Skip Links

Don't say no to BYOD and personal clouds, but understand the legal risks when you say yes

By Alan Brill, Senior Managing Director, and Jonathan Fairtlough, Managing Director, Kroll, special to Network World
December 05, 2013 10:32 AM ET

Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

While you have undoubtedly heard all the gloom and doom stories regarding individuals using personally owned devices or personally controlled cloud services like Dropbox, SkyDrive, Google Drive, Idrive, Evernote and similar services, don't forget the law of unintended consequences.

IT can’t possibly anticipate every possible risk presented by the use of these technologies, but one thing is for certain: If employees store corporate information on their own devices or in the cloud using one of these services, they may open the company up to legal implications under the U.S. Federal Rules of Civil Procedure (FRCP).   

The law requires – with few exceptions – that each side in a civil lawsuit diligently search for and preserve information that is “reasonably calculated to lead to the discovery of admissible evidence” and to provide it to the other side – including any electronic data and its associated metadata.  

It is important for IT leaders to discuss this subject and related corporate policy with your company’s senior leadership and in-house or outside counsel to ensure that anything that could affect legal discovery is handled properly and to help mitigate the risk of severe penalties that could be imposed by judges for discovery failures.

[RELATED: How to become a BYOD guru]

Top considerations when looking at this issue should include:

* The duty to preserve evidence – in hard or electronic format – starts as soon as it’s reasonably anticipated there will be litigation, whether your company would be the plaintiff or the defendant. The company’s general counsel will help determine when this duty is imposed and if/when you must notify employees that they may not delete relevant information or otherwise cause it to become unavailable. (You may also have to take steps to stop automatic time-based destruction of relevant evidence.)

* How laws apply to new technologies is vague/uncharted. For example, under U.S. federal law, companies are required to disclose information within their possession, custody or control, but how that might apply to Bring Your Own Device (BYOD) efforts or personally controlled clouds is murky. It would seem unlikely a court would allow for relevant information to be excluded or withheld because it was stored in personal clouds, and in fact, this information could – and likely would -- be accessed by way of court orders and subpoenas against the “owning” employee.  

* BYOD may not support a company’s discovery responsibilities. With so many software program and application options for smartphones and tablets, it’s possible for employees to use services for work that are not company-approved or synchronized to a company-controlled server. This may make it especially difficult to cull evidence and could require forensic analysis of the device.

* The discovery process may create disciplinary issues. As companies collect back data from BYOD devices, the full scope and nature of personal activity might become clear. The viewing and distribution of adult, sexist, racist or degrading material can lead to human resource based investigations relating to the use or viewing of the material in the workplace. Simply ignoring the data and declaring it personal may not be enough.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News