
Mobile Devices: A Singular Threat to Corporate Compliance and E-Discovery

The proliferation of an ever-expanding array of mobile devices promises greater employee productivity while introducing greater risk for corporate compliance and e-discovery efforts. Is your enterprise up to the task?

It’s no secret that corporate compliance programs continue to evolve as the corporate infrastructure, once tethered and isolated by wire, continues to change. The IT framework of yesterday’s enterprise bears little resemblance to the typical modern corporation – one which increasingly reflects our insatiable desire to stay connected.

Mobile device use continues to grow exponentially, accelerated by the corresponding explosion in social media, the nearly instantaneous news cycle made possible by the Internet, and mobile entertainment. Many experts predict that smartphone use alone will double in the next few years and that data sharing will increase at a comparable rate. Cisco predicts that mobile data traffic will roughly double each year through 2014 – a reflection not only of increased consumer use of mobile devices, but also of the significant growth in mobile enterprise applications.

With so much information being accessed and shared via smartphones, iPads, PDAs, notebooks, laptops and other devices, the potential impact on enterprises and compliance initiatives is great. A recent survey by Ovum, titled, “Corporate mobile device use and security,” found that seventy percent of respondents reported using corporate devices for personal activities and nearly 50 percent said they use personal mobile devices to access company networks and business applications.

Further evidence of the blurring of the line that once shielded corporate networks from employees’ personal devices and activities can be seen in research from Forrester – a synopsis of which can be read at SearchMobileComputing.com. Forrester’s recent survey of 432 workers found that 42 percent use their personal smartphones to search the Internet or corporate intranet for work-related information, and 48 percent check corporate e-mail.

Clearly, this matters to compliance professionals, who must now contend with employees’ changing behaviors. The potential impact on the enterprise, corporate compliance and risk management efforts cannot be overstated, nor can it be ignored.

Mobile Devices Today – A Widening Field of Threats

IT departments remain cautious about the impact of mobile devices. Most rightfully will not open up their networks and allow full access, because unmanaged devices pose a continual and growing threat to enterprise security, intellectual property and safety.

Maintaining access control and determining which devices are in use, of course, is one way to limit risk. Not surprisingly, the Ovum report found that 90 percent of companies already do or will provide employees with approved mobile devices. Research in Motion’s BlackBerry still outnumbers all other types of smartphones in this regard, but the variety of devices and disparate operating systems that IT departments must contend with continues to grow. This challenge will only increase as more enterprise users expect IT support for their personal mobile devices.

Mobile malware is also a real concern, as is Wi-Fi connectivity: a device that joins the corporate network over wireless without proper authentication and segmentation can give an attacker a path to enterprise servers. Even the mere presence of mobile devices within the enterprise poses real risks – risks that increase with new functionality that makes video, audio and photographic duplication easier than ever before.

The risks associated with theft also cannot be dismissed. A stolen device puts business data in jeopardy. No one is immune, a point made painfully clear in 2008 when a member of Mexico’s Presidential Press Office reportedly was apprehended shortly after stealing U.S. government officials’ smartphones during a meeting with President Bush.

These risks grow with the proliferation of mobile devices, and so does their impact on a cornerstone of compliance efforts: e-discovery.

Mobile Devices and E-discovery – The Greatest Risk?

E-discovery needs no introduction for those charged with ensuring corporate compliance and mitigating risk. The collection of information for regulatory response and litigation is a common occurrence at most corporations and it’s well known that failing to respond correctly, on time and comprehensively, can result in fines, negative headlines, contempt of court and even criminal charges.

The introduction of mobile devices has made many companies’ e-discovery strategies obsolete; corporations are unable to keep pace with the increasingly common view of the courts that new technology innovations are fair game in the eyes of the law and subject to the rules of discovery. In light of these developments, e-discovery is no longer an issue that can be deemed “legal’s problem.” It is, and should be, an issue that corporate compliance experts discuss regularly with CEOs, CFOs, CIOs, CISOs and other key stakeholders in the enterprise.

Notably, it is also imperative to realize that mobile devices can’t be viewed solely as an e-discovery challenge that can be effectively addressed with an IT solution. Despite the availability of advanced e-discovery solutions that streamline the collection of electronically stored information (ESI), this technology must be used by knowledgeable experts with a keen understanding of relevant compliance issues.

It is therefore of crucial importance that corporate compliance professionals review their approach to e-discovery and address the presence of mobile devices in the enterprise. Failing to do so can be disastrous – resulting in inadmissible evidence, court sanctions and even courtroom losses. This is particularly true as the courts show that, while they understand the challenges associated with e-discovery, they are increasingly reluctant to overlook errors and accept an “honest mistake” defense.

Among many examples is the case of R & R Sails, Inc. v. Insurance Company of the State of Pennsylvania, Case No. 07-cv-0998-H (POR) (S.D. Cal., Apr. 18, 2008). The court imposed sanctions for the late production of electronically stored information even though it acknowledged that the defendant’s error was an honest one. The takeaway is clear: companies will increasingly be held accountable for responsible e-discovery practices, and many legal experts expect the same standard to be applied to data held on mobile devices.

The Solution – How do You Minimize the Risks?

Fortunately, there are many steps corporate compliance professionals can take to safeguard their enterprises, both from the threats mobile devices pose and the complexities they present in e-discovery efforts. The following steps, while merely an overview, provide a basic framework all enterprises should consider when determining how to structure a comprehensive strategy and approach to compliance.

Know the law and regulations. The explosion of electronic data is being met with an equally significant increase in statutes that address relevant issues, from data breaches to e-discovery and encryption. Notably, these laws do not make an exception for mobile devices or data shared through them. It’s therefore imperative that all corporate compliance professionals foster a regular and diligent dialogue among enterprise stakeholders on the constantly changing regulatory landscape and how the use of mobile devices affects the enterprise’s ability to comply. Some examples of relevant statutory requirements and regulatory guidance include:

  • Health Insurance Portability and Accountability Act (HIPAA): The HIPAA Security Rule’s technical safeguards require covered entities to implement security mechanisms that guard against unauthorized access to “protected health information,” including when it is transmitted over a communications network: access controls, audit controls, integrity controls, person or entity authentication and transmission security, backed by security incident procedures under the administrative safeguards. Failure to comply can result in civil penalties and, for knowing violations, criminal penalties starting at fines of up to $50,000.
  • Health Information Technology for Economic and Clinical Health Act (HITECH): Like HIPAA, HITECH includes provisions for protecting patients’ personal information; it also enables state Attorneys General to bring civil actions when violations occur and raises civil penalties to as much as $1.5 million per calendar year for violations of the same provision.
  • Financial Industry Regulatory Authority (FINRA): Created in 2007, FINRA is the self-regulatory organization for broker-dealers in the U.S. financial services industry. FINRA’s supervision rules require member firms to review their representatives’ electronic communications, document the reviews and note any actions that result.
  • Sarbanes-Oxley Act: Section 404 mandates internal controls over financial reporting so that transactions are properly authorized, recorded and reported. Section 409 requires rapid disclosure of material changes in a company’s financial condition or operations. Violators face market repercussions (such as skepticism among investors and increased scrutiny from regulatory bodies), and under Section 906 an officer who knowingly certifies a non-compliant financial report faces up to $1 million in fines and 10 years in prison, rising to $5 million and 20 years for willful violations.
  • California Senate Bill 1386: The bill requires enterprises to notify affected individuals when a security breach occurs and a state resident’s unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. Notably, at the time of writing there are similar laws in 35 other states.

Define which mobile devices are allowed and under what conditions. It is imperative to determine which devices will be allowed to access the network and what data employees will be allowed to view, store or transfer through a mobile connection. This process should be a collaborative effort that involves IT and corporate counsel. Enterprise variants of consumer devices, such as smartphones that lack cameras, should be considered where data capture is a concern.

Revise your corporate compliance plan to include protocol specific to mobile devices. The compliance plan’s guidance on mobile devices should begin first with those devices provided to employees, and dictate acceptable and unacceptable use – such as forbidding the use of social media with company-owned devices. The plan should also offer specific guidance for network access from employee’s own devices – or when warranted, forbid this access.

In addition, guidelines should be put in place that govern whether employees are allowed to possess mobile devices in certain areas, for example sensitive areas where the risk of capturing proprietary information on video is a legitimate threat. The National Institute of Standards and Technology’s Guidelines on Cell Phone and PDA Security (NIST Special Publication 800-124) is a helpful reference that should be consulted.

The compliance plan should also include specific rules for security, including an overview of data that under no circumstances should be stored on mobile devices and a password protocol for employees to follow. Of equal importance, the plan must include the steps the enterprise will take to audit employees’ adherence to the compliance plan, as well as a clear and definite roadmap of consequences for non-compliant behavior. In all cases it should be supported by executive leadership with the resolve to enforce it. Even the best plan is of little value if there are no ramifications for those who fail to adhere to the guidelines within it.

Perhaps most importantly, the compliance plan should include the steps the enterprise will take to access and preserve mobile data in e-discovery efforts. Under all circumstances, this should also include a process for collecting or wiping this information remotely, a step that can now be taken when litigation requires it or when a mobile device is lost or stolen – even without the employee’s knowledge. Employees should be told in advance, in the acceptable-use policy they sign, that the enterprise reserves this capability for any device that holds company data.

Invest in the right technology. Corporate compliance professionals should consider some of the many technology solutions that help manage mobile device compliance and manage risk. Some of these include:

  • Mobile Mandate: The first mobile electronic communication compliance solution to support export in the Electronic Discovery Reference Model (EDRM) XML format, Mobile Mandate delivers a standardized approach to mobile messaging compliance.
  • TextGuard: TextGuard provides a mobile communication monitoring and archiving solution designed to meet the retention and supervision rules of the relevant regulatory bodies.
  • Credant: Providing on-device policy enforcement and data access control, Credant also includes encryption capabilities.
  • Privacy screens: A privacy screen on a mobile device limits the viewing angle of the display, so that a neighbor in an adjacent airplane seat cannot read what is on it.

Together, these resources offer a primer on the actions enterprises should take to address the risk mobile devices introduce to the enterprise. All are of great importance, but one strategy rises above all others in importance: compliance begins and ends with people. No single technology or strategy offers a complete solution, nor does the best compliance plan guarantee success. The key is to ask for help from senior leadership, industry experts, consultants and even employees. Only then will you be able to answer “yes” to the question the increased use of mobile devices demands: Is your enterprise up to the task?

About the Author

Jeffery Fehrman is the VP of Forensics and Consulting for Integreon and is the co-founder of EDD blog online.
