Shop Talk: Crafting Policies That Address Mobile Computing Risks

Given the ubiquity of iPhones, iPads, and Android-based devices—as well as the perpetual postings to social media sites by the employees who use them—you might expect that most companies have adopted comprehensive policies by now on the use of mobile devices.

THE PANELISTS

The following executives participated in the Sept. 18 roundtable on how to mobile devices, social media, and data security.

Stella Acosta,

Director of Internal Audit & SOX Compliance,

Motorcar Parts of America

Bruce Anderson,

Chief Ethics Officer,

Health Net Inc.

Stephen Arietta,

VP of Internal Audit,

United Online

Raj Chaudhary,

Prin., Practice Leader, Security & Private Practice,

Crowe Horwath

Rick Dukhovny,

VP, Corporate Governance,

ValueClick Inc.

Rick Frye,

Senior Manager, IT,

KB Home

Lisa Hancock,

Chief Compliance & Privacy Officer,

Children's Hospital Los Angeles

Bart Kimmel,

S. Calif. Leader, Risk Consulting Practice,

Crowe Horwath

Ged Nichols,

VP of Corporate Audit,

Fox Entertainment

Diane Novak,

Chief Compliance Officer,

Toyota Financial Services

Tom Rudenko,

Former VP of Internal Audit,

Caesar's Entertainment

Maryanne Siek,

Director, Records Management,

Freeport-McMoRan Cpr. & Gold

For More Information on Compliance Week Roundtables

You would be wrong.

Although smartphones and other mobile gadgets have become a staple in the workplace, whether companies issue them to workers or employees bring their own to work, corporate leadership may still not fully appreciate the risks that such devices present.

At an executive forum last month in Los Angeles that was hosted by Compliance Week and accounting and consulting firm Crowe Horwath, compliance and audit professionals from a diverse set of industries, including entertainment, real estate, and healthcare, discussed both the opportunities that mobile computing offers companies and the unique compliance challenges that it raises. They also discussed the growing need to establish social media policies that foster the use of such powerful sites in a sensible and controlled way.

Raj Chaudhary, principal and practice leader for Crowe Horwath's security and privacy practice, said it was surprising how many companies still don't have comprehensive policies in place for mobile device management that identify the biggest risks and how to address them.

“There are some [companies] who are leading the pack in terms of having a policy in place, but that policy seems to change quite often,” said Bart Kimmel, Crowe Horwath's Southern California leader in its risk consulting practice. “It also appeared that the policies that are in place are much more device reliant and specific versus governance over technology [in a more general way].” He said companies in highly regulated industries tend to have more of a handle on risk mitigation and governance when it comes to new technology.

Healthcare companies, for example, have been dealing with the unique compliance challenges of evolving technology for years. “It was surprising for me to learn that healthcare was ahead of the game in many regards,” said Lisa Hancock, chief compliance and privacy officer for Children's Hospital Los Angeles. She credited this to the many privacy regulations enacted at both the state and federal level for healthcare companies. “Maybe healthcare just made the big mistakes first,” she joked.

Many of these regulations forced companies in the healthcare sector to formalize their approach to how data is handled and who has access to it. The Health Insurance Portability and Accountability Act of 1996, for example, mandated that hospitals have a privacy officer, issue a privacy notice, and provide ongoing employee training on data privacy. These commitments, she said, better positioned management to appreciate the challenges posed by new technologies.

One of the difficulties that companies have in crafting policies for mobile computing is that the technology is evolving so quickly. New versions of devices and the apps that run on them provide the ability to handle data in ways that were never considered just years or even months earlier. The adoption of new technology is faster than what the compliance function or IT Department can keep pace with.

"It depends on the industry," said Tom Rudenko, former VP of internal audit for Caesar's Entertainment. "Companies operating in the digital, gaming, and online space are generally further along the curve, as many of their products and services are already being conducted on mobile devices and they have a more experienced vision about controls."

According to Kimmel, it's better to set broad policies that govern the use of technology in an over-arching way than to try to address specific uses or applications that can quickly become outdated.

Another mistake that companies make is that they don't first get a better grip on the risks they face, several roundtable participants noted. “If you don't start out by doing some level of risk assessment, you are going to be spending money in areas that you shouldn't be, because you really don't have an understanding of your biggest risks and how to mitigate them,” Chaudhary said.

One of those risks is that a portable device can be lost or stolen with sensitive data stored on it. While services exist to track lost devices and, if needed, remotely wipe hard drives, that technology could be an invasion of employee privacy, one roundtable participant offered, because it essentially tracks their whereabouts 24/7. Companies with an international presence, have to worry about how data is transferred and, for example, complying with EU privacy regulations.

"One way to think about social and mobile is to consider them in the risk assessment process," Rudenko said. "How do they rank in helping or preventing the company from achieving its objectives?"

The BYOD Debate

An ongoing debate among companies is over bring-your-own-device policies, allowing employees to use personal tablets and smartphones.

Indeed, many roundtable participants said the subject of allowing employees to BYOD, as it is known, is hotly debated at their organizations. Hancock, for one, said there is little policy agreement on this front among her peers. Some hospitals in her market buy no devices at all for employees and fully embrace BYOD, she said. Others require employees to sign a confidentiality agreement, while some will only allow employees to use a sanctioned device.

Bruce Anderson, chief ethics officer for Health Net (right),  with Crowe Horwath's Raj Chaudhary is at left.

Companies that do allow employees to use their own hardware will want a strong policy in place that puts some guidelines around how such devices can be used. Crafting effective policies needs to have a multi-disciplinary approach, bringing together human resources, marketing, legal, compliance, and IT, Chaudhary said. Reaching out to employees and other end users is also important, as it clarifies how they intend to use the devices and services available to them.

“A key challenge is the tension between the need for risk assessment and the need for speed,” said Maryanne Siek, director of records management for Freeport-McMoRan Copper & Gold Inc., a leading international mining company. “Employees get frustrated by the fact that they have cooler technologies at home than at the office. IT wants to accommodate them by delivering new tools and associated policies as soon as they've met security requirements.”

Executive demands for the latest technology can also push the need to better govern the use of personal devices. “The CEO and CFO will go out and buy an iPad and say, ‘OK, I want all my e-mail on this.' How do you say no to the CEO?” Chaudhary said. “People are in a rush to get things out and that creates another level of risk.”

Social Media Risks

Like mobile computing, social media sites and other communication apps also come with inherent risks to address. For example, a corporate Facebook page carries with it reputational risk, since irate customers can post online missives from an irate customer or employees can post either unthinkingly or with malice. “I was struck by the idea that we should be auditing social media to understand what's being said about us,” said Siek. “We're not a social media-oriented business, but we need to be aware of and manage how we're being portrayed in these media from a risk and reputation standpoint.”

New tools are finally hitting the marketplace, especially during the past 12 months, to aid companies with their social media efforts, initiatives that would otherwise sap significant resources. Typically, they break down into either listening tools (used to gauge consumer sentiment through what is being said) versus actual risk-management tools, Chaudhary explains. Some offer complete social media management tools for the entire publishing lifecycle; others include compliance tools that allow true monitoring of accounts.

From left: Toyota Financial CCO Diane Novak; Health Net Chief Ethics Officer Stephen Arietta; Crowe Horwath's Bart Kimmel; and Stella Acosta, director of internal audit and SOX compliance at Motorcar Parts of America.

“We're not a social media-oriented business, but we need to be aware of and manage how we're being portrayed in these media from a risk and reputation standpoint,” said Maryanne Siek, director of records management at Freeport-McMoRan Copper & Gold.

“You can put policies in place, but now there are actually tools available to monitor how the procedures behind them are operating,” Chaudhary said.

“You need to address social media on a number of different levels,” said Bruce Anderson, chief ethics officer for managed care company Health Net. “You have to see how an audience perceives messages. It's a different world and your marketing and communications efforts need to keep that in mind.”

His company deploys tracking and monitoring systems. It also has clear-cut policies for employee use of the company's social media presence. “Everyone has access to LinkedIn,” Anderson said. “On Facebook there are only a few people who are allowed to have access. I happen to be one of them because of my job, but the vast majority of the employee population are not.”

Social media policies should also address who owns the accounts that are set up on the company's behalf. When employees set up Twitter or LinkedIn accounts as part of their jobs, occasionally when an employee is leaving a custody battle can ensue over who owns the account. When an online “handle” is created by an employee, the company must make sure it retains ownership of that name, as current lawsuits are showing that sometimes the creator refuses to give it back.

The key to getting a buy-in on policies is two-fold. Employees must have adequate training in what they can and cannot do at work, and encouragement in what to avoid with their personal accounts (one participant pointed out that employees often “rat each other out” over such posts). Companies can find themselves in awkward situations if they don't put clear policies in place and make sure they square with employees' personal rights and laws that govern them.

The policies that are put in place cannot be static and must continually adapt in lockstep with new technology. “We can't resist it, so we need to find a way to move forward and take reasonable efforts to prepare,” Anderson said of mobile and social media technologies. “You can't think of every possible future scenario, but you need to think of the ones that are most important, which for us is protecting our members' and employees' information. Whatever we do, we have to make sure that is never compromised.”