Employers Demanding the Right to Remotely Wipe Employees’ Phones?
By Eric Goldman
I got the following email from one of my students (I edited a little to increase the anonymity):
Recently, my spouse’s company announced that it is going to implement a new policy regarding those employees using their mobile devices to check company email. These phones are personal phones, and not provided by the company. What they are proposing is that my spouse sign a release that states that the Company has the right to remotely wipe the phone (restoring it to factory settings) if they feel that any of their trade secrets have been compromised, or if the spouse loses/misplaces the phone.
My problem with this is that these are personal phones with personal information not connected to her work. Does her company have the right to wield such power, or is this over doing it?
This was the first time I’d ever heard of such a provision. Has this become a new standard, or is this company over-the-top hyper-protective of its trade secrets?
As an employee, I would not sign such a release. Further, if I were the employer, I would be reluctant to rely on the release, even if signed, to actually wipe a former employee’s phone. If the employee challenged the wipe in court, I would imagine many judges would be reluctant to enforce the release, motivating them to look for reasons not to do so. If nothing else, there’s a major due process problem (in the equity sense, not the legal sense). The company is the judge, jury and executioner without ever proving trade secret misappropriation, and carrying out the remote wipe could cause catastrophic data losses for the employee (and possibly for a subsequent employer). This just seems like a bad idea all around.
Please email me if you’ve seen a provision like this in the field before or if you know of any cases/statutes that address the situation. In the email, let me know if I can repost your email here.
UPDATE: I got this response: “For what it is worth, my firm has a similar policy, though as far as I know it is only enforced technologically (by installation of remote management software) rather than by written agreement. Of course, we can opt out by using a firm-provided blackberry instead of checking work email on our personal phones; perhaps mitigating the sting somewhat.”
UPDATE 2: Another response: “These are fairly common provisions to ensure the ability to protect company/client secrets if the phone is lost. Like your other commenter said, these agreements only are usually required for personal devices only when they are allowed as an option to company-provided devices. In that instance, you consent to the wipe in exchange for the convenience of carrying around only one device instead of two. The interesting legal question comes when the firm only pays for email, but retains the contract with the service provider, where you can get a Quon-like situation and potentially a claim against the company for accessing phone records even though they’re not paying for it (recall that the 9th Circuit’s SCA portions of Quon were not part of the Supreme Court’s opinion). But something to think about when you give your company access to your device.”
Eric’s additional thought: I’m still not seeing how the ability to remote-wipe the company-provided device prevents the leakage of trade secret info. I assume there are still ways to move trade secret information off the device…? I know some companies have developed blocking technology to prevent data leakage through forwarding emails and downloading to flash drives, and I assume this blocking technology would be on the company-issued device. But I have been skeptical that such blocking technology works very well.
UPDATE 3: Another response:
I know some employers believe they are making this ‘enforceable’ by requiring that the security settings be set on the phone in such a way that they can do the wipe (and effectively the employee hands the security PW of one’s personal phone over to one’s employer — which to me is even more dangerous than the notion of letting them wipe it).
It does seem rather silly though in a day when many of us have our entire phone content backed up regularly, either on our home computer or now on iCloud or its equivalents — and I know of no wiping system that would reach out to those backup copies. (And, since virtually all of our workplace emails are set up with a web-based reader anyway, or some other connection that bypasses the hyper-security of a direct connection to Exchange or whatever might be used, it’s all kind of moot in the end.)
Yours is the first example I’d heard of a piece of paper on top of it all — although I’m not surprised to hear of such. The ‘policy’ such as it is was often ad hoc created by the IT group, or at best a policy of the company without necessarily getting a firm OK from the employee for the right to mess up his whole life to protect the purported trade secrets. And, to be clear, apart from this piece of paper, I’ve been seing this going on for many years — essentially about the time BlackBerry introduced the ability to do such a thing.
Regardless, I’ve seen the consequences personally when I left my last job, where I had a personal phone (albeit one I had reimbursed by the employer) that was mixed use — job and personal — and the realization that as I left the only way to do it was to have it all wiped out. In new job I’ve gone the inconvenient path of carrying the work-owned BlackBerry, which is 100% work, and my own personal smartphone, which is 100% me. And, in doing so, I’ve actually discovered a new joy — There are many times I now leave the work phone at home, and I have a little more control over my life as a result as I’m not being pinged by workers 24/7. (They don’t all necessarily know I’m not paying attention, which is even better.)
UPDATE 4: Another response:
This is probably more common than you might think because remote wipe of phones is a standard feature that comes with Microsoft Exchange these days. I’ve worked at Hewlett-Packard, Microsoft and Amazon, and all of them were set up to where they could remotely wipe your phone via Exchange if you set it up to work with corporate e-mail, regardless of whether or not the phone was personal or company owned.
In my employment contracts, there was usually a clause that said that if I put company data on a device that I personally own, that the company has the right to audit and remove data from said machine, but I have no clue how enforceable that might be….Since I work with a lot of source code for my profession, this doesn’t seem that unreasonable to me.
UPDATE 5: Another response:
Such policies and the technology that enables them have become commonplace in large enterprises. Most businesses see such a policy as a trade off for not allowing the employee to use his phone for work at all. In other words, they allow the employee to use their personal phones for work purposes, but require that they submit to searches and remote wiping. Not only is there an element of trade secret protection, but also the issue of breach notification for loss of personal information under state breach notification laws, GLBA, or HITECH.
In fact, there are some applications out there that create a sandbox environment for the employer’s email, calendar, and other information and only allow partial deletion. Good for Enterprise is one such solution, though there are others. However, as you can imagine, there are a lot of issues to work through. The application on these devices can collect location information, IP address, unique device id, etc. Additionally, there are issues with employees giving consent for these types of policies in the EU. Though not impossible, most EU Data Protection Authorities view consent in workplace as coerced, therefore, not freely given. (more on that in the Article 29 Working Party documents WP48, WP114, and WP187)
When I looked into this issue, I did a brief search for cases on this issue but I was not able to find any. There are no statutes that I am aware of that would be directly on point.
UPDATE 6: Another response: “I was at a firm that did this and never thought it was a big deal. My firm gave attorneys two options for mobile devices: you could get a firm-owned Blackberry or receive your firm email on your own personal Blackberry/iPhone. If you brought your own device you agreed to allow them to remote wipe it if you reported the device as lost. I understood the intent to be preventing accidental release or discovery of confidential client information, not to prevent attorneys from deliberately leaking info; there were plenty of other ways to do that if someone wanted. I considered it a useful policy, since if I lost my phone I would want my information deleted anyway. (For what it’s worth, when I left they didn’t bother to/remember to wipe my phone.)”
Eric’s response: I wonder if lawyers acquiesce to this concept more willingly because we are so attuned to the protection of client confidences anyway.