On June 13th, New York State Attorney General Eric Schneiderman and San Francisco District Attorney George Gascón held a Smartphone Summit to address the mobile crime epidemic, launching the Secure Our Smartphones (S.O.S.) Initiative with a series of steps whose goal is to reduce or deter mobile theft. The primary outcome of the Smartphone Summit was a strong recommendation that device manufacturers create a "kill switch" in all smartphones. While we commend this effort, and are ourselves a part of it through our partnership with Samsung, the addition of a kill switch will have implications for how businesses manage mobile devices.
If a kill switch becomes the norm for smartphones, organizations will have to consider how this impacts their BYOD policies. The kill switch proposed during the Smartphone Summit by New York State Attorney General Eric Schneiderman and San Francisco District Attorney George Gascón would be device-specific, corresponding to an individual's ID and password for that device (such as the Apple ID).
With the kill switch tied to the individual, the employee becomes responsible for the control or invocation of the kill switch, not the organization. Employee control of the kill switch could prove problematic for the organization, especially if it does business in a highly regulated space.
The responsibility of securing corporate data resides solely with the organization. If a smartphone owned by an employee is stolen, the organization must be able to prove that the corporate data it contains was not breached, or suffer the consequences of non-compliance: penalties and publicity. It is not yet clear whether an employee-initiated kill switch would satisfy regulatory bodies, or whether a formal record of the invocation of the kill switch will be available.
We advocate creating a very clear, prescriptive BYOD policy that allows the organization to perform certain security functions that would satisfy regulators and legal entities prior to enabling a kill switch.
Employees may not accept this level of control by their employer on their personally owned devices. The unintended result of these changes could be an increase in people opting out of BYOD programs with a corresponding increase in smartphones that are owned by the organization: corporately owned, personally enabled, or CoPE.