It might seem like remotely wiping an employee’s phone, laptop or other digital device is an extreme measure to take, but it’s becoming increasingly necessary in a world of frequent cybercrime. Since 2015, there have been more than 1,000 data breaches each year in the US alone, with more than 155 million records exposed in 2020.
Each of these has the potential to be extremely damaging to a business. IBM has calculated the average cost of a data breach in 2021 to be $4.24 million per business, which is the highest it has ever been in the 17 years since the company started recording this data. What’s more, the rise in people working away from the office is making this worse; data breaches cost a business $1.07 million more on average when remote working is involved.
All this has created an environment where it might sometimes be necessary to wipe an employee’s device remotely. If a staff member has their phone stolen or leaves a laptop on public transport, bad actors could use it to access your organization’s data. To prevent this, it might be necessary to erase everything on the device before it is too late.
The legal issues around remote wiping
The exact legality of wiping an employee’s device remotely will vary from place to place. We will focus on US law here, and what follows will apply in most locations, but it’s always best to check the specifics for your area.
The Society for Human Resource Management (SHRM) lays it out well: in the US, it’s perfectly acceptable for a business to remotely wipe a company-owned device. If it’s solely used for the organization’s purposes, there will be no issue with getting rid of the data. Where it gets more difficult is if employees are using personal devices to access company emails, shared drives or other access points to your business data.
Without express written consent, it isn’t legal to wipe an employee’s personal device in the US. Samsung points out it might be possible to remotely erase some (but not all) of the data using an enterprise mobility management (EMM) or mobile device management (MDM) system. If you have this installed, you can potentially wipe your business data but not anything from an employee’s personal life.
Of course, this depends on being able to find EMM or MDM software that’s reliable and within your budget. There’s also the issue of independent contractors who might be using personal devices for all their clients. They may be less likely to consent to you installing anything extra on their devices.
Legally, the safest option is to add a section into your bring-your-own-device (BYOD) policy that covers remote wipes. This will count as a waiver, so make sure you get employees to sign it to show they consent to what is written. Your policy should essentially say that employees are allowed to use their own devices to access work data, but if those devices are stolen or lost then you have permission to wipe them remotely.
EMM or MDM software that allows you to delete corporate data is the safest option to avoid a data breach. However, it might not always be possible to avoid deleting personal data with these solutions.
The ethics of remotely wiping a device
While this might cover you legally, it’s possible your employees will be unhappy with these policies. This is an important balancing act, and employers have different opinions. Talking to TechRepublic, Jim Paris, president of IT managed services provider Kelser Corporation, said: “Employees doing BYOD should have more limited access. Every company needs a written remote work policy that employees sign. And it has to have teeth.”
However, co-founder and CEO of Clockwise Matt Martin opined in the same article that it should be treated as more of an agreement than a top-down policy: “A remote work policy and agreement articulates what the company expects of remote workers and what the remote workers can expect of the company.”
Managing employee expectations is especially important given the general distrust surrounding remote work. Gartner found that only 59% of employees think their organization has invested in providing them with the resources they need to work remotely, and only 58% believe their organization trusts employees not to abuse flexible working. That makes it crucial for employers to tread carefully when it comes to remotely wiping a device.
While it is often the safest option, it’s worth noting that remote wiping is not an infallible solution. It’s often possible to block the signals that trigger the erasure from reaching the device, meaning a cybercriminal can keep hold of your company data even when a remote wipe has been issued. This means you might end up implementing a restrictive, unpopular policy that has no guarantee of working.
Ultimately, it’s sometimes going to be the right call to erase a device remotely, but it isn’t the only solution and certainly not something that should be done without careful thought. Make sure you consider all the possible factors before committing to a policy of device erasure.