Archiving To Help Solve BYOD

We have written before about the security, privacy, compliance and legal issues created by the Bring Your Own Device (BYOD) phenomenon.  And if BYOD seems difficult here in the US, it’s far more difficult in the EU with its stronger protection of personal data.  With BYOD, personal information is being mixed with corporate information on an employee-owned device, often with no real corporate oversight, creating all kinds of new problems.

The UK’s Information Commissioner’s office recently published guidance to assist organizations in dealing with BYOD concerns in the EU.  Of course, a main point is that having a clear and effective BYOD policy is a crucial step for any organization.  But one issue, along with its related advice, really caught our attention:

     “If copies of data are stored on many different devices. . . there is an increased risk that personal data will become out-of-date or inaccurate over time … [or] retained for longer than is necessary … [because] it is more difficult to keep track of all copies of the data.  Using devices to connect to a single central repository of data can help mitigate this risk.”   [Emphasis added].

Centralized archives, operating and retaining data according to company policies, serve this purpose.  For example, rather than having email (and attachments) stored on various email servers, in PST files and on devices for every custodian, it should be stored in, maintained in, accessed from (and ultimately deleted from) a single-instance email archive.  Each device can serve as a “window” to that centralized content so that it’s accessible as needed, and then deleted.  This avoids creating new instances of each message that are stored and managed for each individual device requiring access to the data.  And this same concept can be applied to documents from file systems, SharePoint, even records management systems.

Not every organization will have to meet EU (or even EU-style) data requirements.  But centralizing and managing content is a solid best practice that will pay dividends no matter where you are located.

BYOD: Bring Your Own . . . Disaster?

While the “Bring Your Own Device” phenomenon seems to be gathering even more momentum, few organizations seem to be working on the compliance issues that BYOD can create.  BYOD is clearly an important technology wave, but without some thoughtful planning, BYOD could easily turn into “Bring Your Own Disaster”.

BYOD can be loosely defined as employees using their own devices to access company resources and complete job-related tasks.  In the real world, BYOD can be as simple as an employee using personal funds to purchase a cell phone for business use, or as complex as an employee-purchased tablet (or laptop!) with monthly wireless charges reimbursed by the company and access to the company network encouraged.  These devices can boost productivity, but with an impact.  Some companies have found that several hundred applications — typically unapproved and many completely unknown to the company — are touching their network from employee smartphones.

BYOD creates concerns that need to be addressed, or at least considered.  In the more complex situations (usually with laptops or tablets), both corporate and personal data will probably be mixed on the device.  If a mixed use device contains illegal or infringing data, is the company responsible?  If a lawsuit or investigation requires access to the employee’s data, does the company have the right — or obligation — to collect relevant information from the device?  What if it has the obligation but not the right?   And what happens if data is clearly relevant to a company issue but also clearly personal to the employee — will the employee resist?

Specific regulations regarding data retention or security may also be triggered.  How does an employer ensure that record content created on these devices, which may have never touched a corporate server, is retained for required retention periods?  Ensuring compliance with regulations such as HIPAA (related to health information) and 17a-4 (broker-dealer communications) is unlikely without the company having some access to and knowledge of information created and/or stored on the device.  Outside the US, the problem can become more difficult because data privacy laws further limit the company’s access to the information.

What can you do?  Although the ultimate solutions will likely be technology based, start with policies.  Dust off your records retention, email retention, corporate network, cell phone, security and other related policies and read them with an eye on BYOD issues. Consider whether the company can or should mandate access to a personal device used for corporate purposes, or create an obligation granting access to the device if it has data necessary for the company’s regulatory requirements or legal requests.  There is not yet much guidance from the courts on whether this is sufficient, but putting these requirements in writing is a start.

Longer-term solutions may be technology based.  Access to company resources via smartphones and tablets can be controlled through security applications installed on the device.  Applications (like EMC’s Syncplicity) can deliver the convenience and open collaboration of an application like Dropbox but with corporate controls.  And some creative planning can ensure that most email and documents available on a smartphone or tablet are also on a corporate network for easier access and retention.

But beware — employees and employers may not see eye-to-eye on many of these concerns. For example, over 75% of employees said they would not give an employer access to see the apps installed on their device and would not permit a tracking application to identify their whereabouts.

Like it or not, BYOD is here.  Giving it some consideration and planning now can help you ensure the productivity side of BYOD without the disaster.

Are you moving your data smartly?

Bryant Bell, eDiscovery Expert, EMC Information Intelligence Group

In my last posting I wrote about what you can do to protect your company assets if you decide to move your ESI (electronically stored information) into the cloud. I pointed out that you should be sure that your cloud provider adheres to or is at least aware of US – EU Safe Harbor. This has been a topic of concern for multinational or at least transatlantic corporations. But now with the advent of the cloud your data could be stored in Dublin, Ireland or Stuttgart, Germany even though you may be a medium-sized business in Laredo, TX. The cloud will now essentially force you to start thinking about your data as if you were a multinational even if your business doesn’t expand past Texas. This is because you have now tossed your ESI into the cloud and it will reside in any country your provider finds fit. So as you take that “Journey to the Cloud” I want to share some suggestions from Greg Buckles from the Discovery Journal, http://ediscoveryjournal.com/2011/06/moving-your-esi-to-the-cloud/

You need to understand, and ask your cloud provider questions about, the basic infrastructure and data flow process that your ESI will experience:

  • How is it transferred to the cloud?
  • Where does it physically reside?
  • Is it transformed for storage?
  • How is it kept separate from other customers?
  • Does the company own all the infrastructure outright?
  • What is the disaster recovery or co-location arrangement?
  • What are your guarantees on uptime, accessibility and Service Level Agreements (SLAs) for issues?
  • What are the company policies on data privacy, subpoenas and security?
  • How can your ESI be accessed, searched and retrieved?
  • What are reasonable restoration rates for retrievals?
  • Is there an established migration/transfer mechanism in case you want to change providers?

From a regulatory, internal investigation and litigation perspective, the points to pay particular attention to are: Where does your data reside? What are the company policies on data privacy, subpoenas and security? And how can your ESI be accessed, searched and retrieved?

Moving to the cloud may be inevitable, but make sure you have a plan and are taking safeguards.