Bring Your Own Device “BYOD”

Elizabeth L. Lewis
Randy V. Sabett
Shane McGee

October 25, 2016, 12:30 – 2:00 p.m.

Attorney advertisement. Copyright © Cooley LLP, 3175 Hanover Street, Palo Alto, CA 94304. The content of this packet is an introduction to Cooley LLP’s capabilities and is not intended, by itself, to provide legal advice or create an attorney-client relationship. Prior results do not guarantee future outcome.



Presenters

Elizabeth Lewis, Partner, Cooley LLP
Randy Sabett, Special Counsel, Cooley LLP
Shane McGee, Former Chief Privacy Officer, FireEye

Overview

BYOD – Why Are We Here?

• BYOD is increasingly common at work
• It is popular with employees and reduces employer expense
• But it raises security, loss or spoliation of data, compliance and intellectual property concerns

BYOD – Today’s Agenda

• This program concerns BYOD risks and the proactive strategies you can implement to address them, including:
  • policy development
  • firewalls and security software
  • monitoring employees
  • documentation of work
  • e-discovery and litigation holds

BYOD – Why Allow It?

• Very popular with employees, particularly younger workers
• May improve efficiency and productivity
  • Employee is carrying and checking one device, not two
  • Employee more likely to review and respond

BYOD – What Are the Risks?

• Loss or misuse of company data, confidential information and trade secrets
• Potential use and integration of intellectual property of a former employer
• Data breach
• Exposure to viruses and malware
• Failure to maintain information subject to a litigation hold or a discovery request
• Limited ability to monitor employee activity

BYOD Policy and Management

BYOD – How to Manage?

Policy Development

• Begin by understanding that employers do not have unfettered freedom to monitor employees in their at-home work environment
  • Particularly when the employees are using their own personal computer and telephone equipment
  • These devices may also contain personal information and be used for personal business

BYOD – How to Manage?

Policy Development

• Be sure employees have reasonable methods of getting work done without the use of personal devices
• Develop and distribute a written monitoring policy to both office-based employees and telecommuters that clearly establishes the right to monitor without notice and under what conditions
• Limit monitoring to business-related materials and phone calls
• Obtain employee’s written acknowledgement of the employer’s monitoring practice

BYOD – How to Manage?

Employee Access to Email and Other Databases From Their Own Personal Device

• Begin with understanding that privacy concerns are heightened with personally owned devices
• Have appropriate security precautions been put into place?
  • Can the device be monitored? Wiped?
  • If wiped, total device or “sandboxed” portion?
• Do you have a policy that addresses this issue?

BYOD – How to Manage?

Employee Access to Email and Other Databases From Their Own Personal Device

• Do you need to consider industry-specific issues? (e.g., health, financial, government contractor)
• Address concerns by type of information (e.g., personnel file information, customer bank account information)
• How do you deal with these devices if a legal hold is put in place?
• Explain what to do if device is lost or stolen (who gets notified and how)
• Address downloading of company documents

BYOD – How to Manage?

External (USB) Devices

• Problem: external data, viruses and malware imported into the company’s systems by use of a device that has been used before
• Possible solutions:
  • Best practice is to issue and require use of a new, clean company device each time
  • Record each company device by serial number and scrub after each use
  • If the employee brings a non-company device, require that it be produced and scanned before it is connected to your system
  • Inform employees that the company monitors USB device usage
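The USB controls above (company devices tracked by serial number and scrubbed after each use, non-company devices scanned before connection, all connections monitored) can be checked mechanically against connection logs. The following is an added example, not material from the Cooley presentation: the log line format, the host names, the serial numbers and the inventory records are all constructed for the example, and real USB event logs will look different.

```python
"""
Added example (not from the original slides): apply the USB device
controls described above to a set of constructed connection log lines.

Assumed controls:
  * a company-issued device is registered by serial number and must be
    scrubbed after each use before it may be connected again;
  * a non-company device must be scanned before it is connected;
  * every connection is recorded so that usage can be monitored.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log. The "host=", "vendor=", "product=" and "serial="
# fields are an assumption for this example; real logs vary by platform.
SAMPLE_LOG = """\
2016-10-25T09:01:12 host=ws-14 usb connect vendor=0781 product=5567 serial=CO-0001
2016-10-25T09:15:44 host=ws-14 usb connect vendor=0781 product=5567 serial=CO-0002
2016-10-25T10:02:07 host=ws-22 usb connect vendor=0951 product=1666 serial=PERSONAL-9A
2016-10-25T10:40:51 host=ws-22 usb connect vendor=0951 product=1666 serial=PERSONAL-7F
2016-10-25T11:00:00 host=ws-07 usb connect vendor=0781 product=5567 serial=CO-0001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) usb connect "
    r"vendor=(?P<vendor>[0-9a-f]{4}) product=(?P<product>[0-9a-f]{4}) "
    r"serial=(?P<serial>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one connection event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


@dataclass
class Inventory:
    """Hypothetical device register kept by the company (an assumption)."""
    company_serials: set                     # serials of company-issued devices
    scrubbed: set = field(default_factory=set)          # scrubbed since last use
    scanned_external: set = field(default_factory=set)  # scanned before connection


def check_connections(log_text: str, inv: Inventory):
    """Return (usage, alerts).

    usage  : every parsed connection event (the monitoring record)
    alerts : events that break the scrub-before-reuse or scan-before-connect rule
    """
    usage, alerts = [], []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed or unrelated line: skip, do not crash
        usage.append(ev)
        serial = ev["serial"]
        if serial in inv.company_serials:
            if serial in inv.scrubbed:
                inv.scrubbed.discard(serial)  # now used again: needs a fresh scrub
            else:
                alerts.append({**ev, "reason": "company device reconnected before scrub"})
        elif serial in inv.scanned_external:
            inv.scanned_external.discard(serial)  # a scan clears one connection only
        else:
            alerts.append({**ev, "reason": "external device connected without prior scan"})
    return usage, alerts


def demo():
    """Run the checker over the constructed sample with a constructed inventory."""
    inv = Inventory(
        company_serials={"CO-0001", "CO-0002"},
        scrubbed={"CO-0001", "CO-0002"},
        scanned_external={"PERSONAL-9A"},
    )
    return check_connections(SAMPLE_LOG, inv)


if __name__ == "__main__":
    usage, alerts = demo()
    print(f"{len(usage)} connections logged, {len(alerts)} alerts")
    for a in alerts:
        print(f"{a['ts']} {a['host']} serial={a['serial']}: {a['reason']}")
```

On the sample data the checker records five connections and raises two alerts: the unscanned personal device PERSONAL-7F, and company device CO-0001 reconnected on a second workstation without being scrubbed in between. Treating a scan or scrub as clearance for exactly one connection is what makes the "scrub after each use" rule enforceable from the log alone.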

BYOD – How to Manage?

Cloud and Web Storage

• Require employees to identify any webmail or cloud storage accounts (e.g., Dropbox, iCloud) that might contain either company information or former employer information
• Prohibit further use if necessary
• If you allow, understand the ownership agreement and date limitations on storage that are associated with these storage solutions
• Remove or copy company data to a secure location as soon as possible; frequently if you allow ongoing use

BYOD – How to Manage?

Documenting Development Status

• Regularly document current state of technology to establish a “baseline” for comparison
• Regularly document current customer/potential customer information
• Require employees to regularly document their development efforts

BYOD case study: at the border

Border Cases

• As far as searches of computers are concerned, borders are different from interstate travel

• Why do you think this is?

Border Cases (cont’d)

• Border searches, “from before…the Fourth Amendment, have been considered to be 'reasonable' by the single fact that the person or item in question had entered into our country from outside.” U.S. v. Ramsey, 431 U.S. 606 (1977).
• According to the Supreme Court:
  • routine border searches are unlike most other searches of homes, persons, things or vehicles (regardless of whether of persons or property)
  • routine border searches require no probable cause, reasonable suspicion, or warrant
  • reasonable expectation of privacy is diminished at the border
  • U.S. v. Montoya de Hernandez, 478 U.S. 531 (1985)
• Authority derives from the nation's “sovereign” and “inherent authority to protect, and [its] paramount interest in protecting, its territorial authority.” U.S. v. Flores-Montano, 541 U.S. 149 (2004).

Customs’ Actual Authority

• Defined by CBP Directive No. 3340-049 (8/20/09) and ICE Directive No. 7-6.1 (8/18/09)

4th Amendment Law

• “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
• Case law has developed around whether various searches were constitutional or not
• Early cases involved things like autos, phone booths, hotel rooms, pen registers, etc.

Cases involving laptops

• U.S. circuit courts (in U.S. v. Arnold and U.S. v. Ickes) have held that searches involving laptops:
  • do not require reasonable suspicion or probable cause
  • are similar to warrantless, suspicionless searches of property allowed by the Supreme Court (e.g., searches of travelers’ suitcases, briefcases, pockets, papers and films)

Cases involving laptops (cont’d)

• Arguments rejected that laptop searches are different, whether because of the massive amount of data they hold, the First Amendment implications of searching “expressive material” or the purported “invasiveness” of the searches
• In Arnold:
  • amount of storage capacity would not make an otherwise routine search “particularly offensive”
  • rejected analogy between a laptop and a home, humorously(?) commenting that “one cannot live in a laptop.”

Current procedures

• Definition of “electronic media”:
• Policy:

Current procedures (cont’d)

• Detention for further review:

Current procedures (cont’d)

• …and almost an entire page on what constitutes “reasonable time” for review:

Current procedures (cont’d)

• Oh, by the way, here’s the rest…

Wrap up

BYOD Takeaways

• Firm-Provided Devices & Plans
  • Can reduce risk of monitoring issues via a comprehensive ‘firm-owned’ mobile device program
  • Can reduce – but does not eliminate
• BYOD may not reduce costs when carrier contracts are properly negotiated
  • Device availability and lag can cause employee satisfaction issues
  • May increase accounting burden

BYOD Takeaways (cont’d)

• If BYOD not yet implemented, consider sticking to a firm-provided plan
• When not possible and BYOD is a reality, then ensure that technology controls are in line with legal restrictions
• Increase frequency of AUP awareness/sign-off

BYOD

QUESTIONS?

Bios

Elizabeth Lewis

Elizabeth "Betsy" Lewis' practice focuses on labor and employment law, civil rights law and litigation. In her employment practice, she works with clients to find cost-effective business solutions to employment problems. She works on a broad spectrum of employment issues, including advising clients on compliance with employment laws (including FLSA, Title VII, ADEA, ADA, FMLA, WARN, OSHA, NLRA, FCRA), managing difficult employees, developing and implementing personnel practices and procedures, due diligence for IPOs, mergers and acquisitions, structuring executive and incentive compensation, drafting employment and noncompete agreements, handling discrimination complaints before administrative agencies, preparing affirmative action plans and handling OFCCP and other DOL audits, including glass ceiling audits.

Randy Sabett, JD, CISSP

Randy V. Sabett, JD, CISSP, is vice chair of Cooley’s privacy & data protection (PDP) practice group. He counsels clients on a wide range of cutting-edge cybersecurity, privacy, IT licensing and intellectual property issues. Randy helps clients develop strategies to protect their information, including advising companies on developing and maintaining appropriate internal controls to meet privacy and cybersecurity requirements. He also drafts and negotiates a wide variety of technology transaction agreements. Having previously served as an in-house counsel to a Silicon Valley startup, Randy employs a pragmatic approach when structuring and negotiating such agreements. He has also counseled numerous clients on a variety of data breach scenarios, including running incident response for major commercial retailers, large financial institutions, on-line service providers, and health care organizations.

Shane McGee, JD, CISSP

Until recently, Shane was Chief Privacy Officer and VP of Policy at FireEye where he built a worldwide privacy program to ensure appropriate use of customer data and engaged with policymakers around the world to promote policy change in an effort to protect against cyber-criminals and state-sponsored attackers. Shane was Mandiant’s General Counsel prior to FireEye’s acquisition of Mandiant in late 2013, and before that co-chaired the Privacy and Security group at SNR Denton with Randy Sabett. Shane will be starting at PhishMe late this month as their new General Counsel.