Managing an Enterprise Mobile Device Program

By Stephen S. Wu
January 30, 2013

This morning, your general counsel walked into your office and announced that your company is considering implementing a “bring your own device” (BYOD) program. She tells you a BYOD program would allow employees to use personal mobile devices of their choice to perform business work. She says that you are in charge of the program's legal aspects and making sure everything is in place. What do you do now?

The popularity of BYOD is part of a mobile revolution otherwise known as the “consumerization of information technology.” Drivers for consumerization include employees' desire to use top-selling smart phones, tablets and other smart devices with the latest technology, including more capabilities, features and greater productivity. This allows workers to access all of their work information anytime, anywhere and with any device. Moreover, the mobile revolution is not simply a bottom-up demand for technology from front-line employees. Executives are now demanding mobile technology as well for the same reasons.

Once you have made the decision to roll out a BYOD policy, it is critical to begin drafting a plan for your company's BYOD program. Your plan is likely to have five key elements: 1) risk analysis and management; 2) confirming that BYOD is appropriate for your company; 3) setting policies and rolling out policy documents; 4) creating and maintaining supporting documentation, such as technical standards, guidelines, training materials and signed employee agreements; and 5) procuring technology and technical controls to support mobile devices.

Risk Analysis and Management

Risk analysis is the first key element of a mobile device program. No company can decide what safeguards to put into place for a mobile device program until it understands the risks it faces. Counsel plays a crucial role in analyzing the nature of legal risks; considering legal risks and issues arising from non-legal threats; making judgments concerning the priority of safeguards; identifying risk-mitigating steps; and providing advice on shifting risk through insurance and indemnities.

A company's risk analysis should comprise:

  • Analyzing the kinds of data and records held by the company, the equipment and cloud service accounts used to store and process data, and the sensitivity and valuable nature of the data and records. For example, your company may have trade secrets, sensitive customer information and material nonpublic information under securities laws.
  • Determining the universe of possible threats to the information technology assets of the company, such as loss of the device. Also, consider legal threats, such as compliance risk, liability and e-Discovery sanctions.
  • Determining the vulnerability of the company to the threats analyzed. How likely are the threats? If they occur, what kinds of damage or losses would they cause?

Once the company has analyzed its risk, it can decide whether to accept BYOD and what kinds of controls to put into place to manage the risks associated with the program. In developing priorities to handle risks, the company should begin by addressing high risks that could lead to significant damages at relatively modest cost and effort. The company can then prioritize lower risks and safeguards that would require more time and resources to implement. At some point on the priorities list, the company will determine that certain risks are low enough to accept and should also consider the possibility of network risk insurance coverage to shift risks to an insurer.

BYOD or Company-Issued Devices?

The most fundamental question is whether BYOD is appropriate for the company. Traditionally, companies issued their own devices and in many cases prohibited, by policy, the use of personal devices for company work and information. The traditional approach permitted the company to exercise greater control over mobile devices to protect and monitor information, such as by narrowing the range of devices it would need to support, providing greater ability to obtain the device in the event of a dispute with an employee, and facilitating evidence collection and preservation from an e-Discovery perspective. However, the traditional approach requires the employer to pay the entire cost of the devices. Moreover, as noted above, employees and executives are beginning to demand their own devices for reasons of productivity and the ability to use the latest technology on their favorite devices.

As noted above, the BYOD approach permits companies to accommodate workers' and executives' desire to use the latest technology. Furthermore, companies have the option of not paying 100% of the cost of the devices, but may pay all, some or none.

Nonetheless, a BYOD policy will create challenges for the company due to diminished control over the devices, including potential reduced security, more difficulty in retrieving a device after employee termination, and more difficulty in collecting and preserving data from an e-Discovery perspective.

BYOD is not for every organization. Some companies will decide that the risk is simply too great to permit BYOD. Or they may decide that some kinds of workers must use only company-issued devices. BYOD may be too risky for workers handling very sensitive information in highly regulated industries or government agencies.

However, companies insisting on issuing their own devices should be aware of the “shadow IT” phenomenon. Some workers are using their own devices, online accounts, and other information technology resources without their employers' knowledge, and outside the regular employer-established controls, resulting in the company having BYOD without even knowing it. Making a policy decision and establishing controls to either embrace and control BYOD or eliminate “shadow IT” can address this risk.

Counsel's role is to weigh the pros and cons, advise decision-makers on compliance, liability, e-Discovery, and other legal risks, and ultimately help judge whether BYOD is right for the company.

Policy Documentation Updates

Every company should have information governance policies that cover the areas of data security, privacy, document retention, the acceptable use of information technology resources, and employment practices. Your company may create a new policy or incorporate mobile considerations into existing policies. In any case, you should reexamine your policies in each of these areas to determine the impact of mobile devices.

Mobile-specific questions that you may want to answer in updating policy documents include:

  • Which employees or classes of employees should be allowed to participate in the mobile device program?
  • What devices or range of devices will the company issue or support?
  • What kinds of applications and data will the company permit or prohibit on the device?
  • Regarding the cost of mobile devices, will the company pay all of it, part of it, or none of it?
  • Should employees be permitted to use cameras, social media mobile apps, Bluetooth, and other mobile-specific device features?
  • Should employees be allowed to modify or “jailbreak” their devices to gain control of their devices and the kinds of applications they can install beyond the limits imposed by device manufacturers and phone carriers?
  • Should employees be allowed to lend their devices to others, such as family members?
  • What happens to the device when an employee is promoted or demoted, changes job assignments or leaves the company?
  • What technology should the company use to control and secure the device, such as mobile device management software and encryption?
  • How much accessibility should workers using mobile devices have regarding company networks, applications and data? Should company networks enforce policies to reduce such accessibility?
  • Should the company use technology to copy information from mobile devices so that the company is able to access information from the device in case the employee loses or refuses to return the device?
  • Regarding the company's ability to wipe information off the device remotely, under what circumstances will the company use the remote wiping feature, how will it use the feature, how much information will be wiped and who will do the wiping? Do employees have any expectation that the company will try to avoid wiping personal information when wiping is necessary?
  • Should IT support all applications on the device, or just business applications?
  • Will the company monitor use of the device, the communications made using it, and any geo-location information from the device? What happens when the company has access to personal information and data? Do employees have any expectation of privacy concerning the devices?

Counsel's role will be to help business team members understand the legal risks addressed by policies, help make the judgment calls needed to address specific issues, and draft and edit portions of the policy documents.

Standards, Procedures, Guidelines, Training Materials and Agreements

Companies should support their BYOD policy with documentation. First, they need technical standards that acceptable mobile devices must meet, covering both the devices themselves and the network software and hardware managing mobile devices. Second, companies should assemble documents to capture procedures and guidelines for implementing a mobile device program. For instance, a company should have procedures in place when hiring a new employee and providing a mobile device for that employee. Third, the company should develop training materials to support a mobile device program. Training and education address the human element, which is critical in minimizing risk.

Finally, the company will need to develop an agreement with employees communicating key policy elements and setting expectations. This agreement can be integrated with other agreements with employees, such as agreements covering confidentiality, acceptable use and the company's employment handbook. Alternatively, some companies may wish to use a standalone agreement for their mobile device program. In either case, agreements enable your company to obtain employees' consent to the key policy elements in your program.

Counsel will draft these agreements and oversee the process of obtaining signed copies from employees. At the same time, counsel can help draft and edit the other supporting documentation while providing advice on minimizing legal risk.

Procuring Technology to Support the Program

Let's say your company completed a risk analysis, determined whether to issue devices or allow employees to bring their own devices, updated policies and finalized supporting documentation. The next step is to procure the technology the company will need to implement the program. This step involves negotiating contracts with technology providers to obtain the technology needed to manage the risks identified in the company's risk analysis. Counsel can take the lead in negotiating the appropriate procurement agreements.

Implementing the Mobile Device Program

Having completed these key steps in the mobile device program, the company can now implement the program by purchasing, provisioning and registering the devices. It can roll out the policies and subordinate documentation, train employees on the policies and secure mobile device usage, and obtain signatures on their employee agreements.

Counsel can provide critical assistance to a company developing and implementing a mobile device program. Legal advice on risk analysis and management, determining whether BYOD is appropriate for the company, reviewing and commenting on policies and supporting documentation, drafting the employee agreement and negotiating agreements with technology vendors plays a key role in a successful mobile device program. With counsel's assistance, the company can gain the benefits of new mobile technology while effectively managing its risk.


Stephen S. Wu is a partner with the Silicon Valley-based law firm Cooke Kobrick & Wu LLP. Mr. Wu advises clients on information technology matters in areas including information security, data breach response, computer fraud, privacy, and secure e-commerce. He can be reached at [email protected] or 650-917-8045.

