How corporations and their employees can combat privacy concerns in the BYOD era

Bring your own device and check your data at the door?

This is part three of a three-part series on developments in mobile device discovery and its impact on the lives of in-house counsel. The first, “Bring Your Own Discovery Nightmare: Inside Counsel in the BYOD Era,” was published by Inside Counsel on Sept. 6, 2013, and the second, “Picking Up Your Forensic Toolbox and Becoming Your Opposition’s BYOD Nightmare,” was published by Inside Counsel on Oct. 10, 2013.

BYOD is great for so many reasons (for individuals: fewer things to carry around, everything in one place, no device confusion, and you can use your shiny new phone more often; for corporations: less expensive, less need for support/IT, and fewer whiny employees asking why they can’t use their iPhone/Nexus 5/Surface instead of the boring old Blackberry) that it’s easy to ignore the pitfalls. But the mingling of personal and corporate data on a single device does create a lot of headaches, and when you think about it, the privacy implications of BYOD are kind of obvious. What could go wrong when, for instance, personal texts regarding an HR-sensitive matter are sitting on the same device as litigation-relevant emails and documents? Clearly a lot, especially if a corporation doesn’t have an airtight BYOD policy.

In a recent Lexology article, Thompson Hine Partner Nancy Thompson states, “Through a carefully crafted BYOD policy, employers may be able to eliminate any expectation of privacy even on employee-owned smartphones used for business purposes.” However, employers will not be able to accomplish this feat without clearly explaining their privacy policy and what data they will want and need to access, and without getting employees’ full and explicit informed consent to the policy. To reiterate, the American Bar Association advises corporate counsel, regarding their BYOD policies, that “to comply with data-protection requirements, organizations should set out clearly what information on the employee-owned device might be monitored and/or accessed. A company should be able to demonstrate that its employees have given fully informed and unambiguous consent to the company to reach data on their personal devices.”

To have a truly strong chance of not running afoul of privacy laws, a corporation should also institute a second set of policies and procedures to go hand-in-hand with BYOD informed consent. This additional line of attack should center on training and policies for guiding the IT or security staff charged with investigating the device post-capture. These staff should understand exactly which data to target and how to avoid data that is off-limits or just plain unnecessary to the matter. Technology and written process can help to narrow search and collection to specific date ranges, subjects and data types on a phone or tablet, leaving out those items that are irrelevant and/or in a grey area when it comes to privacy concerns.

Contributing Author

Caitlin Murphy

Caitlin Murphy is director of marketing for the AccessData Group, where she manages all aspects of legal marketing and consults on product design for the...
