This Wisdom of the Crowd (ACC member discussion) addresses a remote wipe waiver for employees who want to access company e-mail on their personal mobile device, under US law. This resource was compiled from questions and responses posted on the forum of the Small Law Departments ACC Network.*
I. Personal Mobile Device Remote Wipe Waiver and Policy
*(Permission was received from the ACC members quoted below prior to publishing their forum comments in this Wisdom of the Crowd resource.)
I. PERSONAL MOBILE DEVICE REMOTE WIPE WAIVER AND POLICY
Question:
Our IT department is currently drafting a personal mobile device acceptable use policy as well as a "personal mobile device remote wipe waiver". This waiver would be signed by an employee who wants to access company email on their personal mobile device (phone/tablet) and would state they agree with the policy and that the company could wipe the phone of data in certain instances. I was wondering if anyone has already created such a policy and/or waiver?
Wisdom of the Crowd
- Response #1: Below is a list of some problems with relying on remote wipe policies for mobile device data security:
- Employees generally hate these sorts of agreements.
- Practical experience shows that employees who misplace devices (which may or may not be "lost" or "stolen") often wait days before reporting the fact to IT. Employees do not want their devices wiped unnecessarily, so they are not going to report the missing device immediately.
- Containerization does not solve the above concerns, because employees routinely mix personal information in corporate containers and vice versa.
- An employee leaving the company can preemptively disable Exchange ActiveSync on the device and prevent a remote wipe.
- Wiping or resetting the device may not fully delete the data, which may remain recoverable. See the Mashable.com post Hard Proof That Wiping Your Phone Doesn't Actually Delete Everything.
- Thieves in commercial and financial centers now realize that the data on the phone may be more valuable than the device itself, so they have learned to block network access on stolen mobile devices until they can break the phone security. This can be done easily in a variety of ways, such as putting the phone in airplane mode, pulling the SIM card, or shielding the phone in a Faraday bag.
- The U.S. Supreme Court's June 25th majority opinion in the cellphone privacy case Riley v. California notes that:
- "Remote wiping can be fully prevented by disconnecting a phone from the network. There are at least two simple ways to do this.
- "So, even the SCOTUS Justices (who are self-admitted technology Luddites) know that you cannot rely on remote wipe to delete sensitive data from mobile devices.i
- Response #2: There are many pros and cons in this decision (and it's equally frustrating for all of us in the "conscious of the company" profession when we realize that the decisions to go forward with BYOD are often dictated by momentum versus consideration).
- James raises many interesting concerns, many of which are based on very recent developments. All should realize that this question and the considerations behind it probably need to be reconsidered on practically an hourly basis.
- Eating my own words (since this is from 2012), I do recommend a great paper (disclaimer -- a good friend of mine was one of the authors, but his firm doesn't work for us or any such stuff) from the Littler firm: http://www.littler.com/files/press/pdf/TheLittlerReport-TheBringYourOwnDeviceToWorkMovement.pdf. Its value is that it examines the problem from the perspective of a number of different specialties, including a few you might not have thought of. (E.g., Did you check your union contract first before rolling this policy out? Even if you're not a union shop today, have you seen what NLRB has said lately about efforts by employers to control employee communications, and the incredibly expanding definitions of what might be a 'concerted effort'? It's frightening out there folks... How are you dealing with your non-USA-based employees? Can you always depend on the waiver as an absolute defense against a CFAA claim where you've (inadvertently) destroyed your employees entire set of photographs of his kid's graduation from kindergarten?)
- You may well end up at the same point even after you read all of that, but at least you might be in a better position to advise management of the risks of BYOD.ii
- Response #3: Here's our policy. It is part of our Employee Handbook. We handle the notice and consent aspects of this by requiring an electronic signature from each employee agreeing to comply with and be bound by the policies in the Handbook each time it is updated or annually, at a minimum. You should also have an IT Security policy to address potential threats to your network that allowing these devices to connect to your servers might present.iii
- Response #4: We don't have a specific waiver, but we do have a BYOD policy in our employee handbook. Employees are required to sign the handbook.
- We were sure to fully explain the capabilities of our system when drafting this policy, including remote wipe capabilities. We laid out a few scenarios where the company would remote wipe a device. We required employees to password protect and regularly back up their phones. Password protections are a no-brainer. And since our system works by only wiping company data, the back ups ensure employees can recover most or all of their personal data in the event of a remote wipe.
- Our organization does not require a terribly complicated policy and I have seen BYOD policies nearly 30 pages long. Whatever your needs, I find that a transparent explanation of system capabilities (wiping, access to personal data like pictures), an explanation of wipe-worthy events (loss of phone, etc.), and requirements for personal responsibility (passwords and back ups) should cover the basics.iv
- Response #5: My company has a BYOD policy that includes the following language:Employees utilizing BYOD equipment agree to the installation of Mobile Device Management (MDM) software for remote administration and enforcement of security-related policies and procedures to protect Company information. Additionally, the MDM provides the capability for IS administrators to remote-wipe (delete) all company-related information in the event of lost or stolen equipment, or upon termination of employment.v
Employees utilizing BYOD equipment are required to immediately report lost or stolen devices to PCSupport, so that appropriate procedures for securing devices and deleting company information may be completed.
Acceptance/Signature
By signing below, I agree to the following terms:
- I have received and read a copy of the BYOD Policy and agree to follow the rules and regulations set forth in this document. I understand that MDM software will be installed on my device to remotely administer my device and to ensure policy compliance. I am responsible for supporting my device's hardware, software, and connectivity issues with my service provider. I understand that I'm responsible for backing up my personal data and applications. I understand that all data on my device will be wiped (deleted) after 8 wrong password attempts. I am responsible for any costs incurred for servicing and repairing my device. I understand and accept that BYOD access is an extension of (company's) corporate network and by having access via BYOD equipment, I am held to the same guidelines as stated in all applicable policies, including the Information Security Policy and the Remote Access Policy. I understand that IS has the right to disable BYOD equipment access privileges at any time.