BYOD (Bring Your Own Device) has become a trend in the corporate world whereby employees can use their personal mobile device to access work email or perform other work related tasks. However, allowing employees to use personal devices in the workplace may expose companies to litigation risks. For example, when a company is being sued, they may need evidence that an employee may have stored on a personal device. Gaining access to the device and obtaining data while respecting employee privacy can become a legal minefield. Because some jurisdictions have stricter data privacy regulations than others, employers could face unintended consequences if they access or delete company data stored on a personal device without the owner’s permission.
Smart employers develop BYOD policies not only to address BYOD network security and data protection, but also how the company gains employee consent to access personal devices. To protect themselves from risk, companies must incorporate e-discovery concerns into their BYOD policies, execute e-discovery in a way that limits access to private employee information and anticipate the increased cost of e-discovery in the BYOD workplace.
Write BYOD Policy with E-discovery in Mind
Company lawyers face three main challenges when they need to obtain information from employee devices. First, the company neither owns nor physically controls personal devices, so they can’t be seized on demand. Second, personal devices hold both personal and employer data, and courts expect companies to respect employee privacy. Third, personal devices usually contain only certain types of data for a limited time. These three BYOD procedures lay the foundation for easier future e-discovery:
- Obtain signed service agreements. The language of the agreement should specify how and when companies may need to access employee devices and how e-discovery would proceed if the company needed personal device data.
- Clarify acceptable use guidelines.BYOD policy should require employees to follow the company’s email, Internet use and computer use guidelines so that most data ends up on the company server. Companies can present compliance as a way to minimize company access to personal devices.
- Enforce device backup requirements. The type of data that lives on employee devices is generally user-generated data, which includes call logs, network logs, emails, SMS messages, browser history, GPS tracking and contact information. Companies should require employees to dock their devices and back them up to a company computer so that the information still exists when the phone wipes historical data.
E-discovery Procedures
Conduct e-discovery with these principles in mind to keep evidence admissible in court:
- Establish a clear chain of custody. State who has permission both to physically access the device and to remotely access the device from the network. Also, log who possesses the device at all times or who is remotely accessing data.
- Turn off device’s network access pathways once the device is in custody. Disable Wi-Fi and Bluetooth on the phone and disable network services to the device, or use tools like Faraday cages to block communication signals.Devices may automatically sync with the company network or cloud, which could alter data stored on the device. An employee may also attempt to remotely wipe the device to destroy evidence.
- Only retrieve necessary data. Before asking either an internal employee or a litigation opponent for device access, the company should know exactly what it’s seeking. Attorneys should do research beforehand to demonstrate to the employee or to a judge exactly why the device’s data is relevant. For example, in the case of EEOC vs. Original HoneyBaked Ham Company, HoneyBaked was able to access an employee device after attorneys presented evidence of questionable workplace conduct gleaned from the employee’s social media posts and text messages.
- Be transparent. Let your employee or the judge know exactly how the company intends to extract relevant data without invading employee privacy. Offer to let an opposing attorney conduct a privileged review and propose the use of a special master who can review the personal device data for relevance before releasing it to opposing counsel.
Estimate the Cost
E-discovery can become expensive in BYOD environments because employees use so many different types of devices. A forensics program that does a good job of extracting information from the Android OS may not perform as well with an iOS device. Prepare to purchase multiple forensics solutions, and invest in mobile device management (MDM) solutions. Also, invest time and money to hold employees accountable for complying with BYOD policy.