Part 1 of this series discussed how the proliferation of mobile devices at home and in the workplace creates new risks that today’s in-house counsel must understand and address. The following explains those legal and financial risks in more detail, along with some of the consequences of not proactively guarding against them.
It is no secret that mobile devices are easily lost or stolen. The risk to an organization is severe considering the potential for identity theft, loss of intellectual property or even valuable customer or financial information. In March 2012, Symantec revealed the results of its Smartphone Honey Stick Project in North America, where 50 mobile phones were left in five different cities to examine the behavior of the individuals who found the devices. Would they make an attempt to return them to their owners… or even worse, would they try to access the information?
The results are telling. Only half of the people who found one of the phones made an attempt to return it, and 96 percent of the lost smartphones were accessed by their finders in an attempt to view the data on them.
Lost and stolen mobile devices present obvious risks in today’s mobile world, but the day-to-day risks lurking in cyberspace are less obvious. Because mobile devices are used outside the corporate firewall, they are a prime target for remote data theft by cyber criminals. Attackers can plant malware and orchestrate other sophisticated attacks by exploiting unprotected or poorly protected web browsers, email systems and applications (apps) on mobile devices. In fact, in the recent Internet Security Threat Report: 2014, researchers found that each malware family had 57 variants in 2013, up from 38 in 2012. Not only can data residing on a mobile device be accessed, but communications between devices can also be intercepted while information is in transit. This means devices can serve as a gateway into the corporate network, where would-be thieves can find a treasure trove of confidential company and consumer information that could be stolen and exploited for years.
The fact that nearly a million different apps have been developed in recent years only exacerbates the risk of data loss. With the app explosion comes a proliferation of greyware; even legitimate apps that consumers frequently use can overstep their bounds, collecting device data — some of it sensitive — without enterprise permission or user awareness. That means any unscreened or unprotected app downloaded to a mobile device could become a vehicle for criminals to steal sensitive information from both employees and employers.
E-discovery & investigations
Another challenge for in-house counsel is the fact that data stored on mobile devices may be discoverable. For example, in In re Pradaxa Product Liability Litigation, the Southern District of Illinois recently fined defendants $931,000 to encourage them “to respect this court and comply with its orders.” Central to the order was defendants’ failure to preserve text messages on employees’ mobile phones.
In re Pradaxa illustrates that mobile devices are becoming a high-priority target during discovery because employees rely on them more and more to conduct business. If electronically stored information (ESI) such as emails, voicemails, photos and other information is not centrally available on company servers, then judges may require the preservation and discovery of that information directly from the devices. The challenge is that collecting data from mobile devices is difficult, time consuming and expensive. Many organizations already feel forced to settle cases due to the high costs of e-discovery rather than trying cases on the merits. Adding mobile discovery to the mix only compounds the problem.
General privacy concerns
Further complicating matters are the potential privacy implications of collecting or deleting data from mobile devices that employees use for both business and personal purposes. For example, collecting data from an employee’s smartphone for e-discovery purposes could conflict with the employee’s privacy rights. So too could wiping (deleting) data from a departing employee’s device, or from an employee’s lost or stolen device, without the employee’s consent. Whether or not the employee has a reasonable expectation of privacy with respect to the data on the device often turns on a number of factors including, but not limited to: who owns the device; the privacy laws of the controlling jurisdiction; employee/employer agreements; and whether or not the device is used for both personal and business purposes.
The consequences of data breaches resulting from lost, stolen or otherwise compromised mobile devices can cause big headaches for in-house counsel. For example, 47 states have enacted statutes requiring organizations to notify customers when data is lost or stolen, yet these statutes are not uniform. Additionally, reporting the loss or theft of data not only rattles consumer confidence and damages brands, it could also lead to downstream lawsuits by customers whose data was lost. These costs are in addition to the time and expense of working with internal and external stakeholders to investigate and remediate the loss. The expense is far from trivial: a recent study by the Ponemon Institute estimated that the average cost of a data breach in the United States is $5.4 million.
Making matters worse, federal agencies, and the Federal Trade Commission (FTC) in particular, have stepped up data enforcement actions significantly over the past few years on behalf of consumers (see the InsideCounsel webinar titled “The Federal Trade Commission on Fraud, Deception & Data Privacy Enforcement Actions”). In fact, the FTC has even relied on Section 5 of the Federal Trade Commission Act to bring enforcement actions against companies that did not actually lose consumer data, but that merely jeopardized it.
Combine increased federal scrutiny with a hodgepodge of international, federal and state data privacy legislation, and in-house counsel is often left feeling that data privacy compliance is a moving target. The good news is that proactive steps can be taken to minimize the risk of mobile device deployment despite this climate of uncertainty within the legal community. In Part 3 of this series, I will discuss the policies and technologies in-house counsel should consider as part of their organization’s mobile policy.