Many organizations struggle with whether to permit employees to use their own electronic devices (e.g., mobile phones, tablets, laptops) to conduct business on behalf of the organization. In addition to discovery challenges in the event of litigation, the use of individual devices can also present significant security concerns and regulatory compliance issues. In January, the Sedona Conference Working Group Series issued a public comment version of “Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations.” Comments to the public comment version must be submitted by March 26, 2018.
As drafted, this Commentary addresses how creating and storing information on employee-owned devices can impact an organization’s discovery obligations and security goals. In response to those concerns, the Commentary offers companies best practices, broken down into 5 principles. Each principle contains additional commentary from the Working Group. The five principles are:
- consideration of business needs and objectives, legal rights and obligations, and the rights and expectations of their employees;
- achieving business objectives while also protecting both business and personal information from unauthorized access, disclosure, and use;
- employee-owned devices that contain electronically stored information (ESI) should be considered sources for discovery;
- policy and practices should minimize the storage of, and facilitate the preservation and collection of, ESI; and
- employee devices that do not contain relevant ESI need not be considered sources for discovery.