Evan Schuman: What to include in your mobile privacy policy

If your company doesn't yet have a mobile-specific privacy policy, it's time to get to work

It's well known that mobile devices are compact storehouses of vast amounts of data that they seem eager to broadcast to the world, which makes it all the more baffling that few companies have discussed -- much less implemented -- mobile-specific privacy policies. Putting off such a move ("procrastination" is such a negative word) may have made sense up to now to give us all time to get a handle on what the limits should be, but you really will regret waiting much longer. This new year we have entered may be a good time to craft a mobile privacy policy. If you've decided to do that, here are some things to consider.

You do really need a policy. Your employees expect IT to protect them, and your company's executives expect you to make sure that corporate data is protected from the things that employees do with their mobile devices. But your customers also want to know what you're doing with their data, and various contractors, distributors, suppliers and anyone else in your network need to know what they aren't allowed to do.

It's bad enough that a mobile device brings the same IT threats as any other network-connected device. It has full access to your LAN and can piggyback on whatever permissions you gave its owner. And of course, if it's being accessed by a naughty user, it can try to exceed that access.

But you really need a mobile-specific policy because mobile devices can be careless with all the data they store. They theoretically can track all movements. The microphone and camera can be activated remotely. Apps can access every phone call, email or text sent or received, as well as every site visited and every tweet tweeted. Some can even send messages under your name without your knowledge. (No kidding. Even the Starbucks app has demanded the ability to tweet on customers' behalf.) And some apps can identify every other app being used, along with a host of tech specs, like OS version, browser, serial number of the phone, Wi-Fi particulars, carrier, etc.

Although it's important for any privacy policy to regulate what employees can and cannot do, it may be even more critical to delineate what your company will permit third-party vendors to do with its data under its name. Some of this will involve the public privacy limits your company will set for itself. Marketing craves data about customers. Without a policy that sets limits, your marketing people are likely to issue any number of mobile apps that can grab just about any kind of customer data and report it back to them. You have to decide whether the short-term gains that sort of thing might bring outweigh the long-term hit to the company's reputation that could result from a general outcry against such data harvesting. In the calm of day, you and your top executives need to discuss what kind of company you're running and what limits you want to set for yourselves and your customers. You really do not want this to be decided on a case-by-case basis by various rank-and-file marketers in the middle of some urgent deadline.

You also need to specify what the company can do with mobile devices' tracking capabilities. They might seem like a boon when you need to locate employees, and they're even helpful for building security, such as when you need to make sure every employee is accounted for during an emergency evacuation. They're also an easy way for new employees to find some far-off conference room on a large campus.

But it doesn't take much imagination to see how tracking could get creepy. Are you going to let managers use tracking data in performance reviews? ("Well, Rebecca, I see that you spend more than an hour every day in the lavatory." "Scott, the average length of your lunch hour over the past six months has been 85 minutes.") Will you track employees when they leave your facility but are still on company time? What about when they are not on company time? What if someone phones in sick and you find his company-issued Android at the racetrack or a bar -- or a competitor's headquarters?

In last week's column, I discussed the implications of BYOD policies, where employees use their own mobile devices. I suggested that some form of partitioning will be needed to separate corporate- and employee-owned data, so that you aren't backing up employees' private data or deleting it when the employee leaves the company. Your mobile privacy policy is going to have to address who owns the device: the company or the employee -- or a third party? Do you have the same rights to justify monitoring your corporate data if it resides on a device your employee owns? Or a contractor owns? Or a partner (some other company's employee) owns?

You need to discuss and agree on where your company wants to place those limits. It's light-years easier to discuss this calmly and professionally when there is no immediate specific situation staring you in the face -- with personalities attached. Whatever is agreed to must be ironclad. You don't want emotional situations to trump the calm thinking made at an offsite executive meeting back in January. Clearly, exceptions can always be made, but they should be rare.

Something else to consider: Deciding these things isn't enough; the policy should also dictate how those decisions will be communicated to all of your audiences, especially to customers. In this case you can take a lesson from Nordstrom, which recently conducted a mobile location trial with shoppers. It posted a sign at the entrances to its stores, alerting customers to what was being done. It wanted the sign to be succinct and understandable, but it ended up with a program description that was a little inaccurate and incomplete. That caused confusion and anger among shoppers, who envisioned the program being far more invasive than it was.

This incident highlights another problem that a good mobile privacy policy should address. The chain's mobile vendor for the trial was collecting a lot of customer-specific data. In an attempt to avoid customer backlash, the agreement stated that the vendor would not share that data with Nordstrom. Unintended consequence: It made the backlash much worse. Nordstrom was getting the heat for accessing data that it was never able to access.

The moral of that story: If mobile data is collected, you will get blamed, no matter whether you see the data or not.

Your mobile policy has to address what you will allow vendors to collect about your customers, your employees and your partners. It should spell out how much of that your company should see. It should lay to rest the question of whether third parties will be allowed to collect data that you won't see. It needs to establish how you will inform your customers, employees and partners about this data collection, if at all. (There are legitimate arguments on both sides.) And you need to make your policy precise enough to be useful while not being so detailed that it is incomprehensible to people who aren't that technical.

There are few areas that are more complex, more controversial and more politically dangerous than mobile data collection. You may find that simply having these conversations will change not merely your policies, but your strategy and how you approach it.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.
