A minefield of legal risks come with “bring your own device” policies
From: The Washington Post
By Catherine Ho
If there’s one buzzword Reed Smith attorney Tim Nagle hears a lot, it’s “BYOD.”
The acronym stands for “bring your own device,” the term businesses use when they have their employees use personal cellphones and tablets to access work-related e-mails, servers and data rather than using company-issued mobile devices.
It sounds simple, but BYOD comes with a minefield of legal questions and risks: How do we prevent trade secrets and client lists from getting leaked if an employee loses his or her phone? How do we keep personal information about workers — bank accounts, Social Security numbers, spending habits — secure? What happens if a personal cellphone infected with a virus gets integrated into the company network? To what degree can a company monitor the searches and personal contacts of its employees?
It is that maze of legal do’s and don’ts that Nagle helps companies navigate. Nagle joined the Washington office of Reed Smith two months ago from Bank of America, where he was the first lawyer hired by the bank to focus specifically on data security. That was in 2006. Since then, the demand for legal services for data privacy and security issues has skyrocketed, as the workforce increasingly moves toward a more mobile, “anytime, anywhere” work ethic.
“BYOD is a reflection of a larger movement … of the ubiquity of the devices and the ubiquity of data,” said Nagle, who at the time he left Bank of America was the institution’s assistant general counsel. “If you lose your wallet, you call the credit card company and they hold the account. Your cellphone may just become a fatter wallet with more information on it.”
Data privacy and security — once thought to be a concern primarily for health care and financial services providers that collect sensitive data — has become an issue that companies across all industries are grappling with, in part because of the rise in personal smartphone use on the job.
“A decade ago, people had BlackBerrys and were accessing e-mail, but not accessing files or doing a lot of work [on their phones],” said Mary Ellen Callahan, who chairs the newly formed privacy and data protection group at Jenner & Block. “Now with the bandwidth and the ability of PDAs, people are able to work remotely and they’ve become so comfortable with their own smartphone, they’d rather work off of that than the company-provided PDA. It complicates the landscape.”
Law firms are responding to accommodate the demand. Firms such as Venable, Hogan Lovells and Covington & Burling, which have long had data privacy and security practices, are growing. Callahan said she’ll be adding attorneys to Jenner & Block’s privacy group over the next two to five years.
Eric Bosset, a privacy lawyer and co-chairman of Covington’s employment practice, said businesses are increasingly turning to lawyers to help create policies for what exactly employers and employees must do if they use their own smartphone for work. Bosset, who represents large and mid-size financial institutions and software companies, said he gets calls from clients asking whether they should require employees to install software that would allow the company to wipe out data remotely if they lose their phone.
“BYOD seems to be the trend in the sense that employees like the convenience and employers think it’ll save them money, but there are real legal risks and privacy concerns on both sides,” Bosset said. “It falls on the employer to come up with ways to have policies to address them proactively.”
New regulations and legislation
Privacy attorneys will likely be tapped to advise companies on how to comply with new security standards and regulations. In July, the National Institute of Standards and Technology, a unit of the Commerce Department, issued draft guidelines for how federal agencies should secure smartphones and tablets used by government employees. Although those standards apply to government workers, the private sector will look to them for guidance, Nagle said.
And lawmakers led by Joseph I. Lieberman (I-Conn.), chairman of the Senate Homeland Security and Governmental Affairs Committee, are pressing the White House to issue an executive order on cybersecurity to establish standards for information-sharing between companies, and between companies and the government. Cybersecurity legislation co-sponsored by Lieberman was blocked by Senate Republicans in August.
“If that comes about, there will be a lot of questions from a legal perspective,” said Callahan, who joined Jenner & Block from the Department of Homeland Security, where she was the agency’s chief privacy officer. “Can I share this, should I share it? The idea is to jump-start information-sharing so the federal government gets a sense of what the vulnerabilities are on critical infrastructure [systems]. That is something that could affect how [companies] deal with their own cybersecurity.”
Nagle predicts privacy issues in the energy sector will be the next growth area for law firms. Energy utility companies store consumers’ payment information, and Smart Grid tracks patterns of energy usage that could reveal information about customers’ daily schedules; privacy matters are starting to pick up in that area, he said.
The Federal Energy Regulatory Commission last month created a new office to identify and protect against cybersecurity risks to energy facilities.
“It used to be telecom, financial services and health care where there was the most focus [on privacy],” Nagle said. “Energy is the logical next step.”