
Smartphones - can you be liable for company/organisation data loss?

  • 02-06-2011 4:16pm
    #1
    Closed Accounts Posts: 7,221 ✭✭✭


    This came up in conversation recently and I thought I'd post it here to get views on it.

    Smartphones are now very commonplace and they reckon that 1 in 2 phones sold are now a smart or feature phone.

    Many of us are using smartphones both for work and private use, and many of the applications popularly used mean that there is potentially a wealth of personal and corporate data on our phones. On most phones you can go directly into email or social media applications without passwords.

    Here is the problem - should a phone end up in the hands of somebody else can the phone user be held liable for any subsequent events? There are data protection issues here that most of us don't consider.

    Quite often a person may put their company email and/or social networks onto a personally owned phone. There could be a major headache to the company if the phone is lost.

    Obviously, numbers can be cancelled and passwords changed to lock out a stolen phone but there's an opportunity for data to be compromised and extracted.

    What would the personal liability be in the following situation where company or organisation data is accessed using a smart phone:

    Company owned phone on a company paid phone plan

    Company owned phone on a personally paid phone plan

    Personally owned phone on a personally paid phone plan


Comments

  • Registered Users Posts: 28,120 ✭✭✭✭drunkmonkey


    I think the only one responsible is the owner of the phone. For example, if I go down and buy a new BMW, I drive it home and write it off going in the front drive. Should BMW give me a new BMW because I didn't know how to use the first one?

    If you're talking about Android/Apple smartphones, the onus would be on the user to make sure "their" data is backed up properly. These smartphones can also be shut down and all data erased remotely; again, it's up to the user to make sure they have the right apps to protect themselves in case of loss or theft.

    Apple offer the remote wipe and trace for free http://itunes.apple.com/us/app/find-my-iphone/id376101648?mt=8

    There are also other apps for Android which allow you to do the same.


    Just my 2 cent. I once was threatened with legal action by a customer. He did all his invoicing and kept all his job records he had done on this Nokia. The phone got destroyed and he never had it backed up. Suddenly it was my fault and I was liable for the invoices he had never created. He lost a fair whack of money but at the end of the day it was his responsibility. Nothing ever came of it. Lost him and all his family as customers over the incident.

    Was it my fault? Vodafone's fault? Nokia's fault? Or his fault?


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    The problem is functionally identical to that of stolen or lost laptops. There are a number of minimum security things that a company must adhere to:
    http://www.dataprotection.ie/ViewDoc.asp?fn=/documents/guidance/Guide_Data_Contollers.htm&CatID=90&m=y#4

    So if the phone itself is password protected (and not just a SIM PIN) and staff are made aware of the exact process once a device is lost or stolen, then a company is mostly compliant with the Data Protection Act.

    In terms of liability, a client would have to show material loss as a result of this information having been lost or stolen and they would have to prove that the company (or staff member) were negligent in allowing the device to be lost or stolen.

    It is the company who would always foot the bill to the client, because they are the data controller with primary responsibility to the client. However, in the event that a member of staff acted in an unauthorised manner (say, putting his business email on a phone despite being told that he should not), he could be disciplined, fired and/or sued by the company for his actions.

    In our case, anyone is allowed connect their smartphone (personal or business) to the company email, but policy on the mail server denies access to any device which doesn't meet minimum security requirements, such as having an access password active.


  • Closed Accounts Posts: 7,221 ✭✭✭BrianD


    I suppose one of the issues is that you have many people substituting their bog standard company supplied phone for the likes of an iPhone. Which creates a few data protection issues as the phone is no longer the company's or organisation's.

