by pasbesoin 4129 days ago
I suggest that anyone considering sharing a personal device with work activity (other than basic phone calls and messaging, e.g. "I'll be in late") think twice.

Comes a security concern or conflict, someone's probably going to want access to the whole thing.

If you want me to do "your work" on a phone -- particularly as an employee as opposed to as an independent contractor utilizing their own resources as defined in the contract -- then give me a phone. A hassle, but on the other hand some protection, in exchange for a few additional ounces (phone weight) of prevention, as it were.

Just like I don't want to use my own computer to host their work/data. Nope. When the relationship ends, I turn in their equipment and there is no question as to whether all relevant data has been expunged. They have the entire device.


I'm a stickler about this. Beyond answering the odd phone call or message, I have a hard time seeing it as anything but the company unfairly attempting to externalize costs onto their employees.

Just like you give me a work computer to do work related tasks on, the same should go for mobile devices.

My employer used to be rather liberal but recently started clamping down on security. They wanted us communicating in the company chat on our phones so we installed the chat app. But now with the security clamp down they want to set security requirements on anything that accesses potentially sensitive information, meaning they want to dictate the security policy used on our personal devices. I told them to go stuff it; if it's a choice between no work stuff on my phone and letting them set the policy on my devices, I'll go without access to work stuff. I'm not going to play that game with you, and yes, I'm willing to be That Guy that takes a stand on this.

The real irony is that my security policy at home is more strict than the one at work, but they conflict somewhat and I'm not willing to reduce my home security to accommodate them.

> Just like you give me a work computer to do work related tasks on, the same should go for mobile devices.

I'm issued a mobile phone by my employer. Today I don't have any option to "carve out" a niche for my personal activity on my phone. AFAIK they can know anything and everything. Google Play for Work sounds like it would help out here.

I was issued a work phone too. I decided it was much more worth it to carry around two phones, with my work phone in my bag for the .01% of the time they actually needed to get in touch with me. Work only needs to know my work number; they shouldn't, and needn't, care what I do on the 80+% of the time I'm not on their clock.
This is right, theoretically, but I'd love to see the stats on how many people carry two phones everywhere. It's either BYOD or someone using COPE for personal stuff. Not sure which is worse.
I've worked in several places where this was the norm. More than one work-supplied phone on occasion, too.
Where I work, they told us upfront "you can have your work email on your personal phone, but if we need to do an investigation for any reason, we're taking your personal phone". And they happily handed out work phones.

Of course, I've worked in security in other companies where employees had their work email and data on their personal devices, and in the event of a security incident we were not allowed to touch their personal devices even though there was work data on it. So it goes both ways.

Would secure-wiping the phone if involved in a legal discovery process be considered destruction of evidence?

Does your advice apply when you're using, say, Exchange as your only entry point (e.g. on iOS devices)? In this case, all discovery can be done server-side.

I find it hard pressed to think this issue hasn't been covered more rigorously.

Part of my argument is that, when you as an individual are on one end of an argument about this with a substantial business/corporation and/or the government, you are going to have a rather difficult time, regardless of what is "right" and "lawful".

Better to be able to hand the device over and say, "Have at it."

Also, if there is some breach of security and a question about whether you facilitated it, through activity or through negligence, better to be able to say/demonstrate to the other party: "It's the organization's device, and the organization's / the organization's IT department's responsibility to maintain it."

> Would secure-wiping the phone if involved in a legal discovery process be considered destruction of evidence?

Yes, if it's not part of a routine process.

If you are already in litigation there is almost always a litigation hold, and you can't even wipe it as part of a routine process.
However if prior to receiving notice of the hold you'd wiped it as part of a documented data retention policy, odds are far smaller of falling afoul of legal process.

Sudden change of policy in conjunction with other shady events, harder time.