Bring Your Own Device (“BYOD”)
Elizabeth L. Lewis
Randy V. Sabett
Shane McGee
October 25, 2016
12:30 – 2:00 p.m.
Attorney advertisement. Copyright © Cooley LLP, 3175 Hanover Street, Palo Alto, CA 94304. The content of this packet is an introduction to Cooley LLP’s capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.
Presenters
Elizabeth Lewis
Partner
Cooley LLP
Randy Sabett
Special Counsel
Cooley LLP
Shane McGee
Former Chief Privacy Officer
FireEye
BYOD – Why Are We Here?
• BYOD is increasingly common at work
• It is popular with employees and reduces
employer expense
• But it raises security, loss or spoliation of data,
compliance and intellectual property concerns
BYOD – Today’s Agenda
• This program concerns BYOD and the proactive
strategies you can implement to address its risks,
including:
• policy development
• firewalls and security software
• monitoring employees
• documentation of work
• e-discovery and litigation holds
BYOD – Why Allow It?
• Very popular with employees, particularly
younger workers
• May improve efficiency and productivity
• Employee is carrying and checking one device, not
two
• Employee more likely to review and respond
BYOD – What Are the Risks?
• Loss or misuse of company data, confidential
information and trade secrets
• Potential use and integration of intellectual property of a
former employer
• Data breach
• Exposure to viruses and malware
• Failure to maintain information subject to a litigation hold
or a discovery request
• Limited ability to monitor employee activity
BYOD – How to Manage?
Policy Development
• Begin by understanding that employers do not
have unfettered freedom to monitor employees
in their at-home work environment
• Particularly when the employees are using their
own personal computer and telephone
equipment
• These devices may also contain personal
information and be used for personal business
BYOD – How to Manage?
Policy Development
• Be sure employees have reasonable methods of getting
work done without the use of personal devices
• Develop and distribute a written monitoring policy to both
office-based employees and telecommuters that clearly
establishes the right to monitor without notice and under
what conditions
• Limit monitoring to business-related materials and phone
calls
• Obtain employee’s written acknowledgement of the
employer’s monitoring practice
BYOD – How to Manage?
Employee Access to Email and Other
Databases From Their Own Personal Device
• Begin with understanding that privacy concerns
are heightened with personally owned devices
• Have appropriate security precautions been put
into place?
• Can the device be monitored? Wiped?
• If wiped, total device or “sandboxed” portion?
• Do you have a policy that addresses this issue?
BYOD – How to Manage?
Employee Access to Email and Other
Databases From Their Own Personal Device
• Do you need to consider industry-specific issues? (e.g.,
health, financial, government contractor)
• Address concerns by type of information (e.g., personnel
file information, customer bank account information)
• How do you deal with these devices if a legal hold is put
in place?
• Explain what to do if device is lost or stolen (who gets
notified and how)
• Address downloading of company documents
BYOD – How to Manage?
External (USB) Devices
• Problem: external data, viruses and malware imported
into the company’s systems by use of a device that has
been used before
• Possible solutions:
• Best practice is to issue and require use of a new, clean
company device each time
• Record each company device by serial number and scrub after
each use
• If the employee brings a non-company device, require that it be
produced and scanned before it is connected to your system
• Inform employees that the company monitors USB device usage
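Two of the controls above (recording company devices by serial number and monitoring USB usage) can be turned into a simple detection check. The following is an added example, not material from the presentation: it parses constructed log lines written in the style of Linux kernel USB enumeration messages (with a hypothetical `host=`/`user=` prefix from a log shipper), groups them into one event per attachment, and flags any device whose serial number is not in a hypothetical company register. Devices that report no serial at all are flagged too, since they cannot be matched against the register.

```python
"""Flag USB attachments whose serial number is not in the company device
register. Added example with constructed input; not code from the deck."""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical register of company-issued USB devices, keyed by serial
# number (a real deployment would load this from the asset inventory).
REGISTERED_SERIALS = {
    "4C530001230522100594": "CO-USB-0017",
    "4C530001230522100601": "CO-USB-0018",
}

# Constructed log lines: kernel-style USB enumeration messages, each
# prefixed with host and user by a hypothetical log shipper.
SAMPLE_LOG = """\
host=wks-07 user=alice usb 1-1: New USB device found, idVendor=0781, idProduct=5583
host=wks-07 user=alice usb 1-1: Product: Ultra Fit
host=wks-07 user=alice usb 1-1: SerialNumber: 4C530001230522100594
host=wks-12 user=bob usb 2-3: New USB device found, idVendor=0951, idProduct=1666
host=wks-12 user=bob usb 2-3: Product: DataTraveler 3.0
host=wks-12 user=bob usb 2-3: SerialNumber: E0D55EA573DCF3B0A7DA0F9C
host=wks-03 user=carol usb 1-2: New USB device found, idVendor=046d, idProduct=c52b
host=wks-03 user=carol usb 1-2: Product: USB Receiver
"""

LINE_RE = re.compile(r"host=(\S+) user=(\S+) usb (\S+): (.*)")
NEW_DEV_RE = re.compile(
    r"New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"SerialNumber: (\S+)")


@dataclass
class UsbEvent:
    host: str
    user: str
    port: str
    vendor: str
    product: str
    serial: Optional[str] = None


def parse_usb_events(log_text: str) -> list:
    """Group kernel lines into one UsbEvent per (host, port) enumeration.

    A 'New USB device found' line opens an event; a later 'SerialNumber'
    line on the same host/port fills in its serial. Lines that do not
    match the expected shape are ignored.
    """
    events = {}
    order = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, user, port, msg = m.groups()
        key = (host, port)
        nd = NEW_DEV_RE.match(msg)
        if nd:
            events[key] = UsbEvent(host, user, port, nd.group(1), nd.group(2))
            order.append(key)
            continue
        sm = SERIAL_RE.match(msg)
        if sm and key in events:
            events[key].serial = sm.group(1)
    return [events[k] for k in order]


def unregistered_devices(events, register=REGISTERED_SERIALS) -> list:
    """Return events whose serial is absent from the register.

    An event with no serial (serial is None) is also returned: without a
    serial it cannot be matched to a company-issued device.
    """
    return [e for e in events if e.serial not in register]


def describe(event: UsbEvent) -> str:
    """One-line alert text for an unregistered attachment."""
    serial = event.serial or "<no serial reported>"
    return (f"{event.host} ({event.user}): unregistered USB device "
            f"{event.vendor}:{event.product} serial {serial}")


if __name__ == "__main__":
    for ev in unregistered_devices(parse_usb_events(SAMPLE_LOG)):
        print(describe(ev))
```

On the constructed input this reports bob's DataTraveler (serial not in the register) and carol's receiver (no serial reported), while alice's registered device is silent. The register lookup is deliberately by serial rather than by vendor/product ID, because two devices of the same model share the latter but not the former.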
BYOD – How to Manage?
Cloud and Web Storage
• Require employees to identify any webmail or cloud
storage accounts (e.g., Dropbox, iCloud) that might
contain either company information or former employer
information
• Prohibit further use if necessary
• If you allow, understand the ownership agreement and
date limitations on storage that are associated with these
storage solutions
• Remove or copy company data to a secure location as
soon as possible; frequently if you allow ongoing use
BYOD – How to Manage?
Documenting Development Status
• Regularly document current state of technology
to establish a “baseline” for comparison
• Regularly document current customer/potential
customer information
• Require employees to regularly document their
development efforts
Border Cases
• As far as searches of computers are concerned, borders are different than interstate travel
• Why do you think this is?
Border Cases (cont’d)
• Border searches, “from before…the Fourth Amendment, have been considered to be 'reasonable' by the single fact that the person or item in question had entered into our country from outside.” U.S. v. Ramsey, 431 U.S. 606 (1977).
• According to the Supreme Court:
• routine border searches are unlike most other searches, whether of homes, persons, things or vehicles
• routine border searches require no probable cause, reasonable suspicion, or warrant
• reasonable expectation of privacy is diminished at the border
• U.S. v. Montoya de Hernandez, 478 U.S. 531 (1985)
• Authority derives from the nation's “sovereign” and “inherent authority to protect, and [its] paramount interest in protecting, its territorial authority.” U.S. v. Flores-Montano, 541 U.S. 149 (2004).
Customs’ Actual Authority
• Defined by CBP Directive No. 3340-049 (8/20/09)
and ICE Directive No. 7-6.1 (8/18/09)
4th Amendment Law
• “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
• Case law has developed around whether various searches were constitutional or not
• Early cases involved things like autos, phone booths, hotel rooms, pen registers, etc.
Cases involving laptops
• U.S. circuit courts (in U.S. v. Arnold and U.S. v. Ickes) have held that searches involving laptops:
• do not require reasonable suspicion or probable cause
• are similar to warrantless, suspicionless searches of property allowed by the Supreme Court (e.g., searches of travelers’ suitcases, briefcases, pockets, papers and films)
Cases involving laptops (cont’d)
• Arguments rejected that laptop searches are different, whether because of the massive amount of data they hold, the First Amendment implications of searching “expressive material” or the purported “invasiveness” of the searches
• In Arnold:
• amount of storage capacity would not make an otherwise routine search “particularly offensive”
• rejected analogy between a laptop and a home, humorously(?) commenting that “one cannot live in a laptop.”
Current procedures (cont’d)
• …and almost an entire page on what constitutes
“reasonable time” for review:
BYOD Takeaways
• Firm-Provided Devices & Plans
• Can reduce risk of monitoring issues via a
comprehensive ‘firm-owned’ mobile device program
• Can reduce – but does not eliminate
• BYOD may not reduce costs when carrier contracts
are properly negotiated
• Device availability and lag can cause employee satisfaction
issues
• May increase accounting burden
BYOD Takeaways (cont’d)
• If BYOD not yet implemented, consider sticking
to a firm-provided plan
• When not possible and BYOD is a reality, then
ensure that technology controls are in line with
legal restrictions
• Increase frequency of AUP awareness/sign-off
Bios
Elizabeth Lewis
Elizabeth "Betsy" Lewis' practice focuses on labor and employment law, civil rights law and litigation. In her employment practice, she
works with clients to find cost-effective business solutions to employment problems. She works on a broad spectrum of employment
issues, including advising clients on compliance with employment laws (including FLSA, Title VII, ADEA, ADA, FMLA, WARN, OSHA,
NLRA, FCRA), managing difficult employees, developing and implementing personnel practices and procedures, due diligence for IPOs,
mergers and acquisitions, structuring executive and incentive compensation, drafting employment and noncompete agreements, handling
discrimination complaints before administrative agencies, preparing affirmative action plans and handling OFCCP and other DOL audits,
including glass ceiling audits.
Randy Sabett, JD, CISSP
Randy V. Sabett, JD, CISSP, is vice chair of Cooley’s privacy & data protection (PDP) practice group. He counsels clients on a wide range
of cutting-edge cybersecurity, privacy, IT licensing and intellectual property issues. Randy helps clients develop strategies to protect their
information, including advising companies on developing and maintaining appropriate internal controls to meet privacy and cybersecurity
requirements. He also drafts and negotiates a wide variety of technology transaction agreements. Having previously served as an in-house
counsel to a Silicon Valley startup, Randy employs a pragmatic approach when structuring and negotiating such agreements. He has also
counseled numerous clients on a variety of data breach scenarios, including running incident response for major commercial retailers,
large financial institutions, on-line service providers, and health care organizations.
Shane McGee, JD, CISSP
Until recently, Shane was Chief Privacy Officer and VP of Policy at FireEye where he built a worldwide privacy program to ensure
appropriate use of customer data and engaged with policymakers around the world to promote policy change in an effort to protect against
cyber-criminals and state-sponsored attackers. Shane was Mandiant’s General Counsel prior to FireEye’s acquisition of Mandiant in late
2013, and before that co-chaired the Privacy and Security group at SNR Denton with Randy Sabett. Shane will be starting at PhishMe late
this month as their new General Counsel.