Page 1 of 2 12 LastLast
Results 1 to 15 of 28
  1. #1
    Star Lounger Techie's Avatar
    Join Date
    Dec 2009
    Location
    Philadelphia, PA, USA
    Posts
    62
    Thanks
    9
    Thanked 0 Times in 0 Posts

    Smartphone data policy when an employee leaves

    When an employee leaves or is terminated, what is your policy on the security of the email data on their phone, i.e. confidential emails and phone numbers? My organization doesn't give employees phones, they use their personal phones. I have an Exchange 2010 SP1 server, and have the ability to remote wipe any phone that connects to my corporate mail server.

    If I change their password when an employee leaves, is the email still readable on the Iphone/Android/Windows Phone, etc.? If it's not accessible to the user, is it still at risk to be read by someone with mailicious intent? Ex. someone who tries to scrape data off the smart phone by browsing through the raw files in the phone memory?

    Thank you,
    Peter
    IT Administrator
    Peter
    Support for a large nonprofit
    Projects

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by Techie View Post
    If I change their password when an employee leaves, is the email still readable on the Iphone/Android/Windows Phone, etc.? If it's not accessible to the user, is it still at risk to be read by someone with mailicious intent? Ex. someone who tries to scrape data off the smart phone by browsing through the raw files in the phone memory?
    Unless you wipe the data on the device, everything that was on there prior to the password change would still be on there.

    Even if you wipe, there have been reports that it is difficult to truly erase flash memory the way you can usually overwrite magnetic media. However, someone might have to have considerable expertise to salvage the data.

    Obviously you are not alone in this situation. I think eWeek recently had a cover story on coping with user-supplied mobile devices.

  3. #3
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,490
    Thanks
    284
    Thanked 577 Times in 480 Posts
    If you take the decision to wipe data from a device that doesn't belong to you and, deliberately or otherwise, delete data that doesn't belong to you but to the owner of the device, how do you then stand with your Data Protection laws?

    I've not yet tried to recovery data from a flash memory device but setting the smart phone to save data to the SD card or whatever is trivial - it's also quite trivial to recover the data from these cards.

  4. #4
    Star Lounger Techie's Avatar
    Join Date
    Dec 2009
    Location
    Philadelphia, PA, USA
    Posts
    62
    Thanks
    9
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by jscher2000 View Post
    Unless you wipe the data on the device, everything that was on there prior to the password change would still be on there.

    Even if you wipe, there have been reports that it is difficult to truly erase flash memory the way you can usually overwrite magnetic media. However, someone might have to have considerable expertise to salvage the data.
    How hard would it be to retrieve those emails off the mobile device if the corporate password to access them was changed, but the device was not wiped?


    Quote Originally Posted by satrow View Post
    If you take the decision to wipe data from a device that doesn't belong to you and, deliberately or otherwise, delete data that doesn't belong to you but to the owner of the device, how do you then stand with your Data Protection laws?

    I've not yet tried to recovery data from a flash memory device but setting the smart phone to save data to the SD card or whatever is trivial - it's also quite trivial to recover the data from these cards.
    Satrow -
    Are you saying that I am, or am I not allowed to wipe the personal phone of an employee, I didn't follow your response, thanks.

    About saving data to SD cards in mobile phone - the remote wipe also erases all data on those. If a user didn't want to lose data on their SD card, they could take it out before the wipe. I read that on the Exchange 2010 remote wipe documentation on Microsoft Technet.

    -Peter
    Peter
    Support for a large nonprofit
    Projects

  5. #5
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,490
    Thanks
    284
    Thanked 577 Times in 480 Posts
    Are you legally entitled to access a device that doesn't belong to you and wipe all the data?

  6. #6
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by Techie View Post
    How hard would it be to retrieve those emails off the mobile device if the corporate password to access them was changed, but the device was not wiped?
    First, I'm assuming a person has access to the email client software on the device (i.e., they know or break pin/swipe security).

    Such a person could read the messages on the small screen, and they might be able to forward the messages out on a second account. I have an Exchange ActiveSync account and an IMAP account set up on an Android device. If I open a message in my Exchange inbox and tap forward, I then can tap the "From" button and set it to send the forward out on the IMAP account. This is pretty arduous for a large volume of messages, so a professional likely would have better techniques.

  7. #7
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Regarding the legal issue: companies should make clear what they might do to a lost or stolen device; under those circumstances, everyone might be happy with a wipe. The quit/termination scenario is more sensitive. Probably a good idea to consult an attorney in the employment field for up-to-date advice.

    Searching turns up lots of uncertainty:

    http://www.avvo.com/legal-answers/is...an-138166.html

    http://www.npr.org/2010/11/22/131511...ls-your-iphone

  8. #8
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Milwaukee, WI
    Posts
    737
    Thanks
    23
    Thanked 64 Times in 52 Posts
    Quote Originally Posted by satrow View Post
    Are you legally entitled to access a device that doesn't belong to you and wipe all the data?
    Yes. The assumtion is that the employer has clearly written and legally binding policy that allows employees to supply thier own phones with the understanding that the company owns its data and has the option to protect itself by remotely wiping the phone. Many companies already make users sign agreements when it comes to data usage, exclusivity, etc. I've worked for several companies that dealt with this very issue regarding other personal devices (laptops) and when terminations occurred the ex-employee was legally obligated to destroy the data. I know of at least 2 cases where charges were later filed against those ex-employees who used the data for their own purposes (sales data in their new sales job). As jscher2000 says, best to consult an attorney when making the policies.
    Chuck

  9. The Following User Says Thank You to Doc Brown For This Useful Post:

    Techie (2011-04-11)

  10. #9
    Star Lounger Techie's Avatar
    Join Date
    Dec 2009
    Location
    Philadelphia, PA, USA
    Posts
    62
    Thanks
    9
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by jscher2000 View Post
    First, I'm assuming a person has access to the email client software on the device (i.e., they know or break pin/swipe security).

    Such a person could read the messages on the small screen, and they might be able to forward the messages out on a second account. I have an Exchange ActiveSync account and an IMAP account set up on an Android device. If I open a message in my Exchange inbox and tap forward, I then can tap the "From" button and set it to send the forward out on the IMAP account. This is pretty arduous for a large volume of messages, so a professional likely would have better techniques.
    Ok, that is helpful, thanks.
    One more clarifying question though: In my scenario, I had changed the Exchange email password for the user. Does that mean on some smartphones like your Andriod, changing the password just stops new email from flowing into the device, but doesn't prevent you from reading already sync'ed email?

    -Peter
    Peter
    Support for a large nonprofit
    Projects

  11. #10
    Star Lounger Techie's Avatar
    Join Date
    Dec 2009
    Location
    Philadelphia, PA, USA
    Posts
    62
    Thanks
    9
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Doc Brown View Post
    Yes. The assumtion is that the employer has clearly written and legally binding policy that allows employees to supply thier own phones with the understanding that the company owns its data and has the option to protect itself by remotely wiping the phone. Many companies already make users sign agreements when it comes to data usage, exclusivity, etc. I've worked for several companies that dealt with this very issue regarding other personal devices (laptops) and when terminations occurred the ex-employee was legally obligated to destroy the data. I know of at least 2 cases where charges were later filed against those ex-employees who used the data for their own purposes (sales data in their new sales job). As jscher2000 says, best to consult an attorney when making the policies.
    Thank you Doc. That is just the information I needed to proceed.
    Cheers,
    Peter
    Peter
    Support for a large nonprofit
    Projects

  12. #11
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Milwaukee, WI
    Posts
    737
    Thanks
    23
    Thanked 64 Times in 52 Posts
    Quote Originally Posted by Techie View Post
    Thank you Doc. That is just the information I needed to proceed.
    Cheers,
    Peter
    You're welcome!
    Chuck

  13. #12
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    Quote Originally Posted by Techie View Post
    In my scenario, I had changed the Exchange email password for the user. Does that mean on some smartphones like your Andriod, changing the password just stops new email from flowing into the device, but doesn't prevent you from reading already sync'ed email?
    That's what I would expect to happen, since I can read mail in airplane mode with all networks disconnected. I haven't tested by actually changing my password.

  14. #13
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,490
    Thanks
    284
    Thanked 577 Times in 480 Posts
    Quote Originally Posted by Doc Brown View Post
    Yes. The assumtion is that the employer has clearly written and legally binding policy that allows employees to supply thier own phones with the understanding that the company owns its data and has the option to protect itself by remotely wiping the phone. Many companies already make users sign agreements when it comes to data usage, exclusivity, etc. I've worked for several companies that dealt with this very issue regarding other personal devices (laptops) and when terminations occurred the ex-employee was legally obligated to destroy the data. I know of at least 2 cases where charges were later filed against those ex-employees who used the data for their own purposes (sales data in their new sales job). As jscher2000 says, best to consult an attorney when making the policies.
    That doesn't sound right at all. "The assumption ... " what assumption and by whom is it assumed? If the employer does not have any such "clearly written and binding policy", they can still wipe all data from a machine that doesn't belong to them? If there really is such a policy and the employee was made aware of it before he agreed to allow the company partial use of his personal property and it's associated services (in return for appropriate fiscal or other compensation and/or tax breaks), then I see no problem allowing the destruction of any data on the 'phone related to the company - BUT NOT ALL DATA on the 'phone as some is clearly the property and under the legal ownership of the (ex-)employee.

  15. #14
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Milwaukee, WI
    Posts
    737
    Thanks
    23
    Thanked 64 Times in 52 Posts
    Quote Originally Posted by satrow View Post
    That doesn't sound right at all. "The assumption ... " what assumption and by whom is it assumed? If the employer does not have any such "clearly written and binding policy", they can still wipe all data from a machine that doesn't belong to them? If there really is such a policy and the employee was made aware of it before he agreed to allow the company partial use of his personal property and it's associated services (in return for appropriate fiscal or other compensation and/or tax breaks), then I see no problem allowing the destruction of any data on the 'phone related to the company - BUT NOT ALL DATA on the 'phone as some is clearly the property and under the legal ownership of the (ex-)employee.
    Please don't read into my post more than is really there. If you don't like the word assumption, then just ignore it. I'm talking about a hypothetical situation, so I used "assumption".

    If there is no policy and the end user has not agreed to anything, then the company has no right to wipe the phone. That doesn't mean they won't attempt it, but it seems to me that it opens them up to litigation. If there is in fact a policy that the user must agree to, then, yes, they are agreeing to allow their entire phone to be wiped. There is no option to wipe only certain data. Unfortunately its all or nothing with these devices. As a System Admin, I really hate the idea of company data on someone's personal device. My preference is to use the Citrix Access Gateway and force the user to log in to a web page and retrieve their e-mail via secure ICA connection. No data stored in the device, all the issues we're discussing here are non-existent. Its also device independent. Citrix has receivers for iPhone, Blackberry, Windows 7 Phone, and Android. This solution of course mean you have to have a Citrix farm, which today, most medium and large businesses often have. One solution we briefly looked at was Mobile Iron. http://www.mobileiron.com/. There is also another posibble solution coming down the pipe, Citrix is working on a hypervisor for smart phones. The inference is that you can run 2 virtual OSes, your own, and one dedicated to work. This keeps the two separate and offers greater protection for both the company and the end user.

    I'm not sure why this is such a big deal. If you're in this situation, either you agree to it, or you don't. If the company requires use of a smart phone, then they should be providing one. If they don't, its not a place I'd want to work for very long. As said above, this is really a legal issue, so anything I say really means squat. The company lawyer (and maybe your personal lawyer!) are the ones that have sort out the details.
    Last edited by Doc Brown; 2011-04-13 at 10:03.
    Chuck

  16. #15
    Super Moderator satrow's Avatar
    Join Date
    Dec 2009
    Location
    Cardiff, UK
    Posts
    4,490
    Thanks
    284
    Thanked 577 Times in 480 Posts
    Doc, your latest reply seems in direct conflict with your earlier post.
    Quote Originally Posted by Doc Brown View Post
    Quote Originally Posted by satrow View Post
    Are you legally entitled to access a device that doesn't belong to you and wipe all the data?
    Yes. The assumtion is that the employer has clearly written and legally binding policy that allows employees to supply thier own phones with the understanding that the company owns its data and has the option to protect itself by remotely wiping the phone. Many companies already make users sign agreements when it comes to data usage, exclusivity, etc. I've worked for several companies that dealt with this very issue regarding other personal devices (laptops) and when terminations occurred the ex-employee was legally obligated to destroy the data. I know of at least 2 cases where charges were later filed against those ex-employees who used the data for their own purposes (sales data in their new sales job). As jscher2000 says, best to consult an attorney when making the policies.
    Please note that you appeared to answer my question with "Yes.".

    All I'm reading is what you had written.

Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •