As access to mobile devices — such as smartphones, laptops and tablets — has become the norm, more companies are allowing employees to use their own devices at work. This recent phenomenon is typically referred to as “bring your own device” to work, or “BYOD.”
According to a 2013 global survey of chief information officers conducted by Gartner Inc., 38 percent of companies are expected to stop providing devices to employees by 2016. By 2017, half of employers will expect employees to supply their own devices for work purposes.
Companies that adopt BYOD programs expect to decrease their investments in devices and services and, at the same time, expect an increase in employee innovation and productivity. The benefits are clear, and more companies are buying into it.
But there are risks, and two stand out: security and legal.
The security risks include exposure of the corporate network to outside attacks; exposure of company data to unauthorized access if the devices are lost or stolen; and data leakage due simply to the nature of sharing data across multiple mobile platforms including the cloud.
The legal risks include potential loss of control over corporate data on employees’ devices; potential obligations to collect and review data on employee devices; potential ownership disputes over content created on the employee’s personal device; and potential data leaks that could threaten a company’s trade secrets, copyrights and inventions.
Regarding security risks, a main concern is how BYOD programs may affect a company’s intellectual property rights. One immediate issue is the potential loss of rights to the information stored on an employee’s personal device. For example, one of the basic tenets of trade secret protection is to show the existence of a trade secret. To constitute a trade secret, the information must be valuable and be kept in secret. The measures a company takes to protect that information is a key issue in all trade secret cases. What happens if that trade secret is accessible via a mobile device, such as through work emails accessible through the mobile device?
In the BYOD context, a company would need to ask whether the employee device was secure and what measures the company took to make sure the information remained secret and accessible only to people within the company. It is easy to imagine a scenario in which an employee — even a high-ranking employee — inadvertently forwards an internal email containing top-secret information from his or her mobile device to the wrong person, perhaps because of the device’s autocorrect or auto-fill features.
Unfortunately, such risks are part of the ability to create, use, duplicate and share information across multiple mobile platforms. And as this trend becomes more prevalent, additional risks will come to light, as will their consequences and eventual solutions. Companies should use two sets of tools to address this situation: Technology tools secure the information on the employee device. Legal tools make clear the rights and obligations of the employer and the employees in the BYOD environment. When a company uses both technical and legal tools, it is important that they are coordinated. For example, the BYOD use policy should not only establish clear guidelines regarding “permitted” and “accepted” use from the company’s perspective, but also should take advantage of the technical tools employed by the company to secure the company’s data. To that end, the BYOD policy should describe these technical tools, and should explain to the employee the limitations of such tools installed in their BYOD device.
EFFECT ON E-DISCOVERY
BYOD policies, however, also can have a major impact on a company’s electronic-discovery obligations. E-discovery continues to be a fast-developing area of the law — in particular, because of the potential for substantially increasing the cost of litigation if not properly handled.
In the past, when employees were less mobile and tethered to their company-issued computer or telephone, it was understood that those devices were subject to the company’s policy, and subject to inspection and confiscation when employment was terminated. With BYOD environments on the rise, those situations are more difficult to maneuver.
For example, a BYOD policy that claims significant ownership over the content stored on a BYOD device may make that device vulnerable to a discovery dragnet. For companies that employ hundreds or even thousands of developers, the impact can be enormous on productivity — and the accompanying legal expense — when those devices are collected and the data mined in response to a discovery request or document subpoena. An inherent tension exists between protecting the company’s data to secure intellectual property rights and managing the company’s e-discovery obligations with respect to employee-owned personal devices. The more rights a company has or asserts to its employees’ data, the more likely it is that company could be deemed to have an obligation to collect, review and produce data stored on employee-owned devices should litigation ensue.
Such scenarios require companies that adopt BYOD policies to strike an appropriate balance between protecting their intellectual property rights and minimizing their e-discovery obligations. Technology tools can help in this endeavor. For example, company data could be stored on the company’s server and only accessed (but not stored) on the employee’s devices. While that would simplify the e-discovery issues, the reality, however, is often quite different. Documents could be reasonably stored in a central location, but what about personal communication tools such as emails, texts and even phone calls? Those are not documents that exist in a central repository but, instead, are created within the mobile device itself and transmitted to other locations or shared with devices — mobile or otherwise. Indeed, this is the double-edged sword of BYOD environments, since facilitating employees’ communications within the company is a key driver of productivity and a key reason why companies are adopting BYOD policies in the first place.
Clearly defined policies may also help. Companies will want policies that clarify the scope of ownership with respect to data stored and created on the BYOD device as well as policies that require inspection of an employee’s device during the exit interview while the employee is still within the company’s reach.
As is often the case, the law follows technology. Courts increasingly are becoming more aware of today’s technologically advanced and nomadic environment and, as a result, are becoming more adept at dealing with the intricacies and costs associated with e-discovery. To that end, courts are adopting rules that seek to limit the exploding costs of e-discovery, bearing in mind the new world of mobile living. For example, the U.S. district court in the Northern District of California has adopted guidelines that allow litigants to segregate different types of electronic data and prioritize which ones are subject to discovery. This is a promising approach that can reduce the cost of e-discovery but also acknowledges the serious issues associated with collecting, reviewing and producing materials on employee devices. Although the risks and options here are not exhaustive, they are starting points for companies that want the benefits of a BYOD environment, protection for their intellectual property and reduced costs of e-discovery when involved in an IP dispute.
Fabio E. Marino is a partner and Teri H.P. Nguyen is an associate in the Menlo Park, Calif., office of McDermott Will & Emery.