Don't say no to BYOD and personal clouds, but understand the legal risks when you say yes
- 05 December, 2013 16:12
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
While you have undoubtedly heard all the gloom and doom stories regarding individuals using personally owned devices or personally controlled cloud services like Dropbox, SkyDrive, Google Drive, Idrive, Evernote and similar services, don't forget the law of unintended consequences.
IT can't possibly anticipate every possible risk presented by the use of these technologies, but one thing is for certain: If employees store corporate information on their own devices or in the cloud using one of these services, they may open the company up to legal implications under the U.S. Federal Rules of Civil Procedure (FRCP).
The law requires with few exceptions that each side in a civil lawsuit diligently search for and preserve information that is "reasonably calculated to lead to the discovery of admissible evidence" and to provide it to the other side including any electronic data and its associated metadata.
It is important for IT leaders to discuss this subject and related corporate policy with your company's senior leadership and in-house or outside counsel to ensure that anything that could affect legal discovery is handled properly and to help mitigate the risk of severe penalties that could be imposed by judges for discovery failures.
[RELATED:How to become a BYOD guru]
Top considerations when looking at this issue should include:
* The duty to preserve evidence in hard or electronic format starts as soon as it's reasonably anticipated there will be litigation, whether your company would be the plaintiff or the defendant. The company's general counsel will help determine when this duty is imposed and if/when you must notify employees that they may not delete relevant information or otherwise cause it to become unavailable. (You may also have to take steps to stop automatic time-based destruction of relevant evidence.)
* How laws apply to new technologies is vague/uncharted. For example, under U.S. federal law, companies are required to disclose information within their possession, custody or control, but how that might apply to Bring Your Own Device (BYOD) efforts or personally controlled clouds is murky. It would seem unlikely a court would allow for relevant information to be excluded or withheld because it was stored in personal clouds, and in fact, this information could and likely would -- be accessed by way of court orders and subpoenas against the "owning" employee.
* BYOD may not support a company's discovery responsibilities. With so many software program and application options for smartphones and tablets, it's possible for employees to use services for work that are not company-approved or synchronized to a company-controlled server. This may make it especially difficult to cull evidence and could require forensic analysis of the device.
* The discovery process may create disciplinary issues. As companies collect back data from BYOD devices, the full scope and nature of personal activity might become clear. The viewing and distribution of adult, sexist, racist or degrading material can lead to human resource based investigations relating to the use or viewing of the material in the workplace. Simply ignoring the data and declaring it personal may not be enough.
* Co-mingled business and personal files can create hurdles for discovery. Some people use personal cloud services and BYOD to store both personal and business-related information. Without appropriate employee agreements requiring cooperation with discovery and investigations of personally-controlled clouds on work-associated devices, this can become a highly contentious issue.
Employees may have highly personal even privileged and legally protected information stored on these services/devices, and these protections may have to be honored when it comes to discovery. It is an area in which courts have differed in their views.
In one recent high profile case, a court ordered that an independent expert be brought in to provide access to employee files on non-company cloud services. It was the expert's responsibility to identify and extrapolate only those documents that bore relevancy to the case for approval by the judge and review by supporting counsel to determine if any of the documents were protected under attorney-client privilege. Only then were the documents turned over in discovery. Such a process may be tedious but may work well for disputes involving personal information on BYOD devices and in personally controlled cloud storage.
In the coming years, court decisions are very likely to provide more exacting guidance on the cloud and BYOD, but businesses have obligations now in terms of e-discovery that must not be overlooked. Courts are issuing rulings that include significant penalties where discovery obligations aren't met. Companies that have integrated the use of personal cloud services and BYOD into their discovery and contingency plans will be much better prepared to fulfill their obligations.
Does this mean that companies should just ignore demands of users and the potential that BYOD can bring in increased productivity and cost sharing?
No. It requires understanding the challenges and a willingness to not only implement new IT solutions, but to invest the time and the management resources to verify that the solutions actually meet the needs of the firm. Counsel must be involved in this ongoing process.
Kroll, the global leader in risk mitigation and response, delivers a wide range of solutions that span investigations, due diligence, compliance, cyber security and physical security.
Read more about anti-malware in Network World's Anti-malware section.
Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.
TPG should pay rural levy for each FTTB service: NBN Co
NBN Co seeks ‘early resolution’ of TPG fibre threat
NBN Co hits 105Mbps in limited FTTN trial
TPG should pay rural levy for each FTTB service: NBN Co
Galaxy S5 deep-dive review: Long on hype, short on delivery