Who Should Own Your Smartphones?
Navigating the smartphone's dual-use nature
One argument for allowing employees to use their own smartphones for work purposes is that carrying two devices and having two mobile phone numbers is a pain.
Sure, people have long had personal phones at home and office phones at work, but because people carry their smartphones with them most of the time, it can be an employee-friendly policy to let them use just one device for both purposes. It could be a personal device that's subsidized for work usage or a work device that allows personal usage to a certain cost limit.
People take care of personal issues on their work phones and take work calls at home, so allowing for the same mix on a cell phone isn't a stretch. Data capabilities, however, provide a new wrinkle, and the fact that employees' smartphones can store and access company information such as emails, contacts, calendars, and documents is enough to make many IT and security pros wince at the thought of dual use.
This problem is not unique to smartphones. Many employees work at home -- and even at the office -- on personal computers. A December 2009 Gartner survey estimates that 10 percent of midsize businesses allow employees to use their own personal laptop at work, a figure expected to rise to 14 percent this year. Also, some users play games, check personal email, or run iTunes or Windows Media Player at work to listen to their personal music on their work computers.
"The focus is on mobile, but the problem is universal. What's the demarcation? There is none," says Telwares' Voellinger. "By owning the asset [the smartphone or PC], is the prevention [of abuse or breach] any different? The risk is still the same."
That's why the "secret" to smartphone management is "treating employees like grown-ups and using a 'trust and verify' model for policy control," Forrester's Schadler says. "You have to stop treating it as an IT policing issue and instead treat it as a business risk management question."
More and more companies are making this shift in their thinking, Schadler says, not just for smartphones but also for bring-your-own PCs (and Macs) and other user-facing technologies.
Yet for smartphones, the dual-use bar for managing access and data security is quite different, given that most smartphones don't yet offer PC-level security and management capabilities.
For example, it's fairly straightforward to require the use of encryption, certificates, and other security tools on Windows PCs, no matter who owns them, thereby allowing IT to ensure that a home PC is secured the same way as a work one. (For Macs, it's not quite as easy, but still largely possible.) But for smartphones, security and management capabilities vary greatly from device to device. BlackBerrys and Windows Mobile devices can enforce PC-level security and data management if the business has the right policy servers in place. But for iPhones, only some policies can be enforced. Even fewer are enforceable on Palm Pres and Nokia Symbian devices, and almost none are enforceable on Google Android devices. Third-party tools are beginning to change that reality, but by and large it's fair to say that you can't control the data and access on these newer devices at the same level you can a home PC.
"You need to strike a balance between an IT-controlled management tool set such as you have built for desktop management and employee-led management, where employees are responsible for their own devices," says Schadler. "That balance point will vary based on your industry and culture."
Surprise: You probably can't control as much as you may want
Further complicating this issue are the legal ramifications of dual-use devices.
The laws on what employers can do with employees' personal equipment and accounts haven't caught up to today's mix of devices and cloud services, notes Peter Vogel, an attorney at Gardere Wynne Sewell who specializes in Internet, computer, and e-discovery issues. There are plenty of misunderstandings as to what a business can and can't control.
Despite the legal ambiguity from conflicting court decisions and the lack of precedent in many areas, patterns have developed in cases involving home PCs and other personal technology that may influence your smartphone ownership strategy.
For example, corporate email belongs to the company, and the company has full access to it, no matter where the employee accesses it. Plus, the company can set policies for what is transmitted through corporate email.
"But email issues are complicated by employees who use Webmail services such as Gmail, AOL, and Hotmail to conduct company business. Many courts have ruled that employers lose confidentiality and potentially valuable trade secrets when employees send confidential information via Webmail," Vogel says. That reasoning could easily be applied to the use of personal smartphones.
International issues also pop up, Vogel notes: "Generally in the U.S. emails are private to employers, while in the E.U., Canada, and Japan emails are private to employees. Furthermore, in the E.U. there are data privacy laws for individuals called the 1995 Data Directive that permits citizens of the E.U. to access any computer that contains data about them and change that data. The U.S. has nothing like this at all, and when there are communications between the E.U. and U.S., determining which law applies gets very complicated."
In a 2008 case, a federal court ruled that text messages on police department-paid pagers belonged to the police officers, not the police department, because the messages were stored by a carrier. The department wanted the messages to see which were personal so that they could calculate how much the officers owed the department for personal use. Vogel says this case was decided on very narrow grounds -- the fact that the messages were stored at the carrier, which is subject to different laws than a company that stores its own records -- but nonetheless raises the kind of ambiguity sure to surface as smartphones are used increasingly for both personal and corporate activities.
You might try to deal with these and other issues through employment agreements, Vogel suggests.
"Generally employees are bound to the terms of employment agreements," he explains. "So if the employment agreement states that the employees provide their own PDAs or smartphones but the employer pays a monthly allowance, one would have to look at the terms of the employment agreement to see if the employee is entitled to privacy."
But "generally just having a corporate policy is not enough without some affirmation of the employees to agree," Vogel notes. "Companies run the risk that courts will conclude that even though corporate policies are in place, they are either unenforced or selectively enforced. As a result, without rigid enforcement, a company cannot depend on the courts to adopt these corporate policies regarding who owns emails and text messages and who is entitled to privacy."
Another issue: What information on these devices is discoverable in a court case?
"Every state is wrestling with this," says Telwares' Voellinger. "Pennsylvania, for example, assumes that the moment information goes out onto public networks, it's discoverable." That could cover anything delivered through the Internet, for example, which smartphones and PCs use routinely.