June 2013 Blog

Smartphones in the workplace – risks for companies?

More and more companies are providing their employees with smartphones or tablets. These devices ensure that employees are always within reach and can keep on top of their email even when out of the office. Sales representatives have access to the latest company data when visiting customers. Useful as they are, smartphones and tablets also carry risks for the company.

Should a device be left in a taxi or on the underground, the email and other data stored on it can be read by whoever finds it unless the device is locked with a passcode and its storage is encrypted. Smartphones also have a massive storage capacity: a single iPhone 5 can hold more than six times the 250,000 Wikileaks “Cablegate” documents.

Every company has data that must be protected. This includes company secrets, e.g. research findings, production methods, price calculations or email relating to tender processes. In addition, the company has to protect confidential data entrusted to it by its clients, e.g. construction plans or other information subject to a non-disclosure obligation. Moreover, personal data, that is employee, client and supplier data, must be safeguarded.

Loss of confidential data can quickly lead to severe consequences. The company puts itself at great risk if a competitor obtains confidential email, e.g. the price calculation for a bidding process. The company could face damage claims if client information, e.g. construction plans, falls into the wrong hands. When personal data is involved, the Data Protection Authority (DPA) can issue fines of up to €50,000, and in some cases even up to €300,000.

Should the data loss become publicly known, damage to the company’s reputation can be all the more serious. Banks and financial services providers, along with the healthcare industry, are specifically obliged to inform the DPA and the victims of the data loss. When such an event occurs, it can quickly find its way into the public eye. The detrimental results can plague a company for years to come.

Company executives or board members bear primary responsibility for this within the company. They have to ensure that an IT security strategy exists that takes smart devices into account.

The security strategy must contain particular security measures: central administration of all mobile devices (mobile device management), password protection to hinder unauthorised access, and the possibility of remotely wiping a lost or stolen device. The strategy must also cover how employees use these devices, either by setting this out in a specific IT policy or in an agreement that governs, among other things, which apps may be installed (blacklisting or whitelisting) and that prohibits jailbreaking and the use of iCloud. Finally, German companies with works councils (Betriebsrat) must seek the council’s approval before any such regulation can be implemented.
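As an added example, not code from the original article, the following Python sketch shows how a mobile device management server might evaluate the measures listed above against each enrolled device: minimum passcode length, a jailbreak check, iCloud backup disabled, an app policy in either blacklist or whitelist mode, and a remote wipe for a device reported lost. The device records, app identifiers and policy values are constructed for illustration only.

```python
# Added example (not from the original article): a minimal compliance check of the
# kind a mobile device management (MDM) server runs against each enrolled device.
# Device records, app identifiers and policy values below are constructed.

from dataclasses import dataclass

# Constructed policy values mirroring the measures named in the article.
MIN_PASSCODE_LENGTH = 6
APP_ALLOWLIST = {"com.example.mail", "com.example.calendar", "com.example.crm"}
APP_DENYLIST = {"com.example.filesharing"}


@dataclass
class Device:
    device_id: str
    user: str
    passcode_length: int          # 0 means no passcode is set
    jailbroken: bool
    icloud_backup_enabled: bool
    installed_apps: set
    reported_lost: bool = False


def check_device(dev: Device, mode: str = "allowlist") -> dict:
    """Return {'compliant': bool, 'findings': [...], 'action': str}.

    mode selects the app policy: 'allowlist' (whitelisting) permits only the
    listed apps; 'denylist' (blacklisting) blocks only the listed apps and
    lets every other app, known or unknown, through.
    """
    findings = []
    if dev.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append("passcode missing or shorter than %d characters" % MIN_PASSCODE_LENGTH)
    if dev.jailbroken:
        findings.append("device is jailbroken; platform protections cannot be trusted")
    if dev.icloud_backup_enabled:
        findings.append("iCloud backup enabled; company data leaves the managed device")

    if mode == "allowlist":
        bad = sorted(dev.installed_apps - APP_ALLOWLIST)
    elif mode == "denylist":
        bad = sorted(dev.installed_apps & APP_DENYLIST)
    else:
        raise ValueError("unknown mode: %s" % mode)
    if bad:
        findings.append("disallowed apps installed: " + ", ".join(bad))

    # A lost or stolen device is wiped regardless of its other findings.
    if dev.reported_lost:
        action = "remote_wipe"
    elif dev.jailbroken:
        action = "block_access"      # keep company mail off an untrusted device
    elif findings:
        action = "notify_user"
    else:
        action = "none"
    return {"compliant": not findings, "findings": findings, "action": action}


# Constructed inventory of three devices.
INVENTORY = [
    Device("D-001", "alice", 6, False, False, {"com.example.mail", "com.example.calendar"}),
    Device("D-002", "bob", 4, True, True, {"com.example.mail", "com.example.filesharing"}),
    Device("D-003", "carol", 8, False, False, {"com.example.mail", "com.example.notes"},
           reported_lost=True),
]


def run_inventory(mode: str = "allowlist") -> dict:
    """Check every device in the inventory and map device_id -> result."""
    return {d.device_id: check_device(d, mode) for d in INVENTORY}


if __name__ == "__main__":
    for dev_id, result in run_inventory().items():
        print(dev_id, result["action"], "; ".join(result["findings"]) or "compliant")
```

Running the inventory in whitelist mode flags the unknown notes app on D-003; the same device passes the app check in blacklist mode, which is the practical difference between the two approaches: a blacklist only catches apps someone has already thought to list.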

It is also important to consider whether employees should be allowed to use company devices for private activities, such as personal emails or telephone calls. For a company it could be necessary to read employee email in the event of long-term employee absences or internal investigations.

When a company requires that its smart devices be used exclusively for business, the company is entitled to full access to the email on them, just as it is to ordinary business correspondence.

Therefore, the IT security strategy should include clear rules on the use of company smart devices. In addition, the company should not be content with mere regulations on paper, but should carry out random checks to ensure compliance.

However, the employer can allow the employee to use the device for personal telephone calls or emails within a reasonable scope. Such an approach tracks closer to workplace reality, but it also requires an agreement with the employee allowing the company access to the employee’s email. Alternative solutions are also possible, such as allowing webmail access for private use.

In practice, however, companies often act completely differently. Most companies have no rules on private use of company smart devices. Far from ensuring compliance, companies look the other way and tolerate private emails. Tolerated over time, this can give employees an entitlement to use email for private purposes. This makes it very difficult for the company to access even official email, because private and business emails become indistinguishable.

The company faces a problem should it need to access email urgently, e.g. because an employee has been out sick for months or has left the company. Reading private email without consent could be a criminal offence under German law. Accessing the email risks violating the law, while leaving it unread in the inbox risks missing business-critical messages. It is a difficult situation which, without clear solutions, tends to put management and others in harm’s way. A proper IT policy or reasonable agreements on smartphone usage can avoid this danger.

This issue comes up in companies that choose to make smart devices available to their employees. Some companies opt for a different approach by allowing their workers to use their own devices for business purposes (“Bring your own device”). This practice brings up yet more questions which we will address in a future article. 

Arnd Böken, Dr Holger Kühl LL.M.
