Navigating Smartphone Liability: Corporate Liable v. Individual Liable
Personally owned, individual liable converged mobile devices are becoming commonplace in corporate environments and pose unique data protection threats.
It's a familiar scene played out in waiting lines, airport gates, and restaurants every day. Someone scrolls through their handheld device, scans some text, shakes their head worriedly or angrily, then rushes to make a call to the office or a business colleague. While whether checking messages in a restaurant constitutes proper etiquette is up for debate, the fact that many of us are working wherever and whenever we need to is not. Business has gone mobile, and most corporate employees are keeping up by carrying around at least one converged mobile device (CMD) (e.g. an iPhone, a BlackBerry, or an Android smartphone) that is used to access corporate resources like email.
Although corporate email and other communications generally belong to the business itself, the device used to receive that data is often one that belongs to the individual employee. These devices are called "individual liable" or IL, as opposed to "corporate liable" or CL. As personally owned equipment becomes more common in the workplace, the questions on many an IT, privacy, and risk management professional's mind are: does individual ownership make sense, and how does device ownership impact liability for data loss, misuse, and breach?
Why Individually Owned Devices?
First, an organization must decide if access to corporate data over personally owned devices will be allowed at all. Individual liable devices are commonly defined as devices purchased by an employee and either not expensed back at all or not expensed via a formal policy. Corporate liable devices are those that the company purchases, or that the employee purchases but is reimbursed for under a formal policy. But keep in mind that these are not yet legal terms proven by case law when it comes to CMDs. To this end, what "liable" means is also murky from a legal perspective. One area of liability is certainly financial: Who is liable for paying for the device? But other areas extend to use and misuse: What if the device is left in a taxi and sensitive corporate data is leaked as a result?
To avoid the topic of individual liable devices entirely, companies could buy the converged mobile devices themselves, distribute them to employees on hire, and take them back at end of lifecycle. The advantage of this approach is more control over the device, but it has some serious drawbacks.
Cost is a big factor; if employees purchase their own devices, the organization saves money. More money can be saved if the employee also pays for his or her voice/data plan, or at least a portion of it. Usability is another driver for individual ownership. CMDs are used for business and personal reasons, especially in the era of social networking and heartbeat communication technologies, such as Twitter and texting. Finally, employee preference often comes into the mix; if the CEO and CFO aren't going to give up their iPhones, it could be difficult to pass corporate policy forbidding iPhone use. IDC predicts that over 50% of CMDs will be IL by 2013, which indicates that this is a trend companies need to be thinking about now, even if they are still on a 100% CL model.
Ultimately, the decision of whether or not to allow IL CMDs rests with the company's executive leadership team, but IT and risk can help ensure that decision is informed by providing supporting data and risk analysis that illustrates the pros and cons from the technical risk perspective.
Mitigating the Risk
If IL devices are approved for use, organizations should address the following as part of the IL risk mitigation plan.
- Define IL Approved Users. Using an IL or a CL doesn't have to be a whole-organization decision; companies can limit who is allowed to use ILs or must use CLs based on policy. For example, a field worker may require a CL because use is mission critical, while a desk-tethered customer support worker may be allowed to use an IL. Think about who needs a CMD and what that CMD will be used for: Will it store sensitive data? Will it be roaming? Will business be interrupted or impacted if the device is offline or stolen? Once you've thought about these points, generate a list of which users are approved for ILs, CLs, or neither.
- Define Must Have Devices. What devices or platforms have been deemed essential? The iPhone comes up a lot, but Android platform phones are one of the fastest growing segments. And tablets (like the iPad) are extending the CMD market even more. Before looking at security features and functions, identify which platforms and devices are must-haves for the company and pick solutions that work with them.
- Have Users Sign Off and Opt In. Companies should already have acceptable use policy sign-offs in place for CLs, and they should extend the sign-off to ILs. Acceptable use may have to be re-written, though, for the ILs to take into account different platforms and applications. For example, explicit language forbidding app download and install without approval by IT might be out of place in an IL scenario. Part of the sign-off process for ILs should also include explicit, written opt-ins that employees sign to show that they understand the use policy and are agreeing to adhere to it as part of their IL use.
- Manage: Encrypt, Lock and Wipe. There are third-party and native options available for remote management features of CMDs. Most commonly, enterprises employ full or file encryption, lock on password failure or loss, and complete wipe of everything on the device. Settings can be tuned to meet the sensitivity needs of information on the device; for example, a full locally initiated wipe after three password fails, ten fails, or never. Smartphone management can also include control of applications installed and security settings, such as which type of network (any Wi-Fi, only approved Wi-Fi, only 3/4G, etc.) is approved for use.
- Limit Data Availability. CMDs support a variety of applications and can VPN into a corporate network like laptops, but just because they can doesn't mean they should. What is the absolute minimum amount of corporate information that an employee needs on his or her CMD? For many organizations, email is sufficient. If that's the case, look into technologies that enable the organization to tag, manage, and delete corporate mail only, which allows users to use one mailbox for both personal and business correspondence.
- Limit the Choice. After determining which features the organization wants to support on the ILs (for instance, lock and wipe, encryption, policy management), create a short list of supported phones, platforms, and possibly even carriers that are approved for ILs. In some cases that short list may not be a perfect match with the business requirements list (e.g. iPhones didn't make the cut, but the CFO has to have one). If that's the case, additional management or control solutions may be needed.
Personally owned, individual liable CMDs are becoming commonplace in corporate environments for financial and usability reasons. While all CMDs pose unique data protection threats, organizations need to complete risk analysis specifically for ILs and implement IL-focused policies and controls to safeguard corporate data.