Companies that allow employees to use their own devices for work are increasingly facing thorny discovery disputes in litigation. Now, the influential Sedona Conference has issued a working paper addressing that problem.
Over the last twenty years employees have become accustomed to using their own personal devices for work. This has become known as "Bring Your Own Device" or "BYOD." With BYOD comes concerns about security, privacy, and discovery obligations. In January 2018, the Sedona Conference published the paper "Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations."The paper's aim is to help organizations develop BYOD policies and reduce discovery disputes.
Baseline Principles Offer Companies Guidance on BYOD
At its core, the Sedona Conference established five key principles on BYOD policies. The first principle is that "organizations should consider their business needs and objectives, their legal rights and obligations of their employees when deciding whether to allow, or even require BYOD."
It suggests that as an organization grows larger, a BYOD program might appear more attractive as it is less costly than issuing company-owned devices. However, with BYOD, "organizations that are parties to litigation may incur additional discovery costs to collect, review, and produce electronically stored information (ESI) from employees' personal devices to the extent the information is relevant and unique…."
The second principle is that "an organization's BYOD program should help it achieve its business objectives while also protecting both business and personal information from unauthorized access, disclosure, and use." The paper suggests that organizations explain to employees "that unique, relevant ESI may be subject to discovery." It should also address the organization's security concerns.
The third principle is that "employee-owned devices that contain unique, relevant ESI should be considered sources for discovery." This raises whether the employee-owned device is in the employer's possession, custody, and control. It also raises whether, under the Federal Rules of Civil Procedure, the ESI requested is proportional to the needs of the case.
The fourth principle is that "an organization's BYOD policy and practices should minimize the storage of—and facilitation and collection of—unique, relevant ESI from BYOD devices." Here, the conference proposes training employees to segregate communications between business email and personal email and not to store business files on personal devices. It recommends barring use of personal devices when needed for public safety, such as railroad locomotive engineers, or to prevent fraud, such as by securities traders.
Last, the fifth principle is that "employee-owned devices that do not contain unique, relevant ESI need not be considered sources for discovery." For example, the paper suggests that if the organization's server stores all email communications on the server, and synchronizes deletions, that the organization may have good reason to believe the personal devices do not contain unique ESI.
Asking Your Employees to Use Their Devices for Provokes Discovery Disputes
"BYOD becoming more of an issue as a general matter in some high-stakes litigation," says Sean O'D. Bosack, Milwaukee, Wisconsin, vice-chair of the Corporate Counsel Committee of the ABA Section of Litigation. "In some instances, when a company has a lot of IT infrastructure, sometimes adversaries in litigation attempt to turn disputes into a battle over e-discovery and spoliation."
Other Section leaders agree. "At the outset of a case, counsel are increasingly having discussions concerning the relevance and discoverability of information located on employee-owned devices," observes Amy D. Fitts, Kansas City, MO, cochair of the E-Discovery Subcommittee of the Commercial and Business Litigation Committee. "These discussions often take place as early as the Rule 26(f) conference and frequently lead to disputes when negotiating ESI protocols and preservation agreements." Fitts also proposes that disputes about the discoverability of employee-owned devices typically focus on whether information located on employee-owned devices is within the employer's possession, custody, or control.
Guidelines Only Start the Conversation
Bosack says that lawyers and courts may apply the guidelines differently depending on whether the industry uses sensitive information. "For example, when employees in the healthcare industry use their own devices, the devices may contain HIPAA protected information. In these instances, best practice is that is people who use their own device should work with the IT department to assure state-of-the-art encryption to protect that information." He also suggests that some technical solutions may be helpful regardless of the industry. "When a company operates its own instant messaging system, it reduces the temptation for employees to text on their own devices, and the data would be preserved," says Bosack.
Still, leaders believe that BYOD issues are complex and they question how impactful these guidelines will be. "I think that the principles make a lot of sense," reasons Bosack. "But it's a lot easier to raise them than to implement them in the day-to-day life of a business."
Fitts agrees. "It is still unclear whether, and to what extent, the Sedona Conference recommendations will influence where the case law goes on these issues," says Fitts. Even so, in an era when employees are increasingly worried about privacy, she observes, "it's good to have the discussion between the employer and the employee. Anything that brings light to the issue and encourages employers to set clear expectations can be a good thing."
Andrew J. Kennedy is an associate editor for Litigation News.