Bring Your Own Device BYOD

Transcription

1 Bring Your Own Device BYOD Elizabeth L. Lewis Randy V. Sabett Shane McGee October 25, :30 2:00 p.m attorney advertisement Copyright Cooley LLP, 3175 Hanover Street, Palo Alto, CA The content of this packet is an introduction to Cooley LLP s capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.

2 Presenters Elizabeth Lewis Partner Cooley LLP Randy Sabett Special Counsel Cooley LLP Shane McGee Former Chief Privacy Officer FireEye

3 Overview

4 BYOD Why Are We Here? BYOD is increasingly common at work It is popular with employees and reduces employer expense But it raises security, loss or spoliation of data, compliance and intellectual property concerns

5 BYOD Today s Agenda This program concerns BYOD and the proactive strategies you can implement to address them including: policy development firewalls and security software monitoring employees documentation of work e-discovery and litigation holds

6 BYOD Why Allow It? Very popular with employees, particularly younger workers May improve efficiency and productivity Employee is carrying and checking one device, not two Employee more likely to review and respond

7 BYOD What Are the Risks? Loss or misuse of company data, confidential information and trade secrets Potential use and integration of intellectual property of a former employer Data breach Exposure to viruses and malware Failure to maintain information subject to a litigation hold or a discovery request Limited ability to monitor employee activity

8 BYOD Policy and Management

9 BYOD How to Manage? Policy Development Begin by understanding that employers do not have unfettered freedom to monitor employees in their at-home work environment Particularly when the employees are using their own personal computer and telephone equipment These devices may also contain personal information and be used for personal business

10 BYOD How to Manage? Policy Development Be sure employees have reasonable methods of getting work done without the use of personal devices Develop and distribute a written monitoring policy to both office-based employees and telecommuters that clearly establishes the right to monitor without notice and under what conditions Limit monitoring to business-related materials and phone calls Obtain employee s written acknowledgement of the employer s monitoring practice

11 BYOD How to Manage? Employee Access to and Other Databases From Their Own Personal Device Begin with understanding that privacy concerns are heightened with personally owned devices Have appropriate security precautions been put into place? Can the device be monitored? Wiped? If wiped, total device or sandboxed portion? Do you have a policy that addresses this issue?

12 BYOD How to Manage? Employee Access to and Other Databases From Their Own Personal Device Do you need to consider industry-specific issues? (e.g., health, financial, government contractor) Address concerns by type of information (e.g., personnel file information, customer bank account information) How do you deal with these devices if a legal hold is put in place? Explain what to do if device is lost or stolen (who gets notified and how) Address downloading of company documents

13 BYOD How to Manage? External (USB) Devices Problem: external data, viruses and malware imported into the company s systems by use of a device that has been used before Possible solutions: Best practice is to issue and require use of a new, clean company device each time Record each company device by serial number and scrub after each use If the employee brings a non-company device require that it be produced and scanned before connected to your system Inform employees that the company monitors USB device usage

14 BYOD How to Manage? Cloud and Web Storage Require employees to identify any webmail or cloud storage accounts (e.g., Dropbox, icloud) that might contain either company information or former employer information Prohibit further use if necessary If you allow, understand the ownership agreement and date limitations on storage that are associated with these storage solutions Remove or copy company data to a secure location as soon as possible; frequently if you allow ongoing use

15 BYOD How to Manage? Documenting Development Status Regularly document current state of technology to establish a baseline for comparison Regularly document current customer/potential customer information Require employees to regularly document their development efforts

16 BYOD case study: at the border

17 Border Cases As far as searches of computers are concerned, borders are different than interstate travel Why do you think this is?

18 Border Cases (cont d) Border searches, from before the Fourth Amendment, have been considered to be 'reasonable' by the single fact that the person or item in question had entered into our country from outside. U.S. v. Ramsay, 431 U.S. 606 (1977). According to the Supreme Court: routine border searches are unlike most other searches of homes, persons, things or vehicles (regardless of whether of persons or property) routine border searches require no probable cause, reasonable suspicion, or warrant reasonable expectation of privacy is diminished at the border U.S. v. Montoya de Hernandez, 478 U.S. 531 (1985) Authority derives from the nation's sovereign and inherent authority to protect, and [its] paramount interest in protecting, its territorial authority. U.S. v. Flores-Montano, 541 U.S. 149 (2004).

19 Customs Actual Authority Defined by CBP Directive No (8/20/09) and ICE Directive No (8/18/09)

20 4 th Amendment Law The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. Case law has developed around whether various searches were constitutional or not Early cases involved things like autos, phone booths, hotel rooms, pen registers, etc.

21 Cases involving laptops U.S. circuit courts U.S. v. Arnold and U.S. v. Ickes have held that searches involving laptops: do not require reasonable suspicion or probable cause are similar to warrantless, suspicionless searches of property allowed by the Supreme Court (e.g., searches of travelers suitcases, briefcases, pockets, papers and films)

22 Cases involving laptops (cont d) Arguments rejected that laptop searches are different, whether because of the massive amount of data they hold, the First Amendment implications of searching expressive material or the purported invasiveness of the searches In Arnold: amount of storage capacity would not make an otherwise routine search particularly offensive rejected analogy between a laptop and a home, humorously(?) commenting that one cannot live in a laptop.

23 Current procedures Definition of electronic media : Policy:

24 Current procedures (cont d) Detention for further review:

25 Current procedures (cont d) and almost an entire page on what constitutes reasonable time for review:

26 Current procedures (cont d) Oh, by the way, here s the rest

27 Wrap up

28 BYOD Takeaways Firm-Provided Devices & Plans Can reduce risk of monitoring issues via a comprehensive firm-owned mobile device program Can reduce but does not eliminate BYOD may not reduce costs when carrier contracts are properly negotiated Device availability and lag can cause employee satisfaction issues May increase accounting burden

29 BYOD Takeaways (cont d) If BYOD not yet implemented, consider sticking to a firm-provided plan When not possible and BYOD is a reality, then ensure that technology controls are in-line with legal restrictions Increase frequency of AUP awareness/sign-off

30 BYOD QUESTIONS?

31 Bios Elizabeth Lewis Elizabeth "Betsy" Lewis' practice focuses on labor and employment law, civil rights law and litigation. In her employment practice, she works with clients to find cost-effective business solutions to employment problems. She works on a broad spectrum of employment issues, including advising clients on compliance with employment laws (including FLSA, Title VII, ADEA, ADA, FMLA, WARN, OSHA, NLRA, FCRA), managing difficult employees, developing and implementing personnel practices and procedures, due diligence for IPOs, mergers and acquisitions, structuring executive and incentive compensation, drafting employment and noncompete agreements, handling discrimination complaints before administrative agencies, preparing affirmative action plans and handling OFCCP and other DOL audits, including glass ceiling audits. Randy Sabett, JD, CISSP Randy V. Sabett, JD, CISSP, is vice chair of Cooley s privacy & data protection (PDP) practice group. He counsels clients on a wide range of cutting-edge cybersecurity, privacy, IT licensing and intellectual property issues. Randy helps clients develop strategies to protect their information, including advising companies on developing and maintaining appropriate internal controls to meet privacy and cybersecurity requirements. He also drafts and negotiates a wide variety of technology transaction agreements. Having previously served as an in-house counsel to a Silicon Valley startup, Randy employs a pragmatic approach when structuring and negotiating such agreements. He has also counseled numerous clients on a variety of data breach scenarios, including running incident response for major commercial retailers, large financial institutions, on-line service providers, and health care organizations. Shane McGee, JD, CISSP Until recently, Shane was Chief Privacy Officer and VP of Policy at FireEye where he built a worldwide privacy program to ensure appropriate use of customer data and engaged with policymakers around the world to promote policy change in an effort to protect against cyber-criminals and state-sponsored attackers. Shane was Mandiant s General Counsel prior to FireEye s acquisition of Mandiant in late 2013, and before that co-chaired the Privacy and Security group at SNR Denton with Randy Sabett. Shane will be starting at PhishMe late this month as their new General Counsel.