Apr 21, 2011

What is personal liability when discussing mobile devices?

And is personal liability the way to go in the enterprise?

Allowing staff to access and use the full range of work ICT facilities via their own mobile devices is a more challenging area for institutions to handle than opening the systems for student use.

Students will not normally have access to confidential, sensitive, or personal data (other than their own) held on the institution’s systems, although it is the case that research, medical, or social science students may very well be undertaking research involving personal or sensitive data and for which they should have had appropriate guidance.

On the other hand, many staff in their day-to-day roles may have access to student data, financial data, confidential reports and employee HR records.

To some extent bring your own device (BYOD) is already happening in your institution. Staff are already using their mobile devices to access their work emails, papers and documents from off campus. In some institutions, staff may also be doing this without a clear indication from their employer as to the extent of permissible use.

At Comodo, we believe that all employees should have appropriate access to the corporate resources while using devices such as smartphones, tablets and more.

Hi beatrix1,

Here's a good article that covers some of the issues related to this and suggests ideas to deal with them:

Navigating Smartphone Liability: Corporate Liable v. Individual Liable


There is a liability issue, not just for smartphones, but for any computing device that is potentially out of the controlling reach of the IT department's security people. Just for starters, use of devices off of company premises, without proper oversight, could lead to the archiving protocol being breached. You may, for example, have a great system for archiving, but when that system can't connect to certain devices, you start to have orphaned documents all over the place. That could lead to a liability issue later on if a discovery order comes up.


Not sure what happened to my original response. In any case... There is no right answer to this question. I will say, however, that regardless of who owns the device, if your employees are going to be accessing corporate information on their mobile devices (and that most certainly includes email), then you MUST manage and secure the devices. ActiveSync does provide some baseline protection, but there is so much more that can/should be done. You can read a lot more about this at the enterprise mobility forum.


The term personal liability means that a firm's employees are allowed to use their personal mobile devices (notebooks, handsets, tablets, etc.) on the enterprise's network. The benefits are many: users need only carry one handset, for example, and there's no need for the company to spend massive amounts of money on rapidly-depreciating capital equipment. Companies can save on operating expense as well, as users are responsible for device purchases and their own carrier bills, with reimbursements or subsidies used as compensation for business use. The obvious drawback, though, is that support costs can be higher, given the potentially huge diversity of the resulting equipment base, and there is the potential for compromise to both security and the integrity of the corporate network.


The challenges can be largely addressed, however, via the rapidly emerging field of mobile device management (MDM). MDM products and services are available from at least 50 companies at present, and capabilities are expanding all the time. It's still important, of course, to have both security and acceptable-use policies in place, as well as a separate agreement with staff who use their personal devices on corporate networks. While this approach is not going to work in every situation (a case can be made for corporate liability in many environments), personal liability really is a major trend today, and more often than not a win-win for both the company and staff.
