BYOD: The #1 eDiscovery Challenge for Inside Counsel

Survey of inside counsel at Fortune 1,000 companies highlights growing BYOD fears

The Scenario

You are the general counsel of an investment firm and have recently learned that your company has been accused of trade secret misappropriation by a competing firm.  It seems that the 9 traders your company has recently recruited from a competitor may have brought client lists and other trade secrets from their previous employer with them when they came to work for you.  You are being sued.  The plaintiff alleges that certain text messages between these 9 traders will demonstrate the employees’ conspiracy to steal their clients.  Your legal department issues a litigation hold collects the traders mobile devices and discovers that they have been wiped.  No data exists on the devices, despite the litigation hold requiring the preservation of that data.  The custodians claim they wiped the devices because the phones contained personal non-relevant ESI and that turning them over without wiping would have violated their privacy rights.

The Problem

The mobile devices are owned by the employees, even though your company pays for the monthly data plan fees.  Does your company own the data?  Unfortunately, your company does not have a mobile device usage policy.  Oops.  Now you are looking at potential sanctions for ESI spoliation.

This scenario and the risks associated with Bring Your Own Device (BYOD) were illustrated in a recent survey of Fortune 1000 inside counsel who reports BYOD issues as their number one eDiscovery challenge.

And case law is emerging.  Consider Judge Jackson’s comments in Christou vs. Beatport, in which a company CEO “lost” his cell phone while under a litigation hold:

 “Defendants had a duty to preserve Mr. Roulier’s text messages as potential evidence, but they did not do it…I agree some sanction is appropriate.” ^[1]

The Land Mines

BYOD in the workplace is definitely creating some heartburn for inside counsel and their IT departments.  If the employee owns the phone, how do legal departments fulfill their litigation hold requirements during an investigation or litigation?  How do you secure your IT network when BYOD devices are operating outside of the IT department’s security controls?  What happens when a key employee leaves and takes your company data with him on his mobile device?  What about the loss of your Intellectual Property if an employee loses his network-connected cellphone that is not password protected?  These are just a few of the BYOD headaches.

Is Remote Wiping an Answer?

Some companies have resorted to requiring employees who bring their personal phones into the workplace to agree that their phones will be remotely wiped if they are terminated.  This practice is, however, often viewed as hostile by employees, and the HR issues related to remotely deleting hundreds of personal photos from a terminated employee’s phone, for example, can be ugly.  Even so, 21% of employers report using remote wiping.^[2]

The Take-Aways

Mobile devices in the workplace are here to stay, and many of those devices will be owned by employees.  While the eDiscovery and security risks can be daunting, a few best practices can help mitigate your exposure.

1.  Have a Policy.  Companies must have a solid written policy covering the dos and don’ts related to mobile devices in the workplace.
2. Use Technology.  Mobile Device Management (MDM) software can help companies manage a company and personal data on mobile devices in the workplace.  Most MDM software contains enterprise security features that protect company data while at the same time partitioning between employee personal data and company information.
3. Consider Company-Owned Devices.  If the use of mobile devices in your business is particularly critical, or if your business is highly regulated, you should consider issuing company-owned mobile devices to your employees.  This practice provides you with the highest degree of security, and maximum ESI control during investigations or litigation.  Further, the U.S. Supreme Court has ruled that employees have no expectation of privacy on company-issued devices.^[3]