• Smartphone data policy when an employee leaves

    #475945

    When an employee leaves or is terminated, what is your policy on the security of the email data on their phone, i.e. confidential emails and phone numbers? My organization doesn’t give employees phones, they use their personal phones. I have an Exchange 2010 SP1 server, and have the ability to remote wipe any phone that connects to my corporate mail server.

    If I change their password when an employee leaves, is the email still readable on the iPhone/Android/Windows Phone, etc.? If it’s not accessible to the user, is it still at risk to be read by someone with malicious intent? Ex. someone who tries to scrape data off the smart phone by browsing through the raw files in the phone memory?

    Thank you,
    Peter
    IT Administrator

    • #1275017

      If I change their password when an employee leaves, is the email still readable on the iPhone/Android/Windows Phone, etc.? If it’s not accessible to the user, is it still at risk to be read by someone with malicious intent? Ex. someone who tries to scrape data off the smart phone by browsing through the raw files in the phone memory?

      Unless you wipe the data on the device, everything that was on there prior to the password change would still be on there.

      Even if you wipe, there have been reports that it is difficult to truly erase flash memory the way you can usually overwrite magnetic media. However, someone might have to have considerable expertise to salvage the data.

      Obviously you are not alone in this situation. I think eWeek recently had a cover story on coping with user-supplied mobile devices.

    • #1275022

      If you take the decision to wipe data from a device that doesn’t belong to you and, deliberately or otherwise, delete data that doesn’t belong to you but to the owner of the device, how do you then stand with your Data Protection laws?

      I’ve not yet tried to recover data from a flash memory device but setting the smart phone to save data to the SD card or whatever is trivial – it’s also quite trivial to recover the data from these cards.

      • #1275082

        Unless you wipe the data on the device, everything that was on there prior to the password change would still be on there.

        Even if you wipe, there have been reports that it is difficult to truly erase flash memory the way you can usually overwrite magnetic media. However, someone might have to have considerable expertise to salvage the data.

        How hard would it be to retrieve those emails off the mobile device if the corporate password to access them was changed, but the device was not wiped?

        If you take the decision to wipe data from a device that doesn’t belong to you and, deliberately or otherwise, delete data that doesn’t belong to you but to the owner of the device, how do you then stand with your Data Protection laws?

        I’ve not yet tried to recover data from a flash memory device but setting the smart phone to save data to the SD card or whatever is trivial – it’s also quite trivial to recover the data from these cards.

        Satrow –
        Are you saying that I am, or am not, allowed to wipe the personal phone of an employee? I didn’t follow your response, thanks.

        About saving data to SD cards in mobile phones – the remote wipe also erases all data on those. If a user didn’t want to lose data on their SD card, they could take it out before the wipe. I read that in the Exchange 2010 remote wipe documentation on Microsoft TechNet.

        -Peter

        • #1275182

          How hard would it be to retrieve those emails off the mobile device if the corporate password to access them was changed, but the device was not wiped?

          First, I’m assuming a person has access to the email client software on the device (i.e., they know or break pin/swipe security).

          Such a person could read the messages on the small screen, and they might be able to forward the messages out on a second account. I have an Exchange ActiveSync account and an IMAP account set up on an Android device. If I open a message in my Exchange inbox and tap forward, I then can tap the “From” button and set it to send the forward out on the IMAP account. This is pretty arduous for a large volume of messages, so a professional likely would have better techniques.

          • #1275436

            First, I’m assuming a person has access to the email client software on the device (i.e., they know or break pin/swipe security).

            Such a person could read the messages on the small screen, and they might be able to forward the messages out on a second account. I have an Exchange ActiveSync account and an IMAP account set up on an Android device. If I open a message in my Exchange inbox and tap forward, I then can tap the “From” button and set it to send the forward out on the IMAP account. This is pretty arduous for a large volume of messages, so a professional likely would have better techniques.

            Ok, that is helpful, thanks.
            One more clarifying question though: In my scenario, I had changed the Exchange email password for the user. Does that mean on some smartphones like your Android, changing the password just stops new email from flowing into the device, but doesn’t prevent you from reading already sync’ed email?

            -Peter

            • #1275443

              Thank you Doc. That is just the information I needed to proceed.
              Cheers,
              Peter

              You’re welcome!

            • #1275605

              In my scenario, I had changed the Exchange email password for the user. Does that mean on some smartphones like your Android, changing the password just stops new email from flowing into the device, but doesn’t prevent you from reading already sync’ed email?

              That’s what I would expect to happen, since I can read mail in airplane mode with all networks disconnected. I haven’t tested by actually changing my password.

    • #1275083

      Are you legally entitled to access a device that doesn’t belong to you and wipe all the data?

    • #1275190

      Regarding the legal issue: companies should make clear what they might do to a lost or stolen device; under those circumstances, everyone might be happy with a wipe. The quit/termination scenario is more sensitive. Probably a good idea to consult an attorney in the employment field for up-to-date advice.

      Searching turns up lots of uncertainty:

      http://www.avvo.com/legal-answers/is-it-legal-for-my-employer-to-remotely-wipe-clean-138166.html

      http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone

    • #1275430

      Are you legally entitled to access a device that doesn’t belong to you and wipe all the data?

      Yes. The assumption is that the employer has clearly written and legally binding policy that allows employees to supply their own phones with the understanding that the company owns its data and has the option to protect itself by remotely wiping the phone. Many companies already make users sign agreements when it comes to data usage, exclusivity, etc. I’ve worked for several companies that dealt with this very issue regarding other personal devices (laptops) and when terminations occurred the ex-employee was legally obligated to destroy the data. I know of at least 2 cases where charges were later filed against those ex-employees who used the data for their own purposes (sales data in their new sales job). As jscher2000 says, best to consult an attorney when making the policies.

      • #1275437

        Yes. The assumption is that the employer has clearly written and legally binding policy that allows employees to supply their own phones with the understanding that the company owns its data and has the option to protect itself by remotely wiping the phone. Many companies already make users sign agreements when it comes to data usage, exclusivity, etc. I’ve worked for several companies that dealt with this very issue regarding other personal devices (laptops) and when terminations occurred the ex-employee was legally obligated to destroy the data. I know of at least 2 cases where charges were later filed against those ex-employees who used the data for their own purposes (sales data in their new sales job). As jscher2000 says, best to consult an attorney when making the policies.

        Thank you Doc. That is just the information I needed to proceed.
        Cheers,
        Peter

      • #1275612

        Yes. The assumption is that the employer has clearly written and legally binding policy that allows employees to supply their own phones with the understanding that the company owns its data and has the option to protect itself by remotely wiping the phone. Many companies already make users sign agreements when it comes to data usage, exclusivity, etc. I’ve worked for several companies that dealt with this very issue regarding other personal devices (laptops) and when terminations occurred the ex-employee was legally obligated to destroy the data. I know of at least 2 cases where charges were later filed against those ex-employees who used the data for their own purposes (sales data in their new sales job). As jscher2000 says, best to consult an attorney when making the policies.

        That doesn’t sound right at all. “The assumption … ” what assumption and by whom is it assumed? If the employer does not have any such “clearly written and binding policy”, they can still wipe all data from a machine that doesn’t belong to them? If there really is such a policy and the employee was made aware of it before he agreed to allow the company partial use of his personal property and its associated services (in return for appropriate fiscal or other compensation and/or tax breaks), then I see no problem allowing the destruction of any data on the ‘phone related to the company – BUT NOT ALL DATA on the ‘phone as some is clearly the property and under the legal ownership of the (ex-)employee.

        • #1275635

          That doesn’t sound right at all. “The assumption … ” what assumption and by whom is it assumed? If the employer does not have any such “clearly written and binding policy”, they can still wipe all data from a machine that doesn’t belong to them? If there really is such a policy and the employee was made aware of it before he agreed to allow the company partial use of his personal property and its associated services (in return for appropriate fiscal or other compensation and/or tax breaks), then I see no problem allowing the destruction of any data on the ‘phone related to the company – BUT NOT ALL DATA on the ‘phone as some is clearly the property and under the legal ownership of the (ex-)employee.

          Please don’t read into my post more than is really there. If you don’t like the word assumption, then just ignore it. I’m talking about a hypothetical situation, so I used “assumption”.

          If there is no policy and the end user has not agreed to anything, then the company has no right to wipe the phone. That doesn’t mean they won’t attempt it, but it seems to me that it opens them up to litigation. If there is in fact a policy that the user must agree to, then, yes, they are agreeing to allow their entire phone to be wiped. There is no option to wipe only certain data. Unfortunately it’s all or nothing with these devices. As a System Admin, I really hate the idea of company data on someone’s personal device. My preference is to use the Citrix Access Gateway and force the user to log in to a web page and retrieve their e-mail via secure ICA connection. No data stored in the device, all the issues we’re discussing here are non-existent. It’s also device independent. Citrix has receivers for iPhone, Blackberry, Windows 7 Phone, and Android. This solution of course means you have to have a Citrix farm, which today, most medium and large businesses often have. One solution we briefly looked at was Mobile Iron. http://www.mobileiron.com/. There is also another possible solution coming down the pipe, Citrix is working on a hypervisor for smart phones. The inference is that you can run 2 virtual OSes, your own, and one dedicated to work. This keeps the two separate and offers greater protection for both the company and the end user.

          I’m not sure why this is such a big deal. If you’re in this situation, either you agree to it, or you don’t. If the company requires use of a smart phone, then they should be providing one. If they don’t, it’s not a place I’d want to work for very long. As said above, this is really a legal issue, so anything I say really means squat. The company lawyer (and maybe your personal lawyer!) are the ones that have to sort out the details.

    • #1275641

      Doc, your latest reply seems in direct conflict with your earlier post.

      Are you legally entitled to access a device that doesn’t belong to you and wipe all the data?

      Yes. The assumption is that the employer has clearly written and legally binding policy that allows employees to supply their own phones with the understanding that the company owns its data and has the option to protect itself by remotely wiping the phone. Many companies already make users sign agreements when it comes to data usage, exclusivity, etc. I’ve worked for several companies that dealt with this very issue regarding other personal devices (laptops) and when terminations occurred the ex-employee was legally obligated to destroy the data. I know of at least 2 cases where charges were later filed against those ex-employees who used the data for their own purposes (sales data in their new sales job). As jscher2000 says, best to consult an attorney when making the policies.

      Please note that you appeared to answer my question with “Yes.”.

      All I’m reading is what you had written.

      • #1275666

        Doc, your latest reply seems in direct conflict with your earlier post. Please note that you appeared to answer my question with “Yes.”.

        All I’m reading is what you had written.

        Actually, no, it is not in conflict. You have chosen to take it out of context. I wrote more than just “yes”. Read the rest, “The assumption is that the employer has clearly written and legally binding policy”. Read it as a whole please, not one or two words and then put your own spin on it. I’m really not clear what you are looking for here, or why you are trying to nitpick my posts. As I already said, “this is really a legal issue, so anything I say really means squat. The company lawyer (and maybe your personal lawyer!) are the ones that have to sort out the details”. That said, you can view the right and wrong of this issue any way you like, but I’m done with the discussion.

    • #1275676

      I think one of the issues in this thread MAY be the differences in the Laws of the land that the posters are from.

      Whenever one starts using “assumptions” then they can go in a completely different direction.
      Bottom line, seek “Legal Advice”.

      DaveA I am so far behind, I think I am First
      Genealogy....confusing the dead and annoying the living

    • #1275839

      I always get around this issue by making it company policy that people cannot access company data or networks from non-company owned equipment. If they have a direct need to have 24/7 access to their email (for example) the company should own & supply the equipment to do so. They then have no grounds to complain if a remote wipe is done and they lose personal data. It’s just like telling someone “Bummer dude, you shouldn’t have been storing that important sales forecast on your desktop instead of in your redirected My Documents” when his laptop hard drive dies. 🙂

    • #1275890

      You guys don’t seem to live in the real world.

      First of all, if I have the account set up on my phone, I can set it up on my PC, and copy all e-mails to a storage folder that exists only on the PC. And of course I do that to preserve my e-mails against the vagaries of corporate IT nuts.

      Second, you are making important legal decisions without the benefit of competent legal advice. Even if there was a “policy” in place, and you had proof that the ex-employee was aware of it, have you committed a trespass in your enforcement of the company’s rights? You may need a court order to wipe the phone. And then you still can’t be assured that the ex-employee doesn’t have a copy of the data.

      The moral is that if the ex-employee is not allowed to use the data, you must resort to the courts if s/he does misuse the data. The situation is the same with copies of paper documents. If the employee copied documents before leaving, or declined to return some documents, can you break into the employee’s home to retrieve them?

      • #1275974

        We currently do not allow personal devices to be used for company data but things with phones and pads are changing that landscape quickly. Many companies are allowing their employees to use personal equipment so they don’t have to carry multiple devices for personal and business. As we are moving from Blackberry phones to some Droids/iPhones I’ve been looking at mobile management software. Nearly all of the companies in this area have the ability to separate personal and business data on the phone. So if the employee leaves or the phone is lost the company data can be wiped off the phone and the personal data is left untouched.

        • #1276028

          It has already been said, GET LEGAL ADVICE specific to your location.

          Most of the articles I’ve read on this subject (Canada, US, Great Britain, Europe, Australia) agree that if you do not have “proper” policies in place you do NOT have any right to do things like snoop on email or network traffic or wipe an (ex)employee’s smart phone. Even with policies you still may not have the right to those things depending on the specific legislation and legal precedent in effect in your location.

          Think of proper policies (publicized, education sessions, periodic reviews, employee signature that they have read it etc) as part of the employment contract between the employer and employee.
          “In this situation, we expect you to do this that or the other thing. If you do (or don’t) we will do the following: smack on wrist, written “traffic ticket”, unpaid “vacation” or even termination (with extreme prejudice).”

          Back to the original question, volunteer organizations are a mixed bag of experience. They are rarely at the leading edge of computing best “anything” (practices, equipment etc). They make do with what they can get. So it is not surprising that they would have “employees” with better computing equipment than the organization can afford, such as smart phones and laptops. It is also not surprising that they do not know about the need for securing these devices, or the need for good policies in general. I’m not taking a shot at them, I just see it as a reflection of the reality they live in. IT is totally a subsidiary support service that has less visible need than the janitor. If the janitor is not there the garbage piles up, floors get dirty. If IT is not there, what happens or doesn’t is not always immediately visible.

          • #1276093

            Bottom Line:

            ANY program, document, email or any other correspondence is legal property of the company you work for. Period.
            It’s their equipment being used to produce company documents, so they have complete right to deal with the information produced in any manner they choose. There is NO debate here. That’s why you are hired, to produce meaningful data to have the company be competitive.

            Nothing is yours.. it’s theirs.

            • #1276102

              Bottom Line:

              ANY program, document, email or any other correspondence is legal property of the company you work for. Period.
              It’s their equipment being used to produce company documents, so they have complete right to deal with the information produced in any manner they choose. There is NO debate here. That’s why you are hired, to produce meaningful data to have the company be competitive.

              Nothing is yours.. it’s theirs.

              Excuse me but did you actually read any of the thread?

            • #1276103

              Excuse me…
              do you not understand that anything you create while employed is NOT your property? IT has every legal right to confiscate any and all documents, phone calls etc.

              No reply necessary

            • #1276104

              Excuse me…
              do you not understand that anything you create while employed is NOT your property? IT has every legal right to confiscate any and all documents, phone calls etc.

              No reply necessary

              Not necessary?!

              The major point here is the fact that the phone is the property of the (ex)employee – not of the employer, as such, it contains data which belongs to the (ex)employee, not to the employer.

    • #1276286

      This isn’t just a smart phone issue. A company has just two real options:

      A) Heavy. Only company supplied equipment is used to access company systems and data. Anything stored on that equipment is presumed to be the property of the company. Everything is surrendered before leaving.

      B) Light. Employees can use their own smartphone/laptop/usb stick to access company systems and data. You can’t legally do anything once the employee leaves because unlike the HMRC (IRS) you don’t have any legal rights to an ex-employee’s personal equipment, whether or not you have a clause in your employment contract. All you can do is apply for a court order or sue if they attempt to mis-use the data.

      Many companies use the heavy route, which tends to stifle innovation and remote working but does keep a lid on support costs. Many other companies use the friendly route because either they don’t have a policy or they trust their employees. They may also recognise that determined data thieves can easily subvert company owned equipment once it is out of the company’s physical control. They may regret their choice when a key employee walks off with the plans to the next great product, but let’s face it, most of that stuff was in their head anyway or you wouldn’t have employed them in the first place.

      Ian

      • #1276307

        You can’t legally do anything once the employee leaves because unlike the HMRC (IRS) you don’t have any legal rights to an ex-employee’s personal equipment, whether or not you have a clause in your employment contract. All you can do is apply for a court order or sue if they attempt to mis-use the data.

        A remote wipe fires when a device connects to the Exchange Server. Why is a former employee connecting to the Exchange Server? A court might conclude that attempting to check email after termination justifies wiping the device. Or not. Different countries may well have very different results.

        (Obviously the best thing a terminated employee can do to prevent a wipe is to immediately delete their Exchange account from the device. Don’t even take the risk of leaving it on “manual” sync.)
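
The point made in this sub-thread, that a remote wipe is only delivered when the device next connects to Exchange, can be checked from the Exchange 2010 Management Shell. The script below is an added example, not code posted by any participant; the mailbox identity, the notification address and the `-WipeAuthorized` switch are hypothetical names chosen for illustration.

```powershell
# Added example for the Exchange 2010 Management Shell (not from the thread).
# $Mailbox, $NotifyAddress and -WipeAuthorized are hypothetical names.
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox,                                  # the leaver's mailbox identity
    [string]$NotifyAddress = 'it-admin@example.com',   # placeholder address
    [switch]$WipeAuthorized                            # set only with a signed policy and legal sign-off
)

function Get-LeaverDeviceReport {
    param([string]$Identity)
    # One row per ActiveSync partnership, i.e. per device that may still
    # hold mail synced before the password was changed.
    Get-ActiveSyncDeviceStatistics -Mailbox $Identity |
        Select-Object DeviceFriendlyName, DeviceType, DeviceID, LastSuccessSync,
                      DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime,
                      Identity
}

$report = @(Get-LeaverDeviceReport -Identity $Mailbox)
if ($report.Count -eq 0) {
    Write-Output "No ActiveSync partnerships found for $Mailbox."
    return
}

foreach ($device in $report) {
    # Classify each device by how far a wipe has progressed.
    if ($device.DeviceWipeAckTime) {
        $state = 'wipe acknowledged by device'
    } elseif ($device.DeviceWipeSentTime) {
        $state = 'wipe sent, not yet acknowledged'
    } elseif ($device.DeviceWipeRequestTime) {
        $state = 'wipe requested, device has not connected since'
    } else {
        $state = 'no wipe requested; previously synced mail remains on the device'
    }

    Write-Output ("{0} ({1}), last sync {2}: {3}" -f `
        $device.DeviceFriendlyName, $device.DeviceType, $device.LastSuccessSync, $state)

    # Clear-ActiveSyncDevice wipes the whole device, not only company data,
    # so it is gated behind the explicit authorization switch.
    if ($WipeAuthorized -and -not $device.DeviceWipeRequestTime) {
        Clear-ActiveSyncDevice -Identity $device.Identity `
            -NotificationEmailAddresses $NotifyAddress -Confirm:$false
    }
}
```

A device that never reconnects stays in the "wipe requested" state, so this report only shows whether the wipe was delivered, not whether copies of the mail exist elsewhere.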

    • #1276375

      When an employee leaves or is terminated, what is your policy on the security of the email data on their phone, i.e. confidential emails and phone numbers? My organization doesn’t give employees phones, they use their personal phones. I have an Exchange 2010 SP1 server, and have the ability to remote wipe any phone that connects to my corporate mail server.

      If I change their password when an employee leaves, is the email still readable on the iPhone/Android/Windows Phone, etc.? If it’s not accessible to the user, is it still at risk to be read by someone with malicious intent? Ex. someone who tries to scrape data off the smart phone by browsing through the raw files in the phone memory?

      Thank you,
      Peter
      IT Administrator

      Who cares what you can do? If you don’t have an explicit legal agreement that permits you to interfere with data on a device I owned, you would find yourself in considerable legal difficulties. I would not hesitate to sue under the DMCA or any other law I could find.
