Solving BYOD's privacy problem
In California's Central Valley, attorneys at the employment law firm Dowling Aaron came up with a nickname for CIO Darin Adcock, who had just crafted a Bring Your Own Device (BYOD) user policy. They called him "Big Brother," after the oppressive party leader in George Orwell's dystopian novel "1984."
"They'd come by my office and say, 'What's up, Big Brother? How's my phone today?'" Adcock says.
Then a thief smashed the window of an attorney's Lexus and swiped his iPhone 5. Big Brother leaped into action and quickly wiped the phone of all data and apps, saving the attorney from the threat of having his personal banking information, texts and emails compromised.
Word spread throughout the law firm, and the name-calling stopped. "I started getting comments of appreciation," Adcock says.
The Two Sides of BYOD: Flexibility vs. Security
The events at Dowling Aaron underscore one of the great challenges in the ongoing saga between CIOs and employees: BYOD has a privacy problem. Employees want to tap the power of BYOD to make their work lives easier, while CIOs must take measures to safeguard corporate data.
Truth is, many CIOs attach draconian user policies to their BYOD programs that are heavily weighted toward corporate rights to access and monitor devices. An employee's expectations of privacy get short shrift. Employees simply don't trust the IT department to have access to their personal devices.
Making matters worse, privacy, and technology's capacity to circumvent it, is on people's minds these days. Facebook, Microsoft, Apple and Yahoo have all come under fire recently for secretly handing over customer information to the government.
President Obama summed up the problem while defending the National Security Agency's spying programs: "We're going to have to find ways where the public has an assurance that there are checks and balances in place ... that their phone calls aren't being listened into, their text messages aren't being monitored, their emails are not being read by some big brother somewhere."
Dowling Aaron is a particularly interesting case, because the firm's employees are well-versed in BYOD. They often advise clients about employment policies and safeguarding corporate assets. Now they are on the receiving end of one of those BYOD employee policies.
You'd think they would be more vocal about employee privacy rights in their own company, but the opposite happened. One of the advisors to the BYOD policy was a Dowling Aaron attorney specializing in HIPAA, the Health Insurance Portability and Accountability Act. He wanted tougher security measures in place.
"If it was up to him, we'd be doing retina scans on our way to work," Adcock says. "I say this only half-jokingly; he'd probably really want it."
BYOD Policy From the Top Down
The drive for greater BYOD security starts at the top. Many of the employees are partners with a stake in the firm. As an employment law firm, they've seen the blunders other companies have made. They understood the danger of having some 50 attorneys carrying phones with access to client documents but no passcode protection or remote-wipe capability.
"If we end up on the front of the Fresno Bee because an attorney left his phone at the bar... the damage to your reputation could literally be millions of dollars," Adcock says.
The first iteration of the BYOD policy emphasizes passcodes and wiping. It requires a passcode of at least five digits, with the screen locking after five minutes of inactivity, along with the capability to fully wipe a lost or stolen device and to selectively wipe the device of an attorney who leaves the firm. The selective wipe only affects the ActiveSync account that carries corporate contacts, email and calendar.
Adcock knows that BYOD can't start out heavy-handed. "You can go a little deeper once they're comfortable with it," he says. "But if you put all 10 policies on at once, then they're going to fight back and call you Big Brother your whole life."
Upcoming requirements for BYOD user policy 2.0 will include measures such as making sure attorneys have up-to-date anti-virus software. Corporate documents aren't allowed on BYOD phones and tablets but often make their way onto them as email attachments, so the new requirements will block attachments from being saved to the device.
Dowling Aaron does not track GPS location or read personal texts and emails. Adcock does little data collection and auditing even though the mobile device management software he uses, AirWatch, is capable of delivering a wealth of information. He does monitor device memory and advises attorneys when they are nearing its limits.
That's pretty hands-off, but it didn't stop the "Big Brother" catcalls.
Par for the Compliance Course
Adcock has had his share of run-ins with noncompliant attorneys. One attorney, for instance, is an avid golfer and uses a GPS-enabled mobile golfing app that is hampered by the five-minute screen lock. The attorney regularly turns off the passcode, which triggers an automatic compliance warning from AirWatch to Adcock.
"I'll tell him, 'Let me guess, you're golfing again, just make sure you put it back on so we get the compliance back to 100%,'" Adcock says.
Other times, Adcock has had to take more drastic actions, even one aimed at a partner in the law firm. The attorney was sharing his iPad with his family, and they kept taking off the passcode. Adcock sent a friendly email reminder. On the next failed compliance check, Adcock had to selectively wipe the iPad per the BYOD policy.
Top management compelled the attorney to comply with the BYOD policy in the future.
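The policy rules described above (five-digit passcode, five-minute auto-lock, full wipe for a lost device, selective wipe of only the corporate ActiveSync data) and the escalation Adcock applied (a warning on the first failed check, a selective wipe on the next consecutive failure, and a reset once the device is compliant again, as with the golfer) can be expressed as a small compliance evaluator. The following is an added example written for this page, not Dowling Aaron's AirWatch configuration or any AirWatch API; the device record fields, the two-strike threshold and the account inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Passcode/wipe thresholds taken from the policy described in the article.
MIN_PASSCODE_DIGITS = 5
MAX_AUTOLOCK_SECONDS = 5 * 60  # screen must lock after five minutes idle
WIPE_AFTER_FAILURES = 2        # assumed: warn once, wipe on the next failure


@dataclass
class DeviceState:
    """One compliance check-in from a device. Field names are assumed;
    a real MDM reports these under its own names."""
    device_id: str
    user: str
    passcode_enabled: bool
    passcode_digits: int
    autolock_seconds: int
    reported_lost: bool = False


def violations(d: DeviceState) -> list[str]:
    """Return the policy rules this check-in breaks (empty if compliant)."""
    found = []
    if not d.passcode_enabled:
        found.append("passcode disabled")
    elif d.passcode_digits < MIN_PASSCODE_DIGITS:
        found.append(f"passcode shorter than {MIN_PASSCODE_DIGITS} digits")
    if d.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        found.append("auto-lock interval longer than five minutes")
    return found


def decide(d: DeviceState, failures: dict[str, int]) -> str:
    """Pick the action for one check-in and update per-device failure state.

    A lost or stolen device is fully wiped regardless of compliance. A
    noncompliant device gets a warning on its first consecutive failure and
    a selective wipe once it reaches WIPE_AFTER_FAILURES; returning to
    compliance resets the count, so an occasional lapse never escalates.
    """
    if d.reported_lost:
        return "full_wipe"
    if not violations(d):
        failures[d.device_id] = 0
        return "compliant"
    failures[d.device_id] = failures.get(d.device_id, 0) + 1
    if failures[d.device_id] >= WIPE_AFTER_FAILURES:
        return "selective_wipe"
    return "warn"


def selective_wipe(accounts: dict[str, bool]) -> dict[str, bool]:
    """Remove only firm-managed data (the ActiveSync account holding
    corporate mail, contacts and calendar); personal accounts survive.
    `accounts` maps an account name to whether the firm manages it."""
    return {name: managed for name, managed in accounts.items() if not managed}


def full_wipe(accounts: dict[str, bool]) -> dict[str, bool]:
    """Lost-device response: everything goes, personal data included."""
    return {}


if __name__ == "__main__":
    # Constructed check-ins mirroring the article's three situations.
    failures: dict[str, int] = {}
    golfer_off = DeviceState("iphone-a", "golfer", False, 0, 300)
    golfer_on = DeviceState("iphone-a", "golfer", True, 6, 300)
    family_ipad = DeviceState("ipad-b", "partner", False, 0, 300)
    stolen = DeviceState("iphone-c", "attorney", True, 6, 300, reported_lost=True)
    for check in (golfer_off, golfer_on, golfer_off,
                  family_ipad, family_ipad, stolen):
        print(check.device_id, decide(check, failures))
    inventory = {"ActiveSync (firm)": True, "Personal Gmail": False, "Photos": False}
    print("after selective wipe:", selective_wipe(inventory))
```

Running the demo prints a warning both times the golfer disables his passcode (the compliant check-in between them resets his count), a warning then a selective wipe for the shared iPad, and a full wipe for the stolen phone; the selective wipe leaves the personal Gmail account and photos in place.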
"Luckily, the other board members are all playing ball," Adcock says. "We practice what we preach, because we know it's best practices."
Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige.