In today’s fast-paced business environment, companies are increasingly permitting their employees to use their own devices, such as smart phones and iPads, to perform business functions. Known as Bring Your Own Device (BYOD), this trend has revolutionized employee work habits.
According to a recent survey by Cisco, 42 percent of employees own the personal mobile device used for work purposes. From a purely business perspective, the impact of BYOD has been largely positive. Companies save money and resources by not having to purchase and support new equipment. They also reap the benefits of a more flexible and productive workforce. The Cisco study estimates that the annual benefits from BYOD range from US$ 300 to $1,300 per employee, depending on the employee's job role.
While BYOD may have its immediate benefits, it has also brought with it a host of legal and administrative risks, especially with respect to litigation, investigations and corresponding e-discovery requests.
E-Discovery Implications of BYOD
Rule 34 of the Federal Rules of Civil Procedure (FRCP) stipulates that parties must produce responsive electronically stored information (ESI) that is in their possession, custody and control. Courts tend to interpret this rule broadly, expecting parties to produce all potentially relevant work product even if it resides on devices not directly owned by the organization, as long as it is reasonably accessible. In the past, organizations could successfully argue that the technological complexities involved in extracting mobile device data were “unduly burdensome” given the potential value of the ESI to a given case. Courts today tend to reject that argument. BYOD is so ubiquitous and widely embraced that parties are now expected to have a plan for producing mobile device data.
Recognizing that mobile device ESI is legally discoverable is step one; being able to manage those devices, and capture, preserve, search, collect and produce relevant ESI stored on them is a much tougher corollary for legal, IT and records management professionals alike. Unlike more traditional sources of ESI, such as databases and email systems that are often subject to enterprise-wide retention and usage policies, mobile devices exist in the “wild,” often outside any shared corporate networks. In most cases, legal teams have very little visibility into what ESI actually exists on employees’ mobile devices, let alone the necessary technology to extract the information when it is identified.
Developing a BYOD Policy
The first step in weathering the BYOD storm is developing a corporate-wide BYOD policy. It is important to remember that personally owned devices are not company property. Organizations can’t simply seize a device and extract its data without the device's owner consenting to such an action. For this reason, the BYOD policy must be forthright and comprehensive, as well as sufficiently fluid to account for the impressive pace at which new devices and applications hit the market.
Every organization will address the issue differently based on a variety of factors, including the nature of the workforce, litigation profile, regulatory requirements, internal IT resources and, of course, the nature of data being produced. In general, the BYOD policy should clearly articulate the company's rights with respect to monitoring and accessing all the ESI stored on employees’ mobile devices. It should address, in specific terms, an employee's obligations regarding device security, password requirements and procedures for lost or stolen devices. Organizations should also include specific language around approved and non-approved business usage. For example, a company might allow the use of personal devices for emailing but prohibit their use for recording meetings.
Once the policy is created, it must be sufficiently communicated and explained to the employees so they are aware of the legal implications of BYOD, positively acknowledge the key elements of the program and understand the consequences for failing to abide.
Managing the Technical Complexities
Beyond creating guidelines on how employees should use their mobile devices for work purposes, organizations face a number of technical complexities with BYOD. The variety of smart phone and tablet models has increased exponentially in recent years, requiring IT teams to stay abreast of the growing list of platforms, manufacturers, models and software versions deployed when e-discovery demands arise.
Furthermore, the information sources on mobile devices ranges from email, SMS messages and location data to voice mails and social networking content. The ESI formats associated with these various applications can differ greatly. Organizations must be able to not only extract the data but place it in context with other potentially relevant ESI so that it can be fully analyzed for relevancy and significance. Further complicating matters, the ESI identified may not actually be stored on the device. It may reside in the cloud or on a separate server.
In a perfect world, lawyers would be able to isolate corporate data on personal devices when e-discovery projects come up. Unfortunately, with BYOD, it is almost always the case that personal data is comingled with corporate data. To ensure that personal data is adequately protected, organizations should categorize the types of data that exist on personal devices so that legal teams know specifically what they are looking for when it comes time to extract specific information. Data can be categorized in a variety of ways. A good place to start is with broad “buckets”:
- Corporate Data: Data associated with the company, such as corporate email messages and documents
- Non-Corporate Data: Personal data that might include text messages or photos
- User-Created Data: Data that’s created by the user of the device, such as notes and contact lists
- Device-Created Data: Data that’s automatically created by the system, such as when a device was powered on and off or settings information
These distinctions are important because they help drive the processes by which mobile device ESI is identified and collected. Since most e-discovery requests focus on corporate, user-created data, it is especially important that organizations have the necessary workflows and technology to isolate that particular category of ESI. Should a case arise that does involve device-created data, organizations should also have a plan in place for extracting it, even if it means bringing in outside experts.
One way to limit the burdens of mobile device e-discovery is to ensure that mobile data from key custodians is regularly backed up onto more accessible ESI sources. For specific employees who are frequently subject to preservation orders, organizations should make it a priority to frequently copy critical work documents onto the corporate network. Similar to ESI stored on backup drives, this process will allow the corporate legal team to argue that ESI stored on targeted mobile devices is duplicative and out of the scope of discovery.
Incorporating Mobile Device ESI into Existing E-Discovery Workflows
BYOD is a relatively new trend that only figures to grow and hybridize. While most organizations have little to no experience dealing with mobile device e-discovery, chances are that most will be exposed to it at some point in the near future. It is imperative that legal teams proactively update their e-discovery processes to account for mobile device ESI in future cases.
Examples of this in practice might include updating the legal hold policies to include mobile devices on the list of data sources requiring preservation and collection or establishing specific reports that detail mobile device e-discovery activities that can be used to validate the defensibility of the process.
The benefits of the BYOD are undeniable and the movement only figures to gain a stronger foothold in the years ahead. Unfortunately, many organizations that jumped into the BYOD craze are only now just beginning to recognize the dangers that come with it. Emerging case law suggests that mobile device data is beginning to play a significant role in e-discovery.
Many organizations don’t have extensive experience identifying and collecting ESI from mobile devices and could be exposing themselves to risks if not preparing for this inevitable reality. While taking the steps outlined above, such as creating a corporate-wide BYOD policy and investing in specialized technologies, won’t completely insulate a company from the perils brought on by BYOD, it’s a far better alternative than doing nothing and paying for it later.
Title image courtesy of bloomua (Shutterstock)
Editor's Note: Want to read more of Ajith's thoughts on e-discovery? See: E-Discovery Trends for 2013