Asset Disposal in “BYOD”: How Do You Control Disposal If You Don’t Control the Device?
Lapses in judgment by IT professionals, however unintentional, can often have catastrophic consequences. Consider the 2010 case of a major American university which disposed of over 300 smartphones, but failed to wipe the devices before selling them to a wholesaler. The phones bore a treasure trove of data—private telephone numbers, sensitive university records, passwords and personal information—and were a considerable source of embarrassment to the university.

This example vividly illustrates how un-sanitized devices expose organizations to substantial risk, especially when highly proprietary information is stored on them. In this case, the devices actually belonged to the university, meaning the institution was responsible for managing and securing the devices throughout their lifecycle. But what if the devices came from elsewhere?

Asset disposal is tricky enough when the devices are yours, but when devices are introduced by external third parties, things can get really dicey. “Third-party devices” used to refer to technology owned and operated by contracted third parties who conduct business and process data on your organization’s behalf, e.g., auditors or consultants. In most cases, these third parties are contractually bound to safeguard proprietary data and purge that data when the relationship is dissolved. It’s an imperfect relationship. Things can (and do) fall through the cracks, primarily because you don’t control the devices.

Enter the New Era of BYOD, or “Bring Your Own Device.”

Worried? You probably ought to be. The explosive proliferation of new mobile devices and form factors is radically altering the landscape of IT and is fundamentally changing the meaning of “third-party device.” More and more of your employees are introducing their own devices (BlackBerrys, Androids, iPhones, iPads, etc.) into your organization’s computing environment. They’re installing applications, storing and manipulating proprietary data, and accessing your network. But the devices belong to them.

Add a little device churn, and things get really hairy. What happens when that “new device smell” wears off the fancy gadget they brought to work, and how do you control what happens to it next? When an employee buys a newer device, what becomes of the old one? Best practices dictate that all data and software must be removed from the device, lest you jeopardize institutional data, user and customer privacy, and software license compliance. You’re also at considerable risk of violating national and international data protection standards, e.g., EUDPD, PIPEDA, the UK DPA of 1998, HIPAA and FACTA. Heck, forget risk and compliance…simply accounting for the devices in the first place can be a real headache. For all you know, that once-cherished personal device may end up on eBay or Craigslist, along with your data and your applications.

I confess that this is a relatively nascent problem, and I don’t have all the answers. But I’ll leave you with this last question as food for thought: In the New Era of BYOD, how will you control the seemingly uncontrollable?