This is the first in a series of pieces on IT and the Law, written by attorney Sean Doherty.
There has been a lot of talk about the advantages and risks of BYOD.
When you weigh the risks and benefits, the elephant in the room is the personal. As computing devices get more personal and pervasive, people are going to be more confident and competent in their personal use of technology, whether they’re on a desktop computer or a mobile device. (See Test BYOD in Your Organization With Employee Tablets.) But if you’re a CEO, director, or manager, or your employment status makes you eligible for litigation (meaning exempt employees who direct the business in some aspect or manage people), then bringing your own device to work can be detrimental to your personal and professional life.
BYOD presents a challenge for businesses to comply with their litigation requirements in pretrial discovery. Discovery is a compulsory process whereby a party can request from another party information relevant to the litigation to establish a claim or defense.
The primary vehicles to obtain discovery materials are interrogatories, depositions, requests for admissions, and requests for production of documents, which are primarily stored in electronic format, also known as electronically stored information (ESI).
Rule 34 of the Federal Rules of Civil Procedure commands a party to produce designated documents or ESI under its “possession, custody, or control” to a requesting party. Defining “control” of BYOD devices and data is key in determining whether a device can be discovered in litigation.
Courts have found that control does not require physical possession or legal ownership. ESI on BYOD devices is considered under a party’s control when the responding party has the right to obtain the information from the device. See If business data are resident on a device, then the business has the right to retrieve the data. (They have the right to retrieve corporate data delivered to the machine; however, they may not be able to remove it if they do not manage the device.)
The processes to extract the data and obtain relevant ESI may put personal and professional information unrelated to the litigation at risk of public exposure. Personal or private information on BYOD devices may be protected by law.
For example, the device may contain private consumer financial information under the Gramm-Leach-Bliley Act or protected health information under HIPAA. And that’s not to mention all the text messages, correspondence, music, and photographs of a personal nature that are stored on the mobile device. You may also have data relevant to your membership on a board of directors external to your current employment.
Collecting data from a smartphone or tablet computer can’t be described as a surgical operation. It can, however, be comprehensive if the phone’s chipset and operating system are supported by the collection software. Tools such as AccessData Mobile Phone Examiner Plus, Cellebrite’s UFED Touch Ultimate, and Guidance Software’s EnCase Forensic extract, decode, analyze, and report on a device’s physical and logical file system contents. And don’t fool yourself into thinking these tools might miss something.
If you’re an executive or a person who would be of interest in potential litigation where you work, then BYOD is not for you. It’s highly likely that the mobile device you use will be subject to litigation. Rather than BYOD, use your own device for your personal life and a corporate-issued smartphone and/or tablet for your professional work. And do not, under any circumstances, accept any business communications on your personal device. Otherwise, it will be fodder for a lawsuit.
Once you know your executive path for BYOD, don’t let it dampen your employees’ enthusiasm for bringing their devices to work. Support company-wide BYOD by drafting policies that make it litigation-ready. Develop a policy to retain, collect and destroy data on BYOD devices that preserves and retains possible evidence in litigation. To make the policy defensible in court, enforce it by purchasing or building technology to manage BYOD devices and the corporate data resident on those devices.
There are technologies that can deliver applications and data to mobile devices in sandboxes that will limit data exposure should the device go missing. Data can be delivered just-in-time with application virtualization and virtual desktop interfaces with tools such as Citrix Receiver and VMware View. See BYOD’s Impact on the Datacenter.
Attorney Sean Doherty is the technology editor for Law Technology News.