How to ensure security and privacy in mobile device management policy

In this Ask the Expert, attorney Jeffrey Ritter discusses why clear data privacy and security rules are essential to mobile device management policy.

Personal mobile devices have become an essential work-related tool for many employees, and companies are benefitting from the improved productivity stemming from the mobile revolution. When incorporating mobile device management policy, however, companies must be careful to balance employee data privacy with mobile information security precautions.

In this Ask the Expert, Jeffrey Ritter, Esq., founder of the Ritter Academy, explains how access stipulations in mobile device management policy influence data privacy and ensure security, and the role employees play in mobile information protection.

What are some of the stipulations that must be included in a mobile device management policy to ensure both data privacy and adequate organizational data protection? What role do employees play in their own personal data privacy protection when using consumer devices in the corporate setting?

When we talk about mobile device management policy, understand that essentially we are putting in place terms and conditions -- rules -- that are between the company and the user/operator of those mobile devices.

These rules become vital to the corporate confidence in the users' use of these mobile devices. First, understand that if employees are using their own device to access corporate records, the corporation has the right to access those devices. This is vital to how corporations protect themselves from the use of personal devices, and it's important from the company's perspective that those devices are accessible.

You can imagine that, from a user perspective, this is very uncomfortable. Corporations traditionally fought very hard against general regulator access to their information systems and information assets, and there are reasons for that. For example, an agency may be conducting investigations about competitive behavior that may violate antitrust laws but, if they have broad access rights, perhaps they will find Foreign Corrupt Practices Act violations. This kind of broad access makes users very uncomfortable, but it's important that users have little expectation of data privacy.

Companies should also focus on e-discovery, because they are responsible for transaction data and communications that involve employees. Those records, or metadata related to them, could be stored on mobile devices. Companies need access to that.

Another feature that companies want to be able to conduct is to reset devices and potentially delete data, particularly if devices are being recycled. The challenge is the archiving features on personal devices don't easily distinguish between personal and corporate data.

All of these areas -- privacy, e-discovery, device resets and data deletion -- are ones where stipulations need to be very clear about where the corporation can extend and execute their legal duties and access information being stored on those devices.

I have a simple rule that I usually share: You are being monitored, and behave accordingly. If an individual is using a device that is subject to corporate access for any reason, the reality is that is not a device that you want to use for behavior that -- while it may be perfectly legal -- is something that you do not want your boss to be aware of.

So I ask people, "Will you be comfortable with your boss seeing what you access, create or display on your device that you use for business?" If the answer is "yes," then you really don't have a data privacy concern. If there is behavior that is digitally based that you believe is private, the simple rule is, don't use the device to engage in the activity.

As told to Ben Cole, site editor.

This was last published in April 2014
