Though BYOD programs are becoming commonplace, some IT departments have held off on allowing personal devices on the corporate network because they’re worried it could expose sensitive company information to the wrong people. And apparently, users have similar worries about their own data.
Employees who bring in personal devices as part of a BYOD program are concerned about mobile privacy and that their employer may see too much of their personal information, according to a recent study from mobile device management (MDM) vendor Fiberlink.
BYOD programs often require personal devices to be turned over to IT to be configured or have MDM software installed, and users are afraid that will give the company the ability to view their data or tamper with their files. Among the 2,243 U.S. adults surveyed:
- 86% are concerned about the company deleting photos, music and other files from their personal smartphones and tablets
- 85% are concerned that their employer will track their location during non-work hours
- 82% are worried about their employers monitoring the websites they visit on their personal devices
- 76% would not want to give their employer the ability to see what apps they’ve installed on a personal device
Is mobile privacy protected by law?
BYOD is still new, so many legal questions remain, especially regarding mobile privacy. When employees use only equipment supplied by the company, the right to monitor activity is clearer, but things get trickier as the lines between what’s personal and what’s business start to blur.
In one case, the Supreme Court ruled a company had a right to read personal text messages sent from company-issued phones through a cellular plan paid for by the employer — however, it’s unclear what level of access companies have when the employee buys the device and phone service.
Regardless of where the law will stand, experts warn that IT should take care to respect users’ mobile privacy rights and avoid any unnecessary access to non-work-related info or files on a personal smartphone or tablet.
IT should set BYOD policies and configure MDM software and other tools to keep certain information off limits: location data (even during work hours, unless there’s a good reason), personal email, texts and other messages, and web browsing history when the phone is off the corporate network.
Organizations can also protect themselves from legal trouble — and avoid angering users — by having people who participate in a BYOD program sign off on a clearly written policy stating what IT can and can’t do with someone’s personal device.
Companies should try to minimize their access to non-work-related information, but it’s not always possible. For example, if the phone is used to send both work-related and personal messages, there may not be a way to separate the two during an investigation. But warning users beforehand about what may be done, and having them sign the policy, should help minimize complaints about invasions of privacy.