A recent article on Dell Computer’s “Tech PageOne” blog suggests that the advent and growth of BYOD (“Bring Your Own Device”) policies will serve to shield companies from eDiscovery costs. The article suggests that the use of personal devices for business purposes will place those devices beyond the control of employers, thus excusing them from the obligation to produce the data they contain. Privacy concerns, the article posits, would ultimately trump any compliance, discovery or production obligations.
Now before you rush off and rewrite your internal security policy to allow, encourage, or even require BYOD, let’s think this through. BYOD will not serve to excuse employers from their preservation and production obligations. Preservation obligations don’t arise from convenience, they arise from statutory and common law duties. For a company that allows BYOD, internal procedures and policies must address collection from personal devices – anything less would be negligent. It’s not difficult to envision a court imposing sanctions for discovery omissions created by the existence of relevant data beyond a litigant’s custody and control where the litigant should have reasonably anticipated the need to preserve and produce that data.
Instead of assuming privacy concerns and “custody and control” arguments will excuse fundamental compliance and discovery obligations, employers who permit BYOD are obliged to consider the retention implications of such a policy and to put sufficient controls in place to allow discovery of data held on those devices to occur. Requiring employees to sign privacy waivers is a far more likely outcome. Indeed, a waiver policy would also serve important data protection goals for such situations as departing employees whose personal devices hold proprietary or sensitive information.
Rather than reducing eDiscovery costs, BYOD is more likely to increase them, as data is stored in different formats and structures on diverse and non-uniform devices, necessitating manual collection and culling efforts. It’s also true that storage of identical data in different formats across multiple operating systems increases the likelihood that conventional de-duplication methodologies will fail, resulting in over-processing and unnecessary review.
BYOD may look great to manufacturers like Dell, who would, I’m sure, love to circumvent corporate procurement policies and discounts by selling business devices to individual employees. A thoughtful approach to the risks and rewards of BYOD should account not only for the security implications of such policies but the potential eDiscovery issues as well. Those issues are almost certain to tip the scales against BYOD without strict controls and privacy waivers.
No comments:
Post a Comment