ORLANDO -- Enterprises that issue, support or simply grant access to mobile devices without first putting a stringent mobile device security policy in place are setting themselves up for not only potential data loss, but also a myriad of nightmare legal entanglements.
That was the message from A. Spencer Wilcox, supervisor of compliance services for Constellation Energy, during a presentation Monday at the (ISC)2 Security Congress.
Before ever permitting an employee to access corporate networks and data with a mobile device, Wilcox said, enterprises should mandate that employees sign a written agreement to abide by the organization’s mobile device security policy and all other applicable policy statements. That document should state that the company retains the right to any corporate data on the device, including usage and location data, and that it may share that data with third parties if necessary.
Such a requirement may seem unusual or excessive, but Wilcox explained how a series of legal precedents has set the stage for companies to pay a heavy price when the wrong set of circumstances arises from employee use of mobile devices.
For instance, in the 2009 case of LVRC Holdings LLC v. Brekka, a rogue employee stole data from his company-issued device in order to advance his career. The company sued the employee, citing a violation of the Computer Fraud and Abuse Act, but the U.S. Ninth Circuit Court of Appeals ruled in favor of the employee, Wilcox said, largely because the organization hadn’t properly defined what actions constituted violation of its policy and, in turn, revocation of the employee’s access rights.
“The court said, ‘You gave the employee permission to act as he saw fit,’” Wilcox said. “Therefore he’s allowed to use the computer without restraint. He had a blanket authorization. He can do anything he wants with your data because you didn’t set limitations on it.”
Wilcox also encouraged companies to have a policy that forbids engaging in phone conversations with employees who are driving. An Indiana court last year ruled that a mother who knowingly spoke with her daughter while the daughter was driving was equally negligent for the accident her daughter caused while on the phone.
The implication for enterprises, Wilcox said, is companies that issue phones to employees and then expect them to be available anytime, anywhere for a phone conversation, including on the roadways, could be exposing themselves to legal liability should an accident occur.
Another potentially worrisome scenario, one without a specific legal precedent tied to it, involved pictures taken with corporate-owned or managed devices. Wilcox said many people don’t realize digital photos carry embedded metadata (Exif) describing the shot; if the device that took the picture has GPS capabilities, that metadata can include the latitude and longitude of where the device was when the photo was taken.
The takeaway, Wilcox indicated, is that attackers can easily harvest that data to reveal the location of something they want to get their hands on.
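The exposure Wilcox describes is easy to make concrete. The following is an added example, not code from the article or from Wilcox: a pure-Python reader that walks a JPEG's marker segments, follows the Exif GPS IFD pointer and converts the latitude/longitude rationals into signed decimal degrees, beside a stripper that removes the Exif segment before a photo leaves the organization. The sample image is constructed inline (a made-up fix, not a real photograph); the marker values and tag numbers are the standard JPEG/Exif ones, and only the four GPS coordinate tags are read.

```python
import struct

# JPEG markers and the Exif/TIFF tags this example handles (values from the Exif 2.x spec).
EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF field type


def split_segments(jpeg):
    """Split a JPEG into (marker, body) pairs; the tail from SOS/EOI onward is returned opaque."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):          # entropy-coded scan follows; never touch it
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # length includes its own 2 bytes
        segments.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]

def read_ifd(tiff, offset, endian):
    """Return {tag: (type, data)} for the IFD at `offset`; fields over 4 bytes are fetched by offset."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE[typ] * count
        if size <= 4:                     # short fields live inline in the 12-byte entry
            data = tiff[e + 8:e + 8 + size]
        else:                             # longer ones sit at an offset from the TIFF header
            (off,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
            data = tiff[off:off + size]
        entries[tag] = (typ, data)
    return entries

def dms_to_decimal(buf, ref, endian):
    """Three RATIONALs (deg, min, sec as num/den pairs) plus an N/S/E/W ref -> signed degrees."""
    v = struct.unpack(endian + "IIIIII", buf)
    deg, minutes, sec = (n / d if d else 0.0 for n, d in zip(v[0::2], v[1::2]))
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if there is none."""
    for marker, body in split_segments(jpeg)[0]:
        if marker != APP1 or not body.startswith(EXIF_HEADER):
            continue
        tiff = body[len(EXIF_HEADER):]
        endian = {b"II": "<", b"MM": ">"}[tiff[:2]]   # TIFF byte-order mark
        (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
        ifd0 = read_ifd(tiff, ifd0_off, endian)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][1])
        gps = read_ifd(tiff, gps_off, endian)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        ref = lambda tag: gps[tag][1].rstrip(b"\x00").decode("ascii")
        lat = dms_to_decimal(gps[GPS_LAT][1], ref(GPS_LAT_REF), endian)
        lon = dms_to_decimal(gps[GPS_LON][1], ref(GPS_LON_REF), endian)
        return lat, lon
    return None

def strip_exif(jpeg):
    """Return the JPEG with every APP1 Exif segment dropped; other segments and the scan are kept."""
    segments, tail = split_segments(jpeg)
    out = bytearray(b"\xff\xd8")
    for marker, body in segments:
        if marker == APP1 and body.startswith(EXIF_HEADER):
            continue
        out += bytes((0xFF, marker)) + struct.pack(">H", len(body) + 2) + body
    return bytes(out + tail)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: a minimal JPEG whose big-endian Exif block holds only a GPS IFD.
    Offsets from the TIFF header: header 0-8, IFD0 8-26, GPS IFD 26-80, rationals 80-128."""
    entry = lambda tag, typ, count, val: struct.pack(">HHI", tag, typ, count) + val
    rat = lambda pairs: b"".join(struct.pack(">II", n, d) for n, d in pairs)
    ifd0 = struct.pack(">H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(">I", 26)) + struct.pack(">I", 0)
    gps = (struct.pack(">H", 4)
           + entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\x00\x00\x00")
           + entry(GPS_LAT, 5, 3, struct.pack(">I", 80))
           + entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\x00\x00\x00")
           + entry(GPS_LON, 5, 3, struct.pack(">I", 104))
           + struct.pack(">I", 0))
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd0 + gps + rat(lat_dms) + rat(lon_dms)
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + len(EXIF_HEADER) + len(tiff)) + EXIF_HEADER + tiff
    note = b"constructed sample, not a real photograph"
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(note)) + note
    return b"\xff\xd8" + app1 + com + b"\xff\xd9"

if __name__ == "__main__":
    # 37 46' 29.64" N, 122 25' 10.44" W: a made-up fix encoded as deg/min/sec rationals.
    photo = build_sample_jpeg([(37, 1), (46, 1), (2964, 100)], "N", [(122, 1), (25, 1), (1044, 100)], "W")
    print("fix in photo:", extract_gps(photo))
    print("after strip_exif:", extract_gps(strip_exif(photo)))  # None
```

Two caveats a practitioner would add: location can also ride in an APP1 XMP packet or an APP13 (IPTC) segment, which this stripper leaves in place, so an outbound gateway should drop or whitelist every application segment rather than only Exif; and stripping the Exif block also removes the orientation tag, so the saved image may display rotated unless the pixels are rotated first.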
Wilcox admitted that the pervasive nature of mobile technology today and the emergence of popular new devices like iPhones and iPads make it difficult to deny access to mobile devices outright, meaning some legal liability and risk of data loss will always be present, but he encouraged organizations to use technology, policy and controls to limit data exposure.
Attendee Krister Samuelsson with Volvo Sweden said his organization has a mobile device security policy in place, but the process of managing that policy is challenging because it extends across numerous countries. Because the legal landscape is different in each nation, geographic policy exceptions are commonplace, increasing the difficulty of ensuring employees adhere to policy.