On the first business day of 2011, the New York Times reported that Apple’s rivals had proclaimed 2011 to be their year to recapture a slice of the computer tablet market, currently dominated by the iPad. Since the iPad’s launch in late 2010, Apple has sold more than 4 million of its tablets; some commentators predict that Apple will sell tens of millions more iPads in 2011. Adding to the flood of tablets into the marketplace — and into the workplace — corporate IT departments are getting into the act. According to a recent report by ChangeWave, only 1% of corporate IT buyers reported in August 2010 that their organization provided employees with a tablet, but that number jumped to 7% in November 2010, and 14% of respondents stated that their organization plans to buy tablets in Q1 of 2011. Even the public sector is turning to the iPad. The Virginia legislature recently purchased 45 iPads for selected legislators and staffers in an effort to reduce the use of paper.
These trends pose serious challenges for corporate HR, Legal, and IT departments that should be addressed — or at least considered — before the “tablet tsunami” hits with full force. To begin with, employees in many organizations — often senior executives who scored an iPad as a holiday present — are clamoring to connect their iPad to the corporate network or are using the iPad for work even if the IT department refuses a connection. In fact, the iPad may represent a turning point in the battle between businesses and their workforce over the use of personal devices to conduct business. According to a November 2010 study by Ovum, approximately 50% of employees already are permitted to connect their personal devices to the corporate network. Because the iPad is so enjoyable and easy to use, that percentage is likely to surge in the next year or two as organizations bow to employee demands to use their personal iPad (or other tablet) for work.
The fundamental problem with the trend toward employee use of personal devices is the organization’s potential loss of control over its information and its information security. Employees, for example, might not take steps, such as activating a log-in screen, to secure their personal devices against unauthorized access. Employees can refuse to permit access to their personal device when the organization needs it to conduct a workplace investigation or to satisfy its e-discovery obligations. As a third example, an employee who loses a personal device may be loath to send a “kill command” (assuming the employee has enabled the ability to do so) out of concern for losing personal files, e-books, music, photos, and video, even if the lost device puts corporate information at risk.
Organizations can try to regain a modicum of control by issuing corporate iPads or other tablets, but that will not solve all of the problems. Anyone who has used an iPad knows that a no-personal-use policy would be like telling Adam not to take a bite of the biblical apple. Indeed, according to the Ovum study referenced above, 70% of employee-respondents stated that their organization (apparently bowing to the inevitable) permits them to use company-issued devices for personal purposes. Thus, company-owned tablets likely will have an agglomeration of personal and business documents, complicating searches, electronic discovery, and access to business information when an employee is unavailable.
What issues should HR, Legal, and IT be considering? They include the following:
- How can the organization help its workforce enable the security features of their personal devices to make them more secure?
- Should the organization require employees to load anti-malware software (to the extent available) onto their personal devices to reduce the risk of infecting corporate networks?
- To what extent is information stored on employees’ personal devices encrypted so that the organization can benefit from the “encryption safe harbor” in security breach notification laws if a device is lost or stolen?
- If the personal device is not, or cannot be, encrypted, how will the organization determine the full scope of business information stored on the device to satisfy its breach notification obligations?
- How can the organization arrange to send a “kill command” to an employee’s personal device without violating state and federal computer trespass laws and without incurring potential liability for destruction of the employee’s digital belongings stored on the device?
- What type of monitoring, if any, will the organization conduct when an employee connects a personal device to the corporate network?
- How will the organization ensure that the monitoring of a personal device, which likely includes substantial information that the employee considers to be private, does not violate applicable privacy laws?
- How will the organization gain access to relevant information stored on the personal device when needed for a workplace investigation, especially where the employee-owner of the personal device is the target of an unannounced investigation?
- Will the organization be responsible for preserving business information stored on the personal device when the organization is sued or threatened with a lawsuit?
- How will the organization collect discoverable information from a personal device while avoiding allegations of invasion of privacy by the employee-owner?
Grappling with these issues in advance — before a personal device loaded with sensitive employee, customer or business information is lost or stolen and before a complaint that a manager propositioned his subordinate through his “mixed-use” personal device is made — will go a long way towards protecting the organization’s interests.
This entry was written by Philip Gordon.