by Philip L. Gordon, Esq.
As more employees buy smartphones, more of them are using those versatile devices to perform work. That can seem like a win-win for employers. Employees can use their own equipment to stay in touch with office email and download company documents to carry with them and work on at home. The employer avoids a technology expense.
But employees’ use of personal smartphones (and tablets such as iPads) raises risks not present when employees use company-issued devices. When you provide a laptop or phone, IT probably loads it with software to protect its contents from corruption and keep hackers from compromising your network when employees connect to it. You may provide encryption systems to keep sensitive data secure. Plus, you can demand access to the device at any time and require the employee to return it upon termination.
There’s no guarantee your employees’ personal devices are so well-protected. To ensure the safety of employee-owned smartphones and continued access to your company’s information, take these six steps before allowing employees to use them for work.
1. Demand the installation of adequate IT protections. Employees often fail to activate controls that enhance their devices’ security. These include encryption, password protection, automatic lockdown after a period of inactivity, automatic deletion after several failed log-in attempts, remote wipe capability and anti-virus protection.
Require employees to load an approved security package to any personal device they will connect to the corporate network.
2. Get consent to issue a “kill” command. If an employee’s smartphone is lost or stolen, your organization’s data could be at risk. One way to ensure sensitive information doesn’t fall into the wrong hands is to issue a kill command, in which a remote signal wipes clean the phone’s memory. For a small fee (paid in advance), most smartphone manufacturers and service providers offer such a service.
Sending a kill command to a personal device without the employee’s prior consent could violate the federal Computer Fraud and Abuse Act and state computer trespass laws, which generally prohibit unauthorized destruction of information stored on someone else’s computer. That’s why you should obtain employees’ written consent to send a kill command to any personal device.
You should also have employees sign a release absolving you of liability for any damage to personal files—such as music, photos and e-books—deleted by a kill command.
3. Prepare in advance for a potential security threat. If an employee’s lost or stolen smartphone contains personal information—such as employees’ or customers’ Social Security numbers or credit card numbers—you must be prepared to notify affected parties that there has been a security breach.
A kill command may not prevent a security breach, because a sophisticated thief might be able to access personal information on the device before the command is activated.
Requiring employees to activate encryption on their personal devices, when available, should eliminate the need for security breach notification because of the “encryption safe harbor” in all security breach notification laws.
If encryption isn’t feasible, at least require employees to immediately report loss or theft to your security staff.
4. Get consent to access the device for legitimate business purposes. Employers that permit use of personal devices for work may sometimes need to access them—for example, during a workplace investigation or to implement a litigation hold. Unlike with company-issued devices, an employer has no inherent right to access an employee’s personal device, even for legitimate business purposes.
Notify employees up front that refusing to comply with a reasonable and legitimate request for access to information stored on a personal device could result in discipline.
5. Amend your policies to address monitoring of personal devices. Corporate electronic resources policies commonly speak only in terms of the organization’s own computer network and equipment. Your existing policy’s warning that employees should have no expectation of privacy when using company systems will not apply to their own personal devices.
Amend your policy to warn employees that it applies with equal force to personal devices that are connected to the corporate network.
6. Plan to retrieve business information upon termination. Having a portable cache of confidential business information makes it easy for former employees to misappropriate trade secrets. To reduce this risk, consider incorporating the review of information stored on an employee’s personal device used for work into the standard exit interview process.
For hostile terminations, sending a kill command may be the only feasible way to prevent misappropriation of trade secrets. However, without the consent and release noted above, that action could strengthen the hand of a former employee in pending or threatened litigation against you.
____________________________________________
Author: Philip L. Gordon is a Littler Mendelson shareholder and chair of the firm’s Privacy and Data Protection Practice Group.