Organizations should develop a plan to tackle the data security, information retention, and e-discovery problems arising from mobile devices.
The challenges associated with mobile device use continue to be splashed across the headlines. This year alone has seen various reports on mobile mishaps involving Samsung, Starbucks, the former U.S. Secretary of State, and—most recently—famed NFL quarterback Tom Brady. Debacles over device misuse are also being played out in court, with companies facing the threat of court sanctions for neglecting to preserve relevant mobile materials. Organizations hoping to avoid the fate of so many others tripped up by device disasters must be perplexed regarding the course of action they should adopt. Given the critical role that such devices play in most business operations, few if any clients will likely ever be free from such challenges. Those challenges generally fall into three categories: data security, information retention, and e-discovery.
Data Security, Information Retention, and E-discovery Challenges
Whether employees use those devices under a “company-issued, personally enabled” (COPE) policy, a formal “bring your own device” (BYOD) policy, or “shadow BYOD” (where “employees covertly use their personal devices for work purposes”), they present security risks for sensitive corporate information. In particular, the difficulty in monitoring personal mobile device use often leaves that information more vulnerable to misappropriation, regardless of whether it consists of trade secrets, proprietary financial data, or lawyer-client communications. Moreover, the commingling of personal and business information also leads to an environment in which employees may disclose sensitive and confidential information irrespective of intent. With a single touch to a smartphone screen, an employee—not to mention a family member, friend, or opportunistic hacker with access to that device—can take, text, or tweet proprietary materials.
These security problems are amplified when mobile devices go missing. Indeed, a recent industry survey confirmed that lost or stolen devices represented the most significant vulnerability associated with their use. According to the survey results, that is because more companies are allowing confidential information to be stored on devices. This includes corporate email, customer data, and even network login credentials.
Personal mobile device use can also undermine company retention schedules. This is because information may be created, communicated, and/or destroyed beyond the knowledge or reach of corporate authority. For example, materials may be kept that would ordinarily be discarded under a document retention program. On the other hand, data may be destroyed or otherwise compromised that should have been kept for business purposes.
Beyond these issues, enterprises have the additional challenge of preserving and producing relevant data stored on devices for legal actions. The logistical problems of locating, retaining, and turning over that data can be particularly complex in light of the legitimate privacy expectations that employees may have respecting the personally identifiable information (PII) stored on a device. All of this could be problematic for satisfying a company’s e-discovery obligations, among many other things.
Addressing Employee Use of Mobile Devices
While addressing these challenges is no easy task, there are steps that companies can take to help prevent or ameliorate many of the problems associated with mobile device use. A first step is to have a company’s in-house lawyers work with its information technology professionals to develop actionable BYOD policies that protect corporate interests. Such policies will need to clearly delineate the parameters of work to be performed on a personal mobile device. This includes audit and enforcement mechanisms to gauge policy observance and disciplinary measures for noncompliance, particularly for shadow BYOD use. Related mechanisms will also be required for those organizations that proscribe personal mobile device use, since many employees would likely circumvent such a policy if it lacks audit and enforcement procedures.
Another key facet of a workable BYOD policy is ensuring that it defines the nature and extent of the enterprise’s right to access, retain, and/or destroy data on the employee device for information governance purposes. Doing so will invariably necessitate that a company determine whether its employees have a reasonable expectation of privacy in data stored on a device. One way to tackle this issue is to include a provision in the use policy that eliminates any notion that employees have such an expectation of privacy. While there is case authority suggesting that a company can successfully adopt that approach, In re Asia Global Crossing, Ltd., and many of its progeny have reached a contrary result. A better practice may be to secure the employee’s assent on this issue through a separate written agreement, especially where that employee is using a personal device under a BYOD policy.
On the e-discovery front, a company’s litigation readiness program should be updated to include a process for preserving and producing relevant data from personal devices. Beyond the prophylactic issuance of a litigation hold, legal counsel should consider working with company IT professionals or engaging service providers to better ensure that mobile device data is properly preserved. This may include, among other things, the option of using cloud providers that have legal hold and other discovery-oriented functionality. Regardless, getting informed direction from technically savvy partners is essential for maintaining mobile device data since the methods for doing so from previous decades—creating paper copies, imaging hard drives, or relying on backup tapes—may be obsolete or simply unworkable.
Though it is impossible to remediate every risk associated with mobile device use, organizations can develop a plan to tackle the data security, information retention, and e-discovery problems arising from those devices. By following the above-referenced suggestions, companies can develop a process for handling the issues. However, without actionable policies, along with subsequent employee training and regular policy enforcement, companies will have little chance of preventing device disasters before they are splashed across the headlines.