This is part three of a three-part series on developments in mobile device discovery and its impact on the lives of in-house counsel. The first, “Bring Your Own Discovery Nightmare: Inside Counsel in the BYOD Era,” was published by Inside Counsel on Sept. 6, 2013 and the second,Picking Up Your Forensic Toolbox and Becoming Your Opposition’s BYOD Nightmare,” was published by Inside Counsel on Oct. 10, 2013.

BYOD is great for so many reasons (for individuals: fewer things to carry around, everything in one place, no device confusion, and you can use your shiny new phone more often; for corporations: less expensive, less need for support/IT, and fewer whiny employees asking why they can’t use their iPhone/Nexus 5/Surface instead of the boring old Blackberry) that it’s easy to ignore pitfalls. But the mingling of personal and corporate data on a single device does create a lot of headache, and when you think about it, the privacy implications of BYOD are kind of obvious. What could go wrong when, for instance, personal texts regarding an HR-sensitive matter are sitting on the same device as litigation-relevant emails and documents? Clearly a lot — especially if a corporation doesn’t have an airtight BYOD policy.

In the last two articles in this series established that, with the correct process and technology, you can get e-discovery data off of mobile devices and even review it, creating an incredible advantage against less-prepared opponents. Now we need to look at whether you should. Which data, if any, is off limits, and how can you protect your organization’s rights alongside your employees’ privacy? The answers may surprise you.

Most disquieting to employee users of BYOD may be that, when it comes to litigation, the fact that the phone is yours means nothing. If the phone or data on it are requested as part of a warrant or relevant civil e-discovery request, it must be turned over — with all of your personal photos, texts, banking information and Words with Friends high scores. This can come as somewhat of a shock, not only because you are turning over private data that may potentially be searched by co-workers and third parties, but because you’ll be without your device as long as it is part of an investigation or discovery process. It’s enough to make you think twice about the ‘burdens’ of carrying two devices!

However, this does not imply that employees are entirely without protection. Federal law does afford some protections, including statutes barring unauthorized, intentional access to employee-owned devices. A recent federal case, Lazette v. Kulmatycki, in the northern district of Ohio, upheld the idea that a company’s search of private employee data on a mobile device violated the Stored Communications Act because such a search was ‘unauthorized’ — even though, in this case, the device was owned by the company. It can be logically surmised that a similar search on an employee-owned device could create a similar outcome if also unauthorized.

Actually, this idea of ‘authorization’ is one of the strongest takeaways for corporations from statutes and case law in this area. (By ‘authorization’ I mean the informed consent of an employee for the employer to search all data on the device.) It is absolutely essential that a corporation makes the notion of informed consent a central part of an airtight BYOD policy. However, we may be getting ahead of ourselves, especially considering that, according to a recent survey, 60 percent of corporations using BYOD lack a policy surrounding it. Of course, this is extremely unwise. All corporations using BYOD need a policy to govern it and this policy will be strongest if it contains the following three elements:

  1. Software to manage devices across the network (allowing for remote wiping if needed)
  2. Written explanation of responsibilities of both the corporation and employee users
  3. Sign-off on said policy by employee acknowledging that they have read and understand it (i.e., the informed consent mentioned earlier)

In a recent Lexology article, Thompson Hine Partner Nancy Thompson states, “Through a carefully crafted BYOD policy, employers may be able to eliminate any expectation of privacy even on employee-owned smartphones used for business purposes.” However, employers will not be able to accomplish this feat without clearly explaining their privacy policy, what data they will want and need to access and getting employees’ full and explicit informed consent to the policy. To reiterate, the American Bar Association advises corporate counsel, regarding their BYOD policies, that “to comply with data-protection requirements, organizations should set out clearly what information on the employee-owned device might be monitored and/or accessed. A company should be able to demonstrate that its employees have given fully informed and unambiguous consent to the company to reach data on their personal devices.”

To have a truly strong chance of not running afoul of privacy laws, a corporation should also institute a second set of policies and procedures to go hand-in-hand with BYOD informed consent. This additional line of attack should center on training and policies for guiding the IT or security staff charged with investigating the device post-capture. These staff should understand exactly which data to target and how to avoid data that is off-limits or just plain unnecessary to the matter. Technology and written process can help to narrow search and collection to specific date ranges, subjects and data types on a phone or tablet, leaving out those items that are irrelevant and/or in a grey area when it comes to privacy concerns.

Providing an example of what not to do, the investigator/supervisor in the previously mentioned Lazette case accessed over 48,000 of an employee’s personal emails (from an account she thought she had deleted from the device) over an 18 month period as part of his investigation of her surrendered Blackberry. He then shared details of the personal emails with third parties. This is the type of practice companies want to train investigators to avoid. Unless the personal email is relevant to the case, it probably does not have to be reviewed and certainly does not need to be discussed with parties outside of the litigation.

With a BYOD policy that clearly delineates privacy practices and includes explicit consent of the employee signee — along with the proper training of internal staff — a corporation should be well on the way to covering itself in the event of a BYOD privacy challenge. Likewise, with clear and explicit policies, employees should be better able to understand what they can expect if they decide to go the BYOD route.

These are good strategies on both parties’ parts, because the statistics are showing that BYOD is here to stay and is only getting bigger. This year, a Gartner survey of CIOs showed that 38 percent of companies expect to stop providing devices to employees altogether by 2016, and another survey showed that a majority of younger workers are willing to actually contravene a corporate anti-BYOD policy in order to use their own devices on the job. Clearly, corporations and their employees are rushing headlong into the BYOD future together, and the good news is that, with a bit of forethought, the privacy implications for such a future do not necessarily need to be grim.