Mobile devices and the law: What are the legal issues?

By Jon Fell

19 Apr 2011

Jon Fell is a partner at Pinsent Masons

The launch of the iPad 2 last month underlines the increased use of mobile devices for personal and business use. Most businesses want to ensure that their employees are able to work efficiently when out of the office. However, increased mobility brings with it certain management and legal issues that need to be addressed.

What are the main issues from a management perspective?
By providing its workforce with mobile devices, an organisation can improve productivity by allowing access to up-to-date data at any time in any location. But in doing so the organisation is, to an extent, loosening its control over its data. It may not be possible to know exactly where any data is stored at any time, and key information created on mobile devices may be stored only locally and not backed up to a central location. This makes the data vulnerable: critical data may be lost or out of date.

Another issue is security. It is a headache for the IT department to ensure that the mobile devices are all properly protected, especially where employees use their own laptops, smartphones or tablets. If an organisation manages its virus protection centrally, mobile devices that are not synchronised with the central servers soon become out of date and vulnerable.

Mobile devices can be lost and stolen. Apart from the inconvenience and embarrassment of losing data, there can be legal implications.

What are the main legal risks?
We have all read the headlines about laptops left on trains or memory sticks containing confidential information being sold on eBay. Apart from the loss of business resulting from adverse publicity, there are three main legal issues to consider.

Most organisations possess confidential information. Some confidential information will be owned by the organisation and its disclosure will cause commercial harm. Obvious examples include details of customers, price lists, business models, new products and so on. Equally, most businesses also hold confidential information belonging to third parties under a contractual or fiduciary duty of confidentiality. If this information is disclosed, the business may be liable in damages for the losses suffered by the owners of the information as a result of the disclosure.

The Data Protection Act 1998 imposes obligations on all organisations to keep personal data secure. Companies must take appropriate technical and organisational measures against “unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data”. Failure to put in place appropriate security measures in relation to mobile devices will breach this obligation, which could lead to a fine imposed on companies and individuals. The Information Commissioner now has enhanced powers to investigate and punish breaches of the data protection legislation and has shown a clear desire to use these new powers.

All companies are required to keep accurate accounts and records. Directors are obliged to ensure that all the steps that ought to be taken have been taken in order to ensure the accuracy of all relevant audit information and to ensure that the company’s auditors are aware of that information. “Relevant audit information” is any information needed by the company’s auditors in preparing their report. This obviously includes information on mobile devices used in the business.

Where a director has acted recklessly or in the knowledge that the information was false, he or she is guilty of an offence punishable by fine or imprisonment or both. This means that it is essential that appropriate processes are in place to manage information generated, processed and stored remotely.

Those businesses which are regulated, such as financial services companies, law firms and accountants, will have further regulations imposed on them either by statute or by their regulating bodies.

What should firms be doing?
An organisation cannot prevent mobile devices being lost or stolen. Nor can it prevent its employees using their own devices. The ubiquitous USB port makes this almost impossible. But an organisation can mitigate its risks by having in place a well-thought-through policy on the management of data and use of mobile devices. This policy should be clearly communicated, be tied into the organisation’s disciplinary procedures and apply to everyone in the organisation.

It is also important that the policy is enforced uniformly. Employees should be made aware of the risks of mobile computing and careful consideration should be given to the type of data that an organisation permits to be stored on mobile devices.

Finally, an organisation should ensure that all its data while in transit and while stored on mobile devices is encrypted. In this way, if the data is intercepted during transmission or if a laptop or memory stick is lost or stolen, at least the data will not be readable.

Jon Fell is a partner at international law firm Pinsent Masons
