Business & Practice

‘Bring Your Own Device’ Guidance for Companies on the Way

Feb. 16, 2018, 6:10 PM

• Sedona Conference issues for public comment a publication to assist companies in developing Bring Your Own Device policies

• Guidance comes as more companies allow employees to use their own devices for work

[Image "" (src=https://www.bloomberglaw.com/document/X8FPSHAS000000/download?imagename=IC66140.PNG)]Companies and law firms are getting a new resource on whether—and how—to allow employees use their personal electronic devices for work purposes.

The Sedona Conference has released for public comment its first-ever commentary designed to help organizations develop workable, legally defensible “Bring Your Own Device” (BYOD) policies.

Companies are increasingly allowing their employees to use their own smart phones, tablets, and other personal devices for work. While there are many benefits to BYOD policies, they also increase cybersecurity risks and can create discovery-related headaches for companies.

The legal policy and educational institute’s new publication—"Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations"—aims to fill a resource gap for companies struggling to structure legally sound and technologically secure BYOD policies. The publication is a project of Sedona’s Working Group 1, which focuses on electronic document retention and production.

“We are deep into the second data and e-discovery tsunami” as data moves beyond server rooms and office desktops, William Hamilton, executive director of the University of Florida Law School’s E-Discovery Project, told Bloomberg Law.

“Employees are using their smartphone for business purposes,” he said. “Text messages today are what email used to be—quick, unadulterated, revealing communications. The Sedona BYOD principles are less a wake-up call and more a mandatory call to action.”

The BYOD Tradeoff

BYOD policies can help employees balance work and life interests while also increasing their productivity. Meanwhile, organizations can reduce their spending on devices and servers.

But allowing employees to use their own devices to access and create company data comes with potential pitfalls, not the least of which is cybersecurity.

“From a cybersecurity standpoint every device is a potential vulnerability,” Seth Rothman, a New York-based partner at Hughes Hubbard & Reed LLP, told Bloomberg Law. He is head of the firm’s data privacy and cybersecurity practice group and co-chair of its eDiscovery practice group.

However, allowing employees to stay connected to work while outside the office has become essential to the way businesses operate, Rothman said. Therefore, it’s critical to have policies and technical fixes in place to help ensure that business information remains secure.

Angie’s List, Lynyrd Skynyrd, & Headphones

Because companies can’t exert as much control over data on employees’ devices versus company-owned devices, BYOD policies present new challenges to locating and preserving information that is needed during litigation.

The challenges are evident in a number of recent discovery rulings.

In a January 2017 decision, a federal magistrate judge held that consumer-recommendation website Angie’s List couldn’t make its former employees hand over GPS data from their personal cell phones that they also used for work purposes. The former sale representatives alleged that Angie’s List wrongfully denied them overtime compensation, and the company claimed that cell phone data would help it determine when the former employees were working.

In other cases, companies have been sanctioned for falling short of their legal obligations to hand over information located on personal devices or accounts.

Last August, Los Angeles-based independent record label Cleopatra Records Inc. wassanctioned in its unsuccessful legal battle over a feature-length biopic about southern rock band Lynyrd Skynyrd, because the film’s director didn’t preserve text messages when he got a new phone.

More recently, a the U.S. Court of Appeals for the Second Circuit in January rejected an audio equipment maker’s argument that it shouldn’t be held accountable for the deletion of emails and messages from their employees’ personal accounts.

The appeals court faulted the company for failing to have a “software usage policy in place requiring its employees to segregate personal and business accounts or to otherwise ensure that professional communications sent through personal accounts could be preserved.”

The BYOD Principles may help companies head off such sanctions. Three of the five broad principles address e-discovery directly:

Principle 3: Employee-owned devices that contain unique, relevant ESI should be considered sources for discovery.

Principle 4: An organization’s BYOD policy and practices should minimize the storage of—and facilitate the preservation and collection of—unique, relevant ESI from BYOD devices.

Principle 5: Employee-owned devices that do not contain unique, relevant ESI need not be considered sources for discovery.

“The Sedona BYOD principles do a great job setting the table and mapping the landscape of BYOD legal mines: permitting or not permitting BYOD devices; who owns the devices; should the device have dedicated software apps employees must use; encryption; collection; privacy, etc,” Hamilton said.

“Few of these issues are brand new,” he said. “The problem is the all the issues of electronic discovery that we’ve struggled with over the past 15 years are now on on steroids when it comes to BYOD.”

Look Before Jumping

Sedona’s BYOD Principles provides companies a framework to evaluate whether to adopt a BYOD policy, and how to develop such a policy.

Factors that Sedona says companies should consider before implementing a BYOD policy include:

• the sensitivity of the information that would be accessed or stored on the devices;

• the organization’s legal obligations to restrict disclosure or use of the data; and

• the ability of the organization to exercise practical and legal control over the data.

“What we are saying is don’t jump without looking first,” Kenneth J. Withers, Deputy Executive Director of The Sedona Conference, told Bloomberg Law. Like other types of information governance decisions, BYOD policies and practices must be discussed at the proper levels within an organization, he said.

In addition to cybersecurity and discovery concerns, companies must also consider how they are going to comply with their legal and regulatory obligations, the proposal says. It also advises companies to proactively manage their BYOD policies and consider their employees’ privacy interests.

Organizations must make sure that their policies are reasonable and transparent, David Moncure, Data Privacy and eDiscovery Counsel at Shell Oil Company, told Bloomberg Law. Moncure was a leader of the team that drafted the Sedona guidelines.

But a BYOD policy is useful only insofar as the company enforces it, Rothman said. “People are very good at coming with policies but once they get written there is a tendency to just throw them in a drawer.”

Comment Period

The public comment period for the Sedona proposal ends on March 26.

Attorneys interviewed by Bloomberg Law said that the Sedona Conference publication will provide companies with a basis to demonstrate that their BYOD polices are reasonable.

“Sedona’s Commentary on BYOD is another excellent best practices guide that I am sure will be cited widely and will end up being of great practical benefit to practitioners,” Jason R. Baron, a Washington-based attorney at Drinker Biddle & Reath LLP, told Bloomberg Law. Baron is a former steering committee co-chair of Sedona Working Group 1.

Issues that could be addressed during the comment period include how companies should consider new technologies or developing areas of law, such as the EU’s General Protection Data Regulation.

The appendix on “BYOD in the International Context” is important and should be “updated to expressly embrace the fact that the EU’s GDPR, effective in May 2018, may yet affect the way organizations craft their BYOD policies—especially with respect to personal data residing on such devices,” Baron said.

Others said that they would like to see the publication embrace how BYOD policies confer discovery-related benefits as well.

“BYOD is an opportunity to obtain important, real, pressing, hot, and potential[ly] determinative evidence,” Hamilton said.

“Think of any conspiracy and plan and tell me the perpetrators are not texting about it,” he said. The traditional e-discovery mindset is to focus on the costs, rather than the potential cost upsides of quick access to key information that could bring a matter to a quick conclusion, he said.

“I hope the next Sedona BYOD project will embrace BYOD and focus on how we can quickly and easily [obtain] this critically important BYOD evidence.”

To contact the reporter on this story: Michael Greene in Washington at mgreene@bloomberglaw.com

To contact the editor responsible for this story: S. Ethan Bowers at sbowers@bloomberglaw.com

To read more articles log in.