The Start of Bring Your Own Device Policies

It really is the iPhone’s fault. Yes, Apple is to blame for designing the most desirable piece of technology of the last decade. So desirable, in fact, that employees of all stripes requested (and, often, begged) their IT departments to toss the increasingly “corporate” Blackberry out the window and allow the use of their personal iPhones for corporate emails and calls. As a result, we have been living in the age of “Bring Your Own Device,” where employees use a single personal mobile phone (or tablet) for their personal email, texting, and social media as well as for work email, word processing, and other enterprise applications.


Before the Bring Your Own Device era, a company’s greatest out-of-office security concern was an employee who left a briefcase in a taxi. Today, the worry is an employee misplacing a device the size of a wallet containing almost limitless amounts of data that criminals or hackers would easily and quickly exploit if given the chance. Clearly, there is an obvious financial motivation for all businesses to protect their own or their customers’ sensitive data.

However, lawyers face particular ethical consequences if they fail to take reasonable efforts to either investigate the technologies that they implement or protect their client’s confidential information.

The New Ethics of Legal Technology

The ABA began a thorough review of the Model Rules of Professional Conduct in 2009 in order to better educate and equip lawyers about their ethical obligations in light of advancing technological developments. As a result of the Ethics 20/20 commission, numerous changes to the model rules were adopted by the ABA’s House of Delegates on August 6, 2012 including changes to Model Rule 1.1 (competency) and Model Rule 1.6 (confidentiality). Though the material and information contained on this blog is for academic and educational purposes only and this information is not provided in the course of an attorney-client relationship and is also not intended to constitute legal advice (ugh, disclaimers), we will look at the two amended rules and then at some steps that should help you in your efforts to comply with the requirements. However, you should check with your individual state’s ethics rules and seek the guidance of an attorney in your jurisdiction for legal advice.

Model Rule 1.1 – The New Comments about a Lawyer’s Competency

The black letter law of Model Rule 1.1 requiring competency did not change and requires that:

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

However, the ABA did adopt an amended Comment [8] (previously known as Comment [6]) to Model Rule 1.1 advising that:

 To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (emphasis on text added in August 2012).

This change suggests that lawyers are not demonstrating the level of “competency” necessary to satisfy Model Rule 1.1 if they do not stay abreast of relevant technology such as mobile device security when that security is the last line of defense protecting a client’s confidential data.

Model Rule 1.6 – The New Rules and Comments about a Lawyer’s Efforts to Keep the Client’s Information Confidential

Also, the ABA amended Model Rule 1.6 itself by adding Paragraph (c) that, for the first time, requires that:

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

This is a monumental change that sets a new standard suggesting that lawyers are required to implement reasonable technological safeguards to prevent even an “inadvertent” disclosure of a client’s information or data.

The ABA seemed to confirm this new philosophy through the amendment of Comment [18] of this rule which, in part, specifically states that:

Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. (emphasis on text added in August 2012)

Also, Comment [18] added brand new language explaining that:

The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.

Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

It is important to note that the ABA does not seem to expect lawyers to immediately become IT security experts, as Comment [18] acknowledges that there would be no violation under Model Rule 1.6 “if the lawyer has made reasonable efforts to prevent the access or disclosure.”

So, what do the new Model Rules tell us about our ethical obligations in using mobile devices? Quite simply, lawyers are arguably now expected to investigate, appreciate, and understand the risks associated with using a mobile device or allowing an employee to do so in furtherance of the lawyer’s practice. Also, lawyers are arguably now expected not only to understand their applicability but to actually implement reasonable efforts, such as software or hardware safeguards, to prevent unauthorized access by a third party (such as a hacker, a thief, or a well-intentioned but nosy family member) to their clients’ confidential data (such as correspondence, notes, financial records, etc.).

Two Suggestions to Comply with Model Rules 1.1 and 1.6: Bring Your Own Device Policies and Mobile Device Management Software

So, what are some action steps for a lawyer in light of the adoption of these two new ethical mandates? While reading this article is surely an effort to educate yourself about the ethical implementation of technology in your practice, the following two suggestions are possible actions to take in order to protect your clients’ data:

The Bark: Bring Your Own Device Policy Basics

First, a managing lawyer who allows other partners, associates, or staff of any nature to use their personal mobile devices for firm or client work should create a Bring Your Own Device policy that defines the firm’s security policies. A Bring Your Own Device policy often contains language regarding the following important issues:

  • Permitted devices – Which devices will you permit (phones, tablets, laptops?)
  • Password requirements – How strong must passwords be (length, complexity) and in what situations must they be used (phone lock screen, all apps, etc.)?
  • Support limitations – Will the firm offer any technical support for the user’s personal device and, if so, will it be limited to just problems relating to the firm’s apps and data?
  • Ownership of data/apps – The firm should specify that it owns certain apps and any data relating to the firm or its clients
  • Whitelisting/Blacklisting of apps – Which apps are allowed and which ones are banned (Facebook, Netflix, etc.)?
  • Acceptable Use Policy integration – If your firm doesn’t have an Acceptable Use Policy that defines appropriate use of firm-owned technology (such as not engaging in personal social media postings during the day), an AUP should be developed that does not conflict with the Bring Your Own Device policy.
  • Loss or Theft procedure – What will happen in the event that a device is lost or stolen? How quickly should the firm’s IT manager, managing partner, or office manager be notified by the user? What passwords are changed in what time frame? Must clients be notified?
  • Exit Strategy – If an employee/user voluntarily or involuntarily leaves the firm, how is their device restored to personal-only use? What apps are deleted and what accounts for those apps are disabled?

As a caveat, larger firms that offer firm-issued devices typically set policies and utilize software or hardware safeguards through their IT department. However, it is entirely possible, particularly in a growing small firm, that the firm may issue firm-owned mobile devices but only in the sense that the firm physically hands out the mobile devices for which it pays without any additional IT management or oversight. In this scenario, though the “Bring Your Own Device” in the policy’s title doesn’t necessarily apply, a BYOD policy is materially the same in terms of security requirements as a firm policy on firm-owned mobile devices. The only difference is that the BYOD policy traditionally contains specific language relating to the personal portion of the mobile devices’ data.

Second, a Bring Your Own Device policy on its own is truly only worth the paper on which it is written. Quite simply, constant human monitoring (without a software/hardware component) of a user’s personal device is impractical and would likely create accusations of privacy invasion. The solution is cloud-based mobile device management (“MDM”) software.

The Bite: Mobile Device Management in the Cloud

MDM software is the bite behind the Bring Your Own Device policy’s bark. The typical implementation consists of a manager (IT, firm, office, etc.) setting up an account on the vendor’s website and setting any combination of numerous security policies and then requiring every Bring Your Own Device user to download and install the vendor’s management app. When the vendor’s app is installed, the device will be added to the firm’s roster on the website, the policies set by the manager will be pushed to that user’s device, and the user will be subject to those policies. There are multiple vendors from well-known tech companies such as IBM, Citrix, and VMware who offer completely affordable solutions starting from $5-6 per device per month.

The policy settings in an MDM system are far more technical, specific, and in-depth than the rules and guidelines contained within a Bring Your Own Device policy. Some of the settings closely mirror a related written clause in a Bring Your Own Device policy.

For example, an MDM system will render a phone inoperable if that phone’s lock screen password, or the password to access the email application, is not of a certain length and complexity. Also, MDM systems can actually prevent the download of blacklisted apps, where a Bring Your Own Device policy simply designates the download of those apps a violation of the firm’s rules.

Other settings are unique technological innovations that achieve the goals of the Bring Your Own Device policy like systems that allow the “sandboxing” of related apps. An example of “sandboxing” might consist of the manager allowing the user to download the Dropbox and Microsoft Word apps and then set up a restriction that those two apps can only share data with each other and the standard Apple email app. This type of scenario would restrict a user from sharing client documents stored on Dropbox with the user’s unregulated personal document management app (such as their personal Google Drive app).

Lastly, an MDM system can be configured to allow the manager to remotely “wipe” every last bit of data from a device if it is lost or stolen or, more recently, to “wipe” the phone if anyone tries to remove the network’s SIM card (which allows the MDM system to track the stolen or lost phone’s location). From an ethical standpoint, these are the types of safeguards that help protect a client’s confidential data from misuse by thieves or former Bring Your Own Device employees.
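As an added illustration (not code from this post or from any MDM vendor), the following Python sketch evaluates an enrolled device against the kinds of rules described in this section: passcode strength, blocked apps, sandboxed data sharing between firm apps, and a wipe trigger on loss or SIM removal. The policy values, app identifiers and device records are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy mirroring the BYOD clauses above; app identifiers are
# made-up labels, not real bundle ids.
POLICY = {
    "min_passcode_length": 8,
    "require_alphanumeric": True,
    "blocked_apps": {"example.netflix", "example.facebook"},
    # "Sandbox": apps permitted to exchange firm data with one another.
    "firm_data_sandbox": {"example.dropbox", "example.word", "example.mail"},
}

@dataclass
class Device:
    owner: str
    passcode_length: int
    passcode_alphanumeric: bool
    installed_apps: set
    share_attempts: list = field(default_factory=list)  # (source app, destination app)
    reported_lost: bool = False
    sim_removed: bool = False

def evaluate(device, policy=POLICY):
    """Return (action, findings); action is 'wipe', 'lock', 'restrict' or 'compliant'."""
    # Loss/theft clause: a lost report or SIM removal triggers a remote wipe.
    if device.reported_lost or device.sim_removed:
        return "wipe", ["device lost/stolen or SIM removed: remote wipe"]
    findings = []
    # Password clause: a weak lock-screen passcode renders firm access inoperable.
    if device.passcode_length < policy["min_passcode_length"]:
        findings.append(f"passcode shorter than {policy['min_passcode_length']}")
    if policy["require_alphanumeric"] and not device.passcode_alphanumeric:
        findings.append("passcode must be alphanumeric")
    if findings:
        return "lock", findings
    # Blacklist clause: banned apps are blocked, not merely prohibited on paper.
    for app in sorted(device.installed_apps & policy["blocked_apps"]):
        findings.append(f"blocked app installed: {app}")
    # Sandbox clause: firm-data apps may only share with other sandboxed apps.
    sandbox = policy["firm_data_sandbox"]
    for src, dst in device.share_attempts:
        if src in sandbox and dst not in sandbox:
            findings.append(f"blocked share {src} -> {dst}")
    return ("restrict" if findings else "compliant"), findings

def triage(devices, policy=POLICY):
    """Map each device owner to the action an MDM console would take."""
    return {d.owner: evaluate(d, policy)[0] for d in devices}
```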

The recently amended Model Rules 1.1 and 1.6 suggest that solo and small-firm lawyers are required to reasonably investigate and implement Bring Your Own Device policies and MDM solutions in order to prevent the unauthorized disclosure of confidential client data and communications when they allow lawyers and staff to use their own personal cell phones or tablets to conduct firm business. Again, thanks to the cloud, solo and small-firm lawyers have an option to utilize the cutting-edge technology employed by Fortune 500 companies to protect their clients’ confidential data for the monthly price of a deli sandwich. On second thought, maybe we can forgive Apple – these smart phones are not as difficult to manage as we once thought.

Once again, the disclaimer! While I am a licensed attorney in Ohio, I am not your attorney. This blog post is not legal advice nor should it be considered as legal advice. Check your state bar rules of professional conduct and ethics opinions for more information or speak to an ethics attorney.