Less Is More: The Risks of Excessive Mobile Device Data Collection
This article appeared in the November 2024 issue of Cybersecurity Law & Strategy. © 2024 ALM Global LLC. Reprinted with permission.
At virtually every organization, work is now spread out across phone calls, texts, emails, third-party messaging apps, and productivity tools on personal devices. Smartphones have, in many ways, become the nucleus of professional life. As a result, companies face the critical challenge of managing this new activity center and the vast amounts of company data flowing through it.
The U.S. Department of Justice recently declared that companies are officially responsible for all business-related data on personal devices, regardless of whether the device is company-issued or bring-your-own-device (BYOD). Failure to properly preserve required data for an investigation can lead to significant legal trouble and nine-figure fines. In their rush to comply, however, many companies and their legal teams are overcorrecting by over-collecting data, exposing themselves to even more risks.
Double-Sided Privacy Concerns
To meet requirements for legal hold, corporate compliance, and internal investigations, organizations must extract company data from personal devices. For employees, however, mobile phones are not just an activity center for work, but also for their daily lives. Mixed in with all that company data is a trove of sensitive personal information––photos, medical records, private messages, passwords, and more. Consequently, when companies scrape employee phones, they risk invading personal privacy.
From a basic employee experience and culture perspective, trust can quickly erode when personal data is swept up in the process. Employees may feel like they’re being monitored by “big brother,” an intrusion which can have lasting effects on morale and workplace culture.
On a more concrete level, over-collecting data exposes employees to identity theft, fraud, and serious financial risks in the event of a data breach––not to mention the emotional harm that accompanies those outcomes. Organizations that pull data from mobile devices indiscriminately are responsible for protecting and properly managing not just corporate data, but also the personal data inadvertently collected alongside it. Any compliance or security misstep can result in significant legal penalties and reputational harm. Plus, the security measures required to adequately protect that data can come with a major price tag (more on that later).
For global companies, navigating privacy threats gets even more complicated. Privacy and ownership laws vary widely by country and jurisdiction. California, for instance, enforces stricter privacy regulations than most states, as do countries in the EU (compared to the U.S.) under the GDPR. Corporations are required to handle mobile device data collection based on the local laws and regulations governing each individual employee to stay compliant and avoid expensive legal action, leaving them with a complicated operational puzzle.
Overcollection Means Overexposure
Overcollection and overproduction of personal device data can also expose the company to further liability outside the purview of the immediate investigation––if unrelated nefarious activity is discovered.
In some famous cases, lawyers have turned in personal device data to regulators that unintentionally opened up entirely new lawsuits and even implicated other organizations that weren’t involved in the initial investigation. Just imagine: a company is under investigation for unfair labor practices and accidentally discloses messages that show price-fixing activity. Regulators have every right to pursue additional legal action against all companies involved, further expanding the risk landscape.
Beyond legal damage, exposing unnecessary data to regulators can lead to significant reputational damage as well. For instance, if personal data from an executive’s phone accidentally reveals criminal or unprofessional behavior, the organization will largely take the fall, with customers, investors, and partners questioning the company’s ethics and conduct.
Expanded Financial and Operational Costs
Collecting, storing, and analyzing data from personal devices doesn’t come cheap. The infrastructure costs (think: hardware, software, and cloud storage) associated with managing large, unnecessary volumes of data can skyrocket.
To protect sensitive personal information and company-related data, companies must invest in expensive storage solutions with robust security measures––to stay compliant and reduce the likelihood of a costly breach. Additionally, organizations often pay hefty fees for the data discovery services that sort through piles of personal device data to meet investigation requirements.
On that note, scraping device data wholesale simply means it will take more time to collect and sort through that data. Data extraction and preservation is a time-consuming, resource-intensive process. As a result, companies that over-collect face unnecessary operational downtime as smartphones are tied up for legal review or compliance checks.
Take, for example, a hospital ecosystem in which nurses and doctors use their smartphones to communicate. When the hospital is under investigation and has to collect devices, workflows and patient care are disrupted. More targeted, less time-consuming data extraction, however, could reduce these operational downtimes.
In some cases, due to the time commitment, companies find themselves accumulating a backlog of devices that need to be processed for data collection. Often, those phones end up in a drawer waiting to be processed, leaving companies to replace the original device (in order to resume normal operations). At large companies, the original phones and their replacements can cost hundreds of thousands of dollars––a loss which, again, could be prevented by more selective, efficient extraction.
A New Model for Mobile Device Data Collection
When it comes to the collection and preservation of mobile phone data, the balance between compliance and privacy is a delicate one for legal professionals. While it might seem logical to gather as much data as possible to meet investigation requirements, over-collection and overproduction can lead to increased legal, financial, and reputational risks. Organizations must carefully navigate the complexities of extracting business-related information without overstepping into personal data, all while adhering to various privacy laws.
Moving forward, counsel should guide companies towards more precise data extraction strategies to reduce legal exposure, minimize operational disruptions, and better protect employee privacy. Ultimately, smarter, more targeted approaches will help organizations save time, money, and their reputations.