Do BYOD Corporate Policies Provide an Unfair Protection?
Should defendants be permitted to adopt a policy concerning employee use of personal computing devices in business that benefits the defendant and then hide behind that policy to its benefit in the discovery process of a lawsuit?
An essential organization in the modern discovery process, The Sedona Conference, has recently drafted guidelines and put them out for public comment. They are titled: Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations
The issue covered in these guiding principles is called Bring Your Own Device (BYOD), a policy that has permeated corporate America. An objective examination of the BYOD policy choice illustrates that the policy is typically adopted because, on the surface, it profits Corporate America.
The basic tenets covered in the Sedona publication are summarized as:
- Principle 1: Organizations should consider their business needs and objectives, their legal rights and obligations, and the rights and expectations of their employees when deciding whether to allow, or even require, BYOD.
- Principle 2: An organization’s BYOD program should help achieve its business objectives while also protecting both business and personal information from unauthorized access, disclosure, and use.
- Principle 3: Employee-owned devices that contain unique, relevant ESI should be considered sources for discovery.
- Principle 4: An organization’s BYOD policy and practices should minimize the storage of––and facilitate the preservation and collection of––unique, relevant ESI from BYOD devices.
- Principle 5: Employee-owned devices that do not contain unique, relevant ESI need not be considered sources for discovery.
How does it generally work? The ABC Corporation has 500 employees in positions making it desirable for the company to contact the employee via mobile devices and to allow employees ready access to communication such as cell calls, texting and email. Also, it benefits the corporation to facilitate the employees’ ability to remotely access company data. Does ABC purchase 500 smart phones and 500 laptops/tablets for its employees, or does it adopt a policy requiring each employee to provide their own mobile computing devices? The latter is a potential savings of around $500,000 to ABC.
The ABC Corporation adopts the BYOD policy and saves hundreds of thousands of dollars. All good, right? ABC and its key employees can communicate efficiently with each other.
If handled properly, the BYOD approach to providing mobile access to employees comes with a great deal of baggage in terms of management and oversight. Although the company saves on the front end, it costs the same or more on the back end of the computing process. Security, data backup and computing policies are as complicated as, or more complicated than, those of a non-BYOD environment. There is the worry of hacking, viruses, spam and many other intrusion threats into the corporate system. These worries are amplified where employees are free (it is their own device after all) to install whatever programs they want on the devices.
Applying corporate policies to personally owned devices has its share of issues; ABC must try to manage those corporate policies through software, through policy or through a combination of both. Managing ABC’s corporate data responsibility through software will allow the corporation to control data security, for example, but at the expense of personal freedom for the employee on the device they own and for which they pay.
What are the “reasonable measures” that corporations should take to be in a position to respond to the discovery process of lawsuits, and that push reasonable preservation safeguards in a Bring Your Own Device world? As we have discussed in previous articles, there are very basic concerns for which BYOD adopters should be held accountable:
- Information governance. Who owns what data and how does the corporation control the data, particularly with ex-employees? Can sandboxing work?
- Confidentiality and privacy. Is it OK for a spouse to use the phone, too? Can email be shared?
- Who controls security requirements? What happens if the employee leaves the device in a bar, a taxi or elsewhere? Can the corporation “track” the devices? Can the corporation “kill” the device?
- Remote access. Can the corporation monitor and control cloud access?
- Regulatory compliance. Can the corporation compel compliance with HIPAA and other legal requirements?
- Legal actions. How will legal discovery of data on the BYOD be handled? How will recognition of confidential information be handled? How will forensic examinations be managed, particularly with former employees?
- Device maintenance and repair. How does this get handled? Can the corporation compel specific repair shops with confidentiality agreements? Can they compel employees to only go to preapproved facilities?
The question is, however, what happens when a lawsuit is filed and legitimate discovery is conducted, and key employees have left, data has been deleted from personal devices, and BYOD devices of low quality have failed and were not backed up? Should the company-adopted BYOD program be a reasonable “shield” behind which the corporate defendant may hide from sanctions?
Given the last changes to the Federal Rules of Civil Procedure, I think it is fair to say that corporate defendants may very well be allowed to use the lack of control inherent to a BYOD policy as a shield. Federal Rule of Civil Procedure 37(e) sets forth the following:
(e) Failure to Preserve Electronically Stored Information. If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court:
(1) upon finding prejudice to another party from loss of the information, may order measures no greater than necessary to cure the prejudice; or
(2) only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation may:
(A) presume that the lost information was unfavorable to the party;
(B) instruct the jury that it may or must presume the information was unfavorable to the party; or
(C) dismiss the action or enter a default judgment.
Will the mere existence of BYOD policies and procedures, even if not followed, be accepted by the court as “reasonable steps to preserve” and as showing that the party did not act “…with the intent to deprive…”?
Will the destruction of data or electronic information by the employee (and owner of the device) be imputed to the corporate defendant?
Will the inability of the corporate defendant to obtain information in a BYOD environment be considered spoliation, even where the corporate defendant knew or should have known of the consequences of deploying the policy? As Sedona sets forth:
Organizations face a wide range of possible obstacles to obtaining information from employee-owned devices, including the following:
- Employees may refuse to hand over the personal device or refuse to provide passwords needed to access data on the device.
- Even employees who want to cooperate may be unable to provide complete access, e.g., if portions of devices are locked by device manufacturers.
- Device backups and related device data may be stored in a computer or system that is separate from the device and inaccessible to the employee or employer.
- An employee’s network or cellular service provider may limit the amount and type of information available to a device user if the user is not the primary subscriber of the account or is otherwise not entitled to information the service provider possesses concerning the device (e.g., call records, location information, text messages, voicemail, etc.).
- The employee may not actually own the device, or the employee may own it jointly with others who may not consent to employer requests concerning the device (e.g., the phone may be owned by a family member, or the cellular service provider may lease the phone to the employee).
How are former employees and their personal devices to be handled in terms of spoliation? Will it be enough that the employer had policies in place to collect the data from the device, but just failed to do so?
And then the biggest problem under FRCP 37(e) is the revision that allows the court to impose sanctions “only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation”.
Ultimately, will the changes in the rules allow for significant cover for BYOD shops whether they follow their policies and procedures or not?