Bring It On

Legal Management
The magazine of the Association of Legal Administrators
Volume 32, Number 4, June 2013
www.alanet.org
BYOD Security and Support: training, policy and tools for law firms
navigating new tech management models
BRING IT ON: EIGHT TIPS FOR TACKLING BYOD SECURITY AND SUPPORT
BY MARY KATE SHERIDAN
When it comes to modern technology, employees may no
longer be asking what your firm can give them but rather
what they can contribute. Welcome to consumerization
and the Bring Your Own Device (BYOD) movement.
With newer, faster, more innovative gadgets constantly
emerging – and no doubt luring your attorneys and staff
with their bells and whistles – your firm is hardly immune
from this phenomenon.
In fact, according to the International Legal Technology
Association’s 2012 Technology Survey – which polled 487
small, mid-sized and large law firms – attorneys at more
than 40 percent of the responding firms are buying their
own devices.
BYOD is more than a passing fad within the legal industry,
with law firms themselves anticipating its significant
future impact. More than a quarter of respondents in
ILTA’s 2012 Legal Technology Survey believe that BYOD/
Consumerization/Mobile Devices “will create significant
change or be a major factor in the legal technology
profession” during the next three to five years.
Adopting BYOD isn’t as simple as turning over the
mobile-technology reins to employees, though. Firms
must consider how BYOD affects critical issues like client
confidentiality, privilege, records management and general
security – a challenging task given that the practice is
still evolving. As your firm ventures into the BYOD world,
consider the following tips for developing your security and
support strategies.
1. ESTABLISH A POLICY.
Allowing attorneys and staff to use their own smart
phones, tablets, laptops and other devices may seem
like a technology “Wild West.” That’s precisely why
firms offering BYOD should create a formal policy.
“It’s very important to have a BYOD policy,” said Silas
McCullough, mindSHIFT Technologies General Manager,
Legal Professional Services. McCullough suggests
that firms include five key points in a BYOD policy:
1. device security; 2. device support; 3. who controls
the device; 4. which applications are permissible; and
5. data backup.
A clear policy will give users an understanding of their
responsibilities and potential consequences if things
go awry with the device, as well as delineate the firm’s
expectations and the level of support it will offer. Even
if your firm eschews BYOD as a formal program, you
should still address use of personal devices in the firm
policies, said Kathryn Ossian, Principal at Miller Canfield.
The firm doesn’t want to be unprepared if a defiant
employee uses a personal device for firm matters.
When creating its BYOD policy, a firm should consult
with legal counsel to ensure that its BYOD standards
and procedures (including all of the areas discussed
below) comply with the law and properly protect
employee privacy.
2. PROVIDE BYOD TRAINING.
Thorough training is essential for ensuring that attorneys
and staff understand the firm’s policy and why
responsible use of the devices is critical. Firms should
offer in-person training or some type of virtual session
and provide users with an agreement, “so that everyone
understands what the rules are and what the policy
requires and they’re not going to be surprised then
when something happens,” said Ossian.
Central to any training or intranet materials should
be proper security habits and safe computing, said
Shane Swacus, Manager at HBR Consulting. Swacus
recommends that firms train users on the importance of
applying password protection, securing devices correctly
and not using software that isn’t firm approved.
Explaining the significance of such measures and how
missteps may compromise security can encourage users
to think more deeply about their technological actions.
3. EMBRACE ENTERPRISE MOBILITY MANAGEMENT.
Securing and supporting various types, brands and
styles of devices is a daunting task, especially when such
devices are controlled by the users, not the firm. One set
of tools that allows firms to balance firm security and
support with users’ personal experience is enterprise
mobility management (EMM).
EMM encompasses mobile device management (MDM),
mobile application management (MAM), and enterprise
file synchronization and sharing (EFSS). “Enterprise
mobility management is all about being able to secure
and manage the mobile device, the mobile applications
and the mobile data and [being] able to do this in a
way in which you can ensure ... the flexibility of users to
access all of this content,” said Natalie Lambert, Director
of Product Marketing, Citrix Systems.
• Mobile Device Management
MDM provides firms with the capability to secure the
device itself. “At the end of the day, MDM is there to
provide a security line to any device,” said Lambert.
“It gives the administrators the ability to manage and
control all of the different devices and how they act
when they connect to corporate resources.” Among
the security measures possible through MDM are:
• Remotely wiping the device
• Detecting jailbroken devices and restricting
their access
• Restricting access to devices that lack the required
antivirus protection
• Enabling data encryption
• Gaining visibility of the devices connecting.
“A good BYOD policy and, in my opinion, a strong
MDM platform go hand-in-hand,” said Swacus. “It’s a
lot of work up front [and] a lot of money up front, but
the benefits far outweigh that.”
• Mobile Application Management
Firms shouldn’t focus solely on protecting the
physical device, however; they should also strive
to safeguard firm content by managing the
applications on the device. Lambert advises against
blanket prohibitions on applications. Instead, firms
can use MAM to concentrate on the applications
used for firm data, while users maintain control
over their personal applications.
One MAM tool, known as “wrapping,” allows
firms to put an application in a container and
assign rules to it, said Lambert. For example,
firms can designate how applications interact
or can require data encryption within a specific
application. Users will complete work-related
tasks through these firm-controlled applications
but will also have personal-use applications
without such controls.
• Enterprise File Synchronization and Sharing
The final piece of an EMM strategy is to manage firm
data on a device through EFSS. With an EFSS tool, firms
can control how users access and share firm-related
data and also can manage storage of such data.
WHEN BYOD IS TOO PERSONAL
While some of your attorneys and
staff may be clamoring for the latest
technology and pushing to use their own
high-tech devices, others may be satisfied
with any functional device. In fact, some
may prefer to segregate their work and
personal technology. Or some employees
may not be comfortable exposing their
personal devices to the firm’s security and
support measures, even if those measures
are executed through EMM.
Firms that adopt a BYOD practice may still want to
offer firm-owned devices to those employees who
prefer not to use personal devices for firm matters.
• Beware of Sidesteppers
While firms can limit how firm content is sent,
used and stored on the device through EMM, firms
must also prepare for employees who circumvent
the system (e.g. an employee who sends a firm
document to his or her personal email and then
uses personal applications to complete work).
Even with a well-developed EMM strategy, the
firm’s BYOD policy and training remain critical in
educating users on the importance of security and
their actions.
4. SET SECURITY STANDARDS.
Whatever services and methods the firm employs to
secure and support personal devices, it should establish
basic security standards to protect confidential firm data
and the firm’s network. Some of the security measures
that McCullough and Swacus suggest include:
• Requiring passwords on all devices
• Implementing two-factor verification on the devices,
with a pin and a rotating token
• Encryption
• Ensuring the device can be remotely locked and wiped
• Identifying which applications are permitted for
work-related tasks.
5. PREPARE FOR MISSING DEVICES.
One downside of portability is that devices may be easily
lost or stolen. Firms should outline the procedure for
missing devices in the BYOD policy and training. “You
have to think about this as a close partnership between
the person using the device and the firm itself,” said
McCullough. “Be clear and say, ‘If you lose the device,
these are the steps you should take.’”
And when it comes to lost or stolen devices, the first
step that firms should require is notification, said Ossian.
Once notified, firms may decide to wipe or lock the
device. Firms using EMM may have the ability to wipe
only the firm-specific data. But wiping the device can be
a delicate matter if the firm decides to wipe everything,
including the user’s personal data.
“This is definitely one of those grey areas that firms struggle
with: to what degree do you force on them wiping or
getting that material off the machine?” said McCullough.
6. DON’T FORGET: THIS IS PERSONAL.
Typically, with firm-owned devices, departing employees
turn in the technology on their way out the door. But
with BYOD, those devices will be hitting the exits with
the employees, and firms must determine how to clear
them of all firm-related data: wiping firm-related data,
wiping the entire device, asking the user to clear firm
data, or some other method.
In the end, it all goes back to the firm’s policy: “It’s got
to be addressed in the policy itself and that way there’s
no doubt or question about what’s going to happen,”
said Ossian.
7. MANAGE THE DATA.
One area that is likely at the top of every firm’s
BYOD agenda is records management. McCullough
recommends that firms leverage the records
management tools they already have. As with all aspects
of BYOD, firms should outline how records management
will work in the policy so users understand their
obligations and the extent of the firm’s support.
Intersecting with records management is the issue of
litigation holds. If the firm already controls all firm-related
data through EMM or has an organized records
management system in place, preservation may be
straightforward. But if users control some or all of the
data or if a firm is concerned that data has somehow
been saved outside of its EMM controls, preserving data
may become more cumbersome.
“There has to be an agreement by the employee and
as part of the policy ... that any content that’s on the
phone that relates to firm business is owned by the firm
and that the employee is certainly obligated to take any
direction that the firm imposes ...” said Ossian. “In the
event of a litigation hold, it may mean that they turn
their phone in.”
Of course, firms must be wary of privacy concerns
and any other legal obligations when dealing with
employees’ personal information and should consult
counsel when developing their strategy.
8. UNDERSTAND YOUR CAPABILITIES.
When it comes to security, the last thing you want is
to have insufficient resources. Firms that embrace a
BYOD program should assess the security and support
needed not only to successfully manage BYOD but also
to tackle any issues or crises that materialize. Particularly
important is the understanding that issues can arise 24
hours a day, said McCullough.
Firms with fewer resources may seek outside help to
ensure appropriate security. “One thing that I think is
effective is that they outsource not only the MDM but
the management,” said McCullough, who urges firms to
“set the right expectations.”
About the author
Mary Kate Sheridan is a writer, editor,
blogger and attorney. She received her
JD from Columbia Law School and her
bachelor’s degree in English from Mary
Washington College. Contact her at
[email protected].
BREAKING THE GOLDEN RULE OF SHARING
With all of the interactive offerings that modern devices provide, it’s easy to see why users may
frequently share their devices with others, whether they’re letting their kids play games, asking
someone to take photos, paying for their lattes, scanning their airline boarding passes or showing
a friend the latest headline.
From the firm’s perspective, however, these devices aren’t merely personal toys; they contain
confidential firm data for the user’s eyes only. Firms must consider what guidelines are appropriate
in these circumstances and include such standards in their policy.
Silas McCullough, mindSHIFT Technologies General Manager, Legal Professional Services, has
seen two approaches: one in which firms place the responsibility on the attorney to preserve
confidentiality and another in which the firm specifically restricts device users
to the attorney only.
When placing any restrictions on personal use, however, the firm should consult counsel
to ensure it is in compliance with the law.