As more companies allow, and even encourage, employees to use their own devices for work activities, a troubling consequence has arisen for some workers who have seen their entire device wiped clean. WSJ’s Lauren Weber joins digits. Photo: Andrew St. Clair for The Wall Street Journal.
In early October, Michael Irvin stood up to leave a New York City restaurant when he glanced at his iPhone and noticed it was powering off. When he turned it back on again, all of his information—email programs, contacts, family photos, apps and music he had downloaded—had vanished.
The phone looked “like it came straight from the factory,” said Mr. Irvin, an independent health-care consultant.
It wasn’t a malfunction. The device had been wiped clean by AlphaCare of New York, the client he had been working for full-time since April. Mr. Irvin received an email from his AlphaCare address that day confirming the phone had been remotely erased.
As more companies allow and even encourage employees to use their own phones and tablets for work activities, often referred to as “bring your own device,” or BYOD, an unexpected consequence has arisen for workers who have seen their devices wiped clean—remotely and with little or no advance warning—during or after employment by firms looking to secure their data. Twenty-one percent of companies perform remote wipes when an employee quits or is terminated, according to a July 2013 survey by data protection firm Acronis Inc.
Joel Landau, AlphaCare’s chairman, declined to confirm whether Mr. Irvin’s phone had been erased. He provided a copy of AlphaCare’s BYOD policy, effective as of July, which includes a reference to remote wiping. Mr. Irvin said he was never given a copy of the policy.
Phone wiping is just another example of the complications that emerge when the distinctions between our work and personal lives collapse. Employers increasingly expect workers to be available 24/7 but don’t always provide company equipment to make that possible, leaving workers in a bind: Expose themselves to losing personal information when a phone is erased, or refuse to use a personal device and risk looking disengaged.
The practice hangs in legal limbo at the moment, say employment lawyers and privacy advocates, thanks to the inability of legislation and case law to keep pace with innovation. The Society for Human Resource Management in November warned its members that phone wiping “will likely be tested through the courts in the days and months ahead.”
If erasing a phone is necessary from a data-protection standpoint, employers should give workers advance notice so they can back up personal information, said Lewis Maltby, founder of the National Workrights Institute, a nonprofit group that monitors workplace issues, including privacy. Instead, many are simply “following the path of least resistance without thinking about the consequences” for employees.
Many employers have a pro forma user agreement that pops up when employees connect to an email or network server via a personal device, he added. But even if these documents explicitly state that the company may perform remote wipes, workers often don’t take the time to read it before clicking the “I agree” button.
Phone wiping has become the most common complaint received in recent months by his organization, Mr. Maltby said.
Philip Gordon, co-chairman of employment law firm Littler Mendelson’s Privacy and Background Check group, has heard from two clients whose ex-employees complained after their devices were erased, each demanding compensation. (In one case, the employee had lost photos of a relative who had died.) Though neither pressed charges, Mr. Gordon expects legal remedies for workers may ultimately be found under state computer-trespass statutes, which were originally designed to prosecute hackers.
A former employee of Hopkinton, Mass.-based cloud-computing firm EMC
who requested anonymity, said his phone was wiped a few years ago after he was terminated for not hitting sales quotas. The employee started the job without a smartphone, and EMC didn’t provide one, but he said he was missing late-night notices of meeting changes and other important information, so he purchased an Android device.
On midnight of the day he was terminated, the phone went blank. “I was completely surprised,” he said. “I know it’s so they can protect their data assets, but if that’s such an important policy, we shouldn’t be mixing business with personal.” He has no memory of signing a release or user agreement, though he concedes that a dialogue box may have appeared when he first connected to EMC’s server “and like everyone else, I was like ‘OK, check.'”
In a statement, EMC declined to comment on individual personnel matters but said it doesn’t, “as a matter of standard practice, remove personal information from departing employees’ personal cellphones.”
Since the BYOD trend started gaining momentum about two years ago, most large companies have adopted mobile device management systems to cover the expanding number of tech products that workers tote around, said Lawrence Pingree of technology research firm Gartner. The latest versions of the software allow IT staff to surgically remove work-related material from a smartphone or computer, a feature that is becoming a best practice in the field, he said.
Mr. Gordon of Littler Mendelson counsels clients to have a BYOD user agreement that tells employees what will happen to their phones if they separate from the company. “If the employer is deliberate about letting employees use their personal devices for work, they can eliminate the risk,” he said.
And employees, he added, should back up devices regularly to a cloud program or personal computer. That can still create data protection issues for employers, and companies should forbid workers from backing up corporate data—or at least have a policy saying that. “Whether or not people will follow that policy is hard to say,” he said.