BYOD policies, or Bring Your Own Device policies, allow employees to use and access company information on their personal devices. You can send messages to coworkers on your personal phone's Slack app, between right swipes on Tinder. Instead of staying at the office all night, you can download corporate reports onto your home computer.
For many, BYOD policies are great. They give employees a bit more freedom to work where and when they want, on the device that's most convenient. For employers, the policies eliminate the need to provide workers with dedicated work phones and laptops. But when it comes to eDiscovery, BYOD policies can start looking like a very B-A-D idea.
Bring Your Own Device -- Back to the Lawyers
When company information is dispersed across dozens, sometimes hundreds and thousands, of devices, gathering it all back up for discovery purposes can be a real pain. If you're lucky, the relevant information has been securely archived on corporate servers. When employees sign in to a corporate app on their personal devices, for example, those devices may sync with corporate servers, creating a copy of any relevant data.
But that's a best case scenario. It's also often the case that a record hasn't been created or centralized, given the wide diversity in programs and devices out there.
If data is only saved locally on the device, it might be necessary to return the physical device itself in order to access information for discovery. "One of the challenges you clearly face is getting the device to come back into the organization to begin with," Galina Datskovsky, CEO of Vaporstream, recently explained to Legaltech News. "And that can be quite a challenge."
While current employees may be more willing to bring in their own phones and computers, it could be much more trying to get ex-employees to lend a hand. "Yes, there are subpoenas and things you can issue," Datskovsky says, "but it just makes the process fairly difficult."
Personal Data and Personal Deletion
And then, of course, there's the fact that corporate information may become intermingled with personal information. As part of information collection for discovery, companies may get access to protected personal information. This is a pronounced risk in jurisdictions, like the E.U., that place strict limits on what can be done with personally identifiable information.
And then there's the fact that necessary data might not be there at all. In one recent case, Small v. University Medical Center of Southern Nevada, a special master recommended sanctions after the university medical center failed to preserve data on BYOD devices, allowing employees to delete work-related messages from their personal phones.
We don't expect BYOD policies to go away anytime soon, however. The benefits in cost and productivity to employers and employees simply outweigh most of the risks. But when it comes to eDiscovery, BYOD isn't making any lawyers' lives easier.