Exterro's Legal GRC Breakdown



Bracing for the E-Discovery Dangers of BYOD

Created on July 9, 2013

The full version of this article is available on CMSWire.com here.

By: Ajith Samuel, Executive Vice President of Process Innovation, Exterro, Inc

In today’s fast-paced business environment, companies are increasingly permitting their employees to use their own devices, such as smart phones and iPads, to perform business functions. Known as Bring Your Own Device (BYOD), this trend has revolutionized employee work habits. According to a recent survey by Cisco, 42 percent of employees own the personal mobile device used for work purposes. From a purely business perspective, the impact of BYOD has been largely positive. Companies save money and resources by not having to purchase and support new equipment. They also reap the benefits of a more flexible and productive workforce. The Cisco study estimates that the annual benefits from BYOD range from $300 to $1,300 per employee, depending on the employee's job role.

While BYOD may have its immediate benefits, it has also brought with it a host of legal and administrative risks, especially with respect to litigation, investigations and corresponding e-discovery requests.

Recognizing that mobile device ESI is legally discoverable is step one; being able to manage those devices, and capture, preserve, search, collect and produce relevant ESI stored on them is a much tougher corollary for legal, IT and records management professionals alike. Unlike more traditional sources of ESI, such as databases and email systems that are often subject to enterprise-wide retention and usage policies, mobile devices exist in the “wild,” often outside any shared corporate networks. In most cases, legal teams have very little visibility into what ESI actually exists on employees’ mobile devices, let alone the necessary technology to extract the information when it is identified.

Developing a BYOD Policy

The first step in weathering the BYOD storm is developing a corporate-wide BYOD policy. It is important to remember that personally owned devices are not company property. Organizations can’t simply seize a device and extract its data without the device's owner consenting to such an action. For this reason, the BYOD policy must be forthright and comprehensive, as well as sufficiently fluid to account for the impressive pace at which new devices and applications hit the market.

Every organization will address the issue differently based on a variety of factors, including the nature of the workforce, litigation profile, regulatory requirements, internal IT resources and, of course, the nature of data being produced. In general, the BYOD policy should clearly articulate the company's rights with respect to monitoring and accessing all the ESI stored on employees’ mobile devices. It should address, in specific terms, an employee's obligations regarding device security, password requirements and procedures for lost or stolen devices. Organizations should also include specific language around approved and non-approved business usage. For example, a company might allow the use of personal devices for emailing but prohibit their use for recording meetings.

Once the policy is created, it must be sufficiently communicated and explained to the employees so they are aware of the legal implications of BYOD, positively acknowledge the key elements of the program and understand the consequences for failing to abide.

Managing the Technical Complexities

Beyond creating guidelines on how employees should use their mobile devices for work purposes, organizations face a number of technical complexities with BYOD. The variety of smart phone and tablet models has increased exponentially in recent years, requiring IT teams to stay abreast of the growing list of platforms, manufacturers, models and software versions deployed when e-discovery demands arise. Furthermore, the information sources on mobile devices range from email, SMS messages and location data to voice mails and social networking content. The ESI formats associated with these various applications can differ greatly. Organizations must be able to not only extract the data but place it in context with other potentially relevant ESI so that it can be fully analyzed for relevancy and significance. Further complicating matters, the ESI identified may not actually be stored on the device. It may reside in the cloud or on a separate server.

One way to limit the burdens of mobile device e-discovery is to ensure that mobile data from key custodians is regularly backed up onto more accessible ESI sources. For specific employees who are frequently subject to preservation orders, organizations should make it a priority to frequently copy critical work documents onto the corporate network. Similar to ESI stored on backup drives, this process will allow the corporate legal team to argue that ESI stored on targeted mobile devices is duplicative and out of the scope of discovery.

Incorporating Mobile Device ESI into Existing E-Discovery Workflows

BYOD is a relatively new trend that only figures to grow and hybridize. While most organizations have little to no experience dealing with mobile device e-discovery, chances are that most will be exposed to it at some point in the near future. It is imperative that legal teams proactively update their e-discovery processes to account for mobile device ESI in future cases. Examples of this in practice might include updating the legal hold policies to include mobile devices on the list of data sources requiring preservation and collection or establishing specific reports that detail mobile device e-discovery activities that can be used to validate the defensibility of the process.
