The Fourth Amendment Vs. (Mobile) Risk Management

For better or for worse, the world of enterprise mobility is, in my opinion, saddled with an alphabet soup of acronyms.  EMM, MDM, MAM, WEM, MEAP, MCAP….I could go on and on.  Call it society’s ever increasing need for speed, and a small peppering of ADD (oh, wait…I just did it myself).  One of the newest terms to come up in the last few months is MRM or Mobile Risk Management.  MRM in the EMF’s view (darn it….I did it again!) is the business side of mobile security, meaning what is the impact of data or information loss protection/prevention.

While this is still an emerging topic of discussion, my sense is it’s going to become an increasingly important matter moving forward in our industry.  We’ve already seen signs of this emerging trend at what I’ll call the periphery.  Specifically, I am talking about how risk management is becoming an increasingly important business issue, and it will take precious little time for those discussions to extend into a mobile context.

Take a recent example I just stumbled upon yesterday.  InformationWeek published two days ago an article regarding six former employees and contractors of the US Food and Drug Administration filing a suit against the FDA illegally spied on them by taking a peak inside their personal Yahoo!Mail or Gmail accounts.  In what feels like an increasingly common stand, they are alleging that their Constitutional rights, as defined by the Fourth Amendment (among others) were violated.

This made me instantly think about the mobile consequences.

Specifically, unless you use a mobile device that was provided by your employer and you work in a tremendously highly regulated industry (or are a super big shot at your company) where the practice might be forbidden, you in all likelihood have not only your work email on your smartphone, but your personal email as well…and more and more frequently, you have it all in one unified inbox.

So what is preventing your company from taking a peek at what you’re doing on the device?  Now, before you think I’m being an alarmist or a worry wart, let me put that theory to rest.  I’m not.  Companies have the right to protect their information from all employees – particularly the dumb ones or the ones that may have less than above-board objectives.  But what about good people like you and me:

• What if I decided for whatever reason to send a file to my personal account from my mobile device for whatever legitimate reason I had?
• Am I now in breach of my company’s policies?
• Do they have the right to monitor that action?
• What is deemed “excessive” searching?
• Is it a different situation if I am using a corporate liable device vs. an individually liable device?
• Should I use a device that supports dual personas such that there is a clear segmentation of my personal vs. professional life?

Can my organization take a peak at what I’m doing?  I don’t know.  The economist in me wants to start off any answer I could come up with by saying “Well, it depends…”  That’s not particularly satisfying to me, though.  The main problem is that I’m not sure many people are going to have straight forward answers to these questions and the myriad other questions that will emerge as organizations continue to expand their risk management strategies for the mobile world.

Furthermore, there isn’t much legal precedence in mobile risk management.  Sure, we had Sgt. Quon vs the City of Ontario, CA a couple of years ago, but that was a lawsuit (again leveraging the 4th Amendment) that was all about inappropriate use of a corporate liable device during “off-hours.”

I guess my final thought/suggestion is that, moving forward, we will definitely need to keep our eyes and ears peeled around mobile risk management and the impact of mobile security breaches.