Evan Schuman: What to include in your mobile privacy policy

If your company doesn't yet have a mobile-specific privacy policy, it's time to get to work

By Evan Schuman
January 7, 2014 06:53 AM ET

Computerworld - It's well known that mobile devices are compact storehouses of vast amounts of data that they seem eager to broadcast to the world, which makes it all the more baffling that few companies have discussed -- much less implemented -- mobile-specific privacy policies. Putting off such a move ("procrastination" is such a negative word) may have made sense up to now to give us all time to get a handle on what the limits should be, but you really will regret waiting much longer. This new year we have entered may be a good time to craft a mobile privacy policy. If you've decided to do that, here are some things to consider.

You do really need a policy. Your employees expect IT to protect them, and your company's executives expect you to make sure that corporate data is protected from the things that employees do with their mobile devices. But your customers also want to know what you're doing with their data, and various contractors, distributors, suppliers and anyone else in your network need to know what they aren't allowed to do.

It's bad enough that a mobile device brings the same IT threats as any other network-connected device. It has full access to your LAN and can piggyback on whatever permissions you gave its owner. And of course, if it's being accessed by a naughty user, it can try to exceed that access.

But you really need a mobile-specific policy because mobile devices can be careless with all the data they store. They theoretically can track all movements. The microphone and camera can be activated remotely. Apps can access every phone call, email or text sent or received, as well as every site visited and every tweet tweeted. Some can even send messages under your name without your knowledge. (No kidding: even the Starbucks app has demanded the ability to tweet on customers' behalf.) And some apps can identify every other app being used, along with a host of tech specs, like OS version, browser, the phone's serial number, Wi-Fi particulars, carrier, etc.

Although it's important for any privacy policy to regulate what employees can and cannot do, it may be even more critical to delineate what your company will permit third-party vendors to do with its data under its name. Some of this will involve the public privacy limits your company will set for itself. Marketing craves data about customers. Without a policy that sets limits, your marketing people are likely to issue any number of mobile apps that can grab just about any kind of customer data and report it back to them. You have to decide whether the short-term gains that sort of thing might bring outweigh the long-term hit to the company's reputation that could result from a general outcry against such data harvesting. In the calm of day, you and your top executives need to discuss what kind of company you're running and what limits you want to set for yourselves and your customers. You really do not want this to be decided on a case-by-case basis by various rank-and-file marketers in the middle of some urgent deadline.
