Personal mobile devices have become an essential work-related tool for many employees, and companies are benefitting from the improved productivity stemming from the mobile revolution. When incorporating mobile device management policy, however, companies must be careful to balance employee data privacy with mobile information security precautions.
In this Ask the Expert, Jeffrey Ritter, Esq., founder of the Ritter Academy, explains how access stipulations in mobile device management policy influence data privacy and ensure security, and the role employees play in mobile information protection.
What are some of the stipulations that must be included in a mobile device management policy to ensure both data privacy and adequate organizational data protection? What role do employees play in their own personal data privacy protection when using consumer devices in the corporate setting?
When we talk about mobile device management policy, understand that essentially we are putting in place terms and conditions -- rules -- that are between the company and the user/operator of those mobile devices.
These rules become vital to the corporate confidence in the users' use of these mobile devices. First, understand that if employees are using their own device to access corporate records, the corporation has the right to access those devices. This is vital to how corporations protect themselves from the use of personal devices, and it's important from the company's perspective that those devices are accessible.
You can imagine that, from a user perspective, this is very uncomfortable. Corporations traditionally fought very hard against general regulator access to their information systems and information assets, and there are reasons for that. For example, an agency may be conducting investigations about competitive behavior that may violate antitrust laws but, if they have broad access rights, perhaps they will find Foreign Corrupt Practices Act violations. This kind of broad access makes users very uncomfortable, but it's important that users have little expectation of data privacy.
Companies should also focus on e-discovery, because they are responsible for transaction data and communications that involve employees. Those records, or metadata related to them, could be stored on mobile devices. Companies need access to that.
Another feature that companies want to be able to conduct is to reset devices and potentially delete data, particularly if devices are being recycled. The challenge is the archiving features on personal devices don't easily distinguish between personal and corporate data.
All of these areas -- privacy, e-discovery, device resets and data deletion -- are ones where stipulations need to be very clear about where the corporation can extend and execute their legal duties and access information being stored on those devices.
I have a simple rule that I usually share: You are being monitored, and behave accordingly. If an individual is using a device that is subject to corporate access for any reason, the reality is that is not a device that you want to use for behavior that -- while it may be perfectly legal -- is something that you do not want your boss to be aware of.
So I ask people, "Will you be comfortable with your boss seeing what you access, create or display on your device that you use for business?" If the answer is "yes," then you really don't have a data privacy concern. If there is behavior that is digitally based that you believe is private, the simple rule is, don't use the device to engage in the activity.
As told to Ben Cole, site editor.