BYOD: The E-discovery Implications of a “Bring Your Own Device” Policy in the Workplace
The use of mobile devices in the workplace is an ever-evolving practice. When organizations first started taking advantage of increasing mobile technology, particularly cell phones and laptops, most implemented “Company Owned, Personally Enabled” (“COPE”) policies. The mobile device remained the property of the organization, and the employee used it primarily for work-related tasks. With COPE, the type and scope of mobile devices can be restricted, affording the organization the ability to fully understand the technology of a limited number of devices and thus providing them with predictability when the data stored on those devices becomes discoverable.
However, as mobile technology has become more accessible, COPE has become increasingly difficult to enforce. As lines have gradually blurred between work-related and personal use of mobile devices, some organizations have transitioned to “Bring Your Own Device” (BYOD) policies. BYOD provides a different kind of predictability from COPE because employers can be better assured that their employees’ work product is contained in one device. With COPE, employees often use two devices, one professional and one personal, but they don’t always draw a strict line between the two. This can make it difficult for employers to pinpoint discoverable data when the need arises. Some additional advantages of BYOD include cost savings associated with employee purchase of the device and increased efficiency as employees have proven to work more effectively on the devices of their choosing. Nonetheless, with these advantages come certain e-discovery complexities that organizations should address at the outset of creating or switching to a BYOD policy.
Below are some important questions to address in a BYOD framework so that an organization can act defensibly to identify, preserve, and collect data from its employees’ mobile devices:
- The Who and the What: Who is using mobile devices to create work product and what devices do they use?
It’s critical to maintain a detailed inventory of all employees who use their mobile devices to create work product, as well as what type of devices they use. When the need for a litigation hold arises, organizations need to be able to act quickly to ensure all relevant individuals and devices can be easily identified so as to defensibly preserve important data.
- The How: Does our IT department understand how the mobile device technology works?
With BYOD, IT departments have the complex task of understanding the nuances of many types of devices due to varying employee preferences and the myriad of devices and platforms from which they can choose. From Galaxies to iPhones, and tablets to laptops, possessing a strong understanding of the associated technology used by each platform and type of device is critical to ensure that the correct data is identified and collected.
- The Where: Where is the relevant data located?
The risk of BYOD is that it puts the device largely under the control of the employee, and thus data may be destroyed that would have otherwise been maintained by an official document retention program. To avoid data deletion and costly collections, it’s important to understand if the data is also stored on the company servers, on the cloud, or only on the device. It’s a good precaution to have employees back up their mobile devices onto the organizational network.
- The Why: Why did the employee use this device?
Understanding what each employee uses their devices for can cull down the time and cost associated with identifying any relevant content. However, because these mobile devices will also be used for personal reasons, it’s important to avoid violating employees’ privacy by exposing their private content.
Whether an organization prefers COPE, BYOD or a hybrid of the two, the best protection from e-discovery complications is to implement an effective and practiced mobile device policy – one that is detailed, documented, and well- communicated so that employees follow the safeguards necessary to maintain the integrity of discoverable data.