Can Companies Control the Intermingling of Data Across Devices?
by Brad Berkshire, Director, Consulting & Digital Forensics
When employees working remotely have their own computer, tablet, or smartphone, a Bring Your Own Device (BYOD) policy allows them to use the devices they own to perform their work. It’s efficient: employees maintain their productivity and employers save money. However, it must be carefully managed to maintain the security needed to protect potentially sensitive or confidential information.
What is BYOD?
BYOD is a policy that enables employees to use their own personal devices to connect to their organization’s network to gain access to the data they need to perform their jobs. The devices commonly used for BYOD include smartphones, tablets, personal computers, laptops, and USB drives.
Some critical information that companies should include in BYOD policies:
- What devices and applications are authorized for business use
- Data storage practices and retention policies
- How the use of personal devices will be implemented
- How personal devices will be managed and monitored
- How data from personal devices will be preserved and collected, including segregation of personal content versus business content on a BYOD device
- In context of what the company is demanding, clear instruction to employees regarding the laws governing the use and protection of data contained on BYOD devices
- Clear delineation of what may be acceptable for personal use on a BYOD device, but which is not acceptable when it comes to use for business purposes
Companies must confirm that their employees understand that business data is always discoverable, regardless of where it is being generated. If an employee produces data or uses an application on their personal device for business purposes, this data must be preserved because it could be subject to a legal hold or eDiscovery request.
Vulnerabilities with BYOD Policies in Practice
The risks for some organizations will always outweigh the benefits. As seen in recent weeks, certain regulated industries, like financial services, are under intense scrutiny and subject to steep financial penalties for reporting infractions. And even when an employer provides secure devices, controls access, and establishes privacy protocols and strict BYOD policies, their workforce may still turn to personal devices for any number of reasons.
As a result, every company needs to worry about misunderstandings surrounding BYOD policies. Corporate eDiscovery directors, data managers and legal teams are facing continual litigation and investigations related to BYOD.
Here are some of the challenges presented by BYOD policies:
- Transparency. What’s to stop employees from doing things on their own devices? Suppose an employee has a corporate phone, but decides to open a message or conduct business-related conversations on a device without letting anyone know? What is the best route for companies to identify that as an issue?
- Data theft. If employees are allowed to use their own devices in an unrestricted manner, some of their personal applications may not have the most stringent security requirements. If a personal account is hacked, this could potentially also expose corporate data and confidential information.
- Malware. When devices are used for both personal and business tasks, a distinction must be made between valuable corporate data and information used for personal purposes. Should an employee download malicious software, it can easily access the confidential information of both the employee and the organization.
Even when an organization has a BYOD policy in place, it can still be difficult to monitor all downloaded applications and ensure that work communications are not being transmitted through unapproved applications. Depending on the jurisdiction, inconsistent court decisions on employers’ obligations to collect and produce data from BYOD devices, based on factual circumstances (such as the employer’s policies and the employee’s use of the devices), can directly impact the key question of “custody and control” and an employer’s true obligations.
Further considerations are also important. For example, which statutes supersede corporate policies? And for BYOD, will those statutes increase risk, or present challenges to data collection when and if it becomes necessary?
Best Practices For BYOD
Organizations must prepare for the eDiscovery issues that might arise from the rise in remote work and BYOD. BYOD best practices for companies include:
- Ensure that all the organization’s BYOD policies are current.
- Ensure that policies abide by all applicable privacy statutes. This will likely mean policies by state/region/nation within the organization, as well as training for employees on which statutes apply to employees’ use of devices and how the statutes impact employees’ use of business information.
- Distribute all BYOD policies to employees for review and signature while also ensuring that all employees are provided with enough training to knowingly accept the policies applicable to them.
- Offer an open line of communication for employee questions.
- Provide training regarding the use and implications of using personal devices.
- Conduct routine check-ins to ensure compliance.
End user education is critical to ensure that employees follow all document retention and IT security policies, and that they understand the duty they owe to outside counsel, in-house legal teams, and experts when they use their own devices. Training should cover legal hold obligations, management, and how privacy implications weigh against the enrollment terms for a BYOD device, to encourage employees to think the way legal experts and outside counsel do about ownership and the implications of BYOD.
Technical Complexity in Mobile Device eDiscovery
Mobile devices are one of the most rapidly multiplying data sources in the eDiscovery realm. Each device can hold a staggering amount of material and files. The collection and analysis of mobile devices presents unique challenges, including securing authorization to access devices, rapidly evolving encryption features, wildly varying content formatting, various device versions, and much more. The methods and tools used to approach mobile data are actively evolving, as are the standards that will ultimately guide them.
CDS provides a full range of Advisory Services, including assistance with mobile device/data collections, forensic analysis, and short message data collection, conversion, and review.