As attorneys demand the ability to do more work on their mobile devices, IT departments of all sizes are scrambling to address the challenges of keeping information assets protected. While the firm’s confidential data is typically stored securely inside its private network, attorneys and their mobile devices are roaming around in a very hostile environment. In order to operate properly, an App installed on the attorney’s device will need one of two things:
- Remote access to the data.
- A local copy of the data.
In this post we will focus on Apps that have a local copy of the data stored on the user device and why that could be dangerous for law firms.
The Nature of Confidential Data On Mobile Devices
You might be wondering exactly what kind of data we are referring to, and here is your answer: anything that you or your clients would consider confidential and privileged information. It could be something as simple as client or matter names (e.g., “ABC merger with XYZ”), or it could be something more complex such as deposition documents, medical histories, etc. It also includes account information such as usernames, passwords, or VPN credentials that, if exposed, could be used to steal additional data or breach your backend systems.
How Can Data Stored On a Mobile Device Be Compromised?
Mobile devices are lost or stolen quite often. If those devices contain confidential data, then the data is lost or stolen as well. And if you think that most people who find a lost device will simply erase it, think again: research conducted by Symantec found that on 83% of lost devices there were attempts to access corporate-related apps or data.
Are You Obligated to Notify Your Clients Anytime a Device is Lost or Stolen?
From a professional ethics point of view, if you lose a device containing a list of all your matters, you should contact all your clients to let them know. The ABA seems to indicate so here (see Section III.A), and your clients would probably agree. In addition to any ethical obligations, each jurisdiction may have its own notification requirements for different kinds of confidential information. For example, take a look at this useful chart compiled by the folks at Baker Hostetler listing the notification requirements for PII in different states.
But What if You Have Implemented an MDM Solution?
MDM solutions will help you encrypt or obfuscate the data stored on user devices, but keep in mind that these systems are not bulletproof and have been shown to be vulnerable on multiple occasions in the past. Also, most MDM deployments keep the encryption keys on the device itself, so you are still on the hook to notify your clients about lost devices. MDM solutions also provide remote wipe capabilities, but the wipe won’t take effect until the phone reconnects to the network, which may give whoever holds the device additional time to compromise the data on it.
How Can You Tell if an App Stores Data on User Devices?
You should ask the App’s vendor what data is stored on the device, how it gets there, how it is protected, and how it can be removed. Most vendors will be forthcoming, but some will be less so. One thing is certain: if the App advertises any kind of “offline mode” capability, that’s a sure sign that it is storing confidential data on the device and that this whole discussion applies to you.
The bottom line is simple: Apps that store confidential data on user devices, whether encrypted or not, are ticking time bombs waiting to explode. Your best approach is to find similar Apps that provide your attorneys with the same capabilities without putting your data at risk.