Before smartphones there were cameras. Businesses precluded the use of cameras within their premises by policy to protect intellectual property and privacy. Now, mobile devices have changed the rules (or at least bent them).
Smartphones and tablets have become standard tools for our everyday business and personal lives. Unlike cameras, the use of these devices is usually not banned in the workplace. In fact, in many cases their use is being encouraged. The flexibility of these mobile devices, including the ability to take pictures, record voices, or take credit card charges, adds risk to the protection of privacy (personal information for customers / employees and intellectual property for the business).
Cameras and privacy
Let’s take the easy one first: cameras. For years, business security standards have said “no picture taking,” providing privacy protection for a business. Items such as documents, prototypes, and whiteboard contents (and blackboards before them) could easily be photographed and used for “evil” purposes.
I remember Man from U.N.C.L.E., Mission Impossible, and other television shows and movies where a miniature camera comes out and classified information is photographed, leaving the originals in place, intact, and seemingly undisturbed. Today, there is no need to sneak in a camera. Simply bring in your mobile device, maybe the one issued to you by the company, and you are good to go.
I have seen the use of a smartphone by an employee trying to do the “right thing” to help a customer result in a company’s internal documents scattered across bloggers’ web sites. Similarly, we have all heard of pictures of products in development showing up on the web before a company was ready to release information about the new product.
You may not be able to stop the distribution of this information with a Data Loss Prevention solution because the employee’s device may not be on the corporate network. In fact, if it is a personal device, the company may not even know the employee has it.
Recording apps and privacy
It is unusual for meetings and conversations to be taped. How often do you wish you could record a meeting instead of having to take notes? Maybe even leverage technology to translate the conversation to text?
Those spy shows used a recorder in a pen to discreetly make a recording. Today, apps like iTalk, Tape-a-Talk, and Voice Recorder allow someone to breach privacy without being noticed. Bring out your tablet to take notes and start the recording app, or act like you are checking a message on your mobile phone, and no one is the wiser.
Breaching customer privacy
In the past few months I have read about several instances where an employee, using their personal mobile device, swiped a customer’s credit card and then used the customer’s account for their own purposes. One person used a customer’s business credit card to pay for their car lease; it went unnoticed for at least three months.
At a restaurant, you can imagine how easily this could be done. On a recent episode of Mystery Diners there was a waiter who swiped a card in front of a customer, explaining that it was a new service being offered to protect the customer’s privacy since the credit card never left the customer’s sight. In this case, not only was the credit card information taken, but the restaurant lost over $200 in revenue.
Mobile device policies can help
Many of the mobile device policies I see focus on responsibilities when connected to a corporate network, what data may reside on the device, and what to do if the device is lost. Few policies have identified how the device may or may not be used. It is possible that the drafter of the policies knew (or assumed) that prohibitions about photography, recording, or misappropriation of personal information are covered elsewhere.
While rules for good corporate behavior may be covered in existing policies, it is never a bad idea to remind employees about these restrictions. As the use of mobile devices continues to pervade our everyday life, what is acceptable in an employee’s personal life creeps into the workplace, even when these practices are contrary to good business practices, including privacy protections.