
How to ensure security and privacy in mobile device management policy

In this Ask the Expert, attorney Jeffrey Ritter discusses why clear data privacy and security rules are essential to mobile device management policy.

Personal mobile devices have become an essential work-related tool for many employees, and companies are benefiting from the improved productivity the mobile revolution has brought. When drafting a mobile device management policy, however, companies must be careful to balance employee data privacy with mobile information security precautions.

In this Ask the Expert, Jeffrey Ritter, Esq., founder of the Ritter Academy, explains how access stipulations in mobile device management policy influence data privacy and ensure security, and the role employees play in mobile information protection.

What are some of the stipulations that must be included in a mobile device management policy to ensure both data privacy and adequate organizational data protection? What role do employees play in their own personal data privacy protection when using consumer devices in the corporate setting?

When we talk about mobile device management policy, understand that essentially we are putting in place terms and conditions -- rules -- that are between the company and the user/operator of those mobile devices.

These rules become vital to the corporate confidence in the users' use of these mobile devices. First, understand that if employees are using their own device to access corporate records, the corporation has the right to access those devices. This is vital to how corporations protect themselves from the use of personal devices, and it's important from the company's perspective that those devices are accessible.

You can imagine that, from a user perspective, this is very uncomfortable. Corporations traditionally fought very hard against general regulator access to their information systems and information assets, and there are reasons for that. For example, an agency may be conducting investigations about competitive behavior that may violate antitrust laws but, if they have broad access rights, perhaps they will find Foreign Corrupt Practices Act violations. This kind of broad access makes users very uncomfortable, but it's important that users have little expectation of data privacy.

Companies should also focus on e-discovery, because they are responsible for transaction data and communications that involve employees. Those records, or metadata related to them, could be stored on mobile devices. Companies need access to that.

Another capability companies want is the ability to reset devices and potentially delete data, particularly when devices are being recycled. The challenge is that the archiving features on personal devices don't easily distinguish between personal and corporate data.

All of these areas -- privacy, e-discovery, device resets and data deletion -- are ones where stipulations need to be very clear about where the corporation can extend and execute their legal duties and access information being stored on those devices.

I have a simple rule that I usually share: You are being monitored, and behave accordingly. If an individual is using a device that is subject to corporate access for any reason, the reality is that is not a device that you want to use for behavior that -- while it may be perfectly legal -- is something that you do not want your boss to be aware of.

So I ask people, "Will you be comfortable with your boss seeing what you access, create or display on your device that you use for business?" If the answer is "yes," then you really don't have a data privacy concern. If there is behavior that is digitally based that you believe is private, the simple rule is, don't use the device to engage in the activity.

As told to Ben Cole, site editor.


How does your organization's mobile device management policy ensure company data protection/security and employee privacy?
Our organization's mobile device management policy ensures that company data is secure and protected, with a particular focus on privacy. The data is stored in different locations for added security, and the access controls on the network are well thought out and verified. An automated backup system is also in place. 
Some companies are going pretty far afield with this, though. I do some consulting, and I had one of my consulting clients tell me that they wanted to be able to wipe my phone if I was reading company email on it! So I stopped reading company email on it, which means that sometimes my responses are delayed. Sorry, if you want an immediate response but also want to wipe the phone, then buy me a phone and I'll use it just for you.
The simplest way to get compliance and security for mobile devices is to provide the people who need them with devices and then make sure that we do not put unnecessary roadblocks in the way of them accomplishing their objectives. People don't typically flout security rules just to spite IT; they do so because IT puts onerous burdens on them and gets in the way of the work they need to do. Start with workflows and objective work, then design policies that get out of the way of as much objective work as possible.
BYOD seems on its face to be a movement that will allow for more productivity. People get to do their job no matter what day or time it is, no matter where they are. The company wins because it pays a person for 37 hours and gets 24/7 from them because they carry a mobile device that has been connected to the great corporate giant.

There has to be balance, though. And training. And understanding from both parties that all the same security steps need to be in place whether you're in the La-Z-Boy watching football and tending to your work, or if you're on a secure Intranet AT the office on a workstation that's scanned constantly for breaches and unauthorized access.

Do we want speed? Do we want security? You can't really have both until EVERY SINGLE USER is made secure and EVERY SINGLE DEVICE is made secure. This isn't ever going to happen. So can we live with some breaches? Can we live with some hacks?

If no, then take away BYOD and deal with the loss in extra access and productivity. I believe if you can't get your work done in the 37 hours allotted, then someone misrepresented the job or the role.