April 23, 2013 at 4:31 AM ET
If you use your personal smartphone or tablet to read work email, your company may have to seize the device some day, and you may not get it back for months.
Employees armed with a battery of smartphones and other gadgets they own are casually connecting to work email and other employer servers. It's a less-than-ideal security arrangement that technology pros call BYOD — bring your own device.
Now, lawyers are warning there's an unforeseen consequence of BYOD. If a company is involved in litigation — civil or criminal — personal cellphones that were used for work email or other company activity are liable to be confiscated and examined for evidence during discovery or investigation.
It's a possibility even technology pros rarely consider, said Michael R. Overly, a technology law expert in Los Angeles.
"You would be very surprised to hear that even extremely sophisticated business people seem shocked when they learn their personal phone, including email, GPS data, photos ... may be subject to review in litigation involving their employer," Overly said.
BYOD is a worldwide reality and a dramatic shift in the way companies outfit their employees with work tools. Cisco Systems Inc. released a report earlier this year saying 42 percent of all "knowledge workers" own the smartphones they use for work, and two-thirds of companies expect the employee-owned device phenomenon to increase.
The convenience is hard to ignore, as is the personal touch — workers love picking their own phones — but of course, cost savings is the real driving force. Increasingly, companies are requiring workers to supply their own gadgets at their own cost, the way a restaurant might require waiters to purchase their own uniforms.
Even if companies reimburse those employees, there can be a big hidden cost for workers — the possibility of losing their phone for days or months while their company combs through it for data relevant to legal action.
“People’s lives revolve around their phone, and they are going to become more and more of a target in litigation,” Overly said. “Employees really do need to understand that .”
Giri Sreenivas, a mobile phone security expert at Boston-area firm Rapid7, warned discovery requirements can extend far beyond email stored on smartphones.
"Text messages and cellphone records might be subject to discovery, too, even if you never connected to company email," he said. "If lawyers believe the device was used for work purposes, it can be (taken).”
Race to keep up
How could firms gain the right to rummage through the most personal items on worker’s phones — pictures, texts, social media accounts? In many cases, it’s not a right, it’s a duty, says Overly. When a company is sued, and required to produce documents as part of a discovery process, it must make a good-faith effort to retrieve data — wherever it may be. That includes employee-owned gadgets.
In fact, Overly says he was part of a case recently where a judge sanctioned a company for a discovery violation because it failed to search BYOD devices during discovery. He declined to name the case.
Companies are racing to keep up with the trend — trying to set policies, inform workers of their rights, and superimpose BYOD rules over arrangements that organically evolved within their workplaces. Increasingly, companies are requiring workers to sign agreements that alert them to the potential of personal gadget seizure, Overly said.
Christopher Dahl runs a Seattle-based firm that specializes in digital document retrieval for lawyers called Lighthouse eDiscovery. While he says industry discussion is dominated by talk of BYOD discovery, he said gadget seizure has not become common — yet.
"We see mobile devices infrequently. We only had one come in last month," Dahl said. "It's typically pretty rare where the company can't get the same information from another location. Companies will have to disclose that the information is on that second location (the smartphone) but typically don't have to dig into that second place."
Red Tape wrestling tips
Workers wary of having their personal phone nabbed can carry two phones – one personal and one for work – but even that’s not fool-proof. An occasional connection from the personal phone to work email can make the phone subject to discovery. Going this route requires diligent work and personal separation.
"The No. 1 thing you can do to ensure your device is not subject to seizure is to remove any sort of company account ... and then inform the company it's been removed," said Sreenivas.
Dahl warned about accidental blending of personal and work data through a seemingly innocent USB charge connection that leads to accidental synching of data.
There may be a technology solution to this problem in the future. The newest Blackberry phone claims to create a work data-personal data divide, which has the potential to limit the searches that might be conducted by company lawyers