Ok, it looks like my work is done here, folks. You’re welcome. All of my posting and journaling and blogging about the threat faced by in-house counsel (and every other kind of counsel) from the BYOD revolution has been proven by a survey!
According to Corporate Counsel’s 2013 Tech Survey, “mobile is here, and it’s hot.” And, “it … may be steering law departments toward trouble.”
The survey findings from nearly 50 companies with nearly 50 lawyers on their rolls each revealed that 76 percent allowed their legal staff to use their own mobile devices for work. This should not be surprising, considering that approximately everyone has a “smart” device of some sort today. What is surprising, however, is that nearly a quarter of those responding said that their legal department had no policy in place covering the use of these devices. Well, maybe not surprising, but certainly disappointing. (Especially the 3 percent who admitted they didn’t know whether or not there was a policy in place!)
Meanwhile, the survey also shows a concurrent uptick in those who use “cloud-based services”. Presumably, the use of remotely-hosted services and repositories both encourages and responds to mobile workflows. The survey finds that “[n]early two-thirds of respondents—63 percent—said that their legal department uses cloud-based services, up from 50 percent in 2011.” In an uncharacteristically positive statement from the legal industry, 80% of those who have shifted to the cloud report a “mostly positive” experience while the other 20% say it was “somewhat positive”. So, to restate this a bit: 100% of respondents have had positive experiences in utilizing “the cloud”.
I think the main take-away here, clearly, is that mobility continues to change the way we do the work we do and, for those of us who read blogs like this about technology and the legal world, to change the work we do itself. At least, the work we do should be changing. It’s worth noting, as CorporateCounsel does,
One of the more startling findings on our 2011 survey was that only half of responding legal departments had a formal security policy for mobile devices . . . 23 percent of law departments said they still had no formal security policy.
At the risk of pounding one note into the ground here, I would like to ask you to re-read that quote. A “startling finding” on this same survey — two years ago — is still found on this current survey two years later with only marginal improvement. It’s true that much of the important decision-making that goes on the legal sphere turns on determinations of reasonableness. Our duty to comply with discovery requests, for instance, often boils down to a duty to do whatever a reasonable company would do to collect and hand over any relevant documents that another reasonable company has reasonably requested. Our duty to preserve documents boils down to a duty to take reasonable measures to preserve documents. Our duty to protect our clients’ documents from electronic theft is a duty to take reasonable precautions to protect ourselves and our clients from reasonably anticipated malware attacks.
If I may make a bold generalization, the genius of the reasonableness standard is quite simply that it is not really a fixed standard, it’s more of a dynamic state. Sure, we refer to it in law school as the “objective” standard but that’s law school. What reasonableness actually becomes in the real world is dependant on the circumstances that surround it at a given time. Or, what were reasonable precautions five years regarding either the safeguarding of an electronic repository or an electronic document transfer or an electronic preservation effort should certainly not be found reasonable today. This digital landscape remains a frontier. And the newest territory, expanding steadily like our networks of social “connections”, is the territory occupied by mobile devices.
For today, I’d like to call out three areas where the findings in the survey are of particular importance. You will not be surprised to to hear what they are when you consider that I work for a company that legitimately produces promotional mousepads with the tagline: “Digital Investigations of Any Kind” next to concentric circles representing digital forensics, cyber security and electronic discovery.
Mobile Device Forensics
There is also the issue of how documents are getting onto mobile devices. Does the company have its own internal process for access—for example, letting attorneys download what they need from a central repository? Or must lawyers go the DIY route, using third-party, often cloud-based solutions, like Dropbox—outside the company’s reach and perhaps even its knowledge?
As we’ve discussed often and in some depth here, the wall that separates e-Discovery and digital forensics is flickering away like the mirage it’s always been. No where perhaps is that more evident than in the case of mobile devices. These devices bop in and out of wireless networks and cellular connections and utilize a dizzying variety of “cloud” servers to store the data they create or collect. This is all very cool for employees and, handled correctly, even better for employers. In virtual essence, the new mobility “enables” employees to never leave the office.
However, they do leave the secure corporate intranet. They do leave the document management system. They begin a document at their desk and email to their personal account and then upload it to the unvetted third party repository of their choice. They make personal choices based on personal preferences and are, rarely, asked to document those choices.
And then, let’s just hypothetically say, they quit. They go to work for a competitor. Or maybe they retire. Or they have a horrible accident and go on disability. You can use your imagination, right? They leave your network. And maybe that’s on a Monday. After scrambling the next two weeks to replace them and keep the machine running, you breathe a sigh of relief. And, then, it’s 4:55 on Friday — you can taste the weekend ahead.
A hand-delivered envelope arrives with a return address full of last names and LLP. You try to run but you can’t. You have to open it. You’ve been served with requests for documents that have everything to do with the position that’s been vacated. They even name the individual whose gone. They make specific enough references to emails that you know, you just know, he or she did some ill-advised emailing of work-related documents over a weekend or late a night. And you know, you just know, the other side knows it too. You breathe. OK. It’s ok, we can get the cell phone. That’s right. No problem.
You make a few calls. Miracle upon miracle, you actually find the person who knows where the phone is. They promise to ship it to you. They do. Another miracle: it arrives the following Monday. You turn it on. It’s empty. Shenanigans! Can you call it quits now? Have you done what you could? Is your examination reasonably complete?
You know the answer, right? Of course it isn’t. There is a growing market out there of tools thatuncover what was wiped. And, more and more, the judges know it. You can do better and you have to. And you had better do better, because your opposition is going to do better.
In the recent past, perhaps, we could leave forensics to the forensics guys because we at least knew where our data lived — most of the time. It’s just not the case anymore. These devices, so frequently off of our networks, still contain documents created in the course of our business. And we are, in terrifying part, responsible for them.
Mobile Devices and Cyber-Security
After all, these are products that are a lot more likely than laptops and desktop PCs to be lost or stolen, and also more likely to be used for nonwork reasons (no one ever photographed their kid’s graduation with their workplace Dell).
This section goes out, today, to Android users in the audience. According to a report by Juniper, cited last week at Cnet, mobile malware has grown by 614% between March 2012 and March 2013. And, said InfoWorld in May of this year, 94 percent of all mobile malware targets Android. Android devices are much more open that Apple devices, a large part of their attraction. But this openness leaves them vulnerable to attack. This vulnerability, in turn, follows them into and out of the networks they use.
The Corporate Counsel survey finds that most “law departments rely on passwords, encryption, and remote wipes” with some using mobile device management (MDM) software to implement those protections. The troubling term is “rely”. Relying solely on these beneficial tools makes about as much sense as relying solely on our seatbelts as we drive our cars off of a secure highway and onto a minefield before heading over a cliff. The explanation for why we would do that might be that our seatbelts are extraordinarily well-padded, our suspensions and shock absorbers are so perfect that we don’t feel the terrain, and we’re blindfolded.
What I mean is: there’s no reasonable explanation for why we might rely solely on these tools and not use everything available to prevent attacks.
Mobile Devices and Electronic Discovery
Nor is it just security that needs a close look in the mobility era. Law departments may need to rework their policies and processes for documents as well. According to the survey, 71 percent of law departments permit lawyers to bring digital files in from home on electronic devices or flash drives. That raises a crucial question: Where exactly do work-related files reside?
So, coming somewhat full-circle and arriving again at the disappearing line between e-discovery and digital forensics, we have to address the fact that “[h]aving mobile devices and screens everywhere means more locations where corporate records could be located,” says Tom Mighell, former chair of the American Bar Association’s law practice management section.
Attorneys may be notoriously late adopters of new technologies to improve their workflows, but what attorney (or law student) has not conducted a significant (if not a majority) amount of her work on the fly, on the run, at home or in the car while rushing from one “important and time-sensitive” appointment to another? If Blackberries and iPhones are driving the workday of attorneys, it’s a sure thing that these devices (and the data we transmit with them) are also driving the workdays of our clients, coworkers and opponents. Just think of the data that’s hanging out in your own device: emails to co-workers, histories of financial transactions, information casually disclosed to non-co-workers about your workday, off-the-cuff searches for random answers to random questions from your commute or latest team meeting. It very close to a sure bet that the next smoking gun you find will be found on a mobile phone.
So, finally, let’s remember the changes made in March to the ABA Model Rules of Conduct [in bold below]:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Perhaps an attorney can still punt the forensic and security issues related to mobile devices back to specialists in those fields this week. Maybe even next week or the next. But sooner than any of us can say, that option will disappear. It will simply be unreasonable to not address the new mobility.