The need to stay connected these days applies not only to our social universe, but also to our business universe. The result is a trend known as “bring your own device” or “BYOD.” BYOD is the practice where employees use their own personal devices, such as smart phones, tablet devices and laptops, to access company emails, information and applications. While this practice may seem harmless, there are potentially negative consequences of the BYOD trend. With that in mind, here are some essentials for companies and employees to keep in mind about BYOD.
The BYOD trend has companies and employees thinking about data security. The risks inherent in the use of personal devices for work-related purposes exist in relation to the devices themselves, as well as the functions they perform. In relation to the devices themselves, personal devices often have storage capabilities both locally and in the cloud, thus companies have much less control over data when compared to traditional office desktops and laptops. Also, with personal devices, cybercriminals may obtain access to the device and corporate data; an employee may lose a device, causing it to be the target of retrieval by an untrusted party; or an employee may leave a company with the data still on the device, thus making the data susceptible to deletion or leaking to competitors.
As far as functions performed on the devices, risks may arise as a result of downloaded applications. Many third-party applications often require interplay between the application and the data on the device, thus posing security risks to the extent there are corporate data located on the device. It is important for companies to define clearly for employees those applications and activities that the employees are permitted to access, and companies should frequently remind employees about the risks and the permitted uses.
Acknowledging and addressing these data security threats early and frequently will help minimize some of the risks associated with the BYOD trend.
ESI on employee devices is legally discoverable. Many companies however do not know this. They are unfamiliar with the types of ESI that exist on personal devices, or they do not know how properly to extract the ESI. The types of ESI that exist on personal devices may include emails, voicemails, SMS messages, social networking content and Microsoft office files, to name a few. Just like ESI that exists on a work desktop computer, relevant ESI on personal devices needs to be located, managed, preserved, collected and produced. These steps cannot be accomplished without a sound BYOD policy, as well as authorization to access an employee’s personal device.
Access to relevant ESI on an employee’s personal device is not automatic, thus, companies should proactively include within their BYOD policy a provision that addresses the company’s right to access the employee’s personal device. Such a provision should set forth the scope of the access. Assuming this is done and the employee signs off on the policy, access to relevant ESI is possible.
While there are many other components of the BYOD trend that companies and employees should consider and address, the above-mentioned essentials provide a good starting point in tackling some of the issues surrounding the BYOD trend.
Neda Shakoori is an attorney with McManis Faulkner. Her practice focuses on civil litigation with an emphasis on commercial and business law matters. She is currently leading the firm’s eDiscovery Initiative and oversees all ESI-related issues in the firm’s cases. For more information, please visit mcmanislaw.com.