A recent article in the Wall Street Journal aptly identified several challenges that employers face when they allow employees to use their personal smartphones and tablets for work. The article, entitled “So You Want To Use Your iPhone For Work? Uh-Oh. How The Smartest Companies Are Letting Employees Use Their Personal Gadgets To Do Their Jobs,” notes several steps employers are taking to reduce privacy and information security risks. These steps include the following: (a) requiring that employees enable passwords, (b) sending a “kill command” to wipe business information from a lost or stolen device, and (c) walling off sensitive data into an “encrypted container.” While these steps are all useful, they comprise only a partial list of critical issues employers should consider before permitting employees to use a personal device for work.
Below are seven key steps that employers should consider taking before allowing employees to use a personal device for work:
1. Demand the Installation of Adequate Malware Protection: Personal devices may be used for activities — such as peer-to-peer file sharing, viewing pornography, or downloading games — that increase the risk of infection by malicious software. Yet, personal devices typically will not have protections against malicious software that are nearly as effective as those loaded on a company-issued device. As a result, the risk that the corporate network will be infected with malware can increase materially if inadequately protected personal devices are connected to the corporate network. One solution is to require that employees load an approved package of malware protection to any personal device that will be connected to the corporate network.
2. Get Consent Before Sending a Kill Command: The Journal article noted that it is illegal in South Korea and in China to send a kill command to an employee’s personal device. Although no U.S. court has yet addressed this specific issue, sending a kill command to an employee’s personal device without the employee’s prior consent runs the risk of violating the federal Computer Fraud and Abuse Act and state computer trespass laws. These laws generally prohibit unauthorized destruction of information stored on someone else’s computer. To avoid potential criminal and civil liability under these statutes, employers should obtain written consent to send a kill command to any personal device that is reported lost or stolen.
3. Get a Release Before Sending a Kill Command: Kill commands typically will wipe not only sensitive corporate information but also the employee’s personal collection of music, videos, photographs, books, and more. That collection often is backed up. If it is not, however, the employer could be facing a significant bill to replace the employee’s electronic library. To avoid such claims, employers should obtain a release from employees for any damage to personal files deleted by a kill command.
4. Prepare Ahead of Time for a Potential Security Incident: A lost or stolen personal device containing personal information, such as employees’ or customers’ Social Security numbers or credit card numbers, could trigger security breach notification obligations. Sending a kill command will not necessarily permit employers to avoid statutory notification obligations because a sophisticated thief might be able to access personal information on the device before the kill command is activated. Requiring that employees activate encryption on a personal device, when available, should eliminate the need for security breach notification because of the “encryption safe harbor” in all security breach notification laws. If encrypting the employee’s personal device is not feasible, the employer should at least require immediate reporting to its security incident response team of any loss or theft of a personal device used for work. In addition, all employees using a personal device for work should be provided with the contact information needed to immediately notify appropriate personnel of the loss or theft.
5. Get Consent to Access the Personal Device for Legitimate Business Purposes: Employers who permit widespread use of personal devices for work almost inevitably will need to access employees’ personal devices during the course of employment. Access may be necessary for a workplace investigation or to implement a litigation hold. Unlike with company-issued devices, the employer has no right to access an employee’s personal device, even for a legitimate business purpose. Employers should notify employees up front that refusal to comply with a reasonable and legitimate request for access to information stored on a personal device could result in discipline up to and including termination of employment.
6. Amend Your Organization’s Electronic Resources Policy to Address Monitoring of Personal Devices: Corporate electronic resources policies commonly speak only in terms of the corporate computer network and company-issued equipment. As a result, a court likely would find that warnings in an electronic resources policy that employees should have no expectation of privacy have no impact on employees’ privacy expectations with respect to information stored on their personal devices. Yet, when an employee connects a personal device to the corporate network, that device likely will be subject to the same invasive monitoring practices as company-owned devices, exposing the employer to privacy-based claims. To reduce this risk, the corporate electronic resources policy should be modified to warn employees that the policy applies with equal force to personal devices that are connected to the corporate network.
7. Think About How Your Organization Will Retrieve Business Information When Employment Ends: Having a cache of confidential business information on a personal device provides one of the easiest vehicles for misappropriating trade secrets. Upon termination of employment, the employee can misappropriate simply by keeping his or her personal device. To reduce this risk, employers should consider incorporating a review of the information stored on an employee’s personal device used for work into the standard exit interview process. For hostile partings, sending a kill command may be the only feasible way to prevent misappropriation of trade secrets. However, without the consent and release noted above, those actions could strengthen the hand of a hostile former employee in pending or threatened litigation with the employer.
Photo credit: damircudic