The debate over the impact of technology on the legal profession has been heightened since the ABA’s groundbreaking announcement in 2012 regarding the interplay between competence and technology. Opining that a lawyer should understand “the benefits and risks associated with relevant technology” as part of its overall duty to “keep abreast of changes in the law and its practice,” the ABA’s position has caused many lawyers to re-think their approach toward advising clients on basic legal issues. Nowhere is this trend more obvious than in the manner in which in-house lawyers are addressing the impact of mobile devices on their corporate clients.
Mobile devices — especially smartphones and tablet computers — are at the forefront of today’s cutting edge innovations. While these devices have revolutionized the way in which business is conducted, they have also introduced a range of security and e-discovery complications that in-house counsel must address for their clients.
Mobile device difficulties
In particular, mobile device use lessens the extent of corporate control over confidential business information. Whether that information consists of trade secrets, proprietary financial information or attorney-client privileged discussions, difficulties in policing mobile devices allow employees the opportunity to misappropriate data more easily. The commingling of personal and business information also leads to an environment in which employees may disclose sensitive and confidential information regardless of malicious intent. With a single touch of a smartphone screen, an employee can direct sensitive company data to personal cloud providers, social networking sites or WikiLeaks pages.
Such security threats are amplified when mobile devices go missing. Indeed, a recent industry survey confirmed that lost or stolen devices represented the most significant vulnerability associated with their use. This, according to the survey results, is because more companies are allowing confidential information to be stored on devices. This includes corporate email, customer data, and even network login credentials.
Enterprises have the additional challenge of preserving and producing relevant data stored on these devices for legal actions. Obtaining that information is no small task due to the substantial number of devices that are lost or stolen every day. Even if a device is recovered, the data previously stored on it may be lost forever given the increasing use of remote wiping tools designed to prevent misappropriation. Beyond this issue, the logistical problems of locating, retaining and turning over that data can be particularly complex in light of the legitimate privacy expectations that employees may have respecting the personally identifiable information (PII) stored on a device. All of which could be problematic for satisfying a company’s e-discovery obligations, among many other things.
Addressing the problem with preventative measures
To address these problems, in-house counsel should collaborate with their IT and information security colleagues to develop manageable use policies. Such policies will need to clearly delineate how employees should handle company data on mobile devices. Without such policies, along with subsequent employee training and regular policy enforcement, companies will have little chance of addressing the increasing security threats posed by mobile devices to their information ecosystem.
The policies should also define the nature and extent of the enterprise’s right to access data on the employee device, especially for use in legal matters. It is important for in-house counsel to determine — before a litigation event arises — whether an employee has a reasonable expectation of privacy in data stored on a device. One way to tackle this issue is to include a provision in the use policy that eliminates any notion that employees have a reasonable expectation of privacy in their mobile devices. While there is case authority suggesting that a company can successfully follow such a course, other court decisions have reached a contrary result. A better practice may be to secure the employee’s assent on this issue through a separate written agreement, especially where that employee is using a personal device under a “bring your own device” (BYOD) policy.
In-house counsel should also work with their clients to explore the availability and feasibility of technologies to segregate and then isolate personal materials from company data. One way this can be done is by downloading software on to a device to separate and encrypt company information. Not only does this facilitate the retrieval of company data from a device, it could also serve to prevent unauthorized access to or misappropriation of company information by third parties.
Another, more comprehensive approach would involve the use of machine learning technology in connection with the company’s information governance program. In this context, predictive machine learning tools can learn from initial human decisions about information to provide automated guidance about similar documents. Once appropriate calibrated, this technology can help identify and isolate employee PII from company materials throughout the enterprise. Such a strategy would have the advantage of keeping the most sensitive employee PII away from the discovery process and thereby eliminate the risk of producing it in litigation.
Though impossible to anticipate or address every legal risk associated with mobile device use, in-house counsel can nonetheless competently advise their clients on the key issues. To ensure that a company has a reasonable plan in place to tackle the security risks and e-discovery problems arising from those devices, in-house lawyers should work to develop a holistic response along the lines suggested in this article. By so doing, they can help their clients address these issues and also discharge their evolving digital age duty of competence.