The Pitfalls of Commingling Personal Devices, Corporate Data, and Private Lives

Sep 1, 2021

By Level Legal

Commingling business and personal data is a growing trend–and ticking time bomb–for U.S. corporations, law departments, and employees.

Before the global pandemic, the use of personal mobile devices for work-related matters was commonplace – whether sanctioned by business organizations or not – as was the exchange of information between personal and work accounts. Employees often sent private documents to their work email accounts to access personal matters at their desks or print documents at the office. Conversely, many employees – C-suites included – would forward business communications to their personal email accounts to access them at home, even if it violated a written company policy.

Since March 2020, the global pandemic has turbocharged our remote workforces and their reliance on must-have mobility tools, further entangling corporate and private data, and increasing the security and privacy risks for all. For example, instead of having “water cooler” talks in person, friendly co-workers now have them over text, which can quickly morph into discussions about colleagues or the company, leaving an indisputable audit trail of the conversation.

More than ever, it is critical for corporate legal departments, outside counsel, and expert partners to work together to develop, document, and enforce robust policies for data and devices. Equally important when drafting these policies is considering how the lack of corporate control and visibility into personal devices impacts litigation and investigations. When people use personal devices for work (including texts, chats, and emails), the data they create on their devices could be relevant to litigation or an investigation, be placed on a litigation hold, and need to be collected.

However your organization chooses to approach the problem, a proactive and robust policy should, at a minimum, account for two distinct challenges.

One issue revolves around the security of corporate data that is accessed and saved on personal phones, laptops, tablets, and other devices – not to mention personal cloud storage. In situations such as these, lost mobile phones, hacked accounts, emails forwarded outside of the corporate network, and SMS threads that mix business and personal conversations (which can be challenging to split or sort for a review) all become risks. The collection process can be incredibly challenging and delicate if a corporation must ask or require an employee to hand over their personal device to access data (regardless of any waivers or notices acknowledged in a formal BYOD policy). Additionally, many employees rarely, if ever, think of their company’s record retention requirements. And those who do likely don’t think about existing policies in connection with their personal devices.

Another issue involves compliance with privacy laws. Many employees don’t think twice about sending personal information to their work email until they become custodians in a dispute. All of a sudden, the tax returns (or other personal data) they’ve emailed to themselves, saved to the hard drive on their work laptop, or stored on a company server become part of a document collection and review.

While all of this may seem obvious, now is not the time to be lax. Corporate legal departments must ask themselves: How do we protect against the inadvertent or improper disclosure of private employee data, customer data, and confidential business information that workers may be commingling with personal data on their personal devices? How do we ensure that any disclosures made are lawful and compliant with all governing regulations, including GDPR, CCPA, and other state and federal regulations?

This issue is especially significant given the dangers of non-compliance regarding the preservation and disclosure of such data.

In all these situations, corporate legal departments need to ensure that stakeholders are correctly evaluating the level of risk they face. Is there a robust BYOD policy to govern how individuals use personal devices to access and interact with corporate data? Is it enforced (along with the process for documenting users and devices)? Is it sufficient for today’s remote work environment? Can corporate data be accessed by the corporation, if needed? Do companies have processes to handle private data if they collect commingled data from an employee’s personal device?

By proactively addressing these issues now, we all will be better prepared and protected: organizations, clients, and employees alike.

Need help managing your data? Contact Level Legal for help.
