Apple's refusal to follow a court order to support the FBI's San Bernardino shooter investigation was the right move for the company and for its customers, as my colleagues and I cover in Fatemeh Khatibloo's blog post and in our full, detailed report. As we discuss, there are many constituents with a large stake in the outcome of this case, but I will focus on security and risk management decision makers in this post.

There are four key implications to consider:

  • Your policy decisions have to be more nuanced than before. Enterprise mobile programs often prefer Apple products for their inherent security; however, this case shows that Apple favors consumer privacy over enterprise control. Notably, the shooter's employer provisioned the device and gave the FBI permission to access it, but Apple still refused to cooperate in the investigation. This standpoint could ultimately weaken your corporate policies that govern employer ownership of devices and data, records management, and eDiscovery. For example, can you now reasonably expect to enforce eDiscovery policies if your employees use Apple devices?
  • The power and risk of brand promises deserve more attention. Two years ago, Apple threw down the gauntlet on customer privacy with a series of new product features and even swipes at the competition. Associating with issues like this doesn't work if corporate behavior diverges from the promise. Risk managers should help executives understand the risks of taking a stand against government authorities, customers, or other interested parties and, more importantly, explain the risk of making aspirational statements without backing them up. Apple had created an expectation that it would fall on the side of privacy long before this case came up, and the risk seems to have paid off.

This is just the most recent battle in a drawn-out war between privacy and surveillance. The implications of this case are substantial, but the issue will be far from settled for the foreseeable future.