Who should own the enterprise mobile device?
Today’s enterprises have learned to deal with the complexities of supporting mobile employees and the information carried in their laptop computers. After all, the information in those laptops is confidential and owned by the corporation. Those same complexities and many more now arise from employees’ use of smartphones and tablets. Often, the data on those devices is just as sensitive and critical to the company as data on laptop hard drives. Issues of security, compliance, legality, trust, and cost all must be addressed within the enterprise mobility strategy.
These issues give rise to one of today’s most challenging questions for IT: who should own the enterprise mobile device, the employee or the corporation? Smartphone use among US-based information workers is expected to triple by 2013, according to Forrester Research, and the use of tablets for work is also rising at a steep rate. Most analysts recommend that the decisions surrounding the control and ownership of these devices be made sooner rather than later.
Today, half of the smartphones in use among US and Canadian businesses are not company-issued equipment, according to Forrester. Although there is need to control employees’ equipment and use—there are emails, calendars, documents, and confidential customer information accessed by and stored on these devices—many companies are loosening their hold on employee-owned handheld devices that are used for business purposes.
What is meant by “liability”?
Many liability issues are associated with the ownership of mobile devices, including financial, regulatory, compliance, privacy, and legal liability. It might be considered obvious that employees should pay for individual liable (IL) carrier plans. But what if an employee racks up a $5,000 data access bill on a business trip? Or what if an employee uses a corporate liable (CL) device to conduct an illegal activity with large financial consequences, such as using the camera feature to take a picture of a competitor’s confidential documents?
In industries with regulatory and compliance considerations, it’s likely that stronger controls and CL devices would be the norm to protect confidential data. Financial services and health care companies can have very high cost and legal ramifications for misuse of private data that may be on a mobile device. Many of these companies require all corporate data to go through company-issued computers (and not mobile devices) that have sophisticated data protection mechanisms. But “privacy” can have another definition. Do protections extend to employee-owned information that resides on CL devices? Do employers have the right to look at all of the data on the devices they own, even if that includes some personal information?
Cost of ownership
Some companies centralize management of mobile device costs and pay the monthly charges. Others subsidize the charges for personal devices used for work. But more and more companies are decentralizing the responsibility for cost and mobile device management. And when mobility costs are diffused across different company budgets it can be very difficult to account for the true costs of enterprise mobility.
Legal aspects of data ownership and control
There is a lack of legal clarity about what companies can and can’t control when it comes to mobile devices. With case law lagging behind technology, how do you factor legal issues into the device liability equation? Some generally accepted practices are starting to emerge. Corporate data and email are owned by the company, regardless of where they reside. Companies have unrestricted access to the information and can set usage policies that employees are required to follow. But courts have ruled that once this data is sent via webmail, employers can lose the rights to confidentiality! And it’s more complicated for international firms: in the European Union, Japan, and Canada, all email is regarded as private to employees if it was authored by them.
Start with a strategy.
Your mobile device strategy will help you address the liability issue in a way that balances the needs of employees and the company. Segmentation of user types is often the first step. Forrester analyst Ted Schadler recommends dividing your information workers into several groups and supporting them based on how their mobile enablement benefits the company:
Planning for mobile device liability is the new reality. Forrester’s Schadler says the secret to mobile device management is “treating employees like grown-ups and using a ‘trust and verify’ model for policy control. You have to stop treating it as an IT policing issue, and instead treat it as a business risk management question.” Your strategy can help you achieve the right balance between issuing mobile devices as an IT-controlled management tool, and letting some groups of employees own the responsibility for their own devices.
Want to learn more?