eDiscovery Daily Blog

Can Pokémon GO Right Into Your Organization’s Data?: eDiscovery Trends

Unless you’ve been living under a rock for the past month, you’ve undoubtedly heard about Pokémon GO, the new location-based augmented reality smartphone game, which has been downloaded by more than 130 million people worldwide in a little over a month.  Believe me, my kids have clamored for it.  But, if you have it installed on a BYOD device for the workplace, could you be putting your organization’s data at risk?

That’s a question raised by this article in Inside Counsel by Amanda Ciccatelli (Pokémon GO exposes the risks of BYOD policies).  In the article, Ciccatelli cites a recent blog post on Data Security Law Blog (of Patterson Belknap Webb & Tyler LLP) which notes that the app poses issues for businesses with bring-your-own-device (BYOD) policies, where employees use their own devices for work purposes.  Those policies, while enhancing employee productivity and satisfaction, can open up potential security risks if not structured – and followed – correctly.

“Because Pokemon GO has been so enormously popular – reportedly the most downloaded mobile game ever, with more than 25 million users playing each day – the security concerns of the game have received wide publicity,” Michael Whitener with VLP Law Group told Inside Counsel in a recent interview.

As a result, some security organizations, including the International Association of IT Asset Managers (IAITAM), have called on corporations to ban the use of Pokémon GO. In fact, IAITAM has described the game as “a nightmare for companies that want to keep their email and cloud-based information secure.”

Whenever a third-party mobile app is downloaded, there are two potential data security concerns, according to Whitener. First, the mobile app customer may be allowing the mobile app vendor access to some of the customer’s personal information, which the customer may be agreeing to via the vendor’s terms of use.

Second, the mobile app, due to security flaws, may provide a handy backdoor for hackers into the customer’s mobile network – not just on the customer’s phone, but potentially to the servers of the customer’s employer too.

The original terms of use of Pokémon GO allowed the game’s creator, Niantic Labs, to access the entire Google profile of the user, including their history, past searches and anything else associated with their Google login ID.  Niantic later corrected this, but it’s unclear how Niantic may have used the information collected and whether it’s been destroyed.  And, of course, imitation Pokémon GO applications have sprung up with malware that could allow hackers to access users’ personal correspondence and other information or even remotely gain full control of the victim’s phone.

Ciccatelli’s article notes that “a realistic BYOD policy will address such issues as employee obligations to implement device security software, employee expectations of privacy when using devices for business purposes, prohibitions on device use by friends and family, and permissible and impermissible apps”.  In other words, sorry Kiley and Carter, Pokémon GO won’t be coming to my iPhone for the foreseeable future.

So, what do you think?  Does your organization have a BYOD policy that regulates the installation of third-party apps?  Please share any comments you might have, or let us know if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.