What rights do employees have to protect their personal data on a cell phone, laptop, or tablet that they own and use for both personal and business purposes? What rights do employers have to protect their own corporate data on these personally owned devices?
And whose rights win when the employee quits, is fired, or loses the mobile device, and the company wants to remove its proprietary information from the mobile device before it can fall into the wrong hands?
Those were the questions in a Texas court case that holds several simple but important lessons for implementing BYOD (bring your own device or mobile) policies for employers and employees alike. In Rajaee v Design Tech Homes et al., (Dist. Court, SD Texas, 2014), Saman Rajaee sued his employer, Design Tech Homes, for remotely wiping personal data from his iPhone shortly after he resigned. Rajaee cited violations of both federal and state law. The courts ruled against Mr. Rajaee, but several important points were made during the case that can help employers and employees avoid these problems in the future.
My friend Shawn E. Tuma is an amazing lawyer, and a recognized expert on the legal issues surrounding BYOD (bring your own device), cyber security, hacking and related matters. He’s fond of saying that preventing a cyber risk is cheaper than the very first day of litigation.
Of course, he’s right – and that advice applies to employers and employees. His recent article on the Rajaee case focuses on the advice business owners need to follow, and answers the question “Can a company remotely wipe an ex-employee’s device?” with a resounding “Maybe – under certain conditions.”
Remotely wiping the company’s data along with the rest of the mobile device’s data – as Design Tech did in this court case – is one option. It can be the least expensive option for a small business. But it’s the cybersecurity equivalent of using a sledgehammer instead of a scalpel to remove the at-risk data. Most of the EMM (enterprise mobility management) solutions available to corporations can remove company data from a mobile device without affecting the employee’s personal data. A full remote wipe, by contrast, restores the mobile device to its factory settings, removing everything stored on it: all contacts, images, videos, and so on.
I have a problem with an employer taking the position that remote wiping is an appropriate solution to mobile device security, when there are dozens of proven technology solutions on the market that can protect company data without compromising employee privacy.
When Can a Company Remotely Wipe an Employee’s Device?
Shawn Tuma says that it is lawful for a company to remotely wipe an employee or former employee’s device if there is a binding agreement with the owner of the device, such as an effective BYOD (bring your own device) policy that authorizes the remote wiping. Without it, only costly and time-consuming litigation can answer the question.
Tuma says that Rajaee v. Design Tech Homes, Ltd. illustrates this point. The company did not provide a mobile device, but required employees to have constant access to email in order to do their jobs. Rajaee used his own personal iPhone 4.
There were a number of points where the employer and employee disagreed in this case, including whether or not connecting the device to the company’s network was ever authorized, who actually connected it, and whether there was a binding policy in place. The litigation stretched out over 14 months, and was surely costly for both sides.
Tuma says that the case shows that other companies can avoid similar litigation in the future by taking a series of steps to prevent it.
- Have a conversation between the company’s management, appropriate IT and security leaders, and legal counsel to discuss the company’s position on BYOD. Answer the question: Will workers be allowed to use their own devices at work? Whether the answer is yes or no, develop appropriate policies and procedures.
- When developing policies and procedures for a BYOD strategy, address the specifics on how the company will manage devices. Tuma recommends a policy like this that employees must agree to before they are allowed to connect a personally owned mobile device to the company network: By connecting the device to the company network or using it for company business, the user would expressly agree that he or she authorized, and would permit, the company to access the device and securely remove its data at any time the company deemed necessary, either during the relationship, or after. In addition, he says that if the user did not make the device available within a certain period of time after demand, the policy employees must accept should authorize the company to remotely wipe the entire device and restore it to its factory settings in order to ensure that its data was securely removed from the device.
- Once a policy has been written, it’s time for training. Every current and future employee has to be made aware of the policy, understand the risk to their personal data if the company does include remote wiping of the entire device as part of the policy, and agree to abide by the company’s policies and procedures.
While I agree with my friend that clear policies and ongoing training are critical, I think the key lesson for employers is to implement an EMM solution that allows separation of personal data from business data (including selective wipe as a feature of its mobile device management capability). Shawn Tuma is correct, however, that if you are not going to implement a technology solution that protects the company and the employee, then your business absolutely must have a clear policy and take the time to secure the consent of every employee, with ongoing training. (A clear policy is important even with an EMM solution.)
But I fail to understand why any business would go to all that trouble when the technology to protect company data without wiping personal data is readily available. I would think that the potential loss of talent, as tech-savvy employees refuse to accept the risk of having their personal data wiped (and monitored, which is a separate issue that goes hand in hand with giving your employer access to your personal mobile devices), would make the investment in EMM attractive.
Add in the reduced possibility of litigation, and the fact that more and more countries and states are requiring that employers protect personal data as well as company data, and I think that EMM with selective wiping is rapidly becoming a business necessity.
What Can Employees Do to Protect Their Personal Data?
Personally, I’d never accept a job that requires me to allow my employer to monitor my personal mobile device or remotely wipe it, and I would urge other people to refuse as well.
However, if you need the job and your employer is insistent on it, make sure that you take steps to back up your personal data and protect yourself.
The most important step is to know and understand your employer’s BYOD policies. Exactly what permissions are you giving your employer? Can they back up everything on your personal mobile device whenever you connect to the network? This is critical: do you really want your personal email, text messages, photos, videos, and contacts backed up on your employer’s servers? Who has access to those backups? There have been cases where such backups have been viewed by co-workers, including a case still in litigation where an IT employee of a city government here in Texas pulled text messages off a supervisor’s cell phone as part of a backup of the phone, and then published the texts in a “name and shame” campaign after a department layoff. (The texts had nothing to do with the supervisor’s job; they were personal texts between the supervisor and their significant other.)
Can the employer monitor your mobile device usage? The answer to this one is likely to be “yes” – once you’re connected to the company network for business purposes like email, the network is likely to be able to “see” what other applications and online sites you connect to, regardless of whether there is a business purpose for the connection or not. More than one employee has been cited for “abusing company network resources” because they connected to Tinder, eBay, or a game site during work hours – or for connecting to a prohibited site after hours, if the company’s policies prohibit connecting to certain types of sites.
Perhaps most importantly, employees need to know and understand an employer’s policies regarding remote wiping of mobile devices. If a device is lost, how long will the company wait until it is wiped? What’s the company’s policy when you upgrade your phone, and are required to “trade in” your old phone before getting your new one?
I know one person who worked as a consultant to one of the major phone companies – he’d been there three years, full-time, although he wasn’t on the company’s payroll. His cell service is provided by the company where he “worked”. He signed an acceptable use policy on the first day he came to work, which required him to give the company 7 days’ notice and submit his phone for selective data wiping before he “disposed of” the phone. One Friday during lunch, he walked through the lobby of the building, saw that the company was offering a great deal on a new phone he wanted, and impulsively purchased the new phone.
He did not have to “trade in” his phone to get the new one. So he didn’t think the acceptable use policy applied. The company thought otherwise – and his “old” phone was remotely wiped over the weekend. Think about that. The company he worked for wiped his phone because he bought a new phone from the company he worked for, because his name was on a list of employees who were “high risk” and should have their phones wiped immediately when the phone was lost, stolen, or replaced. Yikes. (His plan, he says, was to take the phone to work on Monday, turn it in for selective wiping, then give it to his daughter with all of the family photos, music he’d purchased, and the games she’d been playing on “his” phone intact.)
Most importantly, back up your personal data.
Regardless of whether you use your smartphone, tablet, or laptop for business or not, it’s important to regularly back up personal data as a matter of preserving it against any form of unexpected loss (not just an unanticipated employer wipe).
Apple devices can be automatically backed up to iCloud, and there are many other low-cost, simple ways to back up mobile devices. Most Android phones can be backed up to your computer or to an online service, and so can iPhones or Windows phones. It’s very easy to lose your personal data on a mobile device, but regular backups can turn that into an annoyance rather than a catastrophe.
Here are some tutorials on how to back up an iPhone to a Windows PC, an iPhone or iPad to iCloud, an Android phone to a Windows PC, or an Android phone to the cloud. Or, if you prefer, YouTube has dozens of step-by-step videos on how to back up your phone or tablet. However you do it, just do it.