'Bring Your Own Device' Issues Require Clear Company Policies

We live — and work — in an age of mobile technology. Most of us do not think twice about taking our cell phone or tablet with us to the office, and some of us may use it to access documents on the server or other company information. Most employers still don’t think twice about those devices being on the premises, and being used by employees for both personal and business uses.

That may be changing, however, as high-profile data breaches and other scandals continue to take center stage – and courts work to sift through different issues surrounding them, including how devices play a role in compromising security.

Dustin Sachs, CFE, CCE, ENCE, provided plenty of food for thought on the subject in his Monday afternoon session, “Bring Your Own Device: Keeping Your Investigation From Becoming DOA” (4G). Sachs described how the landscape has changed and continues to change in regards to mobile devices that have increasingly advanced memory, storage and transfer capabilities.

The reality is stark: personal devices can cause harm in a myriad of different ways. They can (accidentally or deliberately) introduce a virus into a business network. They can be used to copy or alter electronic documents and other files, which can then be shared outside of the network to parties unknown. When used in a social media capacity, they can become the medium through which proprietary or confidential information is shared with the masses, sometimes at just the click of a button.

According to Sachs, the issue becomes thorniest when such devices are knowingly used for business as well as personal use. When a company does not have a clear “bring your own device” (BYOD) policy, companies face opening a “pandora’s box” in addressing e-discovery for those devices. Courts have often ruled in favor of privacy in cases where employees have not been made aware that their personal devices are subject to discovery, even in situations where the devices clearly had been used for business purposes.

Right now, many companies don’t even know where the risks are.

“You have to know the entry points… the company has to know these devices exist (at their workplace),” Sachs said. Right now, business leaders are still asking themselves, “should I even care about the device?” Not only should they care, Sachs said, but they should have a clear policy outlining the company’s right to examine any devices that do connect to the network, as well as a framework for conducting such examination in the case of discovery for investigation or litigation purposes.

Sachs discussed Target and other breaches as examples, and he also provided a look at case law that is, in many instances, still very fresh – including a judgment from just a few months ago. It is clear that staying abreast of the latest developments in the courtroom will be key in trying to stay out of legal trouble when it comes to discovery in the BYOD realm.

Sachs provided standards to follow and stressed that, while the emerging landscape poses challenges, those companies that institute well-documented BYOD policies, and clearly communicate them to all employees on a frequent basis, need not fear the technological trend… and, rather, can embrace it.

For even more conference coverage, visit FraudConference.com.