Today the Sedona Conference posted the public comment version of its Commentary on BYOD: Principles and Guidance for Developing Policiesand Meeting Discovery Obligations. This guide to Bring Your Own Device policies revolves around the smartphones, tablets, and personal computers that employees use to access their company email accounts and documents. The Sedona Conference embraces five core principles:
1. "Organizations should consider their business needs and objectives, their legal rights and obligations, and the rights and expectations of their employees when deciding whether to allow, or even require, BYOD."
2. "An organization’s BYOD program should help achieve its business objectives while also protecting both business and personal information from unauthorized access, disclosure, and use."
3. "Employee-owned devices that contain unique, relevant ESI should be considered sources for discovery."
4. "An organization’s BYOD policy and practices should minimize the storage of––and facilitate the preservation and collection of––unique, relevant ESI from BYOD devices. "
5. "Employee-owned devices that do not contain unique, relevant ESI need not be considered sources for discovery."
With respect to the first principle, Sedona acknowledges that the cost of Mobile Device Management (MDM) may be prohibitively expensive and preclude the implementation of a BYOD program. Organizations should consider whether or not they will allow employees to withdraw consent to access data on their devices. Some employees will own devices shared with other individuals that may not want to give access to the device.
The implementation of a security program with respect to the second principle may require registration of employee devices that will allow for access logging and device tracking. 'Containers' or 'sandbox' partition can separate personal from organization data on a personal device. The Electronic Communications Privacy Act restricts access to personal communications on BYOD devices absent valid authorization.
With respect to Principle 3, the guide cites federal court decisions that organizations do not have possession, custody, and control over BYOD devices. Matthew Enterprise, Inc. v. Chrysler Grp. LLC, No. 13-cv-04236-BLF, 2015 WL 8482256 (N.D. Cal. Dec. 10,2015); Ewald v. Royal Norwegian Embassy, No. 11-CV-2116, 2013 WL 6094600, at *10 (D. Minn. Nov. 20, 2013). Sedona notes that requiring privacy waivers from employees may be inconsistent with local laws.
Google's Android for Work and AT&T's Toggle are cited by Sedona as good partitioning applications that help prevent the storage of business files on BYOD devices with respect to principle 4.
Under Sedona's understanding of principle 5 an email application that fully synchronizes with a company's servers, or a custodian interview that indicates an employee did not use a personal device for business may be a basis on which which forgo BYOD discovery.