The impact of BYOD on the eDisclosure process

24
Nov
2013

G. Bernstein & J. Shaw

According to Global analysts, Gartner, around “70% of mobile professionals will conduct their work on personal smart devices by 2018.”  The downside of this development is the impact it will have on the EDisclosure process - and specifically to data protection and privacy issues.  So what are the issues that legal IT professionals need to be aware and what policies that should be in place to avoid costly mistakes?

For employers, BYOD (Bring-Your-Own-Devices) offers the potential to free up much of the high cost financing in providing employees with computer hardware. There is growing evidence that employees are likely to be more productive, over longer periods, in and out of the office, if they use their own computer equipment for business. The challenges created by BYOD are serious, but are not insurmountable, especially if companies take steps to manage the risks presented by the dissemination of their data to personal devices before that data becomes the subject of a legal or regulatory dispute.

Policies and preparation

The key to successfully tackling a dispute is to have your data 'litigation-ready' and of critical importance to this is knowing where your data is. Since the vast bulk of company documents moved from paper to electronic formats, the volume of documents which potentially form part of the average legal dispute has exploded, as have the formats they recorded in and the locations in which they reside.

EDisclosure, the techniques and technology which have evolved in response to this growth in business documentation, can very effectively identify, process and secure this data when a dispute breaks out. But even the best systems need to have the data presented in a structured way if they are achieve the best results.

The challenge presented by BYOD in this context is that the use of personal devices can mean that a company's data becomes fragmented, while the variety of operating systems and applications used by individual computing devices can lead to this data being stored in a wide variety of formats as well. Even within personal devices, relevant documents may be located in a variety of places - folders, email or in the cloud, for example, depending on the personal preferences of the owner.  This not only makes the locating and processing of data more complicated and time-consuming than it needs to be, it can also affect the 'integrity' of a company's data which is critical to its admissibility if relied on in evidence.  In addition to the visible data, files also contain valuable 'metadata' - data which contains information such as when a document was created, amended and by whom - which can be damaged or destroyed by injudicious data management.

It is crucial in the litigation context to establish an electronic document's 'chain of custody', integrity and provenance if it is to be of use in court. Sophisticated forensic techniques are often required to ensure that this is preserved, which can be challenging when data is located in a variety of devices and formats. The use of personal devices can also make getting an employee's co-operation with the eDisclosure process more difficult if company data is sitting on their machines alongside personal data. Litigation support professionals sometimes already find it difficult to persuade people to hand over company-owned equipment which may contain personal emails and photographs.  This issue is becoming more acute as the BYOD trend continues. 

It's all in the detail

The growth of personally-owned hardware for business use is also more likely to bring employers into conflict with data protection and privacy laws. These can vary markedly from country to country and in many instances can leave employers unable to get to their own data without the consent of the owner of the device it is stored on. If not managed properly, these factors mean that BYOD trend has the potential to significantly complicate the eDisclosure process in the event of litigation. This will have a knock-on effect on the cost of an eDisclosure project, putting the potentially rising costs at odds with the courts recent move to proportionate justice. 

More specifically, the recent amendments to the Civil Procedure Rules (CPR) in England and Wales -imposes a duty on the parties to discuss and try and agree what technologies, techniques and strategies will be used to undertake an eDisclosure exercise prior to the first Case Management Conference. Being able to locate your data to understand how you will approach the eDisclosure stage of litigation is more critical to success than ever.

Preventative measures

Much can be done to mitigate the risks of BYOD in litigation, but careful planning, preparation and on-going vigilance are essential if problems are to be avoided.  Taking the following steps can help to limit risks: 

1. Get a plan together: When designing BYOD programmes and policies, it is essential that a plan is put in place to locate, secure and extract data in the event of legal action or regulatory investigation. This includes not only a clear map of where data is and the formats it is likely to be stored in, but it is also essential for the IT department to understand how the security protocols differ between the major operating systems to ensure that they can access data quickly when required and to identify where passwords and encryption keys may be needed. Data preservation and extraction procedures are quite different between the major operating systems so it is important that these are understood in advance. Forward planning should also include agreeing a workflow of how the eDiscovery exercise will be conducted in practice - for example, what the respective roles and responsibilities of the IT, HR and legal teams will be and how the day-to-day business of the company can be carried on without undue disruption if devices need to be taken away for data extraction or analysis.
2. Get an agreement:  Employees need to be made aware of exactly what their obligations are in respect of how they use their devices and the agreement needs to be a formal one between the employer and the employee that can be enforced if necessary. Research suggests that only a minority of companies that allow their staff to use their own computers have such binding agreements in place. The main focus of such agreements will be data security, but they should also contain provisions aimed at ensuring that eDisclosure exercises can be conducted efficiently and cost effectively. Things to consider in an eDisclosure context include whether they will need to surrender the device for a period to enable data to be extracted, what the employer will do with the private data that is on the machine, and how employees should manage company data on a day-to-day basis. Regular compliance checks will also be required to ensure that employees properly understand how they should handle their employer's data and are acting on it.
3. Get worldly-wise: Data protection and privacy laws vary significantly from country and multi-national businesses need to know how this will affect their ability to retrieve information from their employees' devices and take appropriate steps to ensure that this does not create a major obstacle in the event of a legal dispute.
4. Get in sync: Regular syncing of data on personal devices with the corporate network will also help to ensure that company data is easy to locate and retains its integrity. Routing company emails through the company Exchange server will also help to ensure that business emails are easily accessible for employers.
5. Get an app: Apps are now available on both Android and iOS to enable companies to partition their documents from an employee's private data. Isolating corporate and personal data and emails in this way can ameliorate many of the issues described in this article, but care needs to be taken with deployment and partitioning may not be possible on older devices.

Meanwhile, for those companies that have yet to embrace BYOD, the complexities it can bring to litigation-readiness should be key criteria to take into account when companies weigh up the pros and cons of the bring-your-own-device revolution.