OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three-part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; free two-week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the third entry here.
Preventing Access by Unauthorized Persons
This section highlights steps that hedge fund managers can take to prevent unauthorized users from accessing a mobile device or any transmission of information from a device. Concerns over unauthorized access are particularly acute in connection with lost or stolen devices.
[Lawyers] recommended that firms require the use of passwords or personal identification numbers (PINs) to access any mobile device that will be used for business purposes. Aaron Messing, a Corporate & Information Privacy Associate at OlenderFeldman LLP, further elaborated, “We generally emphasize setting minimum requirements for phone security. You want to have a mobile device lock with certain minimum requirements. You want to make sure you have a strong password and that there is boot protection, which is activated any time the mobile device is powered on or reactivated after a period of inactivity. Your password protection needs to be secure. You simply cannot have a password that is predictable or easy to guess.”
Second, firms should consider solutions that facilitate the wiping (i.e., erasing) of firm data on the mobile device to prevent access by unauthorized users . . . . [T]here are numerous available wiping solutions. For instance, the firm can install a solution that will facilitate remote wiping of the mobile device if the mobile device is lost or stolen. Also, to counter those that try to access the mobile device by trying to crack its password, a firm can install software that automatically wipes firm data from the mobile device after a specific number of failed log-in attempts. Messing explained, “It is also important for firms to have autowipe ability – especially if you do not have a remote wipe capability – after a certain number of incorrect password entries. Often when a phone is lost or stolen, it is at least an hour or two before the person realizes the mobile device is missing.”
Wipe capability can also be helpful when an employee leaves the firm or changes mobile devices. . . Messing further elaborated, “When an employee leaves, you should have a policy for retrieving proprietary or sensitive information from the employee-owned mobile device and severing access to the network. Also, with device turnover – if employees upgrade phones – you want employees to agree and acknowledge that you as the employer can go through the old phone and wipe the sensitive aspects so that the next user does not have the ability to pick up where the employee left off.”
If a firm chooses to adopt a wipe solution, it should adopt policies and procedures that ensure that employees understand what the technology does and obtain consent to the use of such wipe solutions. Messing explained, “What we recommend in many cases is that as a condition of enrolling a device on the company network, employees must formally consent to an ‘Acceptable Use’ policy, which defines all the situations when the information technology department can remotely wipe the mobile device. It is important to explain how that wipe will impact personal device use and data and employees’ data backup and storage responsibilities.”
Third, a firm should consider adopting solutions that prevent unauthorized users from gaining remote access to a mobile device and its transmissions. Mobile security vendors offer products to protect a firm’s over-the-air transmissions between the server and a mobile device and the data stored on the mobile device. These technologies allow hedge fund managers to encrypt information accessed by the mobile device – as well as information being transmitted by the mobile device – to ensure that it is secure and protected. For instance, mobile devices can retain and protect data with WiFi and mobile VPNs, which provide mobile users with secure remote access to network resources and information.
Fourth, Rege suggested hedge fund managers have a procedure for requiring certificates to establish the identity of the device or a user. “In a world where the devices are changing constantly, having that mechanism to make sure you always know what device is trying to access your system becomes very important.”
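As an added illustration (not code from the interview, the firm or any vendor), the following check evaluates device inventory records against the minimum lock, autowipe, encryption and certificate requirements described above. The field names, thresholds, PIN heuristic and the two-device inventory are all constructed assumptions; a real MDM export would carry different fields.

```python
from dataclasses import dataclass
from typing import Optional
# Assumed minimums for illustration only; a firm sets its own thresholds.
MIN_PIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 10      # wipe firm data after this many wrong entries
MAX_INACTIVITY_SECONDS = 300  # relock after five minutes idle

@dataclass
class DeviceRecord:
    """One device's reported settings (hypothetical MDM inventory fields)."""
    device_id: str
    pin_length: int                # 0 means no device lock configured
    lock_on_boot_and_idle: bool    # the "boot protection" from the interview
    inactivity_seconds: int
    wipe_after_failed: Optional[int]  # None: no autowipe configured
    remote_wipe_enrolled: bool
    storage_encrypted: bool
    has_device_certificate: bool

def is_predictable_pin(pin: str) -> bool:
    """True if too short, non-numeric, one repeated digit, or a straight run."""
    if len(pin) < MIN_PIN_LENGTH or not pin.isdigit() or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})  # e.g. 123456 or 654321

def policy_findings(d: DeviceRecord) -> list:
    """Return the requirements a device fails; an empty list means compliant."""
    findings = []
    if d.pin_length < MIN_PIN_LENGTH:
        findings.append("device lock missing or PIN below minimum length")
    if not d.lock_on_boot_and_idle:
        findings.append("no lock at power-on or after inactivity")
    if d.inactivity_seconds > MAX_INACTIVITY_SECONDS:
        findings.append("inactivity timeout too long")
    if d.wipe_after_failed is None:
        # autowipe covers the hours before a loss is noticed and reported
        findings.append("no autowipe" + ("" if d.remote_wipe_enrolled else " and no remote wipe"))
    elif d.wipe_after_failed > MAX_FAILED_ATTEMPTS:
        findings.append("autowipe threshold above maximum")
    if not d.storage_encrypted:
        findings.append("data at rest not encrypted")
    if not d.has_device_certificate:
        findings.append("no certificate to identify the device")
    return findings

# Constructed inventory: one compliant phone, one that fails nearly everything.
INVENTORY = [
    DeviceRecord("phone-01", 6, True, 120, 10, True, True, True),
    DeviceRecord("phone-02", 4, False, 900, None, False, False, False),
]
```

The PIN heuristic is deliberately narrow (repeated digits and straight runs); a production enrollment flow would also reject a list of commonly chosen PINs.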
Preventing Unauthorized Use by Firm Personnel
Hedge fund managers should be concerned not only by potential threats from external sources, but also potential threats from unauthorized access and use by firm personnel.
For instance, hedge fund managers should protect against the theft of firm information by firm personnel. Messing explained, “You want to consider some software to either block or control data being transferred onto mobile devices. Since some of these devices have a large storage capacity, it is very easy to steal data. You have to worry not only about external threats but internal threats as well, especially when it comes to mobile devices, you want to have system controls that are put in place to record and maybe even limit the data being taken from or copied onto mobile devices.”
To prevent unauthorized access and use of the mobile device, firms can consider remote monitoring. However, monitoring solutions raise employee privacy concerns, and the firm should determine how to address these competing concerns.
Because of gaps in expectations regarding privacy, firms are much more likely to monitor activity on firm-provided mobile devices than on personal mobile devices. . . . In addressing privacy concerns, Messing explained, “You want to minimize the invasion of privacy and make clear to your employees the extent of your access. When you are using proprietary technology for mobile applications, you can gain a great deal of insight into employee usage and other behaviors that may not be appropriate – especially if not disclosed. We are finding many organizations with proprietary applications tracking behaviors and preferences without considering the privacy implications. Generally speaking, you want to be careful how you monitor the personal device if it is also being used for work purposes. You want to have controls to determine an employee’s compliance with security policies, but you have to balance that with a respect for that person’s privacy. When it comes down to it, one of the most effective ways of doing that is to ensure that employees are aware of and understand their responsibilities with respect to mobile devices. There must be education and training that goes along with your policies and procedures, not only with the employees using the mobile devices, but also within the information technology department as well. You have people whose job it is to secure corporate information, and in the quest to provide the best solution they may not even consider privacy issues.”
As an alternative to remote monitoring, a firm may decide to conduct personal spot checks of employees’ mobile devices to determine if there has been any inappropriate activity. This solution is less intrusive than remote monitoring, but it is likely to be less effective in ferreting out suspicious activity.
Policies Governing Archiving of Books and Records
Firms should consider both technology solutions and monitoring of mobile devices to ensure that they capture all books and records that must be kept under the firm’s own books and records policies and under applicable law and regulation.
Also, firms may contemplate instituting a policy to search employees’ mobile devices and potentially copy materials from them to ensure the capture of all such information or communications. However, searching and copying may raise privacy concerns, and firms should balance recordkeeping requirements against those concerns. Messing explained, “In the event of litigation or other business needs, the company should image, copy or search an employee’s personal device if it is used for firm business. Therefore, employees should understand the importance of complying with the firm’s policies.”
Policies Governing Social Media Access and Use by Mobile Devices
Many firms typically have policies and procedures in place that ban or restrict the spread of business information via social media sites such as Facebook and Twitter, including with respect to the use of firm-provided mobile devices. Specifically, such a policy could include provisions prohibiting the use of the firm’s name; prohibiting the disclosure of trade secrets; prohibiting the use of company logos and trademarks; addressing the permissibility of employee discussions of competitors, clients and vendors; and requiring disclaimers.
Messing explained, “We advise companies just to educate employees about social media. If you are going to be on social media, be smart about what you are doing. To the extent possible, employees should note their activity is personal and not related to the company. They also should draw distinctions, where possible, between their personal and business activities. These days it is increasingly blurred. The best thing to do is just to come up with common sense suggestions and educate employees on the ramifications of certain activities. In this case, ignorance is usually the biggest issue.”
Ultimately, many hedge fund managers recognize the concerns raised by mobile devices. However, many also recognize the benefits that can be gained from allowing employees to use such devices. In Messing’s view, the benefits to hedge fund managers outweigh the costs. “Everything about a mobile device is problematic from a security standpoint,” Messing said, “but the reality is that the benefits far outweigh the costs in that productivity is greatly enhanced with mobile devices. It is simply a matter of mitigating the concerns.”