New Guidance On Employee-Owned Device Discovery
The Sedona Conference: Five principles on BYOD
Posted on 05-01-2018
As technology continues to evolve, organizations are increasingly facing challenges concerning whether, and to what extent, they allow employees to utilize their own devices for work purposes. When employees use their own personal, privately-owned devices to access, manage, and store organization information, organizations are frequently asked to produce information from those devices in litigation, which can impose significant costs on the employer. Whether such information is within the employer’s possession, custody, or control and whether that information is more readily available from other sources are frequent sources of disagreement.
Recently, the Sedona Conference, a non-profit legal research and educational institute that is often cited by courts, weighed in on so-called “Bring Your Own Device” or “BYOD” policies and some of the discoverability issues involved with employee-owned devices. Although the Sedona Conference’s guidelines are unlikely to resolve many of the day-to-day disputes over BYOD discovery issues, they do shed light on the need for employers to take discoverability issues into account when setting BYOD policies.
The Sedona Conference: Five Principles
To provide guidance on this issue, the Sedona Conference recently released “Commentary on BYOD: Principles and Guidelines for Developing Policies and Meeting Discovery Obligations.”1 This commentary contains five principles regarding the considerations that organizations should address when determining whether to permit the use of employee-owned devices. For organizations that choose to allow or require their employees to use their own devices, the principles also provide a list of precautions and actions organizations should take to ensure they comply with their legal and discovery obligations. The five principles are:
Principle 1: Organizations should consider their business needs and objectives, their legal rights and obligations, and the rights and expectations of their employees when deciding whether to allow, or even require, BYODs.
Principle 2: An organization’s BYOD program should help achieve its business objectives while also protecting both business and personal information from unauthorized access, disclosure, and use.
Principle 3: Employee-owned devices that contain unique, relevant electronically stored information (ESI) should be considered sources for discovery.
Principle 4: An organization’s BYOD policy and practices should minimize the storage of—and facilitate the preservation and collection of—unique, relevant ESI from BYOD devices.
Principle 5: Employee-owned devices that do not contain unique, relevant ESI need not be considered sources of discovery.2
Based on these principles, the Sedona Conference suggests that organizations should first assess the pros and cons of permitting their employees to use BYOD devices.3 In making this determination, organizations may want to consider their size, cost concerns, privacy concerns, and legal factors that would affect the organization’s ability to access organization data on the BYOD devices.4
One of the key legal factors, as the Conference recognized, is whether an organization may access its own information on the employee’s private device.5 This issue alone implicates data protection laws, labor laws, and other laws and policies.6 Accordingly, organizations should consider that significant legal implications may arise if the organization is required to turn over ESI, but it is unable to access the employee-owned devices that contain the relevant information.7
If an organization chooses to allow its employees to use BYOD devices, the Sedona Conference guidance supports the implementation of BYOD protocols.8 According to the Conference, those protocols should:
- Clearly state the organization’s expectations regarding the use of the BYODs and the organization’s access to them;
- Consider the organization’s objectives;
- Protect the organization’s business information;
- Consider the employee’s privacy interests; and
- Consider the employee’s protected private information that is stored on the BYOD device.9
Additionally, the guidance suggests that organizations should ensure that employee-owned devices are not used to transmit or store unique organization information.10 In other words, an organization should ensure that all of its data is also contained on, and more readily accessible from, organization sources. For example, organizations should ensure that all organization email is stored on organization servers and not solely on the BYOD devices.11
In addition, the need for all data relevant to the organization to be stored within the organization, and not just on employee-owned devices, extends to other data sources, such as text messages, which can present additional hurdles for the employer.
Complications associated with text messages may include difficulty regulating the use of text messages, the inability to easily store text messages within the organization, privacy concerns of employees who may use their BYOD device to text for both personal and work purposes, and the difficulty and expense of accessing old text messages. Nonetheless, employers can limit these issues by crafting BYOD policies that restrict employees’ ability to send work-related texts on BYOD devices and instead require the use of organization-sanctioned texting systems.
Because discovery of BYOD devices is generally subject to a proportionality and reasonableness test, if an organization can demonstrate that an employee’s BYOD device only contains information that is largely duplicative of that contained on organization servers, it may reduce the likelihood that the organization would be required to produce information stored on BYOD devices.12
Likewise, BYOD protocols should clarify that the organization does not have possession, custody, or control of information contained on BYOD devices. That being said, because tests for determining possession, custody, and control vary by jurisdiction, so too might the effectiveness of these disclaimers. By implementing thorough and thoughtful BYOD protocols, organizations can limit their exposure to employee-owned device discovery.
Conclusion
Given the increasing attention being paid to BYOD discovery issues, organizations are best advised to weigh the practical and legal implications carefully when determining whether to allow employees to use their personal devices for work purposes. If an organization does choose to allow or require its employees to use BYOD devices, it is in the organization’s best interest to implement clear policies that set reasonable expectations between the employer and the employee and best position the organization to defend against potentially costly employee-owned device discovery.
Reference
1 The Sedona Conference Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations (January 2018), available here
2 Id. at 5.
3 See id. at 6-7.
4 Id.
5 Id. at 7.
6 Id.
7 See id. at 9.
8 Id. at 11.
9 Id. at 11-16.
10 Id. at 23-24.
11 See id.
12 See id. at 23-25.
Author Bio
Amy D. Fitts guides clients through all stages of litigation from complex electronic discovery issues through summary judgment, trial, and appeal. She frequently represents financial institutions, health care companies, and other businesses in the state and federal courts. Although her practice focuses largely on commercial class actions and multidistrict litigation, Amy has significant experience representing corporate clients in a wide range of business-related disputes. Visit www.polsinelli.com
Caitlin Morgan focuses on finding creative solutions to complex problems. Her clients count on her guidance through all stages of litigation, from complex electronic discovery issues through dispositive motions, trial, and appeal. Caitlin works closely with her clients to understand their business objectives and develop an efficient and cost-effective way to achieve those goals. Visit www.polsinelli.com
Ashley N. Gould is dedicated to helping clients efficiently and effectively strategize litigation matters that can disrupt or even derail their business objectives. She takes pride in bringing a collaborative and strategic brand of representation to each matter. Clients value her transparent communication style as much as they value her ability to zealously advocate for them through the entire litigation process. From pre-trial discovery through trial, clients appreciate that she is present and accessible each step along the way. Ashley’s practice centers on representing businesses, organizations, and individuals in commercial litigation matters and disputes. Visit www.polsinelli.com