by ·0 Comments

Digital privacy versus national security. That’s how scores of articles have framed the controversy over Apple Inc.’s refusal to cooperate with the FBI in bypassing the security features of an iPhone used by Syed Farook, one of the deceased shooters in the San Bernardino terrorist attack. Largely overlooked is the fact that Farook’s employer could’ve prevented the whole controversy had it installed common software on the phone.

Syed worked for the County of San Bernardino as a health inspector. The county issued the iPhone in question to Farook to help him do his job. Farook signed an agreement giving the county the right to search the contents of the phone, but the county did not take measures to ensure its could enforce that right. Employers who allow their employees to use mobile devices for work typically install mobile device management (MDM) software on the device. MDM allows the employer to unlock a mobile device phone remotely, wipe the contents of the device, push software updates, and track the device’s location. According to an AP report, the county had a contract with a MDM provider, but it never installed the MDM software on Farook’s phone. The MDM service costs $4 per month per phone.

There are HR and IT lessons to be learned from this incident. One lesson is that employees should be required to grant their employers access to their mobile devices as a condition of using them for work-related purposes. Specifically, management should obtain an employee’s signed written agreement authorizing the company to access the contents of a mobile device that is connected to the company network. The County of San Bernardino did it at least obtain this kind of authorization.

A second lesson is that the right to access an mobile device is useless if you have no practical way of gaining access. This is where technology like MDM software is useful. Installation of MDM controls should be standard operating procedure in any Bring Your Own Device program. MDM software doesn’t have to be expensive either. Popular email server platforms like Microsoft Exchange have MDM controls built in. For more robust functionality, consider investing in specialized MDM solutions.

It shouldn’t take the prospect of a terrorist attack to highlight the importance of taking these lessons seriously.

Related articles

by ·0 Comments

Supervisor snoops into former employee’s personal Gmail account after she returns company-issued BlackberryLazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)

Verizon BlackBerry Tour 9630The line between personal and business use of electronic devices is increasingly getting blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets.   Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns.  The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013), highlights this risk.

Verizon issued a Blackberry smartphone to its employee, Sandi Lazette.  Lazette set up a personal Gmail account on the phone with Verizon’s permission.  Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee.  Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not.  Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.

Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy.  A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions.  The court also allowed Lazette’s privacy claim to move forward.

LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.

1.  Don’t read your employees’ personal messages—even if they are readily accessible.  Management should treat an employee’s personal account as private, even if restrictions to accessing the count are minimal or non-existent.  A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA.  Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry.  Yet, the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails.  The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.

2.  Construe grants of access narrowly.  If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account.  In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account.  Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him.  Years later, the supervisor logged into the account to read emails about the status of the company.  In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial.  Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.

3.  Thoroughly purge personal data from company-issued electronic devices before reusing them.  Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after it has been returned or repaired.    Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like.  Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.

4.  Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools.  One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM tools controls such as the ability to “remotely wipe” a device should it get lost or compromised.  MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device.  To mitigate such concerns, a company should devise policies clarifying upfront the expectations to privacy that employees should to have if they choose to use a dual-use device at work.

Related articles

Enhanced by Zemanta