Managing eDiscovery in the BYOD Era
As technology advances, businesses and employees are embracing “bring your own” opportunities beyond “bring your own device,” or BYOD – which refers to when employers allow or even mandate employees to bring their own personal computers, smartphones, or tablets to work. While embracing these changes may provide business efficiencies, businesses should carefully consider the technical ramifications of new technologies and remain mindful of their discovery obligations. They need to understand data preservation and collection requirements and obligations, as well the extent of their legal and technical ability to access information on employee-supplied mobile computing sources.
Options for Bring Your Own
Crafting organization-specific programs and policies first requires understanding the mobile technologies available. In addition to bring your own device, BYO includes terms and technologies such as:
- Bring your own everything (BYOx), an all-encompassing term that refers to employees’ use of personal technology to perform work tasks
- Bring your own apps (BYOA), refers to employee use of third-party applications and cloud services in the workplace, such as Google Spreadsheets or Evernote
- Bring your own access (BYOA), refers to employees providing their own wireless access to an organization’s systems, usually though mobile hotspots such as 5G mobile phones
- Bring your own cloud (BYOC), refers to employees’ use of the cloud service of their choice in the workplace, such as employee-controlled Google Dox or Dropbox
- Bring your own encryption (BYOE, or sometimes BYOK for bring your own key), refers to cloud-computing security processes that let cloud service customers use their own encryption software and manage their own encryption keys to access an organization’s cloud-based system. These include Google Compute Engine, Amazon Cloud HSM, Microsoft Azure, and Adobe Creative Cloud
- Bring your own identity (BYOI), refers to digital authentication in which an employee’s credentials (username and password) are managed by a third party, often a social networking site like Facebook, for logging into company systems
- Bring your own network (BYON), refers to end users’ ability to create or access alternative networks rather than the organization’s through the use of mobile phones to create a personal hotspot
- Bring your own technology (BYOT), refers to policies that allow employees to use their personal electronic devices at work
- Bring your own wearables (BYOW), refers to the use of employee-owned wearable computing devices, such as smart watches, in a business setting
Other programs to consider when evaluating technology-use policies include those for devices that are company-owned, personally enabled (COPE), and company-owned, business-only (COBO).
Questions for BYO and eDiscovery
Once an organization understands the possibilities for BYO, which grow and change regularly, it should carefully consider what type of BYO program, if any, is compatible with its business purposes, security needs, and eDiscovery obligations. Questions to be considered include:
- Is having a BYO program advisable and appropriate for the organization? Is it advisable for every employee, or a subclass? What type of BYO program is appropriate?
- How will employees be notified of policies, security requirements, and preservation and collection rules?
- What will be the retention and collection policies for mobile data?
- Will there be regular updates to policies, and will employee acknowledgement be documented with each update? Who will be responsible for ensuring this occurs?
- Who will track mobile devices and technology updates, and how will it be done?
- What technologies will be employed to manage mobile data?
- How will mobile data be backed up?
- How will BYO policy change to accommodate unknown or not-yet-available technologies?
- How will mobile data be collected and produced, should it become subject to eDiscovery?
- What technology will be used for mobile collection?
- How will this data be preserved, collected, processed, and prepared for e-discovery purposes?
- Who will keep track of preservation and collection, and how will it be done?
- How will data on former employee devices be preserved and collected? What about communications with third parties?
These are just some of the questions to be considered as BYO moves beyond devices. BYO programs and policies should consider enabling employee efficiencies and protecting corporate security, as well as potential discovery obligations. And organizations should recognize that any implementation of BYO programs and policies will be constantly changing.