The rise of mobile devices has created uncertainties regarding what authority a company has over an employee’s personal device if it is also used for work-related activities, and what actions a company must take if a device is lost or stolen, according to experts.
Mobile devices are vulnerable to cyber attacks just like desktop computers and laptops are, according to Larry Collins, vice president, e-solutions, risk engineering at Zurich NA. Speaking yesterday during Advisen’s webinar, “Cyber Security: The Growing Liability of Handheld & Mobile Devices,” Collins explained that these devices are essentially mini or micro computers, and he added that any computer system that has a networked connection or software system can be broken into and hacked.
Additionally, because devices such as smartphones and tablets are small and portable, they are easily misplaced. John Mullen, a partner with Nelson Levine de Luca & Hamilton, said during the webinar that the TSA had to lease a new warehouse just to store devices misplaced and left behind at airports.
If a mobile device is misplaced by a high-ranking employee connected to sensitive data, and that employee does not immediately report the device as lost, the company could be facing a large problem by the time the issue comes to light, Mullen said.
Even if a lower-ranking employee loses a device, problems can arise, Mullen noted. That employee may have information stored on the device including contacts, photos, call history, and notes and personal information about contacts.
If the employee works in the healthcare field, theft of such information could trigger Health Insurance Portability and Accountability Act (HIPAA) violations, Mullen said.
Mullen pointed to another emerging risk tied to mobile devices: a “bring your own device” philosophy developing at many companies. He said there are some advantages to such a policy, such as cost savings if employees are spending their own money on smartphones and tablets that are constantly evolving and being updated.
However, he said such a policy can raise questions regarding who owns the data on the phone when company data is mixed with personal data. For example, Mullen asked if the company would have the authority to wipe the information from the phone when the employee leaves the company.
Mullen said that if an employee connects a personal device to a company network, the company just inherited responsibility for that device.
Despite the risks, though, Catherine Mulligan, senior vice president at Zurich NA, said that in an age where employees take advantage of 24/7 connectivity, a mix of personal and company information on personal devices “feels pretty inevitable.”
In order to address the risks around mobile devices, the webinar panel said companies must enact comprehensive risk-management plans that include training employees on how to respond if a device is lost or stolen.
Mulligan said C-suite executives and risk managers cannot assume that IT departments will be responsible for all security measures. Plans have to be enterprise-wide, she said. Risk management, she explained, starts with IT controls such as VPN (virtual private network) usage, encryption, and having a plan to track down lost devices and react.
But beyond the IT department, employees should know who to call if a device is lost or stolen, and the person the employee calls should know what to do once notified, said Mulligan. She said companies should provide regular training in which all employees using personal devices must participate on an annual basis.
Mullen added that response to a lost device can become “surprisingly simple” if a company has the proper procedures in place.
Mulligan said insurance for devices is also available. Coverage, she said, is not much different for mobile devices than for any other type of data breach. She said there is liability coverage that deals with legal costs and third-party expertise such as forensics firms to analyze a breach and call centers to provide information and public relations. Coverage also may include services, such as access to tools to estimate costs, a checklist for a company’s planned response, and access to experts who can answer questions and review a company’s policies and procedures.