Beef up security in office with a BYOD habit

Nancy Crotti, The Daily Record Newswire

If left to their own devices to perform work for your firm, attorneys and staff could get you in a heap of trouble. That’s because of something known as BYOD.

BYOD stands for “bring your own device”: bringing a private cellphone, laptop or tablet and using it for work purposes, such as answering work email.

The likelihood of that happening could be high. A 2013 IDC Research report that used data from 7,446 Android and iPhone users ages 18 to 44 showed that four out of five checked their personal mobile device within 15 minutes of waking up, according to a story in Adweek. Eighty percent of those said it was the first thing they do in the morning, the Adweek story said.

Every company that allows its employees to use their personal mobile electronic devices for work purposes is at risk for a BYOD problem, according to Tina A. Syring, a partner and employment attorney at Barnes & Thornburg in Minneapolis.

“Larger firms are very careful in terms of who is permitted to have their phone and their access rights,” Syring said. “I think solos and smaller firms probably forget to put security requirements around their personal devices, and so those personal devices have client information nine times out of 10.

“If it’s a six- or seven-person law firm with admin folks and a paralegal, then you should be thinking through it like a large employer,” she added.

Another possible problem is pay. The staffer who answers firm email at home is racking up work time and may not be accounting for it. Ultimately, that employee may make a complaint against the firm with the state Department of Labor, demanding overtime pay, Syring said. For a company that brings in less than $500,000 in gross annual revenues, state law triggers overtime pay to begin after 48 work hours. Hourly staff of a company that generates more than $500,000 in annual sales is legally due overtime after working 40 hours, she noted.

The overtime issue has reached the level of national concern. The U.S. Department of Labor’s Wage and Hour Division is looking into the use of portable electronic devices by employees away from work and outside of scheduled work hours, according to a report by the Society for Human Resource Management.

Syring recommended that firms establish BYOD policies that require a password, an additional login requirement, and notification if the device is lost or stolen. Firms should also obtain attorney and staff consent that allows them to wipe firm and client data remotely from lost or stolen personal devices, and from the devices of those who leave the firm.

Passwords for BYOD devices should be complex and difficult to crack, with a combination of upper- and lower-case letters, numbers and symbols, according to Shawn Pearson, also an employment lawyer. If an attorney or staffer does not password-protect their mobile device and that device is lost or stolen, the results can be dire.

“That is a huge, huge problem, because you’re talking about data that can be compromised and moved all over the world in seconds,” said Shawn Pearson, an attorney at Oberman Thompson, a small firm in Minneapolis.

“I left Barnes the end of 2014,” Pearson said. “When I left, all of my email data from the Exchange server was just wiped from my phone, including my contacts, quite frankly. That’s their policy and I tend to think it’s a good policy.”

Without the proper controls in place, an attorney or staff member using a personal device can jeopardize client confidentiality and potentially open the entire firm’s IT system to a breach. That’s particularly true if the device is connected to public Wi-Fi. It’s also true of wearable devices, according to attorney Kenneth Suzan, who is of counsel to Barnes & Thornburg.

“BYOD policies need to address the growing trend of wearable technology,” Suzan wrote in an email. “As employees bring their new devices to work, there is likely to be increased demand on computer network resources.”

Breaching client confidentiality can bring on issues with the Rules of Professional Responsibility, not to mention bad PR and extra costs for the firm.

At his new firm, Pearson uses the Microsoft Office suite on the cloud. “You can store data in a secure way and the mobile device is simply accessing it,” he said.

Case in point: He recently spent about three weeks flying around the country for depositions. Rather than bring stacks of paper containing confidential client information, Pearson said he uploaded all of it onto the cloud, organized it into files and took only an iPad to prep the clients for depositions, take notes and access documents.

“If I’d lost that iPad or it got broken… it’s secure,” he said. “I can replicate it from any other desktop or mobile device. So, cloud computing really does help a lot of these kinds of challenges.”