Report by Verizon and the United States Secret Service

21 But compare:
"Securing mobile devices continues to pose a challenge to businesses with 62 percent of respondents identifying this as challenge…. Mobility continues to empower and enable workforces to accomplish more than ever, and this trend is only increasing. Smart phones will most likely cause an increase in criminal research and development efforts due to their ubiquity and functionality."
Source: 2011 Underground Economies Report by McAfee and SAIC

22 Data Privacy (Image by EJP Photo)

23 Federal Data Privacy Laws
– FTC consent decrees
– Consumer Financial Protection Bureau
– Gramm-Leach-Bliley (GLBA)
– FCRA, FACTA, Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
– Red Flags Rule
– HIPAA / HITECH
– FTC Act
– COPPA, CAN-SPAM, ECPA, FISA, USA PATRIOT Act
– Export controls
  – DoC Export Administration Regulations (EAR)
  – DoS International Traffic in Arms Regulations (ITAR)

24 Privacy laws
– Regulate the use and transfer of personally identifiable information (PII)
Data and identity theft
– Criminalizes unauthorized access to information systems and the use of stolen information for fraudulent, criminal, or other unlawful purposes
Data breach notification
– Requires notice to individuals and/or police authorities when information security has been breached or compromised, resulting in risk or exposure of the confidentiality, integrity, and/or security of the PII

25 Why Do We Care?
Devices typically allow 3rd parties to access personal information, such as:
– Phone numbers, current location, often the owner's real name, even a unique ID number that can never be changed or turned off
– Contact lists
– Pictures
– Browsing history
Third parties like ad networks, which on the web usually must rely on cookies to track users, often get access to unique (and permanent) device identifiers in the mobile space

26 Mobile Apps
Wall Street Journal investigation:
– Examined 101 popular smartphone apps in Dec. 2010
  – 56 transmitted the phone's unique device ID to others without users' awareness or consent
  – 47 apps transmitted the phone's location in some way
  – 5 sent age, gender and other personal details to outsiders

27 What Does Your Phone Know About You?
Forensics program for investigating iPhones and iPads, e.g.:
– 14,000 text messages, 1,350 words in the personal dictionary, 1,450 Facebook contacts, tens of thousands of location pings, every website ever visited, what locations were mapped, emails going back a month, photos with geolocation data attached, and how many times I checked my email on any given day

28 INTERNATIONAL DATA PROTECTION (Image by Vincenzo Cosenza)

29 GOVERNMENT INTRUSION

30 US Laws Governing Access
USA PATRIOT Act
– Surveillance of customer data by the National Security Agency
ECPA (SCA)
– Warrantless searches under the exceptions provided under the SCA
– Electronic Communications Privacy Act (18 U.S.C. § 2510): the statute controls what can be disclosed to law enforcement
CFAA
– Criminalizes unauthorized access to computers
– The CFAA generally requires an unauthorized access, either an access "without authorization" or an act that "exceed[s] authorized access"

31 ECPA (SCA)
The Electronic Communications Privacy Act prohibits disclosure of the contents of electronically stored communications
Depends on distinctions, such as:
– Electronic communication service (ECS) / remote computing service (RCS)
– Content / records / basic info
– Subpoena / 2703(d) order / search warrant
– Less than / more than 180 days
Exceptions
– Communications to the intended recipient
– With consent of the originator
– As necessary to provide the service
– Law enforcement, for various reasons

32 So What Can the Government Get?
Subpoena needed only
– Basic subscriber info: name, address, service start date and the types of services you use, phone records, Internet records such as the times you signed on and off of the service, the length of each session, and the IP address that the ISP assigned to you for each session, and information on how you pay your bill, including any credit card or bank account number the ISP or phone company has on file

33 So What Can the Government Get?
Court order required
– Email addresses of people you send emails to and receive emails from, sent and received time, and size
– IP addresses of other computers on the Internet that you communicate with, when you communicated with them, and how much data was exchanged
– Web addresses of web pages that you visit
– Cell site location data for your mobile device

34 So What Can the Government Get?
Emails, voicemails, and other communications content stored by your communications providers receive stronger protection

35 Provider Retention Periods
– ACLU of NC FOIA request
– Memo from the DOJ, Aug 2010
Source: Wired.com


37 Trends in the New Media (Image by EJP Photo)

38 Mobile Payments

39 Location-based Apps
Increasingly, the information shared on social media is location-specific
Photos taken on mobile devices carry geotags
Social media apps
– Facebook Places
– Foursquare
– Yelp
– Twitter
– Google Maps

40 Mythbusters Host Is Geobusted
– Adam Savage, of MythBusters, took a photo of his vehicle using his smartphone
– Posted the photo to his Twitter account including the phrase "off to work"
– Photo was taken by his smartphone
– Image contained metadata revealing the exact geographical location where the photo was taken
– So by simply taking and posting a photo, Savage revealed the exact location of his home, the vehicle he drives and the time he leaves for work

41 Geotagging
– Process of adding geographical identification to photographs, video, websites and SMS messages
– Geotags are automatically embedded in pictures taken with smartphones
– Flickr: 5.0 million things geotagged this month
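As an added illustration of the geotagging point in slides 40 and 41 (this is not code from the presentation), the Python below builds a constructed JPEG stub carrying an EXIF GPS IFD, reads the coordinates back the way a scraper or forensic tool would, and strips the APP1 segment so a photo can be shared without its location. The marker and tag numbers are from the JPEG and EXIF specifications; the coordinates are made-up sample values.

```python
import struct

# EXIF/TIFF tag numbers and field types used below (from the EXIF 2.x specification)
GPS_IFD_POINTER, GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x8825, 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
EXIF_HEADER = b"Exif\x00\x00"

def _dms(deg):
    """Decimal degrees -> the (deg, min, sec) rationals EXIF stores, seconds to 1/100."""
    d = int(abs(deg)); m_float = (abs(deg) - d) * 60; m = int(m_float)
    return [(d, 1), (m, 1), (round((m_float - m) * 6000), 100)]

def build_jpeg_with_gps(lat, lon):
    """Constructed sample: SOI + APP1 (little-endian TIFF holding only a GPS IFD) + SOS + EOI."""
    gps_ifd = 8 + 2 + 12 + 4                  # IFD0 holds a single 12-byte entry
    data = gps_ifd + 2 + 4 * 12 + 4           # RATIONAL triplets follow the 4-entry GPS IFD
    t = bytearray(b"II*\x00" + struct.pack("<IH", 8, 1))
    t += struct.pack("<HHIII", GPS_IFD_POINTER, TYPE_LONG, 1, gps_ifd, 0)  # entry, no IFD1
    t += struct.pack("<H", 4)
    t += struct.pack("<HHI2s2x", GPS_LAT_REF, TYPE_ASCII, 2, b"N" if lat >= 0 else b"S")
    t += struct.pack("<HHII", GPS_LAT, TYPE_RATIONAL, 3, data)
    t += struct.pack("<HHI2s2x", GPS_LON_REF, TYPE_ASCII, 2, b"E" if lon >= 0 else b"W")
    t += struct.pack("<HHIII", GPS_LON, TYPE_RATIONAL, 3, data + 24, 0)    # entry, no next IFD
    t += b"".join(struct.pack("<II", n, d) for n, d in _dms(lat) + _dms(lon))
    body = EXIF_HEADER + bytes(t)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xda\x00\x02\xff\xd9"

def _segments(jpeg):
    """Yield (offset, marker, length) for every marker segment before the scan data (SOS)."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, jpeg[pos + 1], length
        pos += 2 + length

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None when there is none."""
    for pos, marker, length in _segments(jpeg):
        if marker != 0xE1 or jpeg[pos + 4:pos + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[pos + 10:pos + 2 + length]
        end = "<" if tiff[:2] == b"II" else ">"     # TIFF byte order: "II" Intel, "MM" Motorola
        u16 = lambda o: struct.unpack(end + "H", tiff[o:o + 2])[0]
        u32 = lambda o: struct.unpack(end + "I", tiff[o:o + 4])[0]
        # tag -> entry offset for one IFD; entries are 12 bytes: tag, type, count, value/offset
        entries = lambda ifd: {u16(ifd + 2 + i * 12): ifd + 2 + i * 12 for i in range(u16(ifd))}
        ifd0 = entries(u32(4))
        gps = entries(u32(ifd0[GPS_IFD_POINTER] + 8)) if GPS_IFD_POINTER in ifd0 else {}
        if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        def coord(tag, ref_tag):
            off = u32(gps[tag] + 8)
            d, m, s = (u32(off + i * 8) / u32(off + i * 8 + 4) for i in range(3))
            return (-1 if tiff[gps[ref_tag] + 8] in b"SW" else 1) * (d + m / 60 + s / 3600)
        return coord(GPS_LAT, GPS_LAT_REF), coord(GPS_LON, GPS_LON_REF)
    return None

def strip_exif(jpeg):
    """Copy the JPEG without its EXIF APP1 segment (where the geotag lives); image data is kept."""
    out, pos = bytearray(jpeg[:2]), 2
    for seg_pos, marker, length in _segments(jpeg):
        if marker != 0xE1 or jpeg[seg_pos + 4:seg_pos + 10] != EXIF_HEADER:
            out += jpeg[seg_pos:seg_pos + 2 + length]
        pos = seg_pos + 2 + length
    return bytes(out + jpeg[pos:])
```

Run `extract_gps` over a real photo from a phone to see whether it carries a location, and `strip_exif` before uploading to remove it (other APP1 metadata such as the thumbnail goes with it).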

42 iPhone And Smartphone Tracking

43 Policies Courtesy of iStockphoto®

44 RIM Policy Language
Information flows through the organization in the form of paper and electronic records such as word processing documents, spreadsheets, email, graphical images, and voice or data transmissions.
– This includes the use of mobile devices, smartphones and PDAs.
Define what a record is:
– Recorded information, regardless of medium or characteristics, made or received by the Company as required by legal or regulatory obligation or in the transaction of business

45 Employer Monitoring
Employers generally have a right to monitor employee use
– Reserve the right to have systems administrators monitor employee use of mobile devices
– If the equipment is work-issued, remind employees that use is primarily for business purposes and not for personal purposes
– Employees generally have no privacy rights in emails/text messages sent over work-issued equipment

46 Work-Issued Devices vs. Personal Devices
– Depending on company deployment, if those devices contain electronic information that is duplicative of information already being preserved on your laptop or desktop computers, you are not required to retain it
– Enforce usage policies to create a demarcation of what is acceptable

47 BYOD Employee Agreements
Participation in the BYOD programs is voluntary. This agreement is between you and Company. It describes the conditions under which you may use your own handheld devices to access the Company network and Company data, and perform Company work.

48 1. Eligibility
To be eligible to use your device under the BYOD programs, you must:
– Be a regular Company employee (not a contingent or contract worker);
– Register your device;
– Agree to and comply with the terms of this agreement;
– Be in a business group that allows participation in the program; and
– Receive permission from your manager.
If you breach any of the terms of this agreement, you will become ineligible to participate in the BYOD programs, and you may be subject to disciplinary action.

49 Company Policies Still Apply When Enrolled in the BYOD Program

50 Policies
– Company Code of Conduct;
– Company Email Policies;
– Company Computer Use Policies;
– Company Information Security Policies and Procedures;
– Company Employment Agreement and Policies;
– Company Software Licensing Policy;
– Company Social Media Policy;
– Company Privacy Policies and Procedures; and
– All other applicable Company policies and procedures.

51 Data Storage and Backup
– If your device does not allow automatic partitioning of Company-owned information from non-Company information, you should manually separate the information when possible.
– For the Tablet program, Company will provide you with login credentials which will allow you to access a suite of Company-provided applications and data in the virtualized environment.
– You should back up any non-Company data you care about that is stored on your device. You should use a method that does not also capture Company data for storage.
– You must not access, view or store Company information labeled Trade Secret on your device.

52 Data and Device Management
Your device is subject to standard Company data management policies and procedures including, but not limited to, a remote wipe that will remove all stored content. A remote wipe can be performed at any time as deemed necessary by Company.
Examples of when a remote wipe might be necessary include (but are not limited to):
– employee termination, malicious code infection, lost or stolen device, or prolonged absence from Company.
Company is not responsible for any non-Company data lost as the result of a remote wipe.

53 Legal Event Hold Notice
If you are, or become, subject to a Legal Hold, you must follow all Legal Hold instructions, take affirmative steps to preserve relevant information as instructed by Company Legal, and seek permission from Company Legal before removing any information from your device.
You must notify Company if you leave the HH or Tablet programs, or your employment with Company is terminated. Appropriate contact information will be supplied to you with any Legal Hold notifications.
It is your responsibility to understand what services you are allowed to access on your device when subject to a Legal Hold.

54 Mobile Device Data

55 Minimum Security Controls
Implement security controls:
– Strong passwords / password history
– Password expiration
– Lockout after several failed attempts
– Encryption
– Inactivity timeout
– Remote wiping for lost/stolen devices
– Before using them for company business, employees should make devices available to IT for implementation of security settings
Mobile devices that cannot be provisioned to support the policy should not be allowed to connect to the organization's email system

56 Personal Smartphone Use
– Only allow devices that can be provisioned to meet appropriate security standards
– Set expectations for the end-user regarding smartphones that may be lost or stolen
  – Reporting the loss of a device is KEY!

57 ENISA Recommendations
Consumers:
– Automatic locking
– Check reputation before installing or using new smartphone apps or services
– Scrutinize permission requests
– Reset and wipe before disposal
Employees:
– Decommissioning: memory wipe processes
– App installation: define and enforce an app whitelist
– Confidentiality: use memory encryption for the smartphone memory and removable media
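As an added example tied to slides 55 and 57 (not the speaker's code, nor any real MDM product's): a Python posture check that applies the listed minimum controls plus ENISA's app whitelist to device reports, returns the findings, and refuses non-provisionable devices outright. The threshold values, the report fields and the app identifiers are all assumed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    """Minimum controls from the slide; the threshold values are assumed, not the speaker's."""
    min_password_length: int = 8
    password_history: int = 5            # previous passwords that must not be reused
    password_max_age_days: int = 90
    max_failed_attempts: int = 10        # lock (or wipe) after this many bad unlocks
    max_inactivity_minutes: int = 5
    require_encryption: bool = True
    require_remote_wipe: bool = True
    app_whitelist: frozenset = frozenset({"com.example.mail", "com.example.vpn"})

@dataclass
class DevicePosture:
    """Settings as reported by a device's management agent (hypothetical report shape)."""
    device_id: str
    provisionable: bool                  # can the platform enforce pushed settings at all?
    password_length: int
    password_history: int
    password_max_age_days: int           # 0 means passwords never expire
    max_failed_attempts: int             # 0 means no lockout
    inactivity_minutes: int              # 0 means no auto-lock
    encrypted: bool
    remote_wipe_enabled: bool
    user_apps: frozenset = field(default_factory=frozenset)   # user-installed app ids

def evaluate(policy, device):
    """Return the list of violations; an empty list means the device may connect."""
    if not device.provisionable:
        # the slide's rule: a device that cannot take the policy never reaches email
        return ["device cannot be provisioned to the policy"]
    checks = [
        (device.password_length >= policy.min_password_length, "password too short"),
        (device.password_history >= policy.password_history, "password history too small"),
        (0 < device.password_max_age_days <= policy.password_max_age_days, "password expiration missing or too long"),
        (0 < device.max_failed_attempts <= policy.max_failed_attempts, "lockout missing or threshold too high"),
        (0 < device.inactivity_minutes <= policy.max_inactivity_minutes, "inactivity timeout missing or too long"),
        (device.encrypted or not policy.require_encryption, "storage not encrypted"),
        (device.remote_wipe_enabled or not policy.require_remote_wipe, "remote wipe not enabled"),
    ]
    violations = [msg for ok, msg in checks if not ok]
    # ENISA recommendation: an enforced app whitelist; anything outside it is a finding
    violations += [f"app not on whitelist: {app}" for app in sorted(device.user_apps - policy.app_whitelist)]
    return violations

def email_access_allowed(policy, device):
    """Gate applied when a device tries to sync mail: only fully compliant devices get through."""
    return not evaluate(policy, device)
```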

58 Mobile Device Management
1. Different employees require different kinds of mobile support from IT
2. IT should query users to understand staff needs and preferences
3. Create one clear policy for corporate- and employee-owned mobile devices
4. Know mobile platforms' limitations; prioritize support for those that need it most
5. No one-size-fits-all-platforms MDM solution

59 Mobile Device Management
5. Encourage IT suppliers to offer app stores that suit the enterprise
6. Employ virtualization for access to Windows apps on non-Windows devices
7. Support employee-owned devices but set strict usage guidelines
8. Make it clear to users which mobile services are approved
9. Reimbursement for employee-device service costs can serve as an incentive

60 Infrastructure/Security Contractual Terms
– Ownership of data
– Limitation of damages
– Data control
– Breach remedies
– Trust but verify (puffery?)
– Service levels (and what they mean)
– Termination or suspension of service
– Retention of and access to data following termination
– Representations and warranties
– Indemnification
– Confidentiality
– Choice of law
– Notification obligations
– Migration of data issues
– Data processing & storage
– Subcontractors
– Cross-border transfer

61 E-DISCOVERY (Image by MayaEvening)

62 Challenges
1. Preservation
2. Search & retrieval
3. Encryption of data
4. Lack of visibility on disaster recovery media

63 Jurisdiction
– Maintaining information systems in the US raises concerns that sufficient minimum contacts will be found
– Foreign corporations could be found subject to US jurisdiction; if so, this may implicate:
  – Corporate structure
  – Tax
  – Export control

64 Possession, Custody or Control
– A court cannot order production of documents from a party that does not have possession, custody or control of, or the practical ability to obtain, those documents
– Interconnected data systems (such as cloud) potentially expose the documents of a foreign affiliate to production in a US court

65 Thérèse P. Miller, Esq., CIPP
tpmiller@shb.com
Of Counsel, Shook, Hardy & Bacon LLP
One Montgomery Tower, Suite 2700, San Francisco, CA 94104
(415) 544-1900

