BYOD, Personal Data and Immediate Termination
By Jack Rosenberger
If an IT person deliberately accesses a coworker’s personal data on their smartphone or computer, should the punishment be immediate termination?
This question is prompted by a just-published Aruba Networks survey, “Employees Tell the Truth About Your Company’s Data,” which concerns the heady mixture of bring your own device (BYOD) and employees’ personal data. The survey found that nearly half of U.S. workers “worry about IT department access to their personal data.” When asked how they would feel if their personal information was accessed by IT, 20 percent of U.S. workers said they would react with “anger.” And 46 percent said they would feel “violated.”
The study suggests that the blending of employees’ personal and company data on work-related devices could lead to “a culture of mistrust” between IT and employees. In fact, 17 percent of U.S. workers have not told their employer that they use a personal device for work because, in part, they’re afraid of their privacy being invaded.
What the Aruba Networks summary doesn’t mention is a single known instance of an IT person deliberately accessing an employee’s personal data. That’s not to say it doesn’t happen, for it must, given the large number of people involved. Nonetheless, every IT leader needs to understand that most employees are very concerned about someone in IT snooping through their private emails, downloading their photo collections or destroying all of their personal data.
“Trust” is the key word here. Employees must be able to trust their IT department with the bits and bytes of their personal lives. Trust, however, is inherently fragile. And once it’s lost, it can be very difficult, if not impossible, to regain.
If your organization lacks a formal BYOD policy or its policy doesn’t address the protection of employees’ personal data, please consider these three ideas:
1) For IT, a commitment to protecting employees’ personal data must be a top priority. And from the start, IT needs to make it absolutely clear to the rest of the organization that it takes its role as the guardian of employees’ personal data very seriously.
2) IT needs to constantly reassure employees that their personal data is safe. An easy-to-remember and direct message that basically says “Your personal data is safe with us” or “We’ve got your back” needs to be reiterated until it becomes the accepted institutional message about IT’s performance vis-à-vis employees’ personal data.
3) The CIO, and the IT department, must make it widely known that an IT person who deliberately accesses an employee’s personal information will be promptly fired. Everyone in the company needs to know that the act is unacceptable and results in immediate termination.
Why immediate dismissal? A punishment should always match the crime, and in this instance, the offense strikes at the very core of an individual as the crime is an irreversible and permanent invasion of a person’s private world. Even if the personal information that was viewed is not private or sensitive in nature, the offense itself warrants the strictest penalty. And when the issue involves company culture, departmental reputation and an employee’s right to privacy, the only appropriate punishment is immediate termination.
About the Author
Jack Rosenberger is the managing editor of CIO Insight. You can follow him on Twitter via @CIOInsight.