Here are Five BYOD Principles to Consider from a Highly Respected Source

Information on BYOD

In our last post (BYOD Could Mean Bring Your Own Disaster to Some Companies), we discussed some of the potential pitfalls of Bring Your Own Devices (BYOD) in organizations and three ways to keep BYOD devices from becoming a disaster in your own organization. One of those ways was to implement a formal BYOD policy and here’s a great Commentary from a highly respected source with five terrific principles for addressing BYOD policies and BYOD devices in discovery.

The Sedona Conference Commentary on BYOD

The Sedona Conference® (TSC) is a nonpartisan, nonprofit 501(c)(3) research and educational institute dedicated to the advanced study of law and policy. TSC has published numerous resources related to technology and discovery on everything from cooperation to guides for judges to proportionality and privilege and so forth. It’s a highly respected organization which has several working groups with experienced industry professionals committing their time to create resources to improve the practice of law.

In 2018, TSC published The Sedona Conference Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations. The Commentary is primarily focused on five principles for BYOD. The first two principles are focused on whether an organization should allow or require BYOD devices and how to develop and implement a BYOD program. The last three principles are focused on discovery obligations when it comes to BYOD devices.

Five BYOD Principles

Here are the five BYOD principles, with our comments about each:

• Principle 1: Organizations should consider their business needs and objectives, their legal rights and obligations, and the rights and expectations of their employees when deciding whether to allow, or even require, BYOD.One notable comment tied to this principle is that “Significant legal implications may result if the organization is unable to access its business information on employee-owned devices.” We’ve seen a lot of litigation arise regarding company trade secrets and mobile devices are often highly relevant in cases like those. It’s important to consider and develop a game plan for potential discovery of mobile devices before litigation occurs. Doing so after it occurs may be too late.
• Principle 2: An organization’s BYOD program should help achieve its business objectives while also protecting both business and personal information from unauthorized access, disclosure, and use.A notable comment here is “Organizations should consider requiring employees to agree to the terms of the BYOD policy.” This is great advice and establishes expectations with employees as to what they can expect in terms or privacy on the devices vs. the obligations to make those devices available for investigation and litigation.
• Principle 3: Employee-owned devices that contain unique, relevant ESI should be considered sources for discovery.We would add the word “always” before “should be” in that sentence. BYOD devices may not be discoverable in every case, but they should at least be considered in every case. As we discussed in the post Busting the Myths Associated with Mobile Device Discovery, text messages, files, photos, videos, phone logs, phone notes files, phone voice memos and geolocation data is all data that is typically only located on the mobile device and is often discoverable. If you’re not considering that data as a potential source of unique, relevant data in discovery, you’re making a mistake.
• Principle 4: An organization’s BYOD policy and practices should minimize the storage of––and facilitate the preservation and collection of––unique, relevant ESI from BYOD devices.This principle discusses the proactive management of BYOD devices, which we recommend. However, we’ve seen on numerous occasions a need to conduct a forensic image to uncover attempts at hiding bad acts (such as theft of intellectual property), so it’s important to remember there are cases where you’ll need to collect everything. A BYOD policy signed by employees will establish the right to do so.
• Principle 5: Employee-owned devices that do not contain unique, relevant ESI need not be considered sources for discovery.True, but in many cases, it may be necessary to conduct at least a cursory investigation of the device to confirm that it doesn’t contain unique, relevant ESI and it’s important that you work with an experienced investigator that knows where to look. Until then, you won’t know for sure whether it has unique, relevant ESI or not.

Conclusion

TSC’s Commentary on BYOD is an excellent resource for best practices for handling BYOD devices in your organization and how to handle them in discovery. You can access it free here. You should also consider setting up a free account on the TSC website to access the many other useful resources they have published as well!

Addressing BYOD devices in discovery starts before litigation even begins and it’s important to keep in mind how much we use our mobile devices for so many things today when considering those BYOD devices as potential sources of unique, relevant ESI. Here are some tips and information on the security provided with BYOD policies. Don’t wait until it’s too late!

For more information about Forensic Discovery’s Mobile Phone Forensics services, click here.