Jump to Navigation | Jump to Content
American Bar Association - Defending Liberty, Pursuing Justice ABA Logo

ABA Section of Business Law


Business Law Today
May/June 2001 (Volume 10, Number 5)

Is the one in the hand really worth two in the office?
That pocket-sized device could be a nightmare
By Spencer G. Feldman

In what seems like the blink of an eye, handheld computers have become the preferred data and information interface used in today's business environment. While pioneers like Federal Express have long had proprietary handheld systems for handling certain types of data, handheld computing for the average consumer started as a trend within the last couple of years with the introduction of the Palm Pilot. At its most basic level, it allowed users to enter phone numbers and set appointments.

Today's mobile, handheld computing devices are operating at the speed of full-sized computers and are rapidly evolving into devices that can store gigabytes of information while also being able to connect to the Internet at broadband speeds and interact with widely distributed e-mail systems including Microsoft Outlook and Web-hosted e-mail.
Converging design features on Web-enabled cellular phones and two-way paging technologies such as Research in Motion's BlackBerry are also overlapping and enhancing the features found on Palm Pilot-style handheld devices. As with all new waves of technology, the language and practice of corporate security as well as mergers and acquisitions must keep up and anticipate the day when computing through handheld devices will be omnipresent and their information flow ubiquitous.
The small size, light weight and shape of handheld devices allows them to fit easily into a pocket and, if past trends are any indication, we can expect their size to continue to shrink. However, these qualities also make them easy to steal or lose. While it is difficult to gauge the actual number of lost or stolen handheld devices, an estimate can be derived from a report by insurance company Safeware Inc. indicating that there were nearly 319,000 reported cases of stolen laptop computers in 1999.

It is not unreasonable to assume that handheld devices are similarly attractive targets of theft because of their relatively high value-to-size ratio. However, the value of the device is insignificant when compared to the information stored in it or what it can access. In the past year, two high-profile cybercrimes involving laptops stolen from Qualcomm Inc. as well as U.S. State Department personnel have highlighted this issue.

At the nuisance level, if an employee loses a handheld device and has failed to back up the information on his or her office system, important information can be lost forever. More seriously, without password protections, a top manager's contact list with names, phone numbers, e-mail addresses and meeting notes are all accessible and potentially exploitable by competitors and - as reported in at least one case - extortionists.

Another major concern is that a handheld device may be pre-set to bypass internal security settings, offering an unauthorized user access to a company's entire network and phone system. For a sophisticated illicit user, such a device can serve as a gateway to a company with the end result being a defaced home page, a stolen credit card number, a bill for a series of mysterious long distance calls, or worse.
Increasingly, handheld devices, through third-party software, give users the ability to download and store full-sized documents and spreadsheets. While it is still inconvenient to make significant modifications to such files using a handheld device, this offers users a wonderful capability to take such files on the road for review and minor modifications.

However, it also increases the potential damage that can result from a lost or stolen handheld device because such a device may now also contain confidential business strategy documents, technical information or accounting information. It is not too difficult to imagine circumstances in which such information, if pilfered, can potentially jeopardize the underlying valuation of a company or place a company in a precarious situation defending shareholder derivative class-action lawsuits or SEC enforcement actions.

As a general principle, all handheld devices should be treated with the same caution and security that a full-sized PC or laptop computer is afforded. This includes examining all file types and assessing them for appropriate read and write privileges. Downloading should be monitored at the individual user level. The uploading of files from a handheld device to the company network should be put through the same "sanitation" process that any other incoming file receives to guard against viruses.
As is all too apparent, given the business interruptions many users have experienced because of recent well-documented virus attacks, the concern from downloading and transferring potentially virus-infected files should be taken with extreme seriousness. At the very least, productivity may suffer from such events and, at worst, an entire business may be forced to shut down if it is Web-based or dependent on an affected system.

In addition, the loading and use of "pirated" or unauthorized software should be monitored and actively discouraged for corporate security as well as legal usage reasons, though the ease with which this is accomplished on handheld devices (in fact, applications can sometimes be simply beamed from one device to another through the infrared port) makes this much more difficult to enforce with handheld devices.

With today's generation of handheld devices, sharing information between such devices, desktop computers and the overall network is simpler than ever. Both employees and information technology personnel need to be aware of the potential of security breaches, virus propagation and illegal software duplication.

It probably has not occurred to many users yet, but handheld devices are susceptible to computer viruses too. In September 2000, McAfee.com, an anti-virus software company, found a virus propagating through the Palm operating system and subsequently developed a "cure" for such a virus. Early versions of anti-virus software are now available for most handheld devices and should, as a matter of course, be one of the applications downloaded into them.

The future will no doubt bring more of these viruses and it is not inconceivable that at some point in the not too distant future, someone may develop a hybrid virus that can infect multiple types of operating systems, such as those of both a handheld device and its office-based desktop system. The best course of action is continued vigilant use of anti-virus software on all network components, including handheld devices.

Most large companies remove desktop floppy disk drives and CD-ROM drives from all desktop computers to minimize the likelihood of employees installing software that may contain viruses or is pirated. Removing floppy disk drives, for instance, reduces the likelihood of employees copying confidential files and carrying them out of the office where a floppy diskette can easily be lost or stolen, or even worse, from a malicious act of an employee who is about to quit. Handheld devices, nowadays not much larger than a fat floppy disk, need to be managed with the same level of scrutiny.
As noted above, handheld devices can be used to download or upload files, and the very nature of the benefits of these devices makes cutting them off from desktop systems and the corporate network too harmful to productivity for serious consideration. Handheld devices will continue to become capable of greater storage capacity, and it will become more critical for companies to compartmentalize and track access to confidential files through them.

To minimize potential security breaches from stolen information, appropriate encryption technologies should be applied to all devices, files and transmissions. At a minimum, handheld devices should use basic device-level password protection, especially if they are used to store, transmit or receive confidential information. However, device-level protection is, at most, a nuisance for a determined hacker. For all truly confidential documents that need to reside (even temporarily) on a handheld device, file-level encryption should be used.

In addition, all handheld devices should be treated as corporate property to be physically secured with inventory-control identification and physical lock-up when not in use. Users should be in immediate sensory contact with their handheld devices when out of the office and should never divulge passwords or change a device's company-set security settings. Ownership of all material on a handheld device should clearly be stated to belong to the company and not the individual using or assigned to the device.

Another, albeit expensive, solution to data and material theft is the use of global positioning system (GPS) tracking hardware and software. The cost of this technology is expected to drop significantly in coming years and will likely be incorporated in handheld devices in the near future.

Without actually securing a handheld device, it is possible for people nearby to look over a user's shoulder to view confidential information. Companies should consider adopting a policy discouraging employees from working on confidential files in public places. Better yet, if possible, confidential information should not leave the office.
Many of these security considerations are not as onerous as they may appear. One reason for this is that, as the Palm and Microsoft CE operating systems grow more robust and standard, the more they are able to accommodate and accept off-the-shelf solutions. These solutions include setting user log-in requirements, such as ID and password control. System administrators can log and track all access attempts and report any unauthorized activity. In addition, most wireless devices come with identification in the form of a subscriber ID that can be tracked by a system administrator. As for sensory contact, under almost all circumstances, this requires simply that a user should not leave the device unattended if it is not protected.

While a Palm Pilot-style device is what we typically think of, a cellular telephone is absolutely a handheld device as well. The amount of confidential information discussed on cell phones in public places is extensive. It is common to overhear confidential conversations on trains, planes and in restaurants, without even trying. If a business competitor wants to intentionally listen in, off-the-shelf technology exists and is available to intercept a cell phone call or wireless Internet transmission.

Companies need to be aware of how their employees communicate when they are outside their offices, and harden their systems with encryption technologies. Traditional handheld devices are also beginning to feature wireless connections to the Internet, making them susceptible to the same concerns as cell phones. Connections in airports are particularly prone to interception and should generally be avoided for any nonencrypted confidential data.

In the legal arena, where corporate lawyers can be particularly helpful - such as with mergers and acquisitions - the loss or misuse of a handheld device can jeopardize the confidentiality of a transaction. Acquirers and their M&A professionals need to be sensitive to new handheld technologies and their effect on confidentiality.

In an acquisition transaction, not only does a buyer want the assets it is purchasing, it does not want any liabilities associated with illegally loaded software, undisclosed or undiscovered software such as a virus, or a breach in system security. An audit of the seller's computer policies should determine the basic protections covering the proprietary data that can leave the office and its method of egress, and include the handheld devices that now proliferate in the corporate environment but are often not logged as part of the overall network.

In the due diligence phase of an acquisition, acquirers need to determine the identity of all third parties who have access to or control any part of the information systems of a target company. For example, there is growing concern where wireless technologies, such as those used with certain handheld devices, require intermediate servers to bridge the wireless and Internet protocols. These bridge servers typically exist within the wireless service provider and their firewalls, meaning that wireless traffic is susceptible to tampering while in the service provider's possession.
Physical and technical inspections of the service provider's security measures are mandatory for companies, such as e-brokers and e-health care companies, that transmit confidential customer or user information through these bridge service providers. Major providers that do support these requirements include AT&T and Sprint.

In addition, the outsourcing of vital organizational functions, such as accounting, are increasingly being performed by outside application service providers whose representations and warranties need to be fully understood in order to grasp the "at risk" nature of a business.

Hackers interested in breaking into a company's network, and the preparations in place to thwart such attempts, pose another area of concern. A company has to anticipate these attempts and even expect some attempts to succeed; however, the company must work to limit the actual physical damage an unauthorized user can do and compartmentalize the damage. Companies may be required to expend significant capital and resources to protect against or to alleviate problems caused by such parties, and must also address their ability to mount a timely remedy against a hacker or any "force majeure" catastrophe.

A related concern is the extent to which a company uses encryption and authentication technology to ensure secure transmission of confidential information, such as customer credit card numbers. Generally, the ease with which a hacker can penetrate a company's network is inversely proportional to the thinking and resources that have been devoted to securing the network.

The increasing use of handheld devices and their growing connectivity to corporate networks through wireless and other methods means that information technology personnel must fully incorporate such devices into an overall network security strategy and protocol, and this strategy should be carefully reviewed as part of the due-diligence process.

As with all computers, the information stored on cell phones, personal digital assistants, notebooks and handheld computers is worth substantially more than the cost of the devices itself. Most companies do not yet police the types of information contained on handheld devices or what information these devices upload, download or transmit. As this technology permeates the workplace, our commutes and our homes, the legal and information technology staffs of companies that rely on them will need to address and solve these matters to maximize the benefits and minimize the risks inherent in their use.

Feldman is a partner at Greenberg Traurig, LLP, in New York City. His e-mail is feldmans@gtlaw.com.

Back to Top

Copyright American Bar Association. http://www.abanet.org