Faculty Q&A

CAN WE BORROW YOUR PHONE?

We asked William Smith about privacy issues and other pitfalls when employees use their personal computing devices at the office.

-How widespread is office use of personal devices?-

Processing power, functionality, and storage now sit comfortably in a person’s hand. Employees can collaborate and share data from any location and at any time. According to a 2015 report from the Ponemon Institute, which conducts research on privacy, data protection and information security, 68 percent of IT managers reported their organizations support BYOD (bring your own device). A survey by Tech Pro Research found that 74 percent of organizations either were already using or planning to allow employees to bring their own devices to work. And Willis, an insurance firm, says that by 2017 half of all employers will require employees to provide their own devices as part of their job.

-What are the risks associated with using a personal device?-

Without a doubt, information security is one of the hazards of BYOD programs. A company’s proprietary information can now be copied, altered, transferred and deleted from a wide variety of non-company devices. Information on personal devices also becomes more vulnerable if the device is lost or stolen and may be particularly susceptible to malware and virus threats. Another dilemma is how to protect confidential information and trade secrets when employees leave the company.

-How can data be protected?-

Two common approaches of assuring information security are Mobile Device Management (MDM) and Mobile Application Management (MAM). MDM solutions involve registering and approving all devices with access to company information. MDM systems can also generate reports detailing the analytics of device use. A MAM solution installs a partition that restricts the use of applications based on the role of the user. Both systems should limit privacy compromises or unauthorized access of data.

-Do employees forfeit their right to privacy when using their own devices at the office?-

Employers retain some ability to access an employee’s device, so there is a need for clear boundaries. Personal data can be subject to exposure, alteration or deletion when applications are shared with the employer. Sensitive information about employee location (GPS tracking), health or credit records also may be accessible to employers. Workers are already aware of this issue. Just 61 percent of the more than 3,500 mobile workers surveyed in 2015—respondents came from the United States, United Kingdom, France, Germany, Spain and Japan—said that they believed employers could keep employees’ personal information private.

-Can policies prevent inappropriate use of devices by employees or employers?-

In most legal cases regarding email and text messaging, policies existed about appropriate use and monitoring.

Sometimes these policies were ignored; other times they presented a bit too much “wiggle room.” But policies are just that, a formal statement of expectations. Without serious enforcement and culture change, policies inevitably fall short of their desired effect.

A modest degree of malfeasance may be all it takes before an employee’s or manager’s casual curiosity crosses a line into a serious intrusion. The rapid pace of innovations makes it nearly impossible for managers to respond to, let alone anticipate potential liabilities. In the case of BYOD environments and employee privacy, we cannot predict how or where the thin membrane between employee privacy and problematic access might occur.

-Are there any differences in privacy issues between for-profit companies vs. nonprofits or governmental organizations, such as TU?-

Legally, there is little difference between the rights/duties of employers and employees in for-profit and nonprofit firms. For public sector/government organizations, like TU, things change a bit. Public employers, like Towson University, have duties to respect the constitutional rights of their employees. Specifically, Fourth Amendment protections from “unreasonable searches” place extra burdens on government employers not to invade their employees’ privacy and property with the exception of fraud or misconduct investigations.

Beyond just the legal considerations, public and nonprofit organizations answer to a broader range of stakeholders and over a broader range of issues. Towson University, for instance, is accountable to the state of Maryland, the Board of Regents, students, alumni, communities and various professional academies. These stakeholders expect a high degree of responsiveness and engagement with the university. Due to its mission and culture, an employer like TU probably grants a bit more respect to employee privacy claims than would a typical for-profit company.

-Will cloud-based computing affect data security?-

We should remain mindful when it comes to our conception of “device.” The vast majority of our information will be stored and accessed through cloud-based services. In the grand network of information, “devices” are just clumsy conduits to our photos, personal history, communications, documents and other potentially sensitive data. Access into or through a device can open a pathway to virtual medicine cabinets, closets, and bookshelves (Dropbox or GoogleDrive). Though the risks of authorized access can be minimized, the consequences become more severe.

-What technological innovations are on the horizon?-

Devices of the future will be more powerful, more functional and more integrated into our surroundings. From fitness bands that can track our physical activity and monitor health data to smart watches that manage appointments, contacts and messages, data input will become less dependent on keyboards and driven more by voice and sensory monitors.

Devices will be connected to an expanding network containing other devices, also known as “IOT” or “internet of things”. Homes, automobiles, and household appliances will be connected, monitored and adjusted as part of larger network systems. There’s even a “smart toilet” that will monitor important health data from urine and stool. These trends point to expanding numbers of devices linked to data networks. For employees and employers that share platforms, it will be increasingly difficult to keep their information domains separate.

William Smith, professor of management, teaches business ethics and international business in the College of Business and Economics. His research has evolved from studying Facebook tags and employee emails to examining the brave new world of policies that focus on the legal and ethical issues that employees and employers face when workers use their own devices in the workplace. The following is adapted from Smith’s paper, “Can we borrow your phone? Employee privacy in the BYOD era,” published in a forthcoming 2017 issue of the Journal of Information, Communication and Ethics in Society.