The San Bernardino County government paid for, but never installed, a feature allowing employer access to any employee mobile devices. Had the feature been installed, the current legal and philosophical battle between Apple and the FBI over how to access shooter Syed Rizwan Farook’s iPhone might have been avoided.
What’s more, the county not only had the software, but also a longstanding policy eliminating any expectation of privacy by the employee: “No User Should Have an Expectation of Privacy.” Had the county simply installed the technology, public officials could have legally and ethically accessed the relevant data from the mass murderer’s iPhone without court involvement.
Two lessons are apparent. First, mobile device management (MDM) is an important part of any information technology system, allowing remote access to phones and tablets for a range of services, from wiping a hard drive to backing up data automatically or streaming software updates. Beyond the increased security, a robust MDM policy facilitates legal and regulatory compliance, from implementing litigation holds to, in the case of San Bernardino, assisting with a criminal investigation.
The second lesson is equally important: organizations must audit compliance with MDM policies and procedures on a regular basis to ensure proper implementation. The county had the foresight to purchase MDM software, but, as is the case with most organizations, could have benefitted from a more robust MDM and self-assessment regimen. As previously posted, a data security plan is only as strong as its weakest link.