How to Stay Compliant with Mobile
About The Webinar
The number of employees taking their work mobile is on the rise and firms are facing potential risks as a result of this influx of new collaboration tools. These shifting demographics are causing organizations to support new tools for business communications. How can firms drive productivity and offer remote working options while staying compliant? We will cover the advantages to giving employees the tools they need to communicate and how to use technologies to help mitigate the risk these dynamic communication tools create.
Listen to industry experts Robert Cruz, Sean Moshir and Brandon Leatha to learn about:
- Key mobility challenges in today’s work from home environment
- How tools like WeChat and WhatsApp create new challenges for information governance programs
- How to prepare for the new normal of mobile communications
Panelists For the Webinar
VP of Information Governance,
Robert Cruz is Vice President of Information Governance at Smarsh. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and Discovery cost and risk reduction.
Co-Founder, CEO and Chairman,
Sean Moshir, CellTrust’s co-founder, CEO and Chairman pioneered the multi-billion dollar patch management industry, which now secures over 90% of enterprise IT systems around the world, when he founded PatchLink in 1991 (now part of Ivanti) prior to founding CellTrust in 2006. Recently named Arizona Business Leader in Cybersecurity for 2020, for over three decades Mr. Moshir has been recognized internationally as a cybersecurity visionary and software innovator. Anticipating that the mobile enterprise would face many of the same security and compliance challenges they faced at the dawn of the Internet, Sean led CellTrust to become a leader in secure and compliant mobile communication. Awarded Productivity App of the Year 2019, CellTrust SL2™ helps those operating in the financial services, government and healthcare industries to manage and archive text messaging, voice and chat communications. SL2 balances mobile productivity, risk, control and enforces regulatory compliance. SL2 is licensed by hundreds of enterprises, with tens of thousands of users across 100+ countries, who count on it every day. Paredes was a professor of law at Washington University in St. Louis before joining the SEC. He also has been a Lecturer on Law at Harvard Law School, a Distinguished Scholar in Residence at NYU School of Law, and a Distinguished Policy Fellow and Lecturer at the University of Pennsylvania Law School. Paredes co-hosts a podcast on fintech called “Appetite for Disruption.” Paredes holds a bachelor’s degree in economics from UC Berkeley and earned his J.D. from Yale Law School.
Founder and CEO,
Leatha Consulting LLC
Brandon Leatha, the Founder, and CEO of Leatha Consulting LLC, is an expert in digital forensics, e-Discovery, and data analytics. With over 18 years of technology consulting experience, he advises clients on digital forensic investigations, e-Discovery, and cybersecurity. Mr. Leatha has extensive experience with enterprise software including both on premise and cloud-based email, database, line-of-business applications, and custom software solutions.
Transcription of Webinar Audio
Davi Schmidt: Hi everyone. We're going to give people a few minutes to join and we'll begin the webinar shortly. Okay, let's get started. Thank you all for joining us for today's webinar, On-the-Go Workforce: How to Stay Compliant with Mobile. Please be aware that all participants will be muted for the duration of the call. Feel free to submit any questions you may have via the GoToWebinar messaging app, and we'll attempt to answer as many of them as possible during our Q and A session. Joining us today are presenters Robert Cruz, Sean Moshir, and Brandon Leatha. With that, I will hand it over to you Robert.
Robert Cruz: Thanks Davi and thank you everyone for joining. Really appreciate you spending this hour with us. We're going to talk about mobility and mobility has a couple of dimensions that we really want to make sure we touch into today, which is the fact that this is where business is getting done today. We want to talk about not just the device, but what businesses are doing with mobility in terms of the applications, in terms of the voice recordings, in terms of all the other activity that organizations need to be responsible for. We're going to look at where the market is and where we think it's going to be going considering the fact that this stay-at-home posture looks like it's going to be with us for a while.
Robert Cruz: We'll talk about the current market as well as some of the risk dimensions that companies need to consider, and then finish it up with some discussion around best practices. First of all, as the standard introduction, the introduction or the disclaimer that we typically provide in front of our webinars, we are providing this data for informational purposes only. Smarsh does not provide legal advice or opinions. You must consult with your attorney regarding compliance with applicable laws and regulations. With that, let me first show you the topics. We'll cover mobility today, discuss some of the risk dimensions, and then get to the discussion around best practices and things that we're seeing emerge for organizations both on the regulatory side as well as around e-discovery and litigation and investigation.
Robert Cruz: Then we'll finish it up with a brief overview of how we can help. As Davi Schmidt mentioned, would encourage you to use the chat panel, submit questions. We want to make this an interactive discussion, so that we can really get some insights from you and share some of the things that you're experiencing and learning along the way as well. Let's begin by doing some quick introductions, and I think the place to start is to first let me hand it over to Sean Moshir, our CEO from CellTrust. Sean, thanks for joining us today. Why don't you tell us a little bit about yourself and CellTrust, and how your firm is focused in this particular area?
Sean Moshir: Sure. Thank you Robert. First of all, I'd like to thank Smarsh and all the staff that made this webinar possible. My name is Sean Moshir. I'm CEO of CellTrust Corporation. I've been involved in cybersecurity since the early 1990s, found a few companies, which the latest one obviously is CellTrust that I co-founded in 2006. CellTrust is in the business of secure mobile communication and collaboration where the communication from text and voice are captured, tracked, and archived into a long-term enterprise archiving system such as Smarsh for e-discovery and compliancy and typically, our customers have to retain these communication information, their regulated entities, financial entities, banks, broker, dealers and such.
Robert Cruz: Terrific. Sean, thanks very much for joining, really appreciate it and let me introduce Brandon Leatha. Brandon founder of Leatha Consulting, forensic investigator expert in e-discovery. Brandon, thanks for joining. Tell us a little about yourself.
Brandon Leatha: Sure. Thank you Robert. Like Robert said, my name is Brandon Leatha. I've been consulting on digital forensics and e-discovery for just over 20 years now, and worked with companies of all sizes. In the last 10 years, I've really focused my practice on dealing with some of the more challenging aspects of e-discovery and investigations, and that's brought me into the mobile, social, and cloud area, and that's a lot of what I've been working on. I'd like to second Sean's thanks to Smarsh for this webinar. Thank you for putting this together.
Robert Cruz: Terrific. Thanks both of you and for those of you that may not be as familiar with Smarsh, I mean who are we as a company? Basically, our mission is to help organizations communicate and collaborate through the communication tools of their choice, the ways that your clients are asking you to be able to interact. We've been doing this for over almost two decades and essentially, we've established leadership both in the financial services marketplace, as well as in other domains other regulated markets where we've been able to help companies capture, store, review, and preserve some of the data that's being used today outside of email, these collaborative tools, mobile applications, other emerging content sources.
Robert Cruz: We have established a leadership position that's been recognized both by Forester as well as Gartner, something we think is very important both in terms of our ability to look and see where some of these communication trends are going, and also our ability to execute upon this. As far as supervision dealing with regulatory compliance and e-discovery, we're providing a single pane of glass so that organizations can deal with these use cases with all of these unique communication sources that they're now wrestling with. Very much in our wheelhouse in terms of being able to support this.
Robert Cruz: Let's turn to the discussion, and what I wanted to start with is thinking about mobility today and again, not just the device itself, but the way the companies are embracing these tools or embracing the device and the applications that run on top of it, and looking at a historical view here of January 2020 where we were prior to the pandemic. I mean some of this data almost feels like it's out of date now, the idea that people spend over three hours a day on their mobile device. Today, I spend significantly more than that. My modes are Teams, Zoom, and my phone, and that's it. Some of the data here though I think Sean just wanted to talk to you about, in particular that third box, the idea of responsiveness, businesses using a mobile device because they can get the immediacy and the communications with their clients.
Robert Cruz: They get the 90-second response rate to a text message as opposed to 90 minutes to an email. It's not just a millennial thing. It seems like this is across the board, companies are realizing these benefits of embracing mobile in order to get their core business accomplished. Is that the way you see it? Is that what you've seen companies embrace mobile, in particular looking back to the January time frame prior to the pandemic?
Sean Moshir: Sure, absolutely. I mean what we've seen is that the mobile provides a competitive advantage, businesses that are taking advantage of mobile devices and doing business on the go and in a variety of different organizations, especially in the financial sector which is very competitive. Just having a slight advantage of being able to communicate with your client through text message provides a quick response, and that obviously drives more business. The interaction is actually much simpler than an email because of the just the overhead involved in how the setup of the text message are quick short messages to go back and forth to discussing different things.
Sean Moshir: What we started to see obviously is some organization started to adopt this and realize this advantage, and trying to incorporate this into their business fabric and allowing mobile devices to get incorporated and allowing their staff to communicate through mobile devices, and obviously taking advantage of capturing those communications just like email, whether it's text or voice capturing that communication, archiving them. They would be doing this in a regulated way, and those who already incorporated these, obviously what we're seeing, so you mentioned January and as the COVID-19 started take like a foothold, globally we've seen that there has been a very major push on trying to take the business that was obviously being done in the office at home because of the stay home policies and so forth that was set in place.
Sean Moshir: Those who didn't have this obviously rushed to implement it in the process, and these things obviously take some time. As employees are expected to all the sudden start working at home, it is expected that the compliancy officers would keep the company compliant. Security offices obviously look to make sure things done properly and so forth as far as cybersecurity. There's a lot of activity was going on, and those who did the early setup obviously took advantage of it and extended. What we've seen is a very large business increase in this sector.
Sean Moshir: I mean just through our existing customers, we've seen quite a bit over 50% increase in just texting and voice that allows people to basically text enable their landline at their office, and take that voice and text obviously connect it to their mobile, and take that home with them.
Robert Cruz: Yeah, and I want to get to that point of the what's changed since the pandemic. Let's get to that, but Brandon, I want to ask you as well, where business goes, litigation discovery are going to follow. Looking back over the past 12 months, I would imagine that you've seen this shift as well where the mobile application is showing up in discovery more frequently. You're doing more collections around mobile devices. Is that true for the nature of your work that you're experienced with?
Brandon Leatha: Absolutely. We were already seeing a large shift to mobile before the pandemic, and I think the last 12 months, it's just really accelerated significantly. Mobile used to be a secondary data source and more and more, we're seeing today that the desktop may be the secondary and the primary source for communications relevant to a matter may be coming from mobile or from some communication application.
Robert Cruz: Right, exactly. I know that there's a lot of different companies on the line, large and small, regulated, non-regulated, a lot of financial services firms, but Sean, the point that you raised regarding some firms were prepared, others not as much. I really want to get a sense from the audience, how you've seen this pandemic affect the way that mobile is being used. Davi Schmidt, why don't we get to the first polling question for the audience, and what we want to find out is what's really changed for you here. Have you seen A, an increase in call volume, B, an increase use of text messaging, C, an increased use of mobile apps, D, no significant change or E, the first three.
Robert Cruz: In other words, everything has changed in terms of the way that the mobile devices are being used. If you could go ahead and submit your poll response, would appreciate that and while this...
Davi Schmidt: Right now, it looks like we've got 50% that say A, B and C.
Robert Cruz: A, B, and C.
Robert Cruz: Does that surprise you guys? Brandon, is that something that you would have expected, the fact that it's all three of those items?
Brandon Leatha: I think absolutely. If you can't do an office drive by or see someone at the water cooler, you're going to have to find some way to communicate with your colleagues. Those are going to be the key mechanisms, and I think folks are just if they were afraid to adopt what I would call alternate communication methods before the pandemic, they're embracing them now because it allows them to stay connected with their teams.
Robert Cruz: Yeah, and I think Sean, you already mentioned that the fact that a 50% increase in the demand that you're seeing, so that plays into this feedback as well. Let me add some additional data to this though. I think that if you look at what are some of the other implications here, the call recording volume increasing by 600%. The delivery of texts or SMS messaging up 250%. The average length of a call increasing from two to six minutes, as well as the use of Microsoft Teams and its video capabilities up a thousand percent in one single month. This seems pretty significant if you look at just how does this then change the obligation a firm has to be able to capture this.
Robert Cruz: I mean Sean, what are your key takeaways from this slide in terms of now so much more digital information being delivered, whether it's text messaging, voice recordings, or what have you? What's most important about this significant increase?
Sean Moshir: Obviously, one of the most important takeaway from this is the fact that organizations that are regulated are expected to have archived this information, to capture and archive this information. As we all know that there are regulators routinely audit a lot of the entities, and they look for these particular items, but given the situation with COVID, obviously a lot of the organizations were pushed or forced to have people work at home. Some of the employees were originally set up to be mobile. They had laptops and everything else, and some were not, but what's interesting is that on the mobile device, those that that were set up on the mobile device, whether they were in the office or at home, not a whole lot has changed for them because they could still continue to use their mobile home.
Sean Moshir: Now by taking all those calls that would go into the office that they take those calls at home, that obviously explains a lot of the activities on the mobile phone that the length of the calls have been increased and the text messages have been increased. That tells us that more business is being done on mobile phone, which means that there is more risk obviously if it's not captured and not done in a compliant way.
Robert Cruz: Right and I think you guys both have said similar things, which is if companies were prepared with the appropriate tools and guidance, then individuals will do the right things on the right applications, but Brandon, WeChat and WhatsApp growing at this rate, that's a challenge to begin with, but then you also have the signals and discords and house parties and Marco Polos and other tools that an individual may use because it's accessible. It's easy to get. I can do a free download. I'd imagine this mobile application usage can also be a challenge because someone may believe it's safe because it's encrypted. I mean how are you seeing that application aspect change?
Brandon Leatha: I've just seen such a significant increase in the number of apps used and like I said earlier, folks that may have limited their communications to certain channels that they're just now increasing because whatever your clients, whatever your colleagues are using, they'll respond back. Just anecdotally, I work with some teams that I've communicated with using text, using chat, using in meeting chat phone calls just with a single exchange. The aspect of multi-modal communications has just blossomed. You might have a side chat going on during a primary chat over a Zoom meeting.
Brandon Leatha: You mentioned encryption and I think employees think they're doing the right thing by using a secure or encrypted channel, but what that introduces is a lot of new challenges, is how's the corporation manage that new channel because that encryption may be end to end, and you can't intercept that. You can't extract that. From a reactive forensics perspective, you may or may not be able to get that information if it's needed for regulatory or compliance reasons.
Robert Cruz: Exactly. That whole discussion of risk, I want to get to that topic because I think the idea that regulated firms are concerned about capture store supervision to meet a regulatory obligation. It seems like this is now much broader because the things that can happen here that we've started to touch on really hit a number of different dimensions, whether this is the appropriate device, whether this is a device that's been issued by the company that has all the appropriate controls on, or whether the individual is using the right applications, or they have a mechanism to block the prohibited apps. When you think about risk, how do you get your hands around all the different things that potentially companies are exposed to, and how do you deal with that? Brandon, what are your thoughts for just looking at the risk factors?
Brandon Leatha: Well, it can't be an afterthought. I think the risks are that if you ignore the fact that these apps are being used, you risk not be able to monitor, manage, and access that information if it is required. It's very important to be aware of what those risks are. The other risk is just data leakage. Intellectual property is being shared via these communication channels, and people are sending documents through unauthorized communication means and that document transfer may seem benign to the employee at the time, but you've now essentially leaked or increased the proliferation of your IP and the number of places where it may exist. Once it goes through these communication channels, you might not be aware of where those documents or where that key information is being shared.
Robert Cruz: Right. You're talking about not just regulatory litigation data privacy, but also data security and those last two topics, Sean, obviously data security is going to be on the top of everyone's list just in terms of are you exposing the firm to malware to phishing attacks, to ransomware. The data privacy implications here, obviously you spend a lot of time talking to clients about just how do you maintain that separation between personal information and business information, how do you make sure you're not doing things that are not compliant with CCPA. How do you address some of these security and privacy risks when companies are thinking through this?
Sean Moshir: One of the easiest way for a lot of organization obviously as measures separating personal data and corporate data is obviously using containers. There are a lot quite a few of them out there, such as the Blackberry UEM, the Microsoft Intune and MobileIron. These are a lot of different containers that allow you to have applications that run inside the container and separate all of the activity that's related to the corporation, separate the personal data and it's on the same device. Obviously, this is a BYOD solution. Alternatively, they can hand out phones to their users, but the cost of that been handing out a phone for several hundred dollars might be cost prohibitive for some organization.
Sean Moshir: The technology is out there to address all of these and address them in a very cost effective way, and given the market circumstances today, these can be addressed very quickly with a lot of the different technology that are out there and allow organizations to separate the data, keep them encrypted, still have it managed by the corporation and in a very cost effective way.
Robert Cruz: That's a great segue into an area that I would consider a knowledge gap or just an awareness gap perhaps, and challenged us to think about why do these gaps continue to exist. The first one on this slide, something that we've seen for multiple years when we do our compliance survey, and that is the mobility knowledge gap or just the notion that it's recognized by firms that the devices are being used to communicate with your clients, but still a significant percentage of firms have prohibition policies. Question Sean, is this going to go away? Did the firms now realize there is no choice other than to allow their employees to use a mobile device, or is there still going to be this knowledge gap in the compliance realm?
Sean Moshir: Well, the knowledge gap always been there, and it's going to get reduced as time moves forward. What we've seen in April of 2017, FINRA clearly outlined that in case of using a mobile device communicating via any other messaging systems including text, what needs to be done and is that information needs to be captured. Now that that's out there, it's expected that organizations to comply to it, but some organization obviously, they have text prohibition which we think is not sustainable because of the competitive advantage that other organization will have when they're texting their clients for a faster result. In these industries, that would make sense to have that, so to have text prohibitions.
Sean Moshir: The other shift that obviously we've seen is, yeah, a lot of the organization are beginning to realize that with what happened again with this pandemic is the fact that people who already were set up for communicating with their clients on the mobile device simply can go home and continue that. The infrastructure for that hasn't changed, whether you're using it at work, using work wi-fi or your wi-fi is often using the tower. You come home, the same thing goes through the same cellular tower and you still communicate with your clients voice, text, whatever you had. However, the infrastructure may not be the same when you pick up your laptop and you bring it home, and that infrastructure obviously a little bit different.
Sean Moshir: Obviously VPN, things will be a little slower, but overall at home, you don't have the same firewall you had at work. You don't have the same router you had at work. The infrastructure at home, it doesn't provide you with the same type of security that you actually had at work. There's a little bit of difference there and managing that obviously becomes very challenging, but on the mobile device, it's really straightforward. Once it's set up and it's set in the proper way, you can just move around and there's no degradation of service.
Robert Cruz: Right. I would agree with you that this seems like it's going to be an area that's going to look very different next year, and perhaps the text and SMS box is replaced by voice and video because now the knowledge gap or the confusion or perhaps the need for additional clarity is around what do you do with your voice recordings and conferencing apps now that everyone is on Zoom. The regulator guidance here is fairly limited in the US in particular from FINRA addressed via the taping rule for voice and method to obviously within Europe, but really nothing clear in terms of yes, some firms are making use of voice recordings for remote individuals that have some concern about previous mishaps they've had with regulators, but it's another one where additional regulatory guidance perhaps is coming.
Robert Cruz: Would you see it the same way? I mean is that fair for you? Would you also see that gap also emerging here in the next year?
Sean Moshir: Absolutely, yeah.
Robert Cruz: Yeah.
Sean Moshir: Yes. As that gap obviously closing is the fact that there would be awareness among different organizations and in the marketplace in general.
Robert Cruz: Right.
Sean Moshir: That awareness which allows them to understand what are the requirements and why they need to be capturing that information for e-discoveries and so forth and the cost saving that's also involved when you go through certain litigation where you actually are using archiving and digging up the information in the archiving system, whether it's done through the reports in that system or manually doing it. There's a lot of different awareness that needs to be done in the market to still educate a lot of organizations about these things, but typically under competitive pressure, some of them, still they use mobile devices, and I think that gap will close as time moves forward.
Robert Cruz: That's a good segue to Brandon, and we've had this discussion many times about the practices companies continue to use for litigation and discovery, in particular around a device and using a forensic service, which could very well be the right answer in some specific cases, relying upon an individual to do a download or wrestling with the carriers directly when you need to get some historical records. Why does this continue to exist, and do you think this is going to change?
Brandon Leatha: I think first of all I think it's going to have to change. Historically, mobile data was a small percentage of the relevant information and discovery matters. It was considered a supplementary source. You may only collect mobile data on a case-by-case basis from certain users and as a result, it was a reactive approach. We'll deal with it if we need to, and we're going to very focus of scopes that those collections narrowly. As the use of mobile has increased, it has become on par with the use of email and desktop computers as a source of information. It's become a primary source. I think that it's going to need to shift and it cannot be such a reactive process.
Brandon Leatha: Relying on end users, especially if you're just doing the custodial interview where you're asking users, do you communicate via text messages with your customers, you need to test that because a lot of users or employees will say, "No, we don't use that." Then once you dig into it a little further, yeah, well in many cases they do and it may not be their choice, but their customers may be texting them, and then they respond back via those channels.
Robert Cruz: Right.
Brandon Leatha: Lastly, in the pandemic era, it's made going to the end point a lot more expensive and a lot more difficult with air travel as it is and folks not wanting to or it not being safe to work closely with individuals devices. It's gotten very challenging to go to the endpoint. Literally many of the methods to collect evidence from these data sources require going to the actual device and plugging into forensic software. We're going to have to get more proactive with methods to manage this data before it becomes too late.
Robert Cruz: Yeah, I think that's great advice. I mean just the moving of this as a first-class target of increase in volume, the frequency, the heterogeneity of all this data means that doing this in a reactive mode is going to continue to be more problematic riskier. There has to be a better way. Why don't we get to the second polling question. We've talked about a lot of different dimensions here, the data privacy, the security, the litigation, the regulatory exposure. The second question we want to ask the room is, what's your greatest concern around mobility?
Robert Cruz: Is it A, difficulty in reviewing mobile content for discovery and compliance, recognizing that these conversations are very different than email, B, the use of unauthorized apps, C capturing of historical mobile content where you may have to wrestle with the carriers, D, potential cybersecurity exposures or E, all of the above. I think your comments earlier Sean, this is going to be security and security and security?
Sean Moshir: It's all of the above, but if you had to only pick one...
Davi Schmidt: We've got right now, it looks like 67% are all of the above.
Sean Moshir: Yeah, all of the above, but usually if you have to pick one, security always trumps everything.
Robert Cruz: Yeah. Yeah, we should have phrased that question a little bit differently because it seems like security is going to be on everyone's mind. Take that off the list and just ask everyone to pick the others, but yeah, not too much of a surprise there. It's all over the board, and I think that's a very important segue into the last portion of the discussion here, which is what do you do about this? We've talked about everyone being thrust into the situation. We were executing our emergency procedures just to make sure that the company can continue to operate. The lights are on, you can serve your customer.
Robert Cruz: That's where we've been and now we hopefully have gotten to an inflection point where we can look at what has taken place, what have we learned from it, and what can we take to the next stage, whatever the new normal is. Two-thirds of organizations and financial services we've heard will continue to operate in some virtual or flexible mode for the foreseeable future. That's pretty significant in terms of now I can stop and I can think about how to invest in people or process or technology to be able to take the company to a next spot. Brandon, why don't you start us off with you want to make sure that mobility is a central part of your risk mitigation strategy, both dealing with regulatory discovery and elsewhere.
Robert Cruz: What are the two or three key things you would advise companies to do as they go about and build this plan for their next wave of a virtual work environment?
Brandon Leatha: Sure. I think the first step with any process to improve your current posture would be awareness, understanding what are the risks, what apps are the users communicating on, are we able to manage and collect information from those apps, are we able to offer an alternative to funnel those communications through a single or a small number of sanctioned applications and prohibit the use of others. Really that first step is awareness. Then once you're aware of your risks, developing policies around those risks. There are written policies that are very clear and fresh that outline those risks and what the company's position are, and then last is to train. We need to train our employees and that can't be a one and done.
Brandon Leatha: That training needs to be ongoing because things change and as we've seen this rapid decentralization of a workforce, that requires new training. I think it's an approach of prioritizing, us understanding what's occurring today, and how to implement that and refresh your policies, and then how to train your employees and the company to adhere to those policies.
Robert Cruz: Right, and I'll ask you to comment to a question that came in. It gets to the awareness and the planning, and the question is, from a discovery perspective, organizations that have a requirement to record conversations, how could you retrieve that information from a mobile device? Is that done automatically or do you do it on an individual basis? That's both a direct question, but also a broader question of if that's something that you know you're going to experience, then have a plan for it, build your playbook so that you can address those regulatory obligations, the need to capture voice recordings, make sure that that's something you can execute on that particular device. Yeah.
Brandon Leatha: I guess I'll say first from the reactive perspective, getting decentralized recordings from devices can be very challenging and as a result, expensive. Going to the end point to gather those is challenging and sometimes may not be successful. Coming up with understanding your requirements for those recorded communications, implementing centralized technology to do it, so you're not relying on the users or the endpoint is going to be the key.
Brandon Leatha: The other thing is just dealing with encryption. I often get asked to estimate what it costs to extract information from mobile device and if you're talking about a single channel or a single targeted thing that's well-supported, yeah maybe that's easy to estimate, but I will tell you that the layers of encryption and passcodes and biometrics and two factor, and then the departed employee problem, we have the device but we don't have the encryption or decryption keys. That gets to be very challenging and expensive and as a result risky.
Robert Cruz: Exactly. Great advice. Sean, what's your perspective here in terms of what a firm should be doing about building a plan that embraces mobility as a first class target for business?
Sean Moshir: Absolutely. I think they have to understand what the requirements are and putting the proper policies in place with the training and the awareness, what channels or communication is okay, what channels are not. When you have the proper tools and the proper tools is extremely important for organizations to decide what are the tools that they're going to use to capture this information because we totally believe everything should be just automatically done, things should just get captured, if you're texting, if you're calling, and so forth, whether it's BYOD or obviously in a corporate liable. In BYOD, you separated your personal dialer and the corporate dialer would be separate and obviously, this is important.
Sean Moshir: The right tool I'm emphasizing on that quite a bit because it needs to make sure that for regulated industry, it addresses what the requirements are. For example, if you're texting someone using any tools or you're using your phone, are you telling him this text is being been recorded, is there a privacy link at the bottom of the text, is there anything that's done automatically added in there that takes advantage of the fact that you're addressing privacy in there as well.
Sean Moshir: Organizations definitely have to do their due diligence, making sure that they pick the right tools to do this, and I totally believe it's got to be done in some sort of an automated fashion, where you don't put so much burden on the user trying to do business on the mobile device. Rather than, they can just focus on the business itself.
Robert Cruz: Exactly.
Sean Moshir: Yeah.
Robert Cruz: That's the key point there, just making it easier for firms to get business done through the tools that are accessible to individuals now, and just wanted to flash one slide that actually pretty well talks to the points you both have raised to this stage. Getting in front of this by having a mobile task force, individuals, the various stakeholders that are involved on the business side and knowing how mobile is being used, as well as those individuals that can address the various risk vectors that we've discussed here. Assessing the current environment in terms of the technology infrastructure, and also just the applications that are in use and those that are prohibited, making sure that you've got a good read on what that environment looks like.
Robert Cruz: Refreshing policies or making sure that your communication policies weren't implicitly written for a work office scenario and properly address the way that individuals are working now at the remote. Looking at what is the trade-off between reactive and proactive in terms of the way that you would collect. If mobile is a target for discovery, how would you do that with existing methods versus is there an opportunity to be more proactive? As both of you have said, training, training and training just around the devices, new capabilities, as well as new applications. I think we're all aligned here in terms of your feedback, things we've heard from other clients, and other practitioners as they've dealt with this challenge.
Robert Cruz: Hey, so why don't we wrap it up just with a couple of key takeaways and if we could for Brandon and Sean both of you, if you could give a little bit of insight into how can your firms help organizations as they are trying to wrestle with this challenge? What can your consulting services assist with and CellTrust, how can they help organizations in this area as well? Let's start with Brandon.
Brandon Leatha: Yeah. Thanks Robert. Like I said in my introduction, my goal is to deal with and help clients with some of the more challenging aspects of discovery and forensic investigations, so dealing with new communication channels, dealing with cloud and social, helping to evaluate what solutions work for an organization and right sizing those solutions. That's really been my focus so please reach out to me if you have any questions. This has been my career but also my passion for 20 years, and I really enjoy working in this area. Thank you.
Robert Cruz: Terrific. Thanks Brandon and Sean.
Sean Moshir: Yeah, absolutely. I think the best way to explain what we do is just as simple as we provide a mechanism to capture text and voice, and this is by simply installing an app on a BYOD or the corporate liable, and anything you do inside, the app is a phone all by itself. It has its own dialer, its own text messaging inbox, its own contact list which is connected to the corporate contact list, its own call logs, everything. Everything done inside that app obviously belongs to the corporations and gets archived according to the policies that are set, and then all those informations are captured and sent to archiving systems such as Smarsh.
Robert Cruz: Very important technology. I think there's a question that came in I want to ask you, just how you've seen organizations adjust their strategies between corporate owned and BOYD policies. I think we may have touched that briefly, but I wanted to make sure we addressed that question.
Sean Moshir: What are the things that we have seen and the corporations obviously look at both different systems, whether it's corporate liable or BYOD, depending on what works for them. Obviously with corporate liable, you have to have two phones, you carry two phones. One is obviously your personal one and then the corporate version, and the information on the corporate version, everything you do gets archived. On the BYOD, obviously what we've seen is organizations that are more cost conscious as far as what it would spending. It could cost up to several hundred dollars for each, phone where the app could be just a few dollars.
Sean Moshir: The cost saving is there for them to use the BYOD, and the app obviously does not intrude on anything personal and doesn't access anything on a personal device. It's a self-contained. What we've seen is corporations are exploring both side of this area, and we predominantly have been strong in the BYOD, and we've seen a very large increase as I mentioned over 50% increase in the BYOD just in the recent months.
Robert Cruz: Okay, terrific. Thank you very much for both of you to spend your time and share your expertise with everyone. Really appreciated. We have a couple of additional questions, but I want to cover one quick slide just to give some additional context that we can answer at least one with a broader point of view here. If you could hang on for a second folks, we'll get to some of those additional questions here in the last couple of minutes. Just looking at how we can help to complete the picture between how Brandon's organization and CellTrust can work together with Smarsh to address some of the challenges that we've raised here.
Robert Cruz: In the case of Smarsh, the basic set of capabilities we're providing, first in the initial column and our capture technologies, these are designed to work natively with whatever communication source needs to be captured. It's working with the native APIs, the methods that work directly with the carrier if that's the method that is the appropriate one. Whether that's email or social media or a mobile application like WeChat or WhatsApp, we're working directly with sources that we can understand the native context that's happening on each of these communication sources. The important point that came up earlier is that a conversation that's taking place on a device, it's going to look very different than what it looks like in email.
Robert Cruz: It's going to be fragmented over multiple entries. Being able to capture all that communication flow natively then allows you to deliver that information in our case to our connected archiving capabilities, and the connected archiving capabilities are there where you can create the policies. You can then determine how that information needs to be retained, whether that's driven by your regulatory obligations. Whether you're a financial services firm or a healthcare organization or a biotech company, you have to meet your regulatory obligations. We're allowing you to capture all those communication sources to meet those retention requirements.
Robert Cruz: We're also enabling you to store that data, so that you can search, you can review, you can supervise, you can manage the early stages of discovery, and you can do that all in its native context. You can do those communication reviews with a snapshot of the way those communications took place on all that disparate data sources. Once that has been done, you then can work seamlessly with the external applications that we provide through integration with third parties, legal review tools, business intelligence tools, as well as our own native applications for supervised review, for FINRA firms, as well as SCC on the investment advisor side and also for discovery, enabling companies to legal hold management to do preservation, to calling and filtering to shape that data before you send it off to a legal review tool.
Robert Cruz: We complete the picture by enabling those content sources to be captured, to be stored, to then lead those into the business processes that companies have to be worried about, now with all of this variety of data that's floating around. I know that we're going to do an exit survey in here, or I guess after we answer some of these last minute questions, but I hope you all can stay on the line for a couple of minutes and fill out some of the questions that would really give us some additional insight into the kinds of things that you were looking for, the things that you have on top of mind in terms of the things you need to do with mobility. Davi Schmidt, why don't you want to tell us a little bit more about the survey?
Davi Schmidt: Yeah. The survey is going to pop up as soon as I close the webinar. There's a bunch of questions in there, if you go ahead and answer those questions. We will reach out to you afterwards to discuss some of the answers and if you'd like to speak to a Smarsh representative, we will follow up with you after the webinar.
Robert Cruz: Terrific. Some questions and I have seen a few come by and just one right in my screen now is, how do you defensively delete regulated data? Is there an audit log or report? Great question and since quite a few folks on the line are working within regulated industries, retention is only as good as you have the ability to also enforce a disposition policy. If you've defined retention based on whatever your regulatory obligations are, that also means that once that data has reached the end of its retention period, that information is going to be automatically disposed of from the repository. That's the ongoing process for us to enable companies to retain data only for as long as it's necessary from a regulatory perspective or from your other governance objectives.
Robert Cruz: If you have records management policies outside of regulatory, same thing, you can set policies either globally across all communications. You can set that granularly. You want to treat mobile different than WeChat, different than Slack or what have. You have the flexibility to be able to set those policies and also ensure that the disposition process happens in an automated fashion with full audit logs and reporting that happens as part of that. Were there other questions Davi Schmidt?
Davi Schmidt: Yeah, so that was a multi-part question, so I'm going to go back up to the first couple of questions that that person asked. The first one was, are you applying classification to these SMS text messages? If so, what is the capture mechanism and how are the classification policies defined?
Robert Cruz: Yeah. I think we covered that. We talked about the methods that working together with CellTrust, how we're enabling the identification to be created for the business communications that then gets delivered to our archive. Within the archive, you can define the classifications and policies you want to apply against any of that capture content.
Davi Schmidt: Then a continuation from that, understanding that there is a heavy finance play here, they were wondering about healthcare international privacy, state privacy, federal laws, et cetera.
Robert Cruz: I think we hit that from a regulatory perspective. Again, if it's a matter of policy that's driven from HIPAA high tech or from the FDA, you can enforce those policies in whatever fashion you need within the system. You've got the flexibility and the granularity to do that. Data privacy, I don't know if you want to talk at all about GDPR or CCPA, Sean, if that's something that you tend to work with in navigating.
Sean Moshir: Absolutely, we're definitely compliant. We do allow in our back-end services for the data to be captured on obviously different continent, and then it could be sent. You have an option to have organizational unit within the company. If a particular branch or a division of the company is in another country and they don't allow the data to be transferred outside of that country for some particular rules or regulation, you have an option to do separate archiving. People in different organizational unit can archive to different locations.
Robert Cruz: Yeah, absolutely.
Sean Moshir: We use Smarsh for that.
Robert Cruz: Okay, and that's a great question with several parts to it as far as how do you comply with GDPR. I think a good starting point is having data under central management is a great start because you know where your data is. The biggest challenge we see from companies facing GDPR and CCPA is responding to the right of access requests. If a citizen inquires as to how their data is being used, it's much easier if you have that data under management. The ability to apply policies, you can segregate here's EU user citizen data, here is CCPA California citizen data. You can respond to those requests very easily. The notion of being designed for by default for data privacy I think is a central tenant to the way that we've built our systems.
Robert Cruz: Having all of the cybersecurity controls in place to make sure that data's under proper management is also a fairly central tenant. Yeah, so there's a whole bunch of other dimensions that I think our website has some additional data on how we address that.
Davi Schmidt: Thank you. Do you think workplace productivity via electronic communications has increased or decreased as a result of COVID-19?
Robert Cruz: Good question.
Sean Moshir: Obviously, there has been an impact and productivity was started to get impacted a bit at the higher rate to begin with, but then I think it tapered off and it's beginning to pick up because of the involvement of a variety of the IT and all the different organizational within the company that has helped it to move the infrastructure, to expand on the infrastructure. Obviously, it has created some sort of an interruption in productivity, but at the same time and I think what at least we've seen is by working at home, employees spend a little bit more time on average on doing work-related tasks and so forth, so it's beginning to offset some of those things.
Robert Cruz: What do you think Brandon?
Brandon Leatha: I completely agree with Sean on that last point. What I have both experienced and just heard anecdotally as well as I believe Microsoft just released the results of a survey they did with Harvard, is that employees are replacing their commute with additional work hours and the traditional workday has just gone out the window. The number of hours worked has increased [inaudible 00:58:00]. In terms of access productivity, I'm not so sure that that would have increased.
Brandon Leatha: Again, I think it's early to really say from any official studies on productivity, but the number of distractions that users have working remotely and from home, the gaps that you might have between communications where folks are taking breaks during the middle of the workday and may not be available. Maybe that's decreasing productivity, but again I think it's really, really safe from a scientific perspective.
Robert Cruz: Yeah, I would agree with both of those points of view. I'm online more hours of the day because what else am I going to do? I'm not going to go on vacation, but there's a point of diminishing returns and I think somebody published a survey that said after three hours of Zoom face time, the decline in your attentiveness and productivity, you can see the drop. Zoom fatigue is real and I've been on that side of the line. Yes, more hours and being connected all the time is one of the natural things, but I think you're going to start to see a rebound where companies are providing more guardrails to make sure that individuals do have a time to decompress, go offline, plant a tree, do something else other than just being connected all day every day.
Davi Schmidt: I think we have time for one more question. I think this one will be a quick one. Does Smarsh capture mobile messages in their native form?
Robert Cruz: Absolutely yes and with partnership with CellTrust and also when we work with the corporate devices, that's one of the critical things of just looking at all these different disparate data sources. A conversation is unique in each one. There's a message opposed to like a share an emoji, a file. It really matters to make sure that you have all of that information in context. You capture that whole conversation snapshot and once you have captured it, then you can play it back without losing some of the fidelity, missing a message, or missing some important context. That's one of the key things that we do, is making sure that all of that's captured and played back in its native format.
Davi Schmidt: Great. Thanks Robert. Thank you everyone for participating in our innovation exchange webinar series. Please note that the webinar has been recorded and a link to the recording will be sent out. You're welcome to send any additional questions you have to us at email@example.com. If you asked a question and we were not able to get to it, we'll have someone reach out after the webinar to make sure all of those questions get answered. Thank you to our speakers Brandon, Sean, and Robert, and thank you again to the participants for joining us. Hope to see you next time. Thank you.