Technology & Innovation

The open corporation: Privacy in a new app culture

January 21, 2013

Global

January 21, 2013

Global
Our Editors

The Economist Intelligence Unit

_____________________

Privacy in a new app culture

As the app culture continues to spread, more and more companies are allowing their employees to use their own smartphones, tablets and other mobile devices in the workplace. The benefits of the trend are many, including potentially lower IT costs and more satisfied employees, who are keen to bring their sleek new tools to the office as quickly as they can acquire them.  However, the advent of consumer technologies in the workplace is causing a new dilemma for employers – how to avoid privacy-related disputes with their employees.

Lawyers say they are beginning to see conflicts arise over companies’ ability to access and control proprietary information housed on an employee’s smartphone, tablet or laptop -- especially when that information is mingled with personal data, such as family photographs, emails or financial information. Philip Gordon, a shareholder at labor law firm Littler Mendelson in Denver, Colorado and chairman of the firm’s privacy and data protection practice, says two of his clients have received demand letters from former employees, claiming that irreplaceable family photos were lost when the personal devices they used for work were wiped clean when they left their jobs.

For employers, it is a delicate balancing act: they need to protect their data from being corrupted, lost or ending up in the wrong hands while also respecting their employees’ privacy. In order to do that, lawyers are urging their clients to design comprehensive “Bring Your Own Device,” or BYOD, policies. These should clearly communicate to employees the privacy risks inherent in using their own devices at work. Such risks may include having to turn over their devices – and all of the content stored on them -- as evidence in a lawsuit. Companies may also claim the right to wipe all data – personal and corporate -- from an employee’s device if it is lost or stolen.

While BYOD policies may help protect employers in privacy-related disputes, communicating privacy risks can render BYOD programs less appealing to the very same employees who clamored for them in the first place, says Cynthia Larose, partner at Mintz Levin Cohn Ferris Glovsky & Popeo. Once informed that their employers may be able to access and even delete information stored on their personal devices, employees may no longer want to use those gadgets in the office. “Employees feel there’s a ‘Big Brother’ aspect to this,” Ms. Larose says.

A recent poll conducted via Twitter by mobile software provider Globo Plc bears this out. Asked what they would do if their IT departments clearly stated that they could access an employee’s personal information, such as emails and contacts, 93% of the survey’s respondents said they would not participate in a BYOD program. However, employees continue to use their devices despite these concerns—a 2012 report by the consulting firm McKinsey & Company found that 80% of workers report that they are using their own smartphones for work-related tasks.

To make BYOD policies more palatable to employees, “It’s important not to be too grabby,” says Evan Brown, senior counsel at InfoLaw Group. It’s one thing for a company to claim rights to all the data on a personal device; it’s another to claim actual ownership of these data. “Why would a company need to claim ownership of photos of your kid’s birthday party?” Mr. Brown asks. Today’s employees are attuned to data-ownership issues as disputes over content ownership on social media sites like Facebook continue to make headlines, he adds.

At the very least, specifying ownership of company information is essential to an effective BYOD policy, Ms. Larose says. So is spelling out the company’s right to remove these data when an employee leaves his or her job, as well as its right to remove all data – personal and corporate -- if a device is lost or stolen. John Marsh, a partner at Hahn Loeser in Columbus, Ohio, acknowledges that some employees might bristle at such a policy. “But the reality is that if a phone is lost, it’s lost. It’s gone, baby, gone,” he says. “Employees have to accept the fact that if they want the convenience and benefits of having a personal device at work, they have to be prepared to accept the consequences.”

Still, many companies take steps to ensure that they leave the employee’s information intact if they must delete data from his or her device, though the technology involved in BYOD security may not always be perfectly refined. Indeed, some of the systems that companies adopt in order to segregate personal from corporate data on employee-owned devices can be expensive, unwieldy and invasive. Some employers, for example, install “mobile device management” software directly onto an employee’s device, which may even include GPS tracking capabilities. Other companies, however, have simply implemented remote access systems that do not allow employees to fully download company data to their phones in the first place. Regardless of the technology put in place, making employees aware of the system’s components and possible ramifications will help companies avoid potential privacy challenges.

Lawyers familiar with the conflicts that can arise around data security and employment emphasize that the design of an effective BYOD policy should not be left solely to IT. To help avoid privacy-related disputes, they say, the human resources, finance and legal departments all need to be involved.

Although risks must be taken into account, there are many positive factors for organizations to consider when adopting BYOD. “The wild card is the benefit that employees experience when they can use their own devices,” says Mr. Brown. “It’s more fun.”

Enjoy in-depth insights and expert analysis - subscribe to our Perspectives newsletter, delivered every week