The proliferation of mobile devices—whether company-issued or personally-owned—may contribute to greater employee productivity outside the office, but they also present unchartered legal risks that for many companies means revisiting current e-discovery policies.
Smartphones, tablets, laptops, and other devices are creating e-Discovery and data retention challenges. “The data environment is going to become more complicated, not less,” says Bennett Borden, co-chair of the e-discovery and information governance unit of law firm Williams Mullen.
That's because the pocket-computing model can result in a massive increase in the amount of data created. According to a recent report from technology services company Cisco, mobile data traffic in 2010 was over three times greater than total global Internet traffic in 2000. And that growth is only accelerating. The study forecasts that mobile data traffic will increase 26-fold globally from 2010 to 2015.
Because e-Discovery calls for the immediate accessibility and production of electronic records, the challenge presented by mobile devices is that employees now have a variety of capabilities—text, picture, video, and more—at their fingertips by which they can modify, share, or copy, including potentially sensitive corporate data. And that data can be stored in multiple places in different formats, including in the cloud.
Historically, IT would decide what devices to support on their networks, issue those devices, and retain control of them. They would also police what and how that data was stored and when and where it was archived. “That's not the case anymore,” says Borden. Today, employees have greater access to far more advanced technologies outside their work environment. “This is driving people to want to use their own computers and their own devices at work,” he says.
That's where questions of data ownership come into play. For example, if an employee uses his personal iPad for work, is that under the custody and control of the employer? How do you monitor employee communications when they're using personal devices?
Some federal agencies are just starting to tackle those questions now. The Financial Industry Regulatory Authority, for example, issued Regulatory Notice 11-39 to clarify that financial services firms must “retain, retrieve, and supervise” mobile communications in the same way that would e-mail and social media. FINRA added that firms may allow employees “to use any personal communication device, whether it is owned by the associated person or the firm, for business communications.”
In this new data environment, what constitutes business communication can depend on individual facts and circumstances. “It's the content of the data that matters, regardless of its source,” says Borden.
“You can't just expect to have every employee somehow bring in their device when an e-discovery event happens and try to cultivate data at that time.”
—Philip Favro,
Discovery Lawyer,
Symantec
Mobile computing also raises plenty of questions involving attorney-client privilege. What if an employee sends in-house legal counsel a question from his iPad from home using his personal Gmail account? By submitting the e-mail through the third-party (Gmail), is that conversation now privileged? “Whether these things waive privilege is likely something the courts are just starting to grapple with now,” says Howard Sklar, senior counsel of Recommind.
Practical Measures
Attorneys that practice in the area recommend that companies write a mobile device usage policy and require employees to sign it. The policy should spell out steps the company will take to access and preserve mobile data in the event of discovery.
The policy should also include a provision saying that the company retains the right to wipe clean any device used for work or confiscate it for reasons of e-discovery or employee termination, including employee-owned devices, says Jeffrey Fehrman, vice president of forensics and consulting for e-discovery consulting and software provider Integreon.
TRAFFIC REPORT
The chart below from Cisco provides data on global internet traffic growth and global mobile data traffic growth.
Source: Cisco Mobile Data Forecast.
And the policy should include password protocol for employees to follow and a provision mandating that employees report lost or stolen devices immediately, securities experts say.
“It's extremely important that once you put a policy in place, you have to continue to update it,” Fehrman adds. “You have to continue to articulate to new and current employees and anyone with access to sensitive information that it's not a set-it-and-forget-it-type mentality.”
“Mobile devices also are being used as a gateway to cloud computing and cloud storage, which presents its own challenge,” says Sklar. This could pose unique e-discovery concerns regarding the collection and accessibility of the data itself.
It's essential that companies spell out in contracts with third-party service providers what is expected of them. How will that service provider secure that data? What is their data retention policy? How easily can you access that data in the event of discovery? “You need to resolve that through IT protocols, including mobile access to networks and how that works,” says Sklar.
In order for a company to reduce its e-discovery costs and risks, “a company needs to be able to have at its fingertips all data that's relevant to a particular claim or defense in a lawsuit, and be able to produce it,” says Philip Favro, a discovery attorney at IT security giant Symantec. “To get to that data, they need to have it in an easily accessible place.”
IN THE LEAD
The chart below from Cisco shows that laptops and smartphones are leading traffic growth.
Source: Cisco Mobile Data Forecast.
“You can't just expect to have every employee somehow bring in their device when an e-discovery event happens and try to cultivate data at that time,” Favro adds. “It's going to be impractical, time consuming, expensive, and you're never going to be able to meet the obligations you'll have to meet in court in a timely fashion.”
To overcome this challenge, some companies are beginning to adopt technologies that restrict the amount of data employees are allowed to download. For example, some mobile device management companies—Good Technology, Air Watch, BoxTone—offer software that does everything from encrypt mobile devices and prevent employees from downloading sensitive corporate data to enabling companies to retrieve mobile data in the event an employee termination or stolen device. Other vendors that assist with mobile message compliance and e-discovery include Mobile Mandate, TextGuard, Credant, Globanet, Commondesk, and more.
The mobile communications environment will continue to grow more complicated, stresses Borden. The companies that move quickest to understand these risks and get their arms around information governance, he says, will have a competitive edge on those who don't.
No comments yet