WE’RE HEARING employee use of their own tablets and smartphones to conduct business has lots of benefits, but it doesn’t come without some legal risks.
Companies like the
Scott Milner, a partner at the law firm of Morgan Lewis, told me that the growing awareness that employees are leveraging their own tablets and smartphones for work is raising awareness of the potential legal obligations involved.
“I think it’s an area that people are starting to pay a little more attention to, to really focus some extra effort on it as a potential source of relevant information.”
Spoliation—the potential loss, intentional or not, of information that is relevant in litigation—becomes a concern at the time you are having a “reasonable anticipation” of litigation. At that point, you don’t want people wiping out potentially relevant communication or data from their devices or applications.
Milner noted that in some regulated industries, including financial services, companies are required to retain certain data even when litigation is not an issue.
He said when setting up a company’s
The biggest risk of spoliation occurs when data are moved from a company network to personal devices, he said.
“For companies that are fairly sophisticated, I think they have got a pretty good handle on it,” he says. But smaller companies may not have the level of security and controls that bigger players have.
“I think the biggest area is just making sure that you are really developing a process around controlling what is going on outside your firewall.”
In most cases, the phone or tablet is just a portal used to access company networks. By making access available on basically a “read only” basis, employees usually can’t do anything to manipulate or change data that would be problematic, he said. BYOD-related spoliation is only a risk if you have unique or relevant data or communications that exist only on personal devices and not on a company’s core network.
There is also the risk that angry ex-employees or employees that are terminated may take company data with them when they go. Companies with BYOD plans may be able to wipe company data from those devices remotely, though they have to take spoliation risk into account when doing so. Companies can also go to court to try to reclaim whatever data or information was taken.
Milner said companies that allow employees to store work data and communication on their tablets, cell phones or personal laptops need to have a model for handling electronic discovery when litigation occurs.
In 50% of cases where companies are sanctioned for violations in the discovery process, spoliation is to blame.
Spoliation isn’t the only legal risk lenders need to consider in shaping their BYOD programs. Milner and James Walsh, also a partner at Morgan Lewis, outlined some of the legal issues that can arise during a recent webcast hosted by Fiberlink, which operates the MaaS360 mobile device management platform. (IBM recently announced that it is acquiring Fiberlink).
Historically, Milner said courts tended to be reluctant to permit discovery involving personal devices, but with the growth of BYOD, courts are becoming more willing to allow discovery involving information stored on personal devices.
Walsh said during the webcast that companies need to make sure that appropriate security is used to protect and preserve business communication on personal devices. Data privacy and security are the main concerns, he said, especially since many states have strict laws requiring companies to protect personal information about their customers.
“One in three individuals does not password-protect their cell phone. That is not appropriate when there is company data stored on their cell phone,” Walsh said.
Moreover, some employees bypass company rules and policies to access and use corporate networks. One in three actually admit contravening their company’s security policies.
“Employees increasingly view the ability to use their own device as a right and not a privilege,” Walsh says.
So what should companies do to minimize the legal risks inherent in BYOD?
Walsh said companies should have explicit consent agreements with workers participating in a BYOD program that outlines the company’s right to have access to devices used for work and the ability to wipe company data off those devices.
He noted that some states, such as California, have laws that create a right of privacy for employees or “computer trespass laws” that may limit the ability of a company to track or monitor information on employee-owned devices. There are also federal statutes that limit a company’s access to personal email accounts.
Walsh said it can be difficult to enforce the border between work and play on personal devices.
“The lines of distinction between what is work and what is personal can become blurred.”
One place where that blurring can occur involves disputes between employees, conflicts that could end up in court as harassment and discrimination claims, even if the statements or messages exchanged occurred via social media or personal email accounts. Some courts have held that companies have an obligation to investigate allegations of harassment or discrimination that occur outside of the workplace.
Another liability issue companies need to consider is overtime related to BYOD. If employees are expected to check work related communication on their devices outside of normal work hours, that could lead to wage and hour claims.
Ted Cornwell has covered the mortgage markets since 1990. He is a former editor of both Mortgage Servicing News and Mortgage Technology.
