The BYOD (Bring Your Own Device) discussion is quickly approaching fever pitch within the legal industry as firms attempt to balance the need for security against the needs of employee mobility. With many firms no longer providing phones and/or tablets for their staff, employees are forced to purchase their own devices and then ‘sync’ those devices with the firm’s management systems. Mobile access to information such as client contacts, employee calendars and case information is then available whenever – and wherever – staff members need it.

Luckily, this typically works very well. The challenge is that with people bringing their own devices, the firm’s confidential information is now mingled on these devices with the personal information of the staff members. This only presents a problem when someone either loses their phone or leaves the firm.

The firm has a responsibility to keep client and case information secure but when the phone is no longer in your possession, what do you do?

There are several ways to manage this situation; however, the most important thing is to have a well-communicated plan. Any employee who connects to the firm’s IT environment will need to know exactly what to do in the event they lose their device or leave the firm, and what will happen when they do. This all starts with a policy regarding what information and applications are allowed on the phone and ends with what will happen to that information should the device fall out of the firm’s control.

Mobile Information Planning is intended to provide a clear overview of what information is stored where and what applications are managing that data.

In an effort to make this a little easier, we’ve created the following guideline for firms to use when creating a BYOD policy. The chart below separates business and personal information on mobile devices and gives both the user and the firm options should things go awry. It also clearly shows everyone involved exactly what information will be ‘wiped’ from the phone should the device no longer be in the firm’s control.

In this example, the shaded areas represent what information the firm plans to remove should it need to. This is just an example and should vary for every firm.

| Information Category | Primary Application | Second Storage Application | Mobile Device | Other Applications |
|---|---|---|---|---|
| Company Contacts | Amicus Attorney | Outlook / Exchange | Yes | None |
| Company Calendar | Amicus Attorney | Outlook / Exchange | Yes | None |
| Personal Contacts | None | None | Yes | Google |
| Documents | Dropbox | None | Dropbox | Dropbox |
| Cases | Amicus Attorney | None | Amicus Anywhere | None |
| Personal Photos | None | None | Yes | Yes |
| Financial App | PCLaw / QuickBooks | None | None | None |
| Time Capture App | Amicus Attorney | None | Amicus Anywhere | None |

In this example, users will know that personal contacts placed in the company contact directory will be quickly removed from their phone or tablet should they leave the firm.

The key thing to remember is that the easiest policy to enforce is the one where the firm intentionally asks employees to keep work and private data separate. Once they become mixed, the enforcement of the policy becomes much more difficult as the remote ‘wipe’ of a device will most certainly clear information that does not belong to the firm.
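To make the separation rule concrete, here is an added example (not code from the original post) that turns a mobile information plan like the chart above into data and audits what a remote wipe would actually do. Each inventory item records the information category, whether the firm or the employee owns it, and which on-device account or app holds it; the audit then reports what a wipe removes, which firm data it cannot reach (for instance documents sitting in a cloud storage app), and which personal data it destroys because that data ended up in a firm-controlled store. The store names, the `Item` inventory and the `SELECTIVE_WIPE_SCOPE` set are assumptions modelled on the example chart, not values from the post.

```python
"""Mobile information plan as data, plus a wipe-impact audit.

Added example (not code from the original post). The inventory is modelled
on the post's example chart; store names and the wipe scope are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Item:
    category: str  # information category, as in the plan chart
    owner: str     # "firm" or "personal"
    store: str     # on-device account or app that holds the data


# Constructed inventory following the rows of the example chart (assumed).
INVENTORY: List[Item] = [
    Item("Company Contacts", "firm", "Exchange account"),
    Item("Company Calendar", "firm", "Exchange account"),
    Item("Cases", "firm", "Amicus Anywhere"),
    Item("Time Capture", "firm", "Amicus Anywhere"),
    Item("Documents", "firm", "Dropbox"),
    Item("Personal Contacts", "personal", "Google account"),
    Item("Personal Photos", "personal", "Camera roll"),
]

# Stores that a selective ("enterprise") wipe clears on this device.
# Assumed for the example; a firm fills this in from what its MDM can target.
SELECTIVE_WIPE_SCOPE: Set[str] = {"Exchange account", "Amicus Anywhere"}


def audit_wipe(inventory: Iterable[Item],
               wipe_scope: Optional[Set[str]]) -> Dict[str, List[Item]]:
    """Classify each item by what the wipe does to it.

    wipe_scope=None models a full device wipe (every store is cleared).
    Buckets:
      removed     - firm data the wipe clears (the intended outcome)
      left_behind - firm data outside the wipe scope; needs another control,
                    such as revoking the cloud account's access
      collateral  - personal data the wipe destroys because it sits in a
                    firm-controlled store
    """
    report: Dict[str, List[Item]] = {"removed": [], "left_behind": [], "collateral": []}
    for item in inventory:
        cleared = wipe_scope is None or item.store in wipe_scope
        if item.owner == "firm":
            report["removed" if cleared else "left_behind"].append(item)
        elif cleared:
            report["collateral"].append(item)
    return report


def categories(report: Dict[str, List[Item]], key: str) -> List[str]:
    """Category names in one bucket of a report, in inventory order."""
    return [item.category for item in report[key]]


def format_report(report: Dict[str, List[Item]]) -> str:
    """Plain-text summary suitable for the BYOD policy hand-out."""
    lines = []
    for key, label in (("removed", "Removed by the wipe"),
                       ("left_behind", "Firm data NOT removed"),
                       ("collateral", "Personal data that WILL be lost")):
        lines.append(f"{label}:")
        if not report[key]:
            lines.append("  (none)")
        for item in report[key]:
            lines.append(f"  - {item.category} (in {item.store})")
    return "\n".join(lines)


if __name__ == "__main__":
    # 1. Work and personal data kept apart: only firm data is touched.
    print("== Selective wipe, data kept separate ==")
    print(format_report(audit_wipe(INVENTORY, SELECTIVE_WIPE_SCOPE)))

    # 2. The case the post warns about: a personal contact saved into the
    #    company directory now lives in a firm-controlled store.
    mixed = INVENTORY + [Item("Personal Contacts", "personal", "Exchange account")]
    print("\n== Selective wipe, personal contact in company directory ==")
    print(format_report(audit_wipe(mixed, SELECTIVE_WIPE_SCOPE)))

    # 3. A full device wipe clears everything, personal data included.
    print("\n== Full device wipe ==")
    print(format_report(audit_wipe(INVENTORY, None)))
```

Running the script shows the two failure modes the plan is meant to expose: in the mixed case the personal contact stored in the company directory appears under collateral, and in every selective-wipe case the documents in Dropbox appear under "Firm data NOT removed", which is exactly why the firm also needs administrative control of that cloud account.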

Other important BYOD considerations:

  • BYOD Policies should be included in employment agreements. This is merely an extension of the firm’s intellectual property agreement.
  • If the firm allows employees to use a cloud storage system such as Dropbox, the firm should maintain administrative controls for those accounts and quickly move to update access to that system should an employee leave the firm. This goes for ALL employees – even those remaining at the firm. Many times, people who leave the firm will know other employees’ credentials and could still access confidential information unless all access information (i.e., passwords) is updated.
  • Firms need to employ the necessary technology to centrally manage whatever the company agrees to as a policy. A policy without a means of enforcement isn’t very helpful in an emergency.
  • All users MUST be required to use password protection on their devices. This basic security measure is far too often ignored and represents a substantial security risk.
  • Controlling what applications can be installed on the mobile devices requires a more substantial enforcement policy and technology plan. The costs to manage devices this way can be reasonable; however, it does require a more active management effort. This choice is most popular with larger clients.

Some IT companies offer Mobile Device Management (MDM), a program that enables your firm to manage, secure and monitor your firm’s mobile devices in real time. Additional features include the ability to:

  • Remotely lock or wipe lost devices
  • Track device location via GPS
  • Keep track of devices across your firm
  • View health and usage statistics
  • Enforce passcode requirements
  • Prevent unauthorized access to apps and websites

Regardless of your approach – just make sure you have a plan. Make sure that plan is well-communicated (both internally and with clients) and that you have a means to implement that plan.