Bring Your Own Device, or “BYOD,” is the phrase and acronym frequently used now to describe the ascension into the workplace of personal devices. It has escaped no one’s attention that pretty much anything that starts with a lowercase “i” — e.g., iPads, iPhones, iPods — dominates the marketplace of personal or recreational electronic devices, while Windows-based devices — desktop and laptop computers, Outlook and Exchange email servers, SharePoint — dominate the workplace. Personal devices, however, along with other personal means of storing and sending electronic data, are, like other social trends (can anyone say, “Karaoke night”) creeping into the workplace. As we shall discuss, this trend, amongst other things, creates great challenges to the production of e-discovery and reminds us of how e-discovery grew out of digital forensics and why the latter always will be needed to inform and direct the former.
The Bad Old Days/Good Old Days/Bad New Days
In the original bad old days, i.e., the mid-1980s through the mid-1990s, computers and other digital devices were rare in the workplace. At home, some people had computers (usually Macs, which were much more user-friendly and robust than were DOS-based Windows computers) and early cellphones. In the workplace, secretaries (remember secretaries?) may have had rudimentary PCs, which were always referred to as “word processors,” as that was their sole function. Computer memory was in the megabyte range and users installed applications on 5.25- or, later, 3.5-inch floppy disks, which usually wrote to other floppies, as the hard drive lacked sufficient memory to write to itself. As for the Internet, one connected to it via telephone modem and traffic on it was slower than going through the Holland or Lincoln Tunnel at rush hour. All but the smallest files were transmitted via “Sneakernet,” i.e., creating a file on one floppy and running to a second computer, where the user could copy the file to a second floppy. Any file of importance was printed out and stored in paper format.
As computer speeds and memories greatly increased and high-speed Internet connectivity proliferated, the workplace became dominated by workstations — desktop and laptop computers — connected to email and file servers, all of them the property of the employer and, with the exception of servers kept at “co-locations” (highly secure locations that also provide failover power sources and protect against flooding and other more anticipated natural disaster scenarios), found on the property of the employer. Almost all of the operating systems were Windows-based, and Microsoft Office applications, including Outlook, as well as Exchange email servers, drove out the Word Perfect word-processing application as well as Lotus Notes email with Domino servers, although the latter are still used by many businesses.
As cellphones and PDAs grew in prominence, employers came to issue those as well, usually with email that synced with the email server. There always have been and still are exceptions to this “vanilla” scenario: employees take the laptops home with them, on business trips, on vacations so they can stay connected to work; many employees can remotely access their business servers from home, using their family computer. But, even with those exceptions, the workplace that 20-25 years ago was dominated by typewriters, with some word processors and Macs brought in by sophisticated users, gave way to the good old days of Windows-based workstations and Outlook email, with the user’s Blackberry synced to the employer’s Exchange server.
Now, however, user-owned personal devices have returned to the workplace. Employees want to use their iPads and not clunky, old-fashioned laptops — that’s, like, so 2008 — to remote into work networks. They also want to make use of Dropbox and other cloud applications, which allow them to copy work files to the cloud (say, just before leaving the office), pull them down on a user-owned personal device to work on them in the evening and then copy them back to the cloud to be pulled down, back into the company network, the following day. And, of course, they would prefer to text someone rather than email them. They may also wish to use social media, such as LinkedIn or Facebook, to conduct business.
All usage of personal devices and personal cloud accounts create technical and legal challenges when, in the context of a demand for e-discovery, ESI must be preserved, collected, reviewed and produced. The e-discovery benefits of the “vanilla” model of Windows-based, company-issued workstations and BlackBerrys connecting to company Exchange and file servers are that there is no question that the data, and all devices in which it resides, are owned by the company, and that collection could often be done just at the servers, making it much easier and cheaper. As personal devices and data storage creep back into the workplace, those benefits disappear and challenges arise in their place.
Legal and Technical Issues
The basic legal issue involving data preservation and collection from personal devices and cloud sources is the same: What legal authority does the employer have to compel the employee to give the employer access to personal devices or accounts, notwithstanding that data residing in those locations is the intellectual property of the employer? The issue is by no means a theoretical one; it arises from the reality that preserving and collecting data in and from those sources has unwelcomed practical consequences for the employee, which include a compromise of personal privacy, inconvenience and, sometimes, cost.
The privacy issues arise because the employee has comingled personal data with company IP. Sorting out the two is not easy and, if the task is given to the reviewer, privacy is compromised simply by the reviewer seeing the personal data, even if none of it gets produced, because the employee does not want anyone, and especially not his or her employer (or their representative, the reviewer) looking at the employee’s personal email, photos, income tax records, etc.
The employee does not want the employer to have access to those materials, even if the employer does not look at them; indeed, the employee does not even want them copied — as when a forensic image of the hard drive of the employee’s home computer is made — even if they are sorted out by an e-discovery vendor before the reviewer sees anything. For the employee, the employer’s simply copying that data constitutes a breach of privacy.
The technical challenges of preserving and collecting data from these sources are daunting. Because there are two basic types of desktop and laptop computers — those with Windows operating systems and Macs — it has been relatively easy to develop tools (EnCase, FTK Imager, Hard Copy and others) to make forensically sound copies of computer data as well as to image data on email and file servers.
By contrast, each cellphone or PDA is different from all others depending upon the make, version (e.g., 2.0, 3.0) and service provider (AT&T, Verizon). Some phones store important information on SIM or SD cards within the phone, while others store the same information in the phone’s memory itself. Thus, whether a tool performs a “logical acquisition” of the SIM and SD cards, a “physical acquisition” of the phone’s memory or both will make a world of difference as to what the tool can collect. Tools are said to “support” a device if they can acquire the data from that model, version and using that carrier; if the device is “unsupported,” the best an analyst can do is to take screen shots of everything he or she can find on the device — obviously, a lengthy, and thus expensive, process.
The challenges devices present pale in comparison to those presented by social media. There are very few tools available to collect data from social media, and all of them, unsurprisingly, are in their infancy. Moreover, the social media itself is always changing, even more so than are cellphones and PDAs. The Facebook user may have noticed a change in the form of the Facebook “timeline,” but that is only one of numerous changes. Most are in ways users cannot see, but are crucial to anyone attempting to capture a Facebook page.
Facebook and other social media constantly change how their data is stored. Facebook and many other social media sites do allow you to download data from the webpages, but the effectiveness of those applications to collect data has not been vetted technically or court-approved under Daubert or Frye. Thus, how to get data from social media sites remains an open technical question.
The new devices also present legal challenges. What legal recourse, for example, does an employer have, and what repercussions with regard to e-discovery does an employer face, if the employee refuses the employer access to a source that contains the employer’s IP?
Opposing counsel can move to compel production by the employer under the theory that by allowing the employee to store company IP in such sources, those sources are, de facto, under the “control” of the employer. The court may agree and impose sanctions upon the employer for failure to produce data from the recalcitrant employee, reasoning that the IP is the employer’s property and the employer’s choice to allow the employee to store the data on the employee’s device does not alleviate the employer’s production obligation. Of course, the court may also disagree, but there is no body of case law and the e-discovery night is, so to speak, still young. It must also be noted that states are enacting laws preventing employers from compelling employees to provide them with access to their social media sites.
Opposing counsel can also subpoena the data from the employee as a third party. Should the employee be subpoenaed, would that employee be entitled to counsel separate from his or her employer’s? The answer would seem to be yes, as the employee would have privacy and property interests separate from the employer’s; for example, the attorney reviewing data from the employee’s home devices might see job offers from rival companies and other materials that might compromise the attorney’s duty of loyalty if the attorney also represented the employer.
Who, then, should pay for the employee’s attorney? Imagine that there are five, or 10, or 20 employees similarly situated. When the employer must produce e-discovery, the cost “savings” in allowing employees to use their own devices in the workplace can get pretty expensive.
The legal expenses involved in searching an employee’s devices can grow even more when a Rule 34 search is involved — generically named for the federal rule that allows it, although the rules of virtually all states allow it as well. The search takes place when the court grants an opposing party’s motion to search its opponent’s, or a third party’s, devices. Typically, the opposing party conducts the search and forwards the results not to its counsel but to counsel for the owner/custodian of the devices, who then reviews for responsiveness and privilege, as he or she would in any other discovery matter, and produces the responsive data along with a privilege log, assuming one is needed. Again, the cost of counsel here will not be inconsiderable, and if many such searches must be conducted, the costs will rise astronomically.
It is uncertain how these issues will play out, what effect they will have and what other issues will arise. What is certain is that the increased use of personal devices in the workplace will lead to new legal issues with regard to e-discovery.
As with the problem created by user-owned and controlled devices and cloud storage in the workplace, so with the solution: the bad old days pendulum had swung to the good old days but now is swinging back, to the bad new days. Initially, there was no e-discovery per se. Rather, at one extreme, digital forensic examiners extracted data using techniques developed by law enforcement (where many of the analysts worked before heading to “greener” pastures), while, at the other extreme, custodians printed out or forwarded their self-selected and self-collected files to counsel, who produced them all in paper.
As, however, the vanilla model of Windows-based computers usually accessing Exchange and file servers grew to dominate the workplace, collection devices and data processing and review applications got better and became widely known within the world of e-discovery professionals.
E-discovery has not become “commoditized,” but it certainly has taken great steps in that direction.
The advent of user-controlled personal devices and cloud locations, however, has and will force a return to vendors needing to develop tools to collect, process and allow the review of the data residing in these locations. As a vendor, I can report that each social media collection, for example, involves the in-house development or modification of an application. The processing of data captured from devices often involves creating conversion applications so that the data can be exported into the review database format with which e-discovery counsel have become familiar.
As new devices continue to be released and social media and cloud sites continue to be reconfigured, the one-off matters that cannot be addressed by conventional e-discovery tools will become, if not the rule rather than the exception, at least far more prevalent. This means that e-discovery vendors will have to continue to develop applications to collect and process the data housed in those locations.
For clients, who may be accustomed to thinking of e-discovery as a service separate from digital forensics, and who do not look for expertise in the latter unless the matter at issue involves theft of intellectual property or other investigative matters that require digital forensic analysis, it means that, when selecting vendors, clients will have to consider how digital forensics informs the e-discovery services vendors provide. •
Leonard Deutchman is general counsel and administrative partner of LDiscovery, a firm with offices in New York City, Fort Washington, Pa., McLean, Va., Chicago, San Francisco and London that specializes in electronic digital discovery and digital forensics.