Wednesday, January 4, 2012

Employee privacy and corporate liability...

I just read this blog post from @CesareGarlati:

http://bringyourownit.com/2011/12/19/consumerization-101-employee-privacy-vs-corporate-liability-2/

It's a great, thought-provoking post. Here's my take on it, for what it's worth. Also thanks to my friend Mark Townsend for pointing me to the blog. Lots of great stuff.

If you are too lazy to read the above, basically a company wiped a user's iPhone that was connected to the corporate email system. She had signed an acceptable use policy, but it had a picture of her son who had just passed away from cancer. She sued and collected 5M...

Cesare asked about that, as well as the company's right to track location and what the company should do about questionable content...

We tell people, if they want to use their personal device to get their corporate email, that they need to be aware that we have the right to wipe. If you don't like it, we will get you a corporate device... but... not sure that this will protect us since, in this case, she had signed an AUP, which I assume had the same sort of language in it that we use in ours, which basically says: if you connect it to us, you give us the right to wipe all data off of it.

Now I feel bad about it, but if she had lost the photo because she dropped the iPhone, would she have sued Apple? Would the building owner be responsible for having too hard of a floor? Would the flooring people be responsible? At some point people need to be responsible for backing up data that they want to keep. I mean she had the picture for a few weeks...

Regarding tracking location: if you don't want the company to do that, don't use it to connect to corporate, turn it off, or leave it on your desk. After all, we aren't tracking the user, we are tracking a device that is accessing corporate resources. Is that much different than tracking IPs on a website? Other than the granularity, I would say no...

As far as accessing questionable websites while at work, I would say if it was done using the corporate LAN (or WLAN), the company has the right to monitor. If on your personal cell phone plan, then no. My network, my rules. IMHO

The trickier piece is if we let you bring your device to work and it already has questionable, or even illegal, content on it (piracy, inappropriate, etc.), is the company liable? Do we have the right or obligation to report it if we see it? We had a case many years ago where a field guy sent his laptop in for repair and it had illegal files on it. Our policy was not to look, but if we saw something illegal, to report it. Clear enough if it is a company-owned machine, but if it's not, what should we do??? I mean, if someone has a bag of pot in their car in our parking lot, are we liable?

Tricky issues and while I think my answers make sense, that doesn't mean the law will agree. I would not want to be the test case...





2 comments:

  1. I feel for the person who lost their files but to your point above about backup, it is probably still the one single thing that most people are not doing well. For Pete's sake, if you set the right options on any number of free cloud storage services the phone will automatically upload any picture taken. It seems silly to award someone $5M for losing data they could have easily backed up and agreed to the fact that the device could be wiped. That being said, I will take any menial low paying job with a company that wants to wipe my super precious pictures off my personal phone without warning me, I could use a few extra million bucks right about now.

  2. Thanks. Yes, things like iCloud, gdrive etc. make lack of backup seem pretty silly. That said, I need to go check and see if my phone is backing itself up or not. :)
