In the last year there has numerous articles, blogs, presentations and panels discussing the legal perils of “Bring Your Own Device” or BYOD policies. BYOD refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications. The problem with BYOD is company access to company data housed on the device. For example, how would you search for potentially relevant content on a smartphone if the employee wasn’t immediately available or refused to give the company access to it?
Many organizations have banned BYOD as a security risk as well as a liability when involved with litigation.
BYOC Equals Underground Archiving?
Organizations are now dealing with another problem, one with even greater liabilities. “Bring your own cloud” or BYOC refers to the availability and use by individuals of free cloud storage space available from companies like Microsoft, Google, Apple, Dropbox, and Box.net. These services provide specific amounts of cloud storage space for free.
The advantage to users for these services is the ability to move and store work files that are immediately available to you from anywhere; home or while they’re traveling. This means employees no longer have to copy files to a USB stick or worse, email work files as an attachment to their personal email account. The disadvantage of these services are that corporate information can easily migrate away from the organization with no indication they were ever copied or moved – otherwise known as “underground archiving”. This also means that potentially responsive information is not protected from deletion or available for review during eDiscovery.
Stopping employee access to outside public clouds is a tough goal and may negatively affect employee productivity unless the organization offers something as good that they can manage and access as well. For example several companies I have talked to over the last year have begun offering Dropbox accounts to employees with the understanding that the company has access to for compliance, eDiscovery or security reasons all the while providing the employee the advantages of a cloud account.
The other capability organizations should research about these cloud offerings is their ability to respond to legal hold and eDiscovery search. Questions to consider include: Does the organization have the ability to search across all company owned accounts for specific content? What type of search do they offer; Keyword, concept? Can the organization view the contents of documents without changing the document metadata? Can the organization place to “stop” on deletions by employees at any time?
Organizations need to be aware of and adapt to these cloud services and be thorough in addressing them.
For Corporate counsel:
- Be aware these types of cloud storage services exist for your employees.
- Think about offering these cloud services to employees under the organization’s control.
- Create a use policy addressing these services. Either forbid employees from setting up and using these services from any work location and company owned equipment or if allowed be sure employees acknowledge these accounts can and will be subject to eDiscovery search.
- Audit the policy to insure it is being followed.
- Enforce the policy if employees are not following it.
- Train the employees on the policy.
- Document everything.
- Understand that if you setup and use these services from employer locations, equipment and with company ESI, all content in that account could be subject to eDiscovery review, personal or company related.
- Ask your organization what the policy is for employee use of cloud storage/
- If you use these services for work, only use them with company content, not personal files.
- Be forthcoming with any legal questioning about the existence of these services you use.
- Do not download any company ESI from these services to any personal computer, this could potentially open up that personal computer to eDiscovery by corporate counsel
For opposing counsel:
Be aware of these services and ask the following questions during discovery:
- Do any of your employees utilize company sanctioned or non-sanctioned public cloud storage services?
- Do you have a use policy which addresses these services?
- Does the policy penalize employees for not following this use policy?
- Do you audit this use policy?
- Have you documented the above?
These cloud services are an obvious productivity tool for employees to utilize to make their lives easier as well as more productive. All involved need to be aware of the eDiscovery implications.