Is your employee’s iPhone a ticking timebomb?

by Henry Meier

This week marked the latest consumer frenzy accompanying the release of what feels like the twentieth version of the iPhone.  Whereas many of you may enjoy the sight of adults arriving at work with the eagerness of children going to school the day after their birthday to show off their newest toys, I am unabashedly part of a profession dedicated to protecting people against their over-exuberance.  So, remember that every time your employee brings a new portable device to work, it raises data protection issues that are particularly important for financial institutions.

Surveys indicate that the vast majority of companies authorize employees to bring their own devices into the workplace (so-called BYOD policies) as opposed to buying the gadgets for work use only.  Let’s be honest, an office that doesn’t have a WiFi hookup, let alone one that lets its employees keep up with their “Facebook friends” during downtimes, may be doing the right thing on paper, but isn’t exactly creating the type of environment to attract the best and the brightest, at least if they’re under 40.

But, as Pedro Pavon points out in an excellent article in the September issue of the ABA’s Business Law Today Journal, “BYOD policy presents companies with a myriad of risks and challenges . . .”  Lawyers advising clients need to emphasize that “the biggest risk with BYOD is data loss.”  I think this is particularly true of financial institutions irrespective of your size.  The line between work and home blurs every time an employee responds to an after-work email; stores a password on his or her smartphone; or forwards a document to a co-worker while on the way to work.  Ask yourself a simple question:  if one of your employees misplaces her cell phone today, what information could a hacker have access to tomorrow?  If you don’t know the answer, or you do know the answer but think there is nothing you can do about it, then it is time to sit down with your IT people and your policy drafter and get to work.

According to the article, one option is to use technology specifically designed to monitor mobile hardware.  The software will, for example, allow you to wipe the data off a smartphone and track a smartphone’s whereabouts.  You could also mandate the use of PINs on someone’s personal smartphone.  The problem with all of this, of course, is that the company is seeking to take control of someone’s personal device.  When you wipe my cell phone clean and I find it in the laundry pile the next day, I am going to be less than amused that I have to reconstruct the contact list from my poker group just because my employer is justifiably paranoid.  The best bit of advice from Pavon is that as companies acquire tracking software and develop policies, employees should be told exactly what information and capabilities employers want to give themselves in return for allowing employees to bring their own devices.
