As a Budweiser man often forced to hang out with wine drinkers, I love it when I hear the term BYOB. However, as discovery counsel working with companies to develop model electronically stored information (ESI) policies, I shiver when I hear the very different acronym, BYOD. Working with a company that has begun developing its own BYOD policy, however, can provide comfort from the chill.
BYOD—bring your own device—is a phrase that is widely used to refer to employees who bring their own computing devices, such as smartphones, laptops and PDAs, for use and connectivity on the corporate network. This trend has resulted in increased productivity, flexibility for employees and lower costs for businesses. As with any new trend, however, there are a host of issues to consider. It is imperative that your company begin to develop its own BYOD policy to stay ahead of the BYOD movement. In doing so, you should consider the following five issues.
According to a July 2011 study by Aberdeen Group, of 415 companies surveyed, 75 percent allowed their employees to use personal devices to conduct business. This number is projected to increase as more companies accept the BYOD shift. Allowing employees to use a personal device rather than a company-owned device can reduce employer costs, as many employees are likely to have already invested in a personal smartphone. Furthermore, the ability of employees to use a device with which they are comfortable may help to increase their productivity. Employers, however, should be mindful of potential hidden costs for device support and security.
A 2011 study by IDC and Unisys showed that approximately 50 percent of respondents reported using personal devices to conduct business on vacation, 29 percent while in bed and around 20 percent while driving. The lines between personal and professional life have been blurred and whether or not a company allows it, employees are going to conduct business remotely. The lack of control over where and how workers transmit and store information is a major risk inherent in BYOD. Companies must address the protection of employees’ confidential financial and medical information, protection of proprietary and trade secret information and control over information in the case of litigation. To address these concerns a BYOD policy should include provisions addressing employee protection (HIPPA, harassment/discrimination, financial records and privacy concerns), protection of company trade secrets and proprietary information, device limitations, applications and data access limitation, security and password requirements, anti-virus protection, procedures for lost or stolen devices and procedures for exiting employees.
3. Possession, custody and control
BYOD creates a host of e-discovery challenges that are likely to play out in the courts in the coming years. One of the most significant challenges is likely to be defining the ownership of data on dual-use devices. Under Rule 34 of the Federal Rules of Civil Procedure, a party must preserve and produce responsive documents and electronically stored information that are in its possession, custody and control. Courts have found that control does not require that the party have legal ownership or actual physical possession of the documents at issue. The documents are considered to be under the party's control when it has the right, authority or practical ability to obtain them from a nonparty. It is likely that an employer will have control over work product that employees create in furtherance of their employment. Under this rationale, employers will have to collect and produce corporate documents by request even if the documents are in the employee’s home.
4. Preservation and retention
During e-discovery disputes, courts continue to come back to one fundamental concept: defensibility. For BYOD programs to be defensible in court, companies must create specific policies regarding preservation and retention. Dual-use devices and company information stored on them should be identified so that they organizations can preserve and collect them when necessary. Representatives from IT, human resources, finance and legal should work together to determine the exact corporate policy and individual user policy that will allow for adequate preservation and retention of documents in the event of litigation.
Your BYOD policy should lay out the step-by-step process of ESI discovery ESI, from issuing a litigation hold to locating and collecting potentially relevant information from dual-use devices. If BYOD policies are in place before litigation strikes, the discovery process will be more defensible, efficient and cost-effective.
Although these five considerations only scratch the surface of the BYOD movement, implementing a policy that accounts for each of these issues will provide your company with comfort that it is prepared to weather the BYOD storm.