Mobile Device Policies for the Workplace Kathleen M. Porter, Esq., Partner, Robinson & Cole LLP CIPP/US, International Association of Privacy Professionals Member, Cyberspace Law Committee, American Bar Association, Business Section © 2012 Robinson & Cole LLP


Page 1

Mobile Device Policies for the Workplace

Kathleen M. Porter, Esq., Partner, Robinson & Cole LLP
CIPP/US, International Association of Privacy Professionals
Member, Cyberspace Law Committee, American Bar Association, Business Section

© 2012 Robinson & Cole LLP

Page 2

Mobile Devices

Portable, handheld devices that allow people to access data, applications and information from wherever they are.

o Wireless
o Voice/text/email/Internet capable

• PDAs
• Laptops
• Tablets
• Smart phones
• Storage disks
• Pagers
• Navigational devices

Page 3

Mobile Devices – We Love Them!

• Productivity
• Personal Choice
• Cost
• Generational Shift
• Dual Use
• Portability/BYOD

Page 4

Mobile Devices Not Typically Covered in Existing “Electronic Use” Policies

• Company property (hardware, software, phones and devices)
• Company provided service and access (voice and e-mail, wireless, remote and Internet access)
• Provided to enable employees to perform duties

Page 5

Mobile Devices Not Typically Covered in Existing “Electronic Use” Policies

Therefore….

– Company owns all records or data
– Employee has no expectation of privacy
– Company has right to access and view data and communications created, stored, received at any time; with or without notice
    • business-related or personal
    • disclose to law enforcement or government officials or to other third parties

Page 6

Electronic Use Policies - Outdated

Often not even a recognition of employees accessing personal web-based, password-protected accounts from work equipment or devices.

Page 7

Need a Policy for Mobile Device Use in the Workplace

• Needs to Be a Collaborative Effort
    – IT
    – HR
    – Legal

Page 8

Need a Policy for Mobile Device Use in the Workplace

• Cost and Resources
    – Permitted and supported devices, manufacturers, models, operating systems, platforms, mobile networks, etc.
    – Company or employee-devices or a combination
    – Allowance or stipend for employee purchase of device or service.

Page 9

Need a Policy for Mobile Device Use in the Workplace

Policy Decisions

• Fair Labor Standards Act (FLSA)
• Affects Device and Access Eligibility

Agui v. T-Mobile Inc.

Rulli v. Richard Ellis, Inc.

Oprah - non-exempt employee’s time sheet 800+ hours in 17 weeks - $32,000 in overtime pay.

Page 10

Policy also needs to address what happens when device is lost…..

• 17,500 USB sticks left in pockets of clothes at 500 UK cleaners*
    – 4X more in 2010 than 2009
• Thousands of handheld devices left in taxis, hotel bars, rooms and lobbies, malls.*

*Information from surveys by Credant Technologies

Page 11

Or stolen….

• 48 NASA notebooks and mobile devices stolen between April 2009 and April 2011.
• One stolen in 2011 was unencrypted. Contained command & control codes for the International Space Station.

Page 12

How to Obtain Acceptance?

• Electronic Use Policy – use of equipment is acceptance of terms.
• Mobile Device Policy
    – Employee wants to connect device to network
    – Important to authenticate device
    – Require log-in with click-thru agreement whereby employee accepts policy
    – Don’t just allow access if user has login and password

Page 13

Loss/Theft Vulnerabilities

• Loss of Confidential Data
• Loss of Work Product/Productivity
• Negative PR
• Reporting reluctance
    – Fear loss of personal data
    – Fear disciplinary action

Page 14

Loss/Theft Vulnerabilities

• Massachusetts 201 CMR 17.00 mandates encryption of all “personal information” stored on devices
• Oct. 31, 2007 - Sept. 30, 2011 Report
    – 75 devices lost/misplaced; 1 encrypted
        • 1.2 million pieces of information compromised
    – 290 devices stolen, 12 encrypted
        • 220,000 pieces of information compromised
• Data breach notification costs/time/exposure

Page 15

Cases Shaping Policies

City of Ontario, Cal. v. Quon, 130 S. Ct. 2619, U.S. Supreme Court 2010

– Employer owned pager and service
– Personal messages to girlfriend
– Written policy allowed monitoring and prohibited personal use
– Supervisor allowed behavior that differed from policy
– Employee terminated for excessive, highly personal texts
– Termination upheld because of policy, tailored monitoring

Page 16

Mobile Device Policy – Summary

Written Policy

• Tailored to specifics
• Give notice to employee
• Condition access on acceptance of policy
• Monitor only to protect interests (scope and duration)
• Consider type of behavior and communication (illegal, productivity, privileged, etc.)
• Require encryption

Page 17

Mobile Device Policies at Work

• Policy Alone Often Insufficient
    – Compliance
    – Reporting Reluctance
• Mobile Device Management
    – Initial and Ongoing Authentication
    – Black/White App List
    – Selective Remote Wipe
    – Push Updates
    – Active Monitoring and Security

Page 18

Consider Use Outside the U.S.

• Need to comply with U.S. export laws regarding physical or electronic transmission of controlled data outside the United States.
• Check device and review policy with employees prior to overseas travel.

Page 19

Consider Use Outside the U.S.

Other jurisdictions may have different rules on mobility, e.g., privacy of personal information; required authorization to monitor, access or remote wipe.

Page 20

Allow for Changing Technology

• Allow for amendments and updates to reflect changing technology, models and devices.
• Allow for IT, HR, legal and MDM vendor to issue periodic updates/alerts for security and changes, etc.

Page 21

Questions?

Kathleen Porter

Robinson & Cole LLP

[email protected]

617.557.5989