What kind of access to work data could get your personal device legally confiscated in the event of a lawsuit against your employer?

Continuing the discussion from Which is better, a Microsoft managed work profile or Microsoft apps directly in my owner profile?:

At this point I just deleted the work apps and went back to the drawing board. Maybe what I’ll do is just use the Outlook web app and set a reminder to check my email once after hours to catch anything urgent that may have come through. I may just ask my boss to text my personal number if they need me and leave it at that.

But to expand on this point, what kind of access to work data is fine to access from a personal device without risking confiscation for legal reasons? If I download Outlook then some email is on my phone, but if I log into the web app I’m accessing the same email. At that point would using the web app get me in the same boat?

If they’re owned by your employer, there is a risk they may take them back for any reason any time and you should be prepared for that by having your own personal devices.

Likewise I simply would not mix work data with your personal devices.

Pretty much the answer @jonah gave you there is the same.

Wow, so this applies even if you’re just logging into Outlook on a personal device? I wouldn’t have thought that it would go that far. I guess weighing that risk is something for me to think about, as well as how often I realistically have to be reachable. This is very inconvenient if this is the best advice for even basic threat models. :frowning:

Yes.

If your employer is ever subpoenaed for access to your devices, there will be one simple question: “Is there work stuff on it?”

You want to be armed with the answer “no that’s my personal device I don’t use for work”. Anything more complicated will result in the device having to be turned over. In any case, if your employer is subpoenaed you want to be able to remain contactable; having a personal computer, phone, etc. is crucial for this.

I think it’s also quite healthy to be able to turn those devices off when you’re not on the clock.


What about using the Microsoft Authenticator app, or using any authenticator app for 2FA for a work account? I guess that’s something I could quickly qualify if asked, but I can also see some lawyer not understanding what 2FA is and wanting to take my phone anyway. But in that case I’m in a pickle once more because I’m actually required to have 2FA for work now. I wanted to be better by using an authenticator app, but I do have the option of doing SMS 2FA.

Are hardware keys an option at all?

I can look into that, but I think it’s possible I have to use my own keys even if that’s available as an option.

SMS 2FA is probably worse because it’s linked to your phone number. At least with an authenticator app you could say “I used it on desktop” or something. You can use the same seed on multiple devices.