eDiscovery in SA - What is the relevance of BYOD to eDiscovery?

The short answer is quite a lot, given the potential importance of a mobile device containing a “case winning” or “case losing” communication. However, before looking at that aspect I want to talk about the principle of BYOD itself. I should begin with the acronym, which does not mean, as one Sandton lawyer suggested when I was presenting eDiscovery to his firm, “Bring Your Own Drinks”. He was joking of course and we all know that it means Bring Your Own Device. Simply, it is a situation whereby an employee, with the permission of the employer, uses his or her own mobile device or devices for the purposes of the employer’s business and therefore has access to the company’s applications and information. It is commonplace in SA, I have found.

Very recently, I read an article in the Cape Times entitled “BYOD can transform your workspace and boost productivity”. It speaks of boosting productivity by over 30% partly because employees work faster on their own devices. It is felt that in SA it is becoming a “must have” as long as it is coupled with security solutions. Quite rightly, the article points out some of the potential issues, such as who else has access to the device and what happens if it is lost or stolen, but there are other issues. How can the employer monitor the usage of a device it does not own? How is the privacy of the employee protected and, obviously, how is the employee reimbursed for the business use? Can the employer insist upon anti-spyware and malware programs? All of these points and more are covered in the article but, for me, the article misses some very important issues and potential remedies, and for sure it completely ignores the issue of eDiscovery.

My first concern is who “owns” the business-related data? It would seem that the obvious answer must be the employer, but how can he access that data as he does not own the device? Worse, what happens if the employee leaves and the data is required subsequently? Some SA lawyers have said to me that this is not a concern at all as any business emails on the device are also contained on the company’s network, so why the fuss? Well, there is a fuss for 3 reasons:

  1. Sometimes there are synchronisation issues with data between the device and the company network 

  2. The employee can draft emails for use in other ways and drafts do not sync

  3. What about all other forms of communication that can be used on the device which will never sync with a company’s network e.g. WhatsApp, SMS, Facebook, Instagram etc. - more on this later!

Ownership of device and data is a major issue here. Suppose the employer needs to inspect the device as it has become involved in a case or investigation: the employee can refuse to hand it over, especially as, in the main, it contains personal information. Worse, as mentioned, if the employee has left, how difficult then is it to contact the ex-employee, and why on earth should that person hand over his personal device to an ex-employer! This whole aspect of ownership can be easily dealt with (and is in other countries) by comprehensive clause inclusion in contracts of employment, and I am really surprised that that was not covered in the article to which I have referred, although it does refer to an internal digital policy, but one covering more the issue of data breach rather than ownership.

Whilst in the UK, I acted for corporations whereby the whole question of the use and ownership of devices and data was covered in contracts of employment and a documented policy to which the employee signed his or her acceptance. In simple terms, if the company supplies the device then the policy and employment contract make it clear that the device and all data “belong” to the company. It usually would forbid or restrict private use, at the same time making it clear that even private data can be viewed by the employer in the event of a case or investigation. BYOD adds a further level of complexity as the employer cannot “own” the device or personal data, whatever is stated in the contract of employment. However, it can “own” the data relating to the business and, in the contract, make provision for the employee or past employee to surrender the device for collection and analysis. Obviously, this also raises Data Protection and Privacy questions, but again I have seen instances in Europe when the employer is registered as a Data Controller and, again through the careful wording in the employment contract, is able to view even personal data.

Perhaps you are beginning to see the significance of my reference to eDiscovery. Bearing in mind that discovery involves making a reasonable search for documents which are or have been in your possession or control, look at the significance of the word “control”. Without a policy, strengthened by the employment contract, the employer would find it hard to argue “control”. Furthermore, and this is my main counter to the argument that company emails and e-docs on a device are automatically on the company’s network, what about Social Media? It is well established in countries which have eDiscovery incorporated into their rules of civil procedure that all forms of communication are “discoverable” - not only does that include the various methods I mentioned above, but there are decided cases in various parts of the world confirming this, even to the extent that an emoji or emoticon is discoverable. All of this begs two questions here in SA. Firstly, as lawyers, are we advising our clients on this matter and are we complying with reasonable search if we are not looking into communications on devices? Secondly, as forensic service providers, are we advising clients that data should also be collected from devices and do we have the appropriate software to do that? Please see my specific blog post on this subject of a year ago.

In summary: employment lawyers should be advising their corporate clients to take a fresh look at their employment contracts; dispute resolution lawyers should be advising their corporate clients as to the risks of Social Media and the use of BYOD; and service providers should be advising their clients that a forensic collection and investigation should include portable devices. I will leave it to all of you who are affected to find answers to these important points, and as usual, if any advice or information is required, you know where I am!