The standoff between mobile hardware giant Apple and the U.S. Department of Justice raises myriad privacy concerns regarding the government’s power to compel a company to unlock a mobile phone. In our Bring Your Own Device world, this case has raised concerns about a company’s legal and ethical obligations regarding employee data on both company-owned and private networks.
Companies eager to reap cost savings are embracing BYOD policies that allow employees to use their own phones, tablets and notebooks to work anytime, anyplace. Yet these cost-savings benefits quickly lose their luster. Companies are having a hard time controlling what they don’t own. BYOD can quickly mutate into a security nightmare.
So vendors came up with a solution called Mobile Device Management (MDM) that places a small agent, or app, on a phone to enforce policies, install and update software, manage configurations, and more.
It seems like a win-win: Companies don’t need to buy mobile devices for their employees, yet they gain control over the technology. This opens a Pandora’s box, however, because companies can monitor and “spy” on their users, whether by choice or by accident. From recording visited URLs to gaining control of the device and its data—including private files, settings and applications—companies are gaining power and must use it wisely.
Enhanced monitoring capabilities that can detect threats, coupled with easy access into an employee’s digital life, are a ticking privacy time bomb. Security tools can be used for good or evil. As BYOD-related technology becomes more widely adopted, expect to see lawsuits concerning information collected by the enterprise.
When it comes to BYOD, enterprises must educate users about the consequences of data loss and promote a culture of responsibility. They also must draft BYOD policies that protect employee privacy, while also protecting security. What remains to be seen is how the courts will rule on the role that companies play in collecting the personal information of their employees through BYOD devices. Will they rule in favor of the company, or the employee?
Today’s privacy issues are only amplified by the fact that the United States doesn’t have a legal definition of exactly what Personally Identifiable Information is. Perhaps the U.S. government should follow the European Union’s lead on privacy legislation, but only time will tell.
Justin Harvey, chief security officer at Fidelis Cybersecurity, contributed this guest essay, which originally appeared on ThirdCertainty.com.