Wednesday, November 21, 2018

Who Owns the Business Smartphone? Mobile Device Liability

Today's enterprises have already learned how to deal with the complexities of their mobile employees and the information carried in their laptop computers. After all, the information in those laptops is confidential and owned by the corporation. Those same complexities-and many more-now arise from the employees' use of smartphones. Often, the data in a smartphone is just as sensitive and critical to the company as data in computers. Issues of security, compliance, legality, trust, and of course cost all need to be addressed.

All of these issues give rise to the biggest question of all-who should own the enterprise smartphone-the employee or the corporation? Smartphone use among U.S.-based information workers is expected to triple by 2013, according to Forrester Research. It seems that the decisions and strategies surrounding the control and ownership of these devices should be made sooner than later.

The cost of ownership is perhaps the easiest aspect to calculate. It might seem like just reimbursing an employee for a flat percentage of the bill from their own phone would be a quick and easy way to go. But there are hidden costs to consider, including the support costs of accounting, billing, and asset management, and for controlling things like overseas roaming charges. Not to mention keeping track of how and where the connection charges are occurring in the company, this can yield valuable information on the true costs of enterprise mobility.

Corporate-owned phones come with their own set of problems, like supporting the plethora of different phones and carrier types. Think again if you believe that you can just issue the same phone to everyone to control that complexity. It's usually the best performers, the hardest employee-type to recruit, who insists on having his or her own type of phone, "because it's worked for me in the past."

Even though it seems obvious that there is need to control employees' equipment and use-after all, there are hundreds of emails, calendars, documents, and confidential customer information stored on these smartphones-an increasing number of companies are loosening their hold on employee-owned handheld devices that are used for business purposes.

Today, half of the smartphones in use among U.S. and Canadian businesses are not company-issued equipment, according to a recent report from Forrester Research. Most companies are still grappling with the question of who should be liable for these devices. In this debate, there are still many unanswered questions and hidden trapdoors, including: What is meant by "liability"? What are the legal aspects that must be considered? How can I start to build a strategy that is meaningful and balances the needs of both the company and the employee?

What Is Meant by "Liability"?

There are many types of liability associated with owning and using a smartphone, including financial, regulatory, compliance, privacy, and legal liability, to name just a few. Financial liability is perhaps the easiest to understand. It would seem obvious that paying for individual liable (IL) carrier plans would be the responsibility of the employee. But what if the employee racks up a $5000 bill on a three-week business trip to Europe? And what if that employee uses a corporate liable (CL) phone to conduct an illegal activity with large financial consequences, like using the camera feature to take a picture of a competitor's confidential documents?

If you are in an industry with stiff regulatory and compliance considerations, it would be more likely that stronger controls and CL smartphones would be the norm. Of course, it is the data on that phone, and not the phone itself, that needs to be managed. In a larger company with adequate IT staffing, keeping sensitive data away from the phone with specialized software and firewalls is relatively easy. But what about smaller companies that allow phone access to company records on the company's private intranet?

Financial services and medical companies can have very high financial and legal ramifications for misuse of private data that might end up on a smartphone. Many of these companies require all corporate data to go through company-issued computers (and not phones) that have elaborate encryption and other data protection mechanisms. But "privacy" can have another definition. How about protection of employee-owned information that resides on a CL smartphone? Does the employer have the right to look at ALL of the data on the phone they own, even if they might happen upon some embarrassing photos?

And here's a hypothetical "who's liable" question. What if an employee happens to lose a next-generation prototype smartphone that is later found and sold to a technology magazine, so that the new features and technology can be "outed" to an interested public? What kind of insurance/risk management liability plan will cover THAT?

Legal Aspects of Data Ownership and Control

There is a distinct lack of legal clarity about what a company can and cannot control when it comes to smartphones. With case law lagging behind technology, how do you factor legal issues into the equation of who should own the smartphone?

Some generally accepted practices are starting to emerge. Corporate email messages and company data are owned by the company, regardless of where they reside. The company has unrestricted access to the information and can set usage policies that must be adhered to by the employee. On the other hand, courts have ruled that once this data is sent via the Webmail through a service like AOL out into the cloud, employers can lose the rights to confidentiality! The problem is multiplied exponentially if you are an international firm, because in the E.U., Japan, and Canada, all email is regarded as private to employees if it was authored by them.

Can an employer mandate control over CL or IL phones used for business purposes? One way that seems to hold up legally is through the use of employment agreements. Even if the phone is owned by the employee located in (let's say) Canada, a well-crafted employment agreement will trump the local laws about employee privacy of business email and text messages. Of course, the employment agreement will not hold up if it is only selectively or randomly enforced, which makes the employer the bad guy if it is strictly enforced with a heavy hand. It is generally agreed upon that any policy must be well understood and "bought into" through consensus to be able to avoid lawsuits over privacy issues.

Start with a Strategy

There are too many variables in the equation to go about randomly managing your policy for smartphone use, ownership, and control. At the core, you need to define your strategy upfront. What are the business goals you want to accomplish? How do you balance the needs of BOTH the employee AND the company? Since every function and level of a company-not just sales and marketing Road Warriors-is affected by this plan, the strategy must be well thought out.

Segmentation of user types is generally the first step of the strategy. Forrester analyst Ted Schadler recommends dividing your information workers into several groups based on how their mobile enablement benefits the company:



  • Those who use the most sensitive data get company-paid, company-managed smartphones


  • Those who work extensively away from their desks receive subsidies for most or all of their personal smartphone charges


  • Those who work away from their desks occasionally receive a partial subsidy for their personal smartphone use


  • Those who rarely work away from their desks receive no subsidy, and you may consider locking their smartphones out of your systems altogether.


Conclusion

So who should own the smartphone? There is no perfect answer. Sometimes it's the employee, sometimes the employer. Times have changed and employee expectations are different. The workforce today is demanding to choose their own devices. The locked down, two-year old corporate device just doesn't cut it anymore.

Planning for this dynamic is the new reality. Forrester's Schadler says, "The secret to smartphone management is treating employees like grown-ups and using a 'trust and verify' model for policy control. You have to stop treating it as an IT policing issue, and instead treat it as a business risk management question."

More and more companies are already starting to make this shift in their thinking. A balance needs to be found between issuing smartphones as an IT-controlled management tool, to letting a certain subset of employees own the responsibility for their own devices. That balance point will vary for every company. One thing is certain-the IL/CL debate will rage on for a quite a while to come.