CIO Takes Action to Solve BYOD's Privacy Problem

In California's central valley, attorneys at employment law firm Dowling Aaron came up with a nickname for CIO Darin Adcock, who had just crafted a Bring Your Own Device (BYOD) user policy. They called him "Big Brother," referring to the oppressive party leader in George Orwell's dystopian novel "1984."

"They'd come by my office and say, 'What's up, Big Brother? How's my phone today?'" Adcock says.

CIO Darin Adcock, aka "Big Brother," Dowling Aaron

Then a thief smashed the window of an attorney's Lexus and swiped his iPhone 5. Big Brother leaped into action and quickly wiped the phone of all data and apps, saving the attorney from the threat of having his personal banking information, texts and emails compromised.

Word spread throughout the law firm, and the name-calling stopped. "I started getting comments of appreciation," Adcock says.

The Two Sides of BYOD: Flexibility vs. Security

The events at Dowling Aaron underscore one of the great challenges in the ongoing saga between CIOs and employees: BYOD has a privacy problem. Employees want to tap the power of BYOD to make their work lives easier, while CIOs must take measures to safeguard corporate data.

Truth is, many CIOs attach draconian user policies to their BYOD programs that are heavily weighted toward corporate rights to access and monitor devices. An employee's expectations of privacy get short shrift. Employees simply don't trust the IT department to have access to their personal devices.


Making matters worse, privacy, and technology's capability to circumvent it, is on people's minds these days. Facebook, Microsoft, Apple and Yahoo have all come under fire recently for secretly handing over customer information to the government.

President Obama summed up the problem while defending National Security Agency's spying programs: "We're going to have to find ways where the public has an assurance that there are checks and balances in place ... that their phone calls aren't being listened into, their text messages aren't being monitored, their emails are not being read by some big brother somewhere."

Dowling Aaron is a particularly interesting case, because the firm's employees are well-versed in BYOD. They often advise clients about employment policies and safeguarding corporate assets. Now they are on the receiving end of one of those BYOD employee policies.

You'd think they would be more vocal about employee privacy rights in their own company, but the opposite happened. One of the advisors to the BYOD policy was a Dowling Aaron attorney specializing in HIPAA, the Health Insurance Portability and Accountability Act. He wanted tougher security measures in place.

"If it was up to him, we'd be doing retina scans on our way to work," Adcock says. "I say this only half-jokingly; he'd probably really want it."

BYOD Policy From the Top Down

The drive for greater BYOD security starts at the top. Many of the employees are stakeholder partners. As an employment law firm, they've seen the blunders other companies have made. They understood the dangers of having some 50 attorneys carrying phones with access to client documents but no passcode protection or wipe capabilities.

"If we end up on the front of the Fresno Bee because an attorney left his phone at the bar... the damage to your reputation could literally be millions of dollars," Adcock says.

The first iteration of the BYOD policy emphasizes passcode and wipe. It requires a passcode of at least five digits, prompted after five minutes of screen inactivity, along with the capability to fully wipe a lost or stolen device and to selectively wipe devices when attorneys leave the firm. The latter only affects ActiveSync accounts for corporate contacts, email and calendar.


Adcock knows that BYOD can't start out heavy-handed. "You can go a little deeper once they're comfortable with it," he says. "But if you put all 10 policies on at once, then they're going to fight back and call you Big Brother your whole life."

Upcoming requirements for BYOD user policy 2.0 will include measures such as making sure attorneys have updated anti-virus software. Corporate documents aren't allowed on BYOD phones and tablets but often make their way onto them, and so new requirements will block attachments from being saved.

Dowling Aaron does not track GPS locations nor read personal texts and emails. Adcock does little data collection and auditing even though the mobile device management software he uses, AirWatch, is capable of delivering a wealth of information. He will monitor device memory and advise attorneys when they're nearing thresholds.

That's pretty hands-off, but it didn't stop the "Big Brother" catcalls.

Par for the Compliance Course

Adcock has had his share of run-ins with noncompliant attorneys. One attorney, for instance, is an avid golfer and uses a GPS-enabled mobile golfing app that bogs down due to the five-minute screen inactivity requirement. The attorney regularly turns off the passcode, which invokes an automatic compliance warning from AirWatch to Adcock.

"I'll tell him, 'Let me guess, you're golfing again, just make sure you put it back on so we get the compliance back to 100 percent,'" Adcock says.

Other times, Adcock has had to take more drastic actions, even one aimed at a partner in the law firm. The attorney was sharing his iPad with his family, and they kept taking off the passcode. Adcock sent a friendly email reminder. On the next failed compliance check, Adcock had to selectively wipe the iPad per the BYOD policy.

Top management compelled the attorney to comply with the BYOD policy in the future.
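The first policy's parameters (five-digit passcode, five-minute inactivity lock, full wipe for a lost or stolen device, selective wipe of the ActiveSync account) and the escalation Adcock describes (a reminder on the first failed check, a selective wipe on the next) can be expressed as a small compliance evaluator. This is an added illustration, not code from the article or from AirWatch; the DeviceState fields and the action names are assumptions made for the example.

```python
from dataclasses import dataclass

# Policy values as described for the first BYOD policy:
# passcode of at least five digits, lock after five minutes of inactivity.
MIN_PASSCODE_DIGITS = 5
MAX_INACTIVITY_MINUTES = 5


@dataclass
class DeviceState:
    """Constructed snapshot of what an MDM check-in might report (assumed fields, not AirWatch's schema)."""
    owner: str
    passcode_enabled: bool
    passcode_length: int
    inactivity_lock_minutes: int
    corporate_attachments_saved: bool = False  # policy 2.0 concern: documents that leaked onto the device
    reported_lost: bool = False


@dataclass
class DeviceRecord:
    """One device plus how many consecutive checks it has failed."""
    state: DeviceState
    prior_failures: int = 0


def violations(s: DeviceState) -> list:
    """List every policy rule the reported state breaks (empty list means compliant)."""
    found = []
    if not s.passcode_enabled:
        found.append("passcode disabled")
    elif s.passcode_length < MIN_PASSCODE_DIGITS:
        found.append(f"passcode shorter than {MIN_PASSCODE_DIGITS} digits")
    if s.inactivity_lock_minutes > MAX_INACTIVITY_MINUTES:
        found.append(f"auto-lock longer than {MAX_INACTIVITY_MINUTES} minutes")
    if s.corporate_attachments_saved:
        found.append("corporate attachment saved on device")
    return found


def decide(rec: DeviceRecord) -> str:
    """Return the action for one check-in and update the consecutive-failure counter."""
    if rec.state.reported_lost:
        return "full_wipe"            # lost or stolen device: wipe all data and apps
    if not violations(rec.state):
        rec.prior_failures = 0        # back in compliance resets the escalation
        return "compliant"
    rec.prior_failures += 1
    if rec.prior_failures == 1:
        return "warn"                 # friendly reminder on the first failed check
    return "selective_wipe"           # next failed check: remove only the ActiveSync account
```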

"Luckily, the other board members are all playing ball," Adcock says. "We practice what we preach, because we know it's best practices."

Tom Kaneshige covers Apple, BYOD and Consumerization of IT. Follow Tom on Twitter @kaneshige.
