March 28, 2017 Practice Points

BYOD: Practices and Policies to Promote Preservation

Opting not to issue cell phones to employees may end up being costlier in the long run.

By Margaret Ong’ele

Health law litigation, like almost all litigation, increasingly focuses on electronic data and the electronic devices on which that data is transmitted and kept. With the sharp increase in the use of mobile electronic devices within the last few years—including employee-owned devices used for company business—the question of how to control the use, storage, and transmission of company data has become increasingly urgent. Is your client ready to gather and preserve all the documents that could be out there for use in litigation when it is time? 

The BYOD Culture
According to the Pew Research Center’s Jacob Poushter, a survey of cell phone ownership in the United States showed that about 72 percent of adults in the United States who were polled owned a smartphone, which is a cell phone that can access the Internet and functions as a handheld computer. Jacob Poushter, Smartphone Ownership and Internet Usage Continues to Climb in Emerging Economies, Pew Research Center (Feb. 22, 2016). For type A personalities who like to stay on top of matters, smartphones are a way to expedite access and responses to work-related electronic communications; and where company-issued smartphones are not an option, employees will bring their own devices in a practice commonly known as bring your own device (BYOD).

This BYOD culture has potentially negative ramifications for companies that do not have policies to address such usage and the security and preservation issues associated with it. In other words, in companies with BYOD employees, some kind of usage rules are critical to ensure that preservation is not an issue if the company becomes involved in litigation.

Not only is a company’s control of employees’ use of company data essential to the management of litigation matters, such as the implementation of litigation holds to prevent charges of spoliation, but such control is also especially useful for companies in the health-care space, because the inventory, security, and confidentiality of health information are highly regulated and health information is often the object of cyberattacks and HIPAA violation complaints.

Consider the multiple and varied usage policies that different social media outlets maintain that could expose a company to liability. Facebook, for example, collects device information from users’ electronic devices to “help [Facebook] provide consistent Services across [each user’s Facebook-capable] devices.” The information collected by Facebook includes file and software names and types, IP addresses, “information about the websites and apps you visit, your use of [Facebook’s] Services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or [to Facebook].” Data Policy, Facebook (Sept. 29, 2016).

And then there is the increasingly popular practice of cloud computing, which facilitates both convenience in document retrieval and inadvertent security breaches when BYOD employees’ devices are set to automatically back up data into cloud storage with which a company does not have any sort of operating agreement or HIPAA-compliant confidentiality agreement.

BYOD Best Practices
By working hand in hand with its human resources and IT departments, a company exponentially increases the chances that it will have better access to all of its electronic data when necessary. Below are some steps that your clients can take to facilitate better management of BYOD practices.

Understand that there are several platforms and know how they function. While email and text messages are the most common media by which most people communicate, several other mobile applications cater to different communication styles by sharing information in different ways.

Unfortunately, the ease with which an application transmits information is almost always the most important consideration for users, at the expense of privacy and security. And sacrificing security gives access to unauthorized users, such as family members who may share cloud and Internet account passwords, and to social media outlets that may have automated data backup and sharing capabilities.

Make an assessment of why the company’s employees use their devices at work. Why do employees use their own devices at work? Is it purely for the convenience of portability, or is the use of their electronic devices essential to their job functions? The answer to this question will determine the complexity of a company’s BYOD policy considerations.

Create and implement a BYOD policy that balances the company’s needs with employees’ protected rights. Implementing a BYOD policy may ease the management of litigation matters and enforce employee productivity, but it also increases the possibility of curbing employees’ rights as they relate to speech, protected activity, and overtime work, to name a few. It is essential that a company adhere to the relevant employment laws and regulations in creating a well-crafted BYOD policy.

Get employees’ consents or commitments as to their use of personal devices for work. Consider providing employees with the option of either completely abstaining from personal device usage in carrying out work-related tasks or agreeing to the company’s terms of personal device usage. Have employees sign an acknowledgement of the BYOD policy along with their new-hire orientation packet.

Implement usage rules and control mechanisms if opting for BYOD. For the sake of inventory, confidentiality, and compliance with applicable regulations, consider issuing predetermined parameters regarding settings that BYOD employees may choose and which applications they may or may not install on their devices. Storage settings, for example, can be a determinant in the legal question of spoliation. In PTSI, Inc. v. Haley, 71 A.3d 304 (Pa. Super. Ct. 2013), the defendants, who were accused of destroying electronic evidence, routinely deleted their cell phone data in order to create more data storage space. The court limited the application of spoliation to improper and intentional destruction of evidence, meaning that your company’s storage retention and deletion settings requirements should be implemented in a standard and consistent fashion to avoid unwitting incidents of spoliation.

Companies should also consider issues such as requiring access to devices and home computers that may have company records; offering remote security, content management, and support services on employees’ devices; prohibiting destruction of affected records; and, last but not least, finding a good insurance policy that covers the effects of a company-wide BYOD practice.

Make the entire company a BYOD-free zone. If implementing a BYOD policy is not practicable, consider completely prohibiting employees’ use of personal devices for work-related tasks. This is, after all, the cheapest and most efficient way to manage the personal device issue and ensure a more accurate inventory when a litigation hold is necessary.

Conclusion
While a BYOD culture lowers a company’s actual electronics expenditure, opting not to issue cell phones to employees may end up being costlier to a company in other ways in the long run. Issuing company cell phones gives an employer more control over employees’ use of such devices.

However, with the proliferation of and reliance on personally owned smartphones, many companies will find it difficult to eradicate the BYOD culture. In such situations, it is critical for companies to develop practices and policies that maintain security, confidentiality, and the company’s awareness of the quantities and locations of its electronic data so that they are ready when litigation comes a-knocking.


Margaret Ong’ele is an attorney in Dallas, Texas.


Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).