Companies implementing BYOD policies often do so in recognition of the fact that most employees have a personal smartphone or tablet that is familiar to them and usually close at hand. Employees may prefer to use their personal devices for both business and personal reasons and companies would rather not procure and issue devices that are redundant. Where the company no longer procures the device, it has no contractual relationship with the service provider and loses the ability to select the devices to be used by employees, monitor the devices or have access to the communications sent to and from the devices.
The devices will be used by the employee for personal purposes and may even be used by other people not employed by the company, such as the employee's family members. Employees may lose, damage or trade in the devices and may store third-party information on the devices, such as music, books, computer applications, etc. Finally, some employees will leave the company through an orderly, voluntary process, or they will leave (or be asked to leave) suddenly. When they leave the company, they will still have their devices and the company may not have an opportunity to collect, retain or delete data on the device.
Any BYOD policy must be clearly explained to all participating employees, with a focus on the employees' reasonable expectations of privacy and the possibility that the employer may have to evaluate and remove or copy data from the device, temporarily take possession of it and require employees to execute what is essentially a release authorizing the company to request data from the service provider with which the company otherwise does not have any relationship or rights. In City of Ontario, Calif. v. Quon, 130 S. Ct. 2619 (2010), the Supreme Court provided some guidance in this area, but many questions remain regarding the relative privacy rights of an employer and an employee with respect to a device that is used for both personal and business reasons.
Another example of how business and personal purposes blend together is employees' use of social media. More and more organizations establish a social media presence and then designate authorized representatives to post on social media websites such as Facebook, Twitter or Google Plus and develop policies that provide such representatives with guidelines on how to represent the company in the online world. Not surprisingly, courts are likely to hold that postings by authorized corporate representatives on the corporation's social media site are within the corporation's care, custody and control.
The issue is not so easily resolved when employers allow their employees limited use of social media websites at the workplace. Many organizations will develop social media policies to define the acceptable and prohibited uses of social media as it relates to company business and personal purposes. Often, these policies address and prohibit employees from implying endorsement from the company or using company, proprietary or client information in personal posts on social media sites.
While the company may decide to periodically spot-check what employees are posting on their personal accounts to validate or verify compliance with its corporate policy, companies do not retain such information. One exception is the requirement in FINRA Regulatory Notice 11-39 regarding broker-dealer compliance with Rule 17a-4 under the Securities and Exchange Act of 1934 that a "firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person." In some jurisdictions, if faced with a discovery request for an employee's personal social media account, an employer may argue that it is unlawful for an employer to ask for a current or prospective employee's social media account information. (See, e.g., SB 433, HB 964 (Md. 2012).) In jurisdictions without such laws, an employer can still make a strong argument that an employee's log-in information for his or her social media account is outside the employer's care, custody and control.
Where discovery is sought directly from an employee who is a party to the lawsuit or is subpoenaed for relevant information, both federal and state courts have held that social media content can be discoverable because any intrusion from discovery is fairly minimal. The user typically has made his or her information available to a wide variety of social media contacts who have no legal obligation to keep the information confidential. (See, e.g., EEOC v. Original Honeybaked Ham Co. of Georgia, No. 11cv02560MSKMEH (D. Colo. Nov. 7, 2012); Trail v. Lesko, No. GD-10-017249 (Pa. Com. Pl. 2012).) Nevertheless, a party requesting access to information existing on a user's social networking profile must first demonstrate that relevant information is likely to exist on the user's profile before a court is likely to grant access to social media content. (See, e.g., Offenback v. LM Bowman, No. 1:10CV1789 (M.D. Pa. June 22, 2011); EEOC v. Simply Storage Management, 270 F.R.D. 430 (S.D. Ind. 2010).)
In addition, organizations use numerous types of storage media that may be subject to retention requirements and discovery obligations. For example, companies must determine how to retain voicemails that are considered company records or those that are relevant to reasonably anticipated or pending litigation. Some companies choose to avoid defining voicemails as corporate records and instead explicitly define voicemails as transitory information for which there is only a short-term or temporary business need and recommend that voicemails should be disposed of as soon as practicable. There is an inherent danger in retaining voicemails for extended periods of time. In addition, the collection, review and production of voicemail files can be much more difficult, time-consuming and expensive. Many companies have their IT departments set up the automatic deletion of voicemails after a specified time period.
Similarly, some companies permit their employees to use instant messaging programs throughout the work day. Such companies may or may not log the instant messages, but most do not. There are occasions, however, where instant messages may constitute business records and could reflect potentially relevant and discoverable information. Companies are thus faced with a Hobson's choice: spend vast amounts of money to retain instant messages that may not be relevant to reasonably anticipated or ongoing litigation or risk facing sanctions for failing to retain instant messages. Perhaps the best solution is for companies to develop policies that prohibit the use of instant messaging for discussing anything relevant to pending or anticipated litigation or investigations and/or to prohibit use of messaging entirely for critical business communications.
Companies that incorporate these new forms of communication into their employee and records retention policies will be best positioned to identify and retain corporate records, respond to requests for discovery and demonstrate respect for employee privacy interests. Regular ?discussions among the legal, compliance, technology and human resources teams ?will help to ensure a prudent risk-versus-benefit approach to making best use of these technologies.
David R. Cohen is the practice group leader for Reed Smith's global records and e-discovery practice group. He has more than 25 years of commercial litigation experience in a variety of subject matters. He can be reached at email@example.com.
Timothy J. Nagle is a member of the firm's data security, privacy and management practice group. He can be reached firstname.lastname@example.org.
Caitlin R. Gifford is an associate in the firm's e-discovery and records management group, where she provides advice regarding e-discovery, records management and records retention research matters. She can be reached at email@example.com.