iPhone Risk: Your Employer and Personal Devices
So, you go to work every day with your iPhone, Android phone or even an iPod. You bring it with you because you like having the convenience of people being able to reach you or because you listen to music. Let’s get started so you can understand your risks.
Employment Agreements
We all know these agreements. We typically sign one whenever we start a new job. Employers want to make sure that each employee remains responsible all during employment and some even require that employee to remain responsible even after leaving the company for a specified (or sometimes unspecified) period of time. That is, these agreements make you, as an employee, personally responsible for not sharing things that shouldn’t be shared. Did you realize that many of these agreements extend to anything on your person and can include your iPhone, iPod, Android Phone, Blackberry or any other personal electronic device that you carry onto the property? Thus, the Employment Agreement may allow your employer to seize these devices to determine if they contain any data they shouldn’t contain.
You should always take the time to read these agreements carefully and thoroughly. If you don’t or can’t decipher the legalese, you should take it to an attorney and pay the fee for them to review it before signing it. You might be signing away too many of your own personal rights including anything you may be carrying on your person.
Your Personal Phone versus Your Employer
We carry our personal devices to our offices each and every day without really thinking about the consequences. The danger, though, is that many employers now allow you to load up personal email on your own personal iDevices. Doing this can especially leave your device at risk of legal seizure or forfeiture under certain conditions. So, always read Employment Agreements carefully. Better, if your employer requires you to be available remotely, they should supply you with all of the devices you need to support that remote access. If that support means you need to be available by phone or text messaging, then they should supply you with a device that supports these requirements.
Cheap Employers and Expensive Devices
As anyone who has bought an iPhone or an Android phone can attest, these devices are not cheap. Because many people are buying these for their own personal use, employers have become jaded by this and leech into this freebie and allow employees to use their own devices for corporate communication purposes. This is called a subsidy. You are paying your cell phone bill and giving part of that usage to your employer, unless your employer is reimbursing you part or all of your plan rate. If you are paying your own bill without reimbursement, but using the device to connect to your company’s network or to corporate email, your device is likely at high risk should there be a legal need to investigate the company for any wrong doing. This could leave your device at risk of being pulled from your grasp, potentially forever.
If you let the company reimburse part or all of your phone bill, especially on a post-paid plan, the company could seize your phone on termination as company property. The reason, post-paid plans pay for the cost of the phone as part of your bill. If the company reimburses more than 50% of the phone cost as part of your bill, they could legally own the phone at the end of your employment. If the company doesn’t reimburse your plan, your employer could still seize your device if you put corporate communication on your phone because it then contains company property.
What should I do?
If the company requires that you work remotely or have access to company communication after hours, they need to provide you with a device that supports this access. If they are unwilling to provide you with a device, you should decline to use your personal device for that purpose. At least, you should decline unless the employment agreement specifically states that they can’t seize your personal electronics. Although, most employers likely won’t put a provision in that explicitly forbids them from taking your device. Once you bring your device on the property, your employer can claim that your device contains company property and seize it anyway. Note that even leaving it in your car could be enough if the company WiFi reaches your car in its parking space.
Buy a dumb phone and use that at work. By this I mean, buy a phone that doesn’t support WiFi, doesn’t support a data plan, doesn’t support email, doesn’t support bluetooth and that doesn’t support any storage that can be removed. If your phone is a dumb phone, it cannot be claimed that it could contain any company file data. If it doesn’t support WiFi, it can’t be listening in on company secrets. This dumb phone basically requires your company to buy you a smart phone if they need you to have remote access to email and always on Internet. It also prevents them from leeching off your personal iPhone plan.
That doesn’t mean you can’t have an iPhone, but you should leave it at home during work days. Bring your dumb phone to work. People can still call and text you, but the phone cannot be used as a storage vehicle for company secrets (unless you start entering corporate contacts into the phone book). You should avoid entering any company contact information in your personal phone’s address book. Even this information could be construed as confidential data and could be enough to have even your dumb phone seized.
If they do decide to seize your dumb phone, you’ve only lost a small amount of money in the phone and it’s simple to replace the SIM card in most devices. So, you can probably pick up a replacement phone and get it working the same day for under $100 (many times under $30).
Request to Strike Language from the Employment Agreement
Reading through your Employment Agreement can make or break the deal of whether or not you decide to hire on. Some Employment Agreements are way overreaching in their goals. Depending on how the management reacts to your request to strike language from the Employment Agreement may tell you the kind of company you are considering. In some cases, I’ve personally had language struck from the agreement and replaced with an addendum to which we both agreed and signed. In another case, I walked away from the position because both the hiring and HR managers refused to alter the Employment Agreement containing overreaching language. Depending on how badly they want to fill the position, you may or may not have bargaining power here. However, if it’s important to you, you should always ask. If they decline to amend the agreement, then you have to decide whether or not the position is important enough to justify signing the Agreement with that language still in place.
But, I like my iPhone/iPad/iPod too much
Then, you take your chances with your employer. Only you can judge your employer for their intent (and by reading your employment agreement). When it comes down to brass tacks, your employer will do what’s right for the company, not for you. The bigger the company gets, the more likely they are to take your phone and not care about you or the situation. If you work in a 1000+ employee company, your phone seizure risk greatly increases. This is especially true if you work in any position where you have may access to extremely sensitive company data.
If you really like your device, then you should protect it by leaving it someplace away from the office (and not in your car parked on company property). This will ensure they cannot seize it from you when you’re on company property. However, it won’t stop them from visiting your home and confiscating it from you there.
On the other hand, unlike the dumb phone example above, if they size your iPhone, you’re looking at a $200-500 expense to replace the phone plus the SIM card and possibly other expenses. If you have synced your iPhone with your computer at home and data resides there, that could leave your home computer at risk of seizure, especially if the Federal Government is involved. Also, because iCloud now stores backups of your iDevices, they could petition the court to seize your Apple ID from Apple to gain access to your iDevice backups.
For company issued iPhones, create a brand new Apple ID using your company email address. Have your company issued phone create its backups in your company created Apple ID. If they seize this Apple ID, there is no loss to you. You should always, whenever possible create separate IDs for company issued devices and for your personal devices. Never overlap this personal and company login IDs matter how tempting it may be. This includes doing such things as linking in your personal Facebook, Google, LinkedIn, Yahoo or any other personal site accounts to your corporate issued iPhone or Apps. If you take any personal photographs using your company phone, you should make sure to get them off of the phone quickly. Better, don’t take personal pictures with your company phone. If you must sync your iPhone with a computer, make sure it is only a company computer. Never sync your company issued iPhone or iPad with your personally owned computer. Only sync your device with a company issued computer.
Personal Device Liabilities
Even if during an investigation nothing is turned up on your device related to the company’s investigation, if they find anything incriminating on your device (i.e., child porn, piracy or any other illegal things), you will be held liable for those things they find as a separate case. If something is turned up on your personal device related to the company’s investigation, it could be permanently seized and never returned. So, you should be aware that if you carry any device onto your company’s premises, your device can become the company’s property.
Caution is Always Wise
With the use of smart phones comes unknown liabilities when used at your place of employment. You should always treat your employer and place of business as a professional relationship. Never feel that you are ‘safe’ because you know everyone there. That doesn’t matter when legal investigations begin. If a court wants to find out everything about a situation, that could include seizing anything they feel is relevant to the investigation. That could include your phone, your home computer, your accounts or anything else that may be relevant. Your Employment Agreement may also allow your employer to seize things that they need if they feel you have violated the terms of your employment. Your employer can also petition the court to require you to relinquish your devices to the court.
Now, that doesn’t mean you won’t get your devices, computers or accounts back. But, it could take months if the investigation drags on and on. To protect your belongings from this situation, here are some …
Tips
- Read your Employment Agreement carefully
- Ask to strike language from Agreements that you don’t agree with
- Make sure agreements with companies eventually expire after you leave the company
- NDAs should expire after 5-10 years after termination
- Non-compete agreements should expire 1 year after termination
- Bring devices to the office that you are willing to lose
- Use cheap dumb phones (lessens your liability)
- Leave memory sticks and other memory devices at home
- Don’t use personal devices for company communication (i.e., email or texting)
- Don’t let the company pay for your personal device bills (especially post-paid cell plans)
- Prepaid plans are your friend at your office
- Require your employer to supply and pay for iDevices to support your job function
- Turn WiFi off on all personal devices and never connect them to corporate networks
- Don’t connect personal phones to corporate email systems
- Don’t text any co-workers about company business on personal devices
- Ask Employees to refrain from texting your personal phone
- Use a cheap mp3 player without WiFi or internet features when at the office
- Turn your personal cell phone off when at work, if at all possible
- Step outside the office building to make personal calls
- Don’t use your personal Apple ID when setting up your corporate issued iPhone
- Create a new separate Apple ID for corporate issued iPhones
- Don’t link iPhone or Android apps to personal accounts (LinkedIn, Facebook, etc)
- Don’t take personal photos with a company issued phone
- Don’t sync company issued phones with your personally owned computer
- Don’t sync personal phones with company owned computers
- Replace your device after leaving employment of a company
Nothing can prevent your device from being confiscated under all conditions. But, you can help reduce this outcome by following these tips and by segregating your personal devices and accounts from your work devices and work accounts. Keeping your personal devices away from your company’s property is the only real way to help prevent it from being seized. But, the company could still seize it believing that it may contain something about the company simply because you were or are an employee. Using a dumb prepaid phone is probably the only way to ensure that on seizure, you can get a phone set up and your service back quickly and with the least expense involved. I should also point out that having your phone seized does not count as being stolen, so your insurance won’t pay to replace your phone for this event.
Amazon Kindle: Buyer’s Security Warning
If you’re thinking of purchasing a Kindle or Kindle Fire, beware. Amazon ships the Kindle pre-registered to your account in advance while the item being shipped. What does that mean? It means that the device is ready to make purchases right from your account without being in your possession. Amazon does this to make it ‘easy’. Unfortunately, this is a huge security risk. You need to take some precautions before the Kindle arrives.
Why is this a risk?
If the package gets stolen, it becomes not only a hassle to get the device replaced, it means the thief can rack up purchases for that device from your Amazon account on your registered credit card without you being immediately aware. The bigger security problem, however, is that the Kindle does not require a login and password to purchase content. Once registered to your account, it means the device is already given consent to purchase without any further security. Because the Kindle does not require a password to purchase content, unlike the iPad which asks for a password to purchase, the Kindle can easily purchase content right on your credit card without any further prompts. You will only find out about the purchases after they have been made through email receipts. At this point, you will have to dispute the charges with Amazon and, likely, with your bank.
This is bad on many levels, but it’s especially bad while the item is in transit until you receive the device in the mail. If the device is stolen in transit, your account could end up being charged for content by the thief, as described above. Also, if you have a child that you would like to use the device, they can also make easy purchases because it’s registered and requires no additional passwords. They just click and you’ve bought.
What to do?
When you order a Kindle, you will want to find and de-register that Kindle (may take 24 hours before it appears) until it safely arrives into your possession and is working as you expect. You can find the Kindles registered to your account by clicking (from the front page while logged in) ‘Your Account->Manage Your Kindle‘ menu then click ‘Manage Your Devices‘ in the left side panel. From here, look for any Kindles you may have recently purchased and click ‘Deregister’. Follow through any prompts until they are unregistered. This will unregister that device. You can re-register the device when it arrives.
If you’re concerned that your child may make unauthorized purchases, either don’t let them use your Kindle or de-register the Kindle each time you give the device to your child. They can use the content that’s on the device, but they cannot make any further purchases unless you re-register the device.
Kindle as a Gift
Still a problem. Amazon doesn’t recognize gift purchases any differently. If you are buying a Kindle for a friend, co-worker or even as a giveaway for your company’s party, you will want to explicitly find the purchased Kindle in your account and de-register it. Otherwise, the person who receives the device could potentially rack up purchases on your account without you knowing.
Shame on Amazon
Amazon should stop this practice of pre-registering Kindles pronto. All Kindles should only register to the account after the device has arrived in the possession of the rightful owner. Then, and only then, should the device be registered to the consumer’s Amazon account as part of the setup process using an authorized Amazon login and password (or by doing it in the Manage devices section of the Amazon account). The consumer should be the sole responsible party to authorize all devices to their account. Amazon needs to stop pre-registering of devices before the item ships. This is a bad practice and a huge security risk to the holder of the Amazon account who purchased the Kindle. It also makes gifting Kindles extremely problematic. Amazon, it’s time to stop this bad security practice or place more security mechanisms on the Kindle before a purchase can be made.
Security tip: Don’t sign-up for sites without ‘delete account’ function
As security of data becomes more and more important and as security breaches become more and more frequent, the ‘delete account’ link becomes very important. So many sites today allow you to import information such as credit cards, birth dates and other sensitive information, but many times they don’t allow you to delete that information (or your account) easily. In some cases, you can’t delete your data at all. It’s important to understand why it’s critical to have the option to delete your account (and all data associated with it). Let’s explore.
Account Security
Few people consider account security when signing up for an internet service like Facebook, Twitter, MySpace or even Yahoo or Google. As more and more sites become victims of security breaches, without deletion of old dormant accounts, your data is sitting out there ripe for the picking. In some cases, these accounts may have stored credit card, social security or other potentially sensitive or revealing data. So, when you begin that sign-up process, it’s a good idea to check the help pages on how to delete your account information before you sign up.
Old Dormant Accounts
We all have them. We signed up for a site 4 years ago and then either never used it or used it only a few times. Don’t leave old dormant accounts sitting unattended. Delete them. You don’t need some random hacker gaining access to the account or, worse, obtaining the password through a break-in to that site. If they obtain an old password, it’s possible that they may now have access to all of your accounts all over the net (assuming you happen to use a single password at all sites).
If you are using a single password, change them to all be unique. If you can’t do this, then find the delete button on all these old accounts. If you can’t remember what you’ve signed up for, then that’s beyond the scope of this article. Still, deletion is the best option at avoiding unintended intrusion into other important accounts, so delete old accounts.
No Delete Function?
Two ways to handle this one.
- Delete all data that you can from the account, then find a random password generator and change the password to a randomly generated password. Do not keep a copy of the password and never use it again. Basically, you have locked the account yourself. If someone does access the account through the web, they won’t get anything. If they break into the site and gain access to the passwords, they will get a randomly generated password that leads them nowhere.
- Contact the site administrator and ask to have the account completely deleted without a trace. Sometimes they can, sometimes they can’t. Depends on how the site was designed. It’s always worth asking.
New Accounts at New Sites
When signing up with new accounts, if you cannot find a way to delete the account, then contact the administrator and explain that you would join the site, but you cannot find a way to delete the account when you no longer wish to have one. If they state that there isn’t a deletion function, explain to them that until they implement this function, you can’t use the site.. and walk way. Note that there is nothing more important than your own personal data security and you have to be the champion of that security because no one else will. If sites refuse to implement deletion functionality, then don’t use the site. There is no site functionality that is more important than your data security.
No Reason for Lack of Delete Function
In fact, there is absolutely no reason, other than sheer laziness, to not implement a delete function in any internet web site. If it can be added, it can be deleted. It’s very simple. I know, some developers are going to say, “Well, it’s not that easy”. That’s a total crock. It is that easy. If you have developed software that is incapable of deleting user account information, then you are either seriously inept as a programmer or you simply don’t understand what you are doing. There is no excuse at all for not adding a delete function to any site (including deletion of a user account). To my knowledge, there is no operating system or database that does not have the ability to delete data. Not adding this feature is just not acceptable. Always demand this feature if you cannot find it.
Pre-existing Site Accounts
I know that some of you may have joined sites ages ago when data security breaches were less common than today. Back then, account delete functions may not have been available. This may have been carried forward and these sites may still not have delete functions. Demand that the developers add this functionality. If you are an avid user, you should always demand this functionality. You never know when something may change that may require you to delete your account at that site… like a data breach. Security is important and your personal ability to delete your account is your right and should not be undermined. Again, always demand this feature from the sites you frequent if it is not present.
I challenge you to visit all of the sites you regularly use and locate the delete account function. I’ll bet that more than 50% of the time, it’s not there. Demand that this feature be implemented if, for nothing else, than your own personal peace of mind in case you need it. It’s like that insurance policy you buy, this is the same. The delete account feature is your insurance policy to prevent unauthorized access whenever you need to exercise this option. However, you cannot delete your data if the functionality is not there, so always make sure the delete feature exists before you sign-up.
Random Thoughts - Randocity! 
leave a comment