New security questions arise as businesses struggle to control BYOD

As more employees use their own devices for company work, liability for data loss is a concern

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

The stand­off between mobile hard­ware giant Apple and the U.S. Depart­ment of Jus­tice rais­es myr­i­ad pri­va­cy con­cerns regard­ing the government’s pow­er to com­pel a com­pa­ny to unlock a mobile phone. In our Bring Your Own Device world, this case has raised con­cerns about a company’s legal and eth­i­cal oblig­a­tions regard­ing employ­ee data on both com­pa­ny-owned and pri­vate net­works.

Ed note_Fidelis_Justing HarveyCom­pa­nies eager to reap cost sav­ings are embrac­ing BYOD poli­cies that allow employ­ees to use their own phones, tablets and note­books to work any­time, any­place. Yet these cost-sav­ings ben­e­fits quick­ly lose their lus­ter. Com­pa­nies are hav­ing a hard time con­trol­ling what they don’t own. BYOD can quick­ly mutate into a secu­ri­ty night­mare.

So ven­dors came up with a solu­tion called Mobile Device Man­age­ment (MDM) that places a small agent, or app, on a phone to enforce poli­cies, install and update soft­ware, man­age con­fig­u­ra­tions, and more.

It seems like a win-win: Com­pa­nies don’t need to buy mobile devices for their employ­ees, yet they gain con­trol over the tech­nol­o­gy. This opens a Pandora’s box, how­ev­er, because com­pa­nies can mon­i­tor and “spy” on their users, whether by choice or by acci­dent. From record­ing vis­it­ed URLs or gain­ing con­trol of the device and its data—including pri­vate files, set­tings and applications—companies are gain­ing pow­er and must use it wise­ly.

Enhanced mon­i­tor­ing capa­bil­i­ties that can detect threats, cou­pled with easy access into an employee’s dig­i­tal life, is a tick­ing pri­va­cy time bomb. Secu­ri­ty tools can be used for good or evil. As BYOD-relat­ed tech­nol­o­gy becomes more wide­ly adopt­ed, expect to see law­suits con­cern­ing infor­ma­tion col­lect­ed by the enter­prise.

When it comes to BYOD, enter­pris­es must edu­cate users about the con­se­quences of data loss and pro­mote a cul­ture of respon­si­bil­i­ty. They also must draft BYOD poli­cies that pro­tect employ­ee pri­va­cy, while also pro­tect­ing secu­ri­ty. What remains to be seen is how the courts will rule on the role that com­pa­nies play in col­lect­ing the per­son­al infor­ma­tion of their employ­ees through BYOD devices. Will they rule in favor of the com­pa­ny, or the employ­ee?

Today’s pri­va­cy issues are only ampli­fied by the fact that the Unit­ed States doesn’t have a legal def­i­n­i­tion of exact­ly what Per­son­al­ly Iden­ti­fied Infor­ma­tion is. Per­haps the U.S. gov­ern­ment should fol­low the Euro­pean Union’s lead on pri­va­cy leg­is­la­tion, but only time will tell.

More sto­ries relat­ed to BYOD and data secu­ri­ty:
Con­ve­nience of mobile com­put­ing comes at a secu­ri­ty cost
Android flaw puts BYOD users, com­pa­nies at risk

Cor­po­rate use of cloud apps spikes risk of breach­es
Cana­da puts teeth into dig­i­tal pri­va­cy law