Mobile Security

Mobile Security for Lawyers

By Susan Kuchinskas. She is a technology journalist in Berkeley and has covered the birth of the Internet, the rise to the cloud, and the move to mobile.

Security challenges mount when lawyers and staff use their own mobile devices for work.

It may infuriate law firm administrators, but if lawyers don’t like the mobile devices their firm supplies, they’ll use their own, and the firm will have to adjust – or risk security breaches.

The use of personal devices for work has become so pervasive it’s known by the acronym BYOD, for “bring your own device,” which became an official word in August, per Oxford Dictionaries Online. CompTIA, an information technology trade group, estimates 64 percent of companies allow or require employees to use their own mobile devices for work; this includes 12 percent that feel the trend would be too hard to stop.

“I personally carry a BlackBerry provided by the firm and an iPhone that I use to keep in touch with my wife and family,” says Todd Wulffson, a partner at Carothers DiSante & Freudenberger in Orange County. “My clients have migrated over to the iPhone because I respond to that quicker. … I don’t text clients, since that’s problematic. If a client texts me I respond using the BlackBerry, since the emails go through the firm exchange and get backed up.”

Even more than other businesses, California law firms have to guard against data breaches: They must comply not only with California SB 1386, the stringent reporting requirements for data breaches, but also with the California Rules of Professional Conduct requiring confidentiality of all client information. “When we renew our licenses every year, we are, among other things, certifying to the State Bar that we are continuing to follow the rules,” Wulffson says. “You have one lawyer that goes rogue and … you could have a malpractice case.”

So firms need cost-efficient software that can secure and protect the full range of devices their lawyers happen to bring in. Enter mobile device management technology, or MDM. As of May, the market research firm Gartner was tracking 18 top MDM vendors, and there are many more. But beware. Some products can’t be configured to manage anything but the standardized devices a company issues, or they can’t control usage securely without getting into the device owners’ personal business. And there’s a substantial risk that nonexempt employees who work in a BYOD environment – and answer the occasional work email at night or on weekends – could rack up lots of overtime. Wendy E. Lane, a partner at Greenberg Glusker Fields Claman & Machtinger in Los Angeles, notes that BYOD also opens firms to claims that employees are being required to provide the equipment to do their job, which is illegal in California.

So Many Choices

To be effective, the software that law firms use to manage BYOD devices must be able to integrate with multiple operating systems and still keep data and applications secure. It can be installed behind a firm’s firewall or delivered as a cloud service. And it can be “self-service,” where each employee provisions his or her personal device with applications and security managed by the firm. Or, devices can be authenticated and set up by the firm’s IT personnel.

“If I want to be able to use my iPad for business as though it was my desktop computer, I hand all my stuff to [IT] and then work with them to make sure we’re protected and following best practices,” says Lane. “Of course, I still have to be mindful not to use my iPad in any way that could compromise security.”

Fresno-based Dowling Aaron saves about 20 hours a month in IT staff time by maintaining fewer laptops for its 41 lawyers to take on the road, now that so many are using their own mobile devices.

BYOD software can include its own mobile apps or manage the data stored on employees’ personal devices using the devices’ native security. But employees who prefer their own devices may resist using firm-approved apps on their mobiles. Another caveat: The American Bar Association’s Legal Technology Resource Center – noting that MDM is still a young field – recommends verifying the financial stability of any software vendor.

BYOD Standouts

– MobileIron is one of many vendors whose MDM software can either be installed on a firm server or run as a cloud service. It offers an app store, where users can access mobile business apps their firm has authorized for use. MobileIron counts law firms of all sizes as customers. Its on-demand MobileIron Anywhere, designed for offices without IT expertise, may appeal to smaller firms. Price: $75 per device for a perpetual license, or $4 per device per month for the cloud-based offering. Access to SharePoint and other repositories costs extra.
– Citrix Systems offers XenMobile, which manages both company-issued and personal devices and can work with a wide variety of mobile operating systems, including the obscure Symbian. It provides a corporate app store where users select approved apps to download and use. Price: From $50 per year per device, or $65 per year per user.
– Good Technology’s Good for Enterprise earned a high rating from Gartner for its strong security framework and the way it allows secure access to corporate email, documents, contacts, calendars, tasks, and a secure browser. At the same time, end users must use Good’s apps to access email and calendars. Price: Annual licenses run $5 per user per month.
– AirWatch also provides secure BYOD software. Lawyers go online to authenticate their devices, and the software then configures secure profiles and installs approved applications and content. Price: From $4 per month per user to manage a mobile device, email, and apps; or $50 per year per device for on-premise software.

Wulffson reminds clients that are contemplating allowing BYOD to keep California employment law in mind. The same goes for law firms: Every time a paralegal answers an email off hours, it adds up.

“Multiply 15 minutes a day by 100 employees by three years, and that’s something to make a class-action lawyer salivate,” he says. “I’ve had clients come up with hundreds of thousands of dollars in liability because they should have known their staff was using a smartphone for work-related activities after hours.”

Darin Adcock, CIO at Dowling Aaron, says his firm allows only exempt employees to use personal devices for work – with one big exception: During a trial or other extended project when attorneys and support staff are working weekends and at night, nonexempt staff are permitted to sync their personal devices with relevant folders on the firm’s server. “Once trial is over, we send an enterprise wipe, and they’re back to their own personal device,” Adcock says. Making BYOD a perk – instead of a requirement – also helps curb disputes, he says.

This is just a sampling of vendors and only a partial list of features, capabilities, and caveats about MDM. As a firm evaluates its options, considering end users’ experience is key. Adcock has found that letting lawyers use the devices they like best keeps them happier and more productive. “You know attorneys,” he says. “If they’re frustrated with a piece of technology, they’ll leave it sitting at the bottom of their briefcase.”