Leaving A Job? Better Watch Your Cellphone
In early October, Michael Irvin stood up to leave a New York City restaurant when he glanced at his iPhone and noticed it was powering off. When he turned it back on again, all of his information -- email programs, contacts, family photos, apps and music he had downloaded -- had vanished.
The phone looked 'like it came straight from the factory,' said Mr. Irvin, an independent health-care consultant.
It wasn't a malfunction. The device had been wiped clean by AlphaCare of New York, the client he had been working for full-time since April. Mr. Irvin received an email from his AlphaCare address that day confirming the phone had been remotely erased.
As more companies allow and even encourage employees to use their own phones and tablets for work activities, often referred to as 'bring your own device,' or BYOD, an unexpected consequence has arisen for workers who have seen their devices wiped clean -- remotely and with little or no advance warning -- during or after employment by firms looking to secure their data. Twenty-one percent of companies perform remote wipes when an employee quits or is terminated, according to a July 2013 survey by data protection firm Acronis Inc.
Joel Landau, AlphaCare's chairman, declined to confirm whether Mr. Irvin's phone had been erased. He provided a copy of AlphaCare's BYOD policy, effective as of July, which includes a reference to remote wiping. Mr. Irvin said he was never given a copy of the policy.
Phone wiping is just another example of the complications that emerge when the distinctions between our work and personal lives collapse. Employers increasingly expect workers to be available 24/7 but don't always provide company equipment to make that possible, leaving workers in a bind: Expose themselves to losing personal information when a phone is erased, or refuse to use a personal device and risk looking disengaged.
The practice hangs in legal limbo at the moment, say employment lawyers and privacy advocates, thanks to the inability of legislation and case law to keep pace with innovation. The Society for Human Resource Management in November warned its members that phone wiping 'will likely be tested through the courts in the days and months ahead.'
If erasing a phone is necessary from a data-protection standpoint, employers should give workers advance notice so they can back up personal information, said Lewis Maltby, founder of the National Workrights Institute, a nonprofit group that monitors workplace issues, including privacy. Instead, many are simply 'following the path of least resistance without thinking about the consequences' for employees.
Many employers have a pro forma user agreement that pops up when employees connect to an email or network server via a personal device, he added. But even if these documents explicitly state that the company may perform remote wipes, workers often don't take the time to read it before clicking the 'I agree' button.
Phone wiping has become the most common complaint received in recent months by his organization, Mr. Maltby said.
Philip Gordon, chairman of employment law firm Littler Mendelson's Privacy and Background Check group, has heard from two clients whose ex-employees complained after their devices were erased, each demanding compensation.. (In one case, the employee had lost photos of a relative who had died.). Though neither pressed charges, Mr. Gordon expects legal remedies for workers may be found under state computer-trespass statutes, which were originally designed to prosecute hackers.
A former employee of Hopkinton, Mass.-based cloud-computing firm EMC Corp. who requested anonymity, said his phone was wiped a few years ago after he was terminated for not hitting sales quotas. The employee started the job without a smartphone, and EMC didn't provide one, but he said he was missing late-night notices of meeting changes and other important information, so he purchased an Android device.
On midnight of the day he was terminated, the phone went blank. 'I was completely surprised,' he said. 'I know it's so they can protect their data assets, but if that's such an important policy, we shouldn't be mixing business with personal.' He has no memory of signing a release or user agreement, though he concedes that a dialogue box may have appeared when he first connected to EMC's server 'and like everyone else, I was like 'OK, check.''
In a statement, EMC declined to comment on individual personnel matters but said it doesn't, 'as a matter of standard practice, remove personal information from departing employees' personal cellphones.'
Since the BYOD trend started gaining momentum about two years ago, most large companies have adopted mobile device management systems to cover the expanding number of tech products that workers tote around, said Lawrence Pingree of technology research firm Gartner. The latest versions of the software allow IT staff to surgically remove work-related material from a smartphone or computer, a feature that is becoming a best practice in the field, he said.
Mr. Gordon of Littler Mendelson counsels clients to have a BYOD user agreement that tells employees what will happen to their phones if they separate from the company. 'If the employer is deliberate about letting employees use their personal devices for work, they can eliminate the risk,' he said.
And employees, he added, should back up devices regularly to a cloud program or personal computer. That can still create data protection issues for employers, and companies should forbid workers from backing up corporate data -- or at least have a policy saying that. 'Whether or not people will follow that policy is hard to say,' he said.
这并不是手机故障，而是手机数据被他从4月份开始全职服务的客户AlphaCare of New York进行了远程清除。欧文当天收到一封来自他AlphaCare地址的电子邮件，确认手机数据已被远程擦除。
如今有更多的公司允许甚至鼓励员工用自己的手机和平板电脑办公（通常被称为“自带设备办公”或BYOD），一种意外后果也随之产生。员工会发现自己设备上的信息在工作期间或离职后被寻求保护数据的公司全部清除（远程操作，而且几乎或者根本没有提前警告）。数据保护公司Acronis Inc 2013年7月份的一项调查显示，21%的公司会在员工辞职或者被解雇时进行远程清除。
AlphaCare的董事长乔尔·兰多(Joel Landau)拒绝确认是否清除了欧文的手机信息。他提供了一份有关AlphaCare BYOD政策的文件，该政策从7月份开始生效，其中包括涉及远程清除的规定。欧文说，公司从未向他提供该政策相关文件。
劳动法律师和隐私权倡导者称，由于立法和判例法没能跟上创新的脚步，这种做法目前尚处于法律的灰色地带。美国人力资源管理协会(Society for Human Resource Management) 11月份警告其成员，清除手机数据之举“今后一段时间可能会在法庭上接受考验”。
美国工作权利学会(National Workrights Institute)创始人刘易斯·莫尔特比(Lewis Maltby)表示，如果从数据保护角度来说有清除手机信息的必要性，那么雇主应该提前告知员工，好让员工备份个人信息。但许多雇主只是“按阻力最小的方式来，而不考虑给员工造成的后果”。美国工作权利学会是一家监控隐私权等职场问题的非盈利组织。
劳动法律师事务所Littler Mendelson旗下隐私和背景调查(Privacy and Background Check)集团董事长菲利普·戈登(Philip Gordon)曾听两名客户说起过类似纠纷。这两家公司的前雇员曾在设备数据被清除后进行投诉，每位员工都要求赔偿……（在其中一起案例中，员工丢失了一位已故亲人的照片）。尽管两起案例都没有正式起诉，但戈登认为也许可以根据州电脑侵入法规（原本是为起诉黑客而设计的）为这些员工找到法律救济。
科技行业研究公司Gartner 的劳伦斯·平格里(Lawrence Pingree)表示，BYOD趋势从大约两年前开始兴起以来，多数大公司都采用了移动设备管理系统，以管理不断增加的便携式科技产品。他说，最新版的软件允许IT员工从智能手机或电脑上有针对性地清除工作相关材料，这种功能正成为业界的最佳做法。