Mobile devices are pervasive in modern business and society; almost everyone can and does own a mobile telephone. Some have even made their mobile their only phone. So with most employees already owning their preferred type of smartphone, companies have been adopting BYOD (Bring Your Own Device) policies to allow those employees to hook their personal devices into the company network. That raises some questions when it is time to collect and produce data for litigation, however.
Nobody enjoys carrying multiple, bulky iDevices at any time, but without BYOD, that is a reality of doing business. BYOD offers benefits to both employers and employees, however, and because of that, these BYOD policies are growing quickly in popularity.
BYOD turns a personal device into one that is used for both personal and business purposes. Storing and transmitting corporate data on employee-owned devices, however, creates some difficult legal challenges that will need to be addressed going forward.
The biggest factor is that companies don’t control the devices, but they need to have some control over the data being used on those devices.
Companies will need to be able to subject BYOD employees to litigation holds and to prevent data on those mobile devices from being destroyed. Without control of the devices, however, it may be difficult to preserve information on them.
When it comes time to collect data, there may be additional legal challenges. Under the Federal Rules of Civil Procedure (Rule 34), a party to litigation must produce any responsive electronic documents that are stored on devices under its control. Control, however, is a broad term, and a company can be found to control devices that it does not own or physically possess – including an employee’s personal devices used to transmit or store company data.
Getting the data off a mixture of devices running iOS, Android, Windows Mobile or other platforms is something that a well-qualified forensics provider can offer where many in-house IT departments will fail.
When the device belongs to an employee, or even a former employee, it may be far more difficult to obtain access to the device for collection. It may also be very difficult to prevent spoliation of the evidence that might be held there. The employees must be put on notice by their employers that the data cannot be deleted or destroyed, but even if it is, the employer can be held responsible for the spoliation.
The exception is Nucor Corp. v. Bell, in which a U.S. district court held that because the employee destroyed confidential information that might have been subject to discovery without consulting his employer beforehand, he was acting for his own benefit and not within the scope of employment. That line of reasoning is likely still developing, however, and employers need to have solid policies in place.
When considering a BYOD policy, companies should consider the type and volume of data that will be transmitted through the devices they will be supporting. A competent plan for litigation should be put in place and employees should be made aware of the potential for a litigation hold or collection procedure, should their devices become subject to eDiscovery.