There is an interesting exchange on Eric Goldman’s Technology and Marketing Law Blog re corporate policies requiring employees to submit to their mobile phones being wiped in the event the phone is lost or stolen or the employee is suspected of compromising trade secrets. The intriguing part of the policy is that it applies to personal phones used for company purposes, such as checking company email. We have discussed the use of corporate and personal devices in the past in relation to what a company can control; however, this discussion raises more questions about what companies are allowed to do or even should do in relation to an employee’s personal phone.
Perhaps the line between personal and company can blur in instances where an employee is offered a corporate phone but opts to use his/her own personal phone to avoid carrying two mobile devices. But what about instances where no corporate phone is offered but the employee still opts to check email on a personal device? Regardless of whether or not a court would view company-owned email in a different light when read on a personal phone, keeping company confidential information secure is an important concern. Certainly, a security breach can occur not just from unauthorized access to a company server but also from lost laptops, documents that were disposed of without proper shredding, misplaced back-up tapes and, of course, an employee’s mobile phone that is lost or stolen. As noted by a commenter in Goldman’s blog, maybe an employee who lost his or her phone wouldn’t even object to the wiping due to his/her own concerns over the personal information being hijacked as well. Now, having the phone wiped due to suspected trade secret compromise by the employee is probably a whole other issue since it’s not a matter of an employee reporting a phone lost or stolen but of an employee being accused of an illegal activity.
Clearly, in terms of security, a company must consider all of the places data could reside. This is true for a security insurance policy as well.