Before the global pandemic, the use of personal mobile devices for work-related matters was commonplace–whether sanctioned by business organizations or not–and the exchange of information between personal and work accounts was likewise commonplace. Employees commonly sent private documents to their work email account to access personal matters at their desks or print documents at the office. Conversely, many employees–C-suites included–would forward business communications to their personal email accounts to access them at home, even if it violated a written company policy.
Since March of 2020, the global pandemic has turbocharged our remote workforces and their reliance on must-have mobility tools, further entangling corporate and private data, and increasing the security and privacy risks for all. For example, instead of having “water cooler” talks in-person, friendly co-workers now have them over text, which can quickly morph into discussions about colleagues or the company, leaving an indisputable audit trail of the conversation.
More than ever, it is critical for corporate legal departments, outside counsel, and expert partners to work together to develop, document, and enforce robust policies for data and devices. Of equal importance when drafting these policies is to consider how the lack of corporate control and visibility into personal devices impacts litigation and investigations. When people use personal devices for work (including texts, chats, emails), the data they create on their devices could be relevant to litigation or an investigation, placed on a litigation hold, and need to be collected.
However your organization chooses to approach the problem, a proactive and robust policy should, at a minimum, account for two distinct challenges.
One issue revolves around the security of corporate data that is accessed and saved on personal phones, laptops, tablets, and other devices – not to mention personal cloud storage. In situations such as these, lost mobile phones, hacked accounts, emails forwarded outside of the corporate network, and SMS threads that mix business and personal conversations (which can be challenging to split or sort for a review) all become risks. The collection process can be incredibly challenging and delicate if a corporation must ask or require an employee to hand over their personal device to access data (regardless of any waivers or notices acknowledged in a formal BYOD policy). Additionally, many employees rarely think of their company’s record retention requirements (if at all). And for those that do, it’s likely that they don’t think about existing policies in connection with their personal devices.
Another issue involves compliance with privacy laws. Many employees don’t think twice about sending personal information to their work email until they become custodians in a dispute. All of a sudden, the tax returns (or other personal data) they’ve emailed to themselves, saved to the hard drive on their work laptop, or stored on a company server become part of a document collection and review.
While all of this may seem obvious, now is not the time to be lax. Corporate legal departments must ask themselves: How do we protect against the inadvertent or improper disclosure of private employee data, customer data, and confidential business information that workers may be commingling with personal data on their personal devices? How do we ensure that any disclosures made are lawful and compliant with all governing regulations, including GDPR, CCPA, and other state and federal regulations?
This issue is especially significant given the dangers of non-compliance regarding the preservation and disclosure of such data.
In all these situations, corporate legal departments need to ensure that stakeholders are correctly evaluating the level of risk they face. Is there a robust BYOD policy to govern how individuals use personal devices to access and interact with corporate data? Is it enforced (along with the process for documenting users and devices)? Is it sufficient for today’s remote work environment? Can corporate data be accessed by the corporation, if needed? Do companies have processes to handle private data if they collect co-mingled data from an employee’s personal device?
By proactively addressing these issues now, we all will be better prepared and protected: organizations, clients, and employees alike.