As more employees use mobile devices for work, IT departments are developing policies to protect sensitive company information from new mobile security threats. But rules may also be needed to protect employee privacy.
Thanks to an increase in BYOD programs and the consumerization of IT, the lines between what’s personal and professional are becoming blurred.
Many employees are now using personal smartphones, tablets and computers to do their work. Likewise, users often access personal email, social networking accounts and other information with company-owned equipment.
As a result, a lot of employees are worried about their employers getting too much access to personal information, according to a recent survey from Aruba Networks.
Among the employees surveyed, close to half (45%) said they’re worried about their company’s IT staff having access to their information. In addition, 46% said they would feel “violated” if they found out IT had looked at their personal data.
And beyond making users uncomfortable, accessing personal information could get companies in legal trouble for violating employees’ privacy.
Company sued for reading personal email
In one recent court case, a company was sued after a manager read a former employee’s personal email using a corporate-owned smartphone.
The employee worked for Verizon and was issued a company-owned BlackBerry. When she resigned, she returned the device, believing she had erased all of her personal information from it.
However, the phone's Gmail app was apparently still signed in to her personal Gmail account. She said her former supervisor then used the phone to read her messages for about a year and a half, until she realized what was happening and changed her password. According to the employee, the supervisor read roughly 48,000 personal messages she had sent and received after leaving the company.
The employee sued Verizon and the manager for violations of privacy.
The company argued that the case should be thrown out because the emails were read using a company-owned device, and the employee forfeited her right to privacy when she failed to log out of the account.
However, the court disagreed and allowed the case to move forward (Lazette v. Kulmatycki, N.D. Ohio 2013).
In other court cases, companies have been let off the hook for reading employees’ personal email if the messages were sent using a work computer connected to the company’s network.
However, those cases have typically involved current employees who had been notified that their computer use at work would be monitored — therefore, they couldn’t have expected the messages to stay private.
But in the case against Verizon, the ex-employee had no idea the manager could still read her personal email, the judge noted. Therefore, the court ruled the manager was reading the employee’s private messages without her knowledge or consent.
BYOD policy keys
While the case involved a company-owned smartphone, issues like this will only get more complicated as BYOD programs become more common.
When a personal device is used for work, it's hard to tell where the line falls between what companies can monitor and what they can't. It could even be possible to access an employee's personal data unintentionally during a necessary investigation or routine device management.
IT can take some steps to help keep the company out of legal trouble:
- Write a BYOD policy for managers and IT staff that includes restrictions on accessing employees' personal information. That includes information and files stored on the phone, as well as personal email, social media and other accounts that can be accessed from the device.
- Train managers and IT employees on the dangers of accessing users' personal information.
- Inform users of any monitoring the company will be able to conduct on the personal device, and have people sign off on that before they participate in the BYOD program.
- Wipe returned company-owned devices (and the corporate portion of a BYOD device when an employee leaves) before they are reissued or reused, rather than relying on the departing employee to sign out of personal accounts. In the Verizon case, the problem began with a returned phone that was still signed in to the employee's Gmail account.