Brock Smith’s clients regularly send him documents to sign using tools like DocuSign or Adobe Acrobat’s signing feature.
The partner at B.C.-based Whiteboard Law also acts as a part-time general counsel for a technology company. He is an authorized user of both their systems and Whiteboard’s. And he does a lot of his work using applications on his mobile devices.
So who manages the mobile applications lawyers use?
This is a relatively recent issue. Third-party mobile applications were not widely used in the days of BlackBerry hegemony. Lawyers largely stuck to native apps that shipped with the handset. Mobile device management (MDM) systems that could secure devices and wipe data off them remotely kept client information secure.
Mobile apps used for business
Mobile apps in business seemed to take off around 2012, a few years after Apple Inc.’s iPad and iPhone started to replace BlackBerries in businesses. “People started transferring e-mail (and calendars and contacts) from BlackBerry to iOS in 2010,” said Ojas Rege, chief strategy officer for Mountain View, Calif.-based enterprise mobility management (EMM) solution provider MobileIron, Inc.
From MDM to EMM
It then became important to secure all apps (and their data) from the prying eyes of IP-hungry criminal hackers. This meant MDM had to evolve into enterprise mobility management, which secures applications and their data as well as the physical device. Comprehensive EMM prevents data from going places it shouldn’t. It can start with an internal “app store” where attorneys can download apps around which IT departments “wrap” security protocols.
“When it’s downloaded from the enterprise app store, you can also delete the app if the individual leaves the firm,” Rege said.
Rege believes firms sometimes must accommodate apps outside its “whitelist” of approved apps. “If IT doesn’t provide users with the applications they want, users will go around them,” he said.
Smith’s firm lets lawyers and staff install apps that work for them, as well as their clients. “You have to be open to clients asking you to use their apps,” he said. He counts the messaging app Slack as one such app used by his “GC client.”
“You have to decide whether to meet those requirements,” he added. “If you can’t, you might lose a client.”
Controlling app installs
Firms that engage in mobile device management often know when lawyers install apps on their devices. “There’s a delicate dance between ensuring you know what’s going on but not being too Big Brother,” said Justin Hectus, who serves as director of information for business law firm Keesal, Young & Logan at its Long Beach, Calif., office.
The dance might not be necessary. “Instead of telling the user to not use an app, get a focus group of attorneys together and ask them what applications they really use for note-taking and other parts of the job,” said Rege. “They’ll tell you what they use.”
He recommends adding legitimate apps to the internal app store to keep their data secure. Should an app prove to be a security risk, IT can ban the app, explain the ban to lawyers and offer better alternatives. “No attorney will push back on that,” Rege said.
Data at rest and in motion
Beyond apps, firms must protect data on each device. Should a device be “jailbroken” (modified to remove manufacturer-imposed restrictions to allow installation of unauthorized software), the data “at rest” on the device can be compromised.
Data in motion may be compromised too. People may connect to rogue WiFi access points, for instance. Once connected to such points, they may fall victim to “man in the middle” attacks as they transmit data through the rogue access point owner’s computer, which may make a copy of everything that passes through it.
“Everybody has done this, I’m sure, without even knowing it,” Reje said. “If you have good security on your device, the device flashes a message saying it doesn’t recognize the server. ‘Are you use you want to do this?’ it asks. Unfortunately, most users say ‘Yeah, I’m sure!’ and the data’s gone.”
EMM tools also must ensure data travel only to authorized devices. For instance, should a phone’s battery give out in the middle of a lawyer’s work session, said lawyer might borrow somebody else’s device, download the app from an app store and sign in to the firm’s system to continue working. This attorney ignores that data ends up on a device outside the firm’s control.
Hectus and his firm take a stricter approach. “We prevent data from being saved on devices,” he said. “We employ certain controls like forced encryption and forced password. But we no longer have a mobile app management approach.”
Usability versus security?
“The pendulum has shifted from usability first to security first,” Hectus said. “It’s the reality of the world we live in, the cost of doing business. We offer robust remote access, but it has to be done on our terms.”
Tech-savviness is “one of the criteria we look for in new lawyers, and we offer intensive training once they come on board.”
However, not all firms need to use EMM solutions. They may hire lawyers and staff with an eye to tech savviness and discuss their tools at regular team meetings. Their approach results in a tacit app management policy that can exist in an environment with high trust. “We vet our lawyers thoroughly to ensure they can work in a virtual environment,” Smith said. “That includes knowledge of technology and a willingness to adapt, use only approved apps, staying abreast of technology.”
Smith doesn’t dictate what technology to use, though he influences it. For instance, their practice management system came out with thumbprint security several versions ago. “We didn’t mandate that, but we strongly suggested that people move to that.”
“It’s a lot easier than trying to type in your darn password on those small screens.” “People can install whatever apps they want to on their phones, which are owned by the individual lawyers. We provide connections to our back office.”
“We trust they won’t pick ‘password’ as their password,” Smith said.
This article originally appeared on The Lawyer’s Daily website, published by LexisNexis Canada Inc.