The official hub of The Enterprise Mobility Foundation

The Fourth Amendment Vs. (Mobile) Risk Management

For better or for worse, the world of enterprise mobility is, in my opinion, saddled with an alphabet soup of acronyms. EMM, MDM, MAM, WEM, MEAP, MCAP... I could go on and on. Call it society's ever-increasing need for speed, and a small peppering of ADD (oh, wait... I just did it myself). One of the newest terms to come up in the last few months is MRM, or Mobile Risk Management. MRM in the EMF's view (darn it... I did it again!) is the business side of mobile security, that is, the impact of data or information loss protection/prevention.

While this is still an emerging topic of discussion, my sense is it’s going to become an increasingly important matter moving forward in our industry.  We’ve already seen signs of this emerging trend at what I’ll call the periphery.  Specifically, I am talking about how risk management is becoming an increasingly important business issue, and it will take precious little time for those discussions to extend into a mobile context.

Take a recent example I stumbled upon yesterday. Two days ago, InformationWeek published an article about six former employees and contractors of the US Food and Drug Administration filing a suit alleging that the FDA illegally spied on them by taking a peek inside their personal Yahoo! Mail or Gmail accounts. In what feels like an increasingly common stand, they are alleging that their Constitutional rights, as defined by the Fourth Amendment (among others), were violated.

This made me instantly think about the mobile consequences.

Specifically, unless you use a mobile device that was provided by your employer and you work in a tremendously highly regulated industry (or are a super big shot at your company) where the practice might be forbidden, you in all likelihood have not only your work email on your smartphone, but your personal email as well…and more and more frequently, you have it all in one unified inbox.

So what is preventing your company from taking a peek at what you’re doing on the device?  Now, before you think I’m being an alarmist or a worry wart, let me put that theory to rest.  I’m not.  Companies have the right to protect their information from all employees – particularly the dumb ones or the ones that may have less than above-board objectives.  But what about good people like you and me:

  • What if I decided for whatever reason to send a file to my personal account from my mobile device for whatever legitimate reason I had?
  • Am I now in breach of my company’s policies?
  • Do they have the right to monitor that action?
  • What is deemed “excessive” searching?
  • Is it a different situation if I am using a corporate liable device vs. an individually liable device?
  • Should I use a device that supports dual personas such that there is a clear segmentation of my personal vs. professional life?

Can my organization take a peek at what I'm doing? I don't know. The economist in me wants to start off any answer I could come up with by saying "Well, it depends…" That's not particularly satisfying to me, though. The main problem is that I'm not sure many people are going to have straightforward answers to these questions and the myriad other questions that will emerge as organizations continue to expand their risk management strategies for the mobile world.

Furthermore, there isn't much legal precedent in mobile risk management. Sure, we had Sgt. Quon vs the City of Ontario, CA a couple of years ago, but that was a lawsuit (again leveraging the 4th Amendment) that was all about inappropriate use of a corporate liable device during "off-hours."

I guess my final thought/suggestion is that, moving forward, we will definitely need to keep our eyes and ears peeled around mobile risk management and the impact of mobile security breaches.

5 Comments

  1. Posted February 1, 2012 at 23:41 | Permalink

    I read with much interest your article and believe with Mobile Risk Management, that you are on the leading edge of what is going to be the next big trend in mobile device security. Risk management is the key, and with most large organizations, it's not about actually viewing everything that every employee is accessing, but more about which ones present the highest risk that need further attention. This is as true with risk management with mobile security as it is in other industries, and this is why I believe MRM will only increase in importance as the most cost effective way to manage the risk to an organization.

    I look forward to additional writings from you on this topic in the upcoming days. Well done.


    • Posted February 2, 2012 at 09:58 | Permalink

      Much appreciated @ssahay !!! I want to stress to the enterprise mobility universe that mobile security and mobile risk management are two sides of the same coin. One is technology centric, and one is business centric, but both need to be addressed immediately.


  2. Posted February 2, 2012 at 05:03 | Permalink

    My gut feeling is that, whether the device is yours or your company's, if you *can* do things then there's no reason for your company to blame you for doing it… Either they trust you and accept that you may do these things, or they don't and should make sure you can't do them.


    • Posted February 2, 2012 at 09:59 | Permalink

      @mathieu I’m not sure I’ll agree with your statement. There are too many examples in all facets of the world where people do things they shouldn’t just because they can.


  3. Posted February 4, 2012 at 13:58 | Permalink

    The only difference I see is whether the device is a BYOB or company issued. If it is a company-issued device then I think the same security policies enterprises currently apply to laptops can be tweaked and extended to a mobile device. The grey area I see is when it comes to the BYOB scenario.

