Bring your own device (BYOD) policies are nothing new in the corporate world, as consumerization proponents tout decreased IT costs and improvements in employee satisfaction.
E-discovery tools and processes, however, are lagging far behind this mobility trend. During a discovery case, lawyers looking for evidence can demand access to all company data -- a process made much more convoluted when that data is not only on the organization's network, but also scattered on numerous employees'
A lot of times, companies don't have a good policy -- that's where they get into trouble.
Debra Logan, VP and analyst, Gartner Research
"It's kind of an iceberg problem: Everybody's got it on the horizon, but very few people have addressed it yet," said Gregory Buckles, cofounder and principal analyst at The eDJ Group Inc. "It is definitely on the radar of the plaintiffs who are asking for data; they know that unique data lives on these devices."
As companies increasingly store data and host applications on employees' personal mobile devices and the cloud, it's a mistake to put potential e-discovery issues on the back burner, experts say. Consumerization and the cloud create huge e-discovery risks for organizations, particularly because they dramatically complicate access protocols and create potential privacy concerns.
These complications will likely continue as cloud use and mobility proliferate in the corporate world. A 2011 Gartner Inc. study predicted that through 2016, less than 1% of organizations will deploy sufficient technology to fully insulate themselves from mobile e-discovery challenges. From a consumerization standpoint, the e-discovery process starts with a good BYOD policy, said Debra Logan, a Gartner Research vice president and analyst.
"The best way to ensure that there are no difficulties is to make clear in the BYOD policy that, in the event of a legal or regulatory investigation, the password will be required and that any personal data that is on the device will be searched, along with anything that is relevant to the company," Logan said.
"In the case of criminal activity or suspected criminal activity, failure to turn it over with the password is a criminal offense if it is evidence or contained evidence."
Organizations can further insulate themselves from e-discovery process risks by ensuring that all data on employee devices is backed up on enterprise-controlled systems. If possible, employee-owned devices should be encrypted as well -- and corporate information that is not encrypted shouldn't be stored on mobile devices at all.
Other stipulations that BYOD policies should include, relative to e-discovery processes, are retention and data destruction schedules in accordance with compliance regulations, as well as a clear determination of who is responsible for that data. The policy should also clarify steps for immediately halting the data destruction in the event of litigation, and what happens to corporate data on personal mobile devices when employees leave the company.
When in doubt, turn to internal legal counsel to ensure the organization is meeting any relevant regulatory compliance rules with regard to BYOD.
"A lot of times, companies don't have a good policy -- that's where they get into trouble," Logan said.
E-discovery processes in the cloud
Ensuring e-discovery process protocol in the cloud is no picnic, either, as companies must consider how they will access data in the cloud if it's part of an e-discovery request.
Organizations often fail to take those processes into consideration when moving operations to the cloud, Buckles said. Instead, they consider the initial positive financial impact and forget about e-discovery implications. According to a 2011 eDJ Group survey, less than 16% of respondents reported creating an e-discovery plan before moving data to the cloud.
"That's a problem," Buckles said. "You've got folks who are moving their data into someone else's care, and they have the responsibility to be able to preserve the data, to inspect, to collect it and even retrieve it, and they don't think of that flow before they move the data."
More on e-discovery strategy
Records managers vital to e-discovery governance
Podcast: The keys to successful, company-wide e-discovery
The company also may not know exactly where the cloud data is stored, making retrieval that much more difficult. This creates potential legal ramifications: Under the Federal Rules of Civil Procedure, which was updated in 2006 specifically to address e-discovery issues, organizations are required to preserve and be able to retrieve electronic information under its control.
These regulations make contracts with cloud service providers vital. Before entering into an agreement to move any operations to the cloud, companies need to determine where data will be stored and how they will access it if needed -- especially when it comes to sensitive data that could be discoverable down the road.
If it sounds like the e-discovery implications of the cloud are murky, it's because cloud providers are often behind in the game as well, Buckles said.
"The e-discovery implications on the cloud are almost always an afterthought," Buckles said. "One of the predominant things we are hearing is, basically, people are just not ready for it."
That stark reality makes comprehensive information governance policies that cover all organizational data -- no matter the source -- very important. Whether the data is on the company network, on personal mobile devices or in the cloud, there need to be policies and procedures in place outlining where it’s stored and how to quickly access it during an e-discovery request.
Without these processes, companies facing litigation could be left scrambling to answer the core e-discovery questions surrounding corporate mobile and cloud use.
"Data is moving from the traditional location sources to a new, dynamic, mobile global environment," Buckles said. "E-discovery is slow to adapt."
This was first published in February 2013