Friday, October 4, 2013

Your Employer Wants To Erase Your Personal Cell Phone And Computer

The concept of BYOD is all the rage in management-side circles right now. BYOD stands for Bring Your Own Device. Basically, the idea is that companies let employees do work for them on their own cell phones, laptops, tablets and other devices. Lots of dark-side, er, management-side lawyers are blogging about employer risks in having employees use their personal devices at work, and I don't necessarily disagree with them. Some of my management-side colleagues even offer sensible advice on the issue, and even offer advice on how to reassure employees about their privacy concerns. I'm all for employers getting advice on how to get things right.

Then I saw this advice in a recent blog post:
Address what happens when the employee stops working for your company: As noted above, employers have a duty to safeguard sensitive company data. Therefore, when an employee terminates his or her relationship with the employer, the employer must ensure that all of its data is permanently erased from the employee’s personal devices. Yet, it is often impossible to separate relevant company data from personal employee information when “wiping” a device. Therefore, employers should require that their employees acknowledge and agree that all of the data on their devices will be erased when the employee stops working for the company.
Come again? Let me get this straight. Your boss is too cheap to buy you a laptop and a company cell phone. Instead, he "lets" you use your own device. You need them for work, so don't hesitate to use your own laptop, cell phone and tablet to get the job done.

Of course, you also used the cell phone to take pictures of your son's wedding, your daughter's school play, and your last vacation. You uploaded those photos to your laptop too. You use your laptop to email your friends from high school, to send out party invitations, and to remind your spouse to pick up the dry cleaning. Your music library that took you three straight days to copy from your old CDs is in the cell phone and laptop. Plus, your manuscript for your first novel in progress is stored in the laptop.

Now that you're leaving the company, they want you to let them erase all your photos, personal info, writing, everything just because you were dumb enough to volunteer to use your personal devices so they didn't have to buy you separate company devices? Have they lost their fricking minds?

Even worse, some employers want you to let them install a program that will allow them to remotely wipe your devices and track your usage.  The technology does exist for companies to remotely wipe only the business data and not your personal data:
Devices get lost or employees leave a company, and suddenly all that corporate information on a smartphone becomes a security threat. In the past, a company could use “remote wipe” technology to delete all data, but with a personal device, this method also trashed family photos, personal contacts, apps, music and anything else that’s stored. Fortunately, remote deletion capability is much more sophisticated these days, and a company can remove just enterprise-related data from a device and leave all the other content intact.
If employees ever do rise up against their corporate masters, it's this kind of overbearing nonsense that will have caused it.

What's an employee to do?

Say no: If your company wants you to use your device for company purposes, say no. Keep your business and personal stuff separate. If they demand you use it, then get something in writing assuring you that they will not demand you erase your device when you leave. If they want to install a remote wiping program, get something in writing stating that none of your personal data will be erased, and that the company will be liable for damages if they erase your personal data.

Say hell no: If they spring this demand on you when you leave, tell them to pound sand. There are less intrusive ways to assure you've erased business data. For instance, the company could hire a computer tech to delete only the company data while you are present to assure that nothing personal is being copied or erased.

Prosecute: If your employer accesses your personal data without your permission, press criminal charges. It's a violation of the Computer Fraud and Abuse Act and the Stored Communications Act to access your personal data without your permission. They'd prosecute you if you accessed their info. Turnabout is fair.

In general, it's best to use the company devices only for work. Use your personal devices for personal stuff. Don't trust your employer to be reasonable when you leave. Big Employer has lost it's fricking mind.




6 comments:

  1. So what's the big deal you can stop this by encrypting a password up to 128 bits which is impossible to crack.

    Thanks
    Silvester Norman

    Change MAC Address

    ReplyDelete
    Replies
    1. You are incorrect on two counts. Firstly, even a high bit encryption password is not impossible to crack, even tough it's harder to do so.

      More importantly, most wipe technologies bypass the whole thing the password. So, that's totally of no use.

      Delete
  2. Not to mention that many are using cloud storage like iCloud, Evernote and Dropbox which will probably not be reached by such a draconian step. And, if you are backing up your devices to remote servers or services, the data has long ago jumped out of the employer's grasp. It is like a TSA pat down--it looks like something is being accomplished and it may make the less thoughtful members of the public feel some measure of security, but it really does very little to prevent the undesired outcome. Just make sure that you are backing up your data a few different ways and this sort of silly move by a past employer will amount to nothing more than an annoyance.

    ReplyDelete
    Replies
    1. It's beyond annoying Jennifer. First of all, most employees aren't that technologically savvy. Second, I've seen employers send out nastygram demand letters that threatened to sue unless employees gave them access to their cloud-stored emails and documents to delete, turned over their backup drives, and allowed a complete forensic inspection. Most employees can't afford to fend off a trade secrets lawsuit, so they end up giving in to these bullying tactics.

      Delete
  3. Thanks for sharing this great post! credit score really matters as far as I know, but even having a poor credit scores, there are lenders personalizing personal loans for bad credit. You can check your credit history with Bad Credit Phones.

    ReplyDelete
  4. If I worked for a company that had a policy of completely wiping my personal devices, I'd likely respond by maintaining regular partition backups. Since it's easier and less time intensive to copy the hard drive partition than manually backup individual files that's what I'd do. In which case, after the device is wiped, I'd have everything restored within a few hours after.

    That will, unfortunately, mean that none of the company data will be wiped. It will get restored with my personal data. It's their fault for deciding on a policy which encourages employees to backup. I mean, they aren't going to pay me to backup my personal data manually or pay someone else to destroy just their data, so it's the natural consequence.

    If I was going to hire someone as an actual employee where I actually care about company data, it would be on a work device because I will have no way of knowing how many backups they have maintained.

    ReplyDelete

I appreciate your comments and general questions but this isn't the place to ask confidential legal questions. If you need an employee-side employment lawyer, try http://exchange.nela.org/findalawyer to locate one in your state.