You are here


In-house Counsel Should Take BYOD Risks Seriously

Posted by Accellion Team
Lawyer reading a book

In many organizations, decisions about mobile technology are made primarily or exclusively by the IT and IT security departments working together.

All too often, there’s one department that’s left out of these discussions:  the organization’s own legal team, and In-house Counsel. This omission is unfortunate. Legal counsel is familiar with laws, including the latest rulings about electronic discovery and data privacy, and others issues pertaining to liability and risks. Enterprises would be wise to consult in-house counsel when establishing employee policies about data confidentiality, BYOD, and use of mobile devices. There’s another reason, too, for consulting in-house counsel when mobile security policies are being formulated. In the unfortunate case that mobile technology leads to a data breach or regulatory violation, in-house counsel will likely end up spearheading the response. If the company’s legal team has the opportunity to offer guidance before a possible breach or violation occurs, then the opportunity for legal surprises is minimized.

In a series of articles for InsideCounsel Magazine (here and here), attorney and legal security expert Matt Nelson explains why inside counsel should be involved in mobile security decisions from the start. He makes the following points about legal issues and a mobile workforce:

  • Whether a company adopts a BYOD policy and allows employees to use personal devices for work or rejects BYOD requests and issues all employees company-sanctioned mobile devices, the legal liability is roughly the same. Employees are going to mix personal data and business data on their mobile devices regardless. Enterprise IT organizations should plan accordingly and deploy security solutions that protect business data, regardless of who owns the device.
  • Data stored on mobile devices may be discoverable (that is, required by a court to be presented as evidence by a specific deadline). The IT organization may need to have technology for tracking and retrieving material information stored on mobile devices, including devices owned by employees. Nelson cites a recent case from Illinois: For example, in In re Pradaxa Product Liability Litigation, the Southern District of Illinois recently fined defendants $931,000 to encourage them “to respect this court and comply with its orders.” Central to the order was defendants’ failure to preserve text messages on employees’ mobile phones.
  • Data on mobile devices is at risk. Mobile malware is proliferating, and lost devices usually compromised. Nelson describes an experiment in which Symantec left 50 mobile phones in public locations in 5 different cities to see how the phones would fare when discovered by strangers. In 96% of the cases, people who found phones tried to access their data. Only half of the people who found the phones attempted to return them. The experiment demonstrated that enterprises cannot assume that lost devices will be returned or left untampered with. On the contrary, a lost device is likely going to result in a data breach, even if it’s only a minor one.

Nelson’s advice for enterprises? IT teams should bring their In-house Counsel and legal teams to the table when defining security policies. Also any mobile security solutions should provide IT administrators and legal counsel with the ability to monitor, track, and retrieve data on mobile devices. In addition, mobile security solutions should guard against mobile malware and protect data on devices that are lost or stolen.

In my judgment, Nelson makes a solid case.