Can One Device Serve Two Competing Agendas?
When employer and personal information get mixed together, you don’t end up with a pumpkin latté.
Photo by Code Shady on Unsplash
The problem
Recently, a news story about Apple®, Inc. centered on a person separated from employment from that company. The former employee is purported to be one of two leaders of the #AppleToo movement. News reports suggest that the employee was “terminated for deleting files off of her work devices during an internal investigation.” This was reported by The Verge, on Oct 15, 2021, 11:48 am EDT.
When a company provides you with a computer or mobile phone, they will require you to sign a Provisioning form. The words in that form are words woven together by degreed lawyers with years of experience. That document is like your anesthesiologist’s form you sign right before the nurses wheel you into surgery. It’s one of those, sign it or we call the whole thing off, kind of forms.
The process
Because these Provisioning forms are as dense as lead — not gold — often HR crafts a document that references the OFFICIAL document but attempts to answer practical questions that somehow were missed (cough, avoided) by the attorneys. Personal information of any kind is always at the top of HR’s list, as it should be.
The HR document is always legal and binding, though made more palatable by a short, memorable name: “Stuff You Need to Know…” The HR document legally sits on top of the official form, “Authorization, Use, Replacement, and Decommissioning Policy for Company Provided Electronic Devices or Electronic Devices Used in the Course of Company Business but Owned by Employees, Contractors, Consultants, and other Designated Personnel.” Often, the lawyers try to mangle these words into some less-threatening acronym that only they find entertaining.
Most employees have no idea their laptop can be decommissioned; they never even knew it was commissioned! Who cracked a bottle of Champagne over it?
If the device in your possession was used in the course of company business, it’s common practice for companies to require administrative rights to the device that enables them TO WIPE your computer or phone after they finish downloading all the data. This policy varies, depending upon how draconian your employer is.
The pitfalls
This action is what you agreed to. It becomes painful when you mix company activities with personal activities on the same device. And here comes the thought that every employee has when preparing to exit a company.
If my employer has the right to wipe my devices, shouldn’t I have the right to first wipe my stuff off? I know full well that once they wrap their tentacles around my phone, all will be lost. And I know that a simple “delete” doesn’t get that email or text message removed.
The answer to your imagined question is to ask for a copy of the form you signed back when you were a happy, new hire. What you signed may prevent you from legally deleting anything before returning the device to IT.
The fault of management
Here is where management often fails. Think back: You are a new employee. You sign out your exciting new laptop and phone. You’re eager to get to work and show your value to your new employer. In passing, you ask your manager if it’s okay if you install Spotify to your company phone. Your manager says, “Sure. Most employees have a few personal apps on their phones. Just don’t overdo it and don’t install any janky apps that will get everyone in trouble.”
If you install that app, you’ve made a mistake because you didn’t verify your manager’s guidance with the formal document you signed. But that is a tiny error. Your manager, on the other hand, should be required to go back and review all company authorized practices. Managers are expected to know their company’s policies and be brave enough to say, “Let me get back to you on that.”
The good news
I’ve on both sides of this problem. I know the company that I work for not only has the legal right, but they also have the moral right to wipe all devices I’ve used that contain company data. It’s in my best legal interest for them to do so. The last thing I need is my laptop to get hacked, and it still has sensitive cost information about a client.
I once discovered on a laptop that was ready to be decommissioned that it had the public and private keys and associated details to a credit card payment gateway. That problem went all the way up to the company president.
It’s not wise for any former employee to have in their possession any information or data from their former employer. At a minimum, it’s sloppy; more likely, it’s theft.
The way forward
You may be thinking, I’ve read this far, but I still don’t know what to do about sharing devices with my employer. The simple answer is to simply not do it. It’s a constant battle. Nobody wants to carry two phones and two laptops: that’s crazy. Yet, if the attorneys had their way, that’s exactly what we all would be doing.
A more pragmatic answer is to be fanatically fastidious. On your laptop, sandbox your stuff. On Macs, Windows, and Linux, it’s easy to password-protect a set of folders. Do that to make it difficult for you to use the devices, even if you own them, for personal reasons.
Create a walled garden. Keep only your stuff in the garden — even if it’s your laptop. If you want a gaming machine, buy one, don’t allow your computer to get messy. When it comes time to decommission it, delete the garden and turn in the laptop.
But wait! That’s what the Apple employee was fired for doing, wasn’t it? Let’s review the quote from The Verge, on Oct 15, 2021, 11:48 am EDT. The quote states that the deletions were done, “during an internal investigation.”
I don’t know Apple’s policies and procedures that address activities performed “during an internal investigation” but when you challenge your employer, you will have battle royal on your hands. It is difficult to sway enough employees earning six and seven-figure salaries to put their livelihoods at risk to rally around your cause.
The danger of outlook
Some mobile phones provide the ability to maintain separate profiles. Even if you don’t have that feature, you can easily keep your personal contacts with a different provider from your company contacts. When it’s time to turn in your phone, remove the Gmail® Internet account on the phone (as an example). Your personal email, contacts, and calendar are instantly gone.
Don’t let Outlook woo you into letting it manage all your contacts, emails, and calendars. If you go down that road, you will have a mess on your hands.
What about spreadsheets? On an iPhone or Mac, use Numbers for your personal activities and Excel for company work. This makes it easy to remove your stuff without deleting company data. Even easier is if your employer allows you to connect to Google®. Then you can keep personal data in web-based Google Docs, Sheets, and Calendar.
Employers rarely approve personal Google Drive, OneDrive®, Dropbox®, and other cloud storage services. These services are major sources for leaking company information. When I was the director over IT, we had a large clients do a security audit. One outcome was that they required us to prevent the use of these services. We had started this process, but our client accelerated the effort. Another outcome was that, for one of our locations, we had to change our exterior doors, so the hinges were located on the inside rather than outside of the building.
An ironic side note from our security audit: Our HR department purchased a bunch of USB drives with our company’s logo on them. They were to be part of a welcome package for new hires. Just as they kicked off this program, my department disabled access to all USB ports. It wasn’t much of a welcome!
The way to share
Remember, at any moment, for any reason, any device that is listed on the form you signed may get wiped or bricked. Live that way, and you have no worries. That old saying is true, “False expectations lead to disappointments.”
Note: All trademarks are the property of their respective owners.
