
Defining “Liability” for enterprise smartphones

Wednesday, May 19th, 2010

What Is Meant by “Liability”?

There are many types of liability associated with owning and using a smartphone, including financial, regulatory, compliance, privacy, and legal liability, to name just a few. Financial liability is perhaps the easiest to understand. It would seem obvious that paying for individual liable (IL) carrier plans would be the responsibility of the employee. But what if the employee racks up a $5000 bill on a three-week business trip to Europe? And what if that employee uses a corporate liable (CL) phone to conduct an illegal activity with large financial consequences, like using the camera feature to take a picture of a competitor’s confidential documents?

If you are in an industry with stiff regulatory and compliance considerations, it would be more likely that stronger controls and CL smartphones would be the norm. Of course, it is the data on that phone, and not the phone itself, that needs to be managed. In a larger company with adequate IT staffing, keeping sensitive data away from the phone with specialized software and firewalls is relatively easy. But what about smaller companies that allow phone access to company records on the company’s private intranet?

Financial services and medical companies can have very high financial and legal ramifications for misuse of private data that might end up on a smartphone. Many of these companies require all corporate data to go through company-issued computers (and not phones) that have elaborate encryption and other data protection mechanisms. But “privacy” can have another definition. How about protection of employee-owned information that resides on a CL smartphone? Does the employer have the right to look at ALL of the data on the phone they own, even if they might happen upon some embarrassing photos?

And here’s a hypothetical “who’s liable” question. What if an employee happens to lose a next-generation prototype smartphone that is later found and sold to a technology magazine, so that the new features and technology can be “outed” to an interested public? What kind of insurance/risk management liability plan will cover THAT?

Legal Aspects of Data Ownership and Control

There is a distinct lack of legal clarity about what a company can and cannot control when it comes to smartphones. With case law lagging behind technology, how do you factor legal issues into the equation of who should own the smartphone?

Some generally accepted practices are starting to emerge. Corporate email messages and company data are owned by the company, regardless of where they reside. The company has unrestricted access to the information and can set usage policies that must be adhered to by the employee. On the other hand, courts have ruled that once this data is sent via Webmail through a service like AOL out into the cloud, employers can lose the rights to confidentiality! The problem is multiplied exponentially if you are an international firm, because in the E.U., Japan, and Canada, all email is regarded as private to employees if it was authored by them.

Can an employer mandate control over CL or IL phones used for business purposes? One way that seems to hold up legally is through the use of employment agreements. Even if the phone is owned by an employee located in (let’s say) Canada, a well-crafted employment agreement will trump the local laws about employee privacy of business email and text messages. Of course, the employment agreement will not hold up if it is only selectively or randomly enforced, which makes the employer the bad guy if it is strictly enforced with a heavy hand. It is generally agreed that any policy must be well understood and “bought into” through consensus to be able to avoid lawsuits over privacy issues.

Coming next: Strategy for Mobile Devices
