This article appeared in the May 2024 issue of Cybersecurity Law & Strategy. © 2024 ALM Global LLC. Reprinted with permission.
Today, there are over 6.92 billion smartphone users in the world, 280.54 million of whom are in the US. Nearly 100% of adults use smartphones every day, and not just to communicate with their family and friends. They are also using smartphones in their professional lives, to interact with customers, vendors, and colleagues in a business context. And why not? Nearly every work-related platform can be routed through a single device: email, calls, Slack, Zoom, WhatsApp, productivity tools, and so on. Smartphones offer a streamlined hub for employees to do their jobs, from anywhere – so it’s hardly surprising they are the preferred method of communication.
And why wouldn’t companies let work trickle over into these devices? After all, smartphones unlock welcome efficiencies and productivity boosts, since work can continue outside of the office. And until very recently, employers have had little incentive to stop it; US law has been slow to catch up to modern communication practices, particularly when it comes to managing business-related data on personal devices and ephemeral apps (like WhatsApp). In investigations and legal proceedings involving businesses, electronic evidence has largely been limited to phone calls, emails, internal messaging platforms, and other more typical work surfaces.
Now, however, new regulations from the DOJ around the ownership and governance of company data on personal devices are catching up to the way the world actually works. It’s going to make companies’ lives a lot harder—and for precisely the same reason that smartphones have made their lives a lot easier.
COMPANIES HAVE CLEAR CUSTODY OF COMPANY DATA ON PERSONAL DEVICES
Because there are so many different ways to work and communicate on a single mobile device, there are also many different data types being circulated and much more data being collected than even a few years ago. Globally, 18.8 million text messages are sent per minute. Across smartphones alone, several zettabytes — a nearly unimaginable amount of data — are being transferred every day.
The recent guidelines from the DOJ now address all the various types of business-related communications, including activity that happens on personal devices and third-party messaging apps. Interestingly, regulators are even considering the different ways people can communicate within individual apps, down to the style of the message. Famously, last year, a Canadian judge ruled that a thumbs up emoji can count as a contract agreement.
Until now, most U.S. companies have turned a blind eye to activity on employees’ devices, since there have been no clear legal guidelines around who owns that data, and since, so far, the most severe potential punishment for not monitoring that data has been a manageable slap on the wrist. In this environment, employers with bring-your-own-device (BYOD) programs could easily shift responsibility—and risk—to employees. If something went wrong, employers could simply say, “It didn’t happen on our phones, so we didn’t know.” This approach also helped them avoid dealing with the technical challenges of managing all those gigs of data.
Now, however, the DOJ has officially recognized that business activity is happening on personal devices and has cleared up once and for all who owns that data: the company. It’s different in other countries. For instance, in the EU under the GDPR, all activity on a personal device is the individual’s property, including company-related messaging. But US regulators have taken a different approach, officially assigning employers complete custody –– which isn’t necessarily a good thing.
IMPLIED CONTROL OPENS THE DOOR FOR NEW RISK
As the proud new owners of company data on personal devices, employers must figure out how they’ll sort through, monitor, store, and analyze exceptional amounts of mobile data and data types, work that is resource-intensive, complex, and highly sensitive. If they don’t figure it out, they could be hit with a hefty multimillion dollar fine, like Wells Fargo, which had to pay out $125 million last year for not backing up and assessing company-owned data on WhatsApp.
Under the new DOJ guidelines, having “custody” means employers must be able to easily retrieve company data from personal devices when a trigger event happens –– either a legal hold for potential litigation, compliance activity, or a business need to preserve data. More specifically, they need to establish a policy governing the preservation of and access to corporate data stored on personal devices (including data contained on ephemeral messaging platforms), explain the rationale for that policy, and make provisions for the application and enforcement of the policy. They need to understand where company activity is happening on personal devices and come up with controls that allow them to pull that data when needed.
Through their newly established custody and the reach it grants, companies now essentially have control over company data on personal devices, too, which opens the door for major risk.
OWNERSHIP AND ENFORCEMENT LEADS TO PRIVACY CHALLENGES
First and foremost, custody and control of company data on BYOD devices raises privacy concerns. Employers now need to pull corporate-owned data from smartphones rife with personal data, like texts to a spouse, family photos, and medical information. They need to extract company data in a way that protects custodian privacy and tapers technical load. Additionally, companies need to communicate that process to employees in a way that doesn’t scare them off.
To do so, companies must establish clear ownership and enforcement policies that convey custody and control. Essentially, these policies must say to employees, “This is a BYOD device. You’re putting company data on it. We have ownership over that data, but we’ll handle your personal data with care. Here’s how.”
To warm employees up to this idea, some organizations are introducing stipend programs in which the company foots a certain percentage of the smartphone bill. This tactic sets the tone for ownership and enforcement on BYODs, shifting the framework around who owns the data and who has access to the personal device.
Alternatively, some organizations are leaning on no-BYOD policies, where messaging happens exclusively on corporate-issued devices with severe app limits. Corporate-owned devices can make it easier for businesses to monitor and preserve company data, meet legal hold requirements, and temper privacy concerns, but they also restrict critical business activity that happens on ephemeral messaging apps –– and buying a phone and phone plan for thousands of employees is expensive.
Other companies are turning to mobile device management (MDM) IT software that governs corporate-owned apps on personal devices. MDM tools can block the copy function in email to promote data security, for example, or pull a list of apps from BYOD devices to ensure employees aren’t using restricted third-party apps. But MDMs cover only a small portion of the data on the device, not the whole thing, leaving too many gaps for this approach to be considered a sound ownership and enforcement plan.
In the near future, we can expect to see companies develop more robust ownership and enforcement strategies for the governance, preservation of, and access to corporate data stored on personal devices, including data contained on ephemeral messaging platforms. These new strategies will likely be delivered through revised privacy agreements, acceptable use policies, and other HR-employee agreements that clearly communicate the scope of access and the controls in place to enforce that custody. These robust strategies will also likely be carried out by data discovery tools with selective targeting capabilities to promote privacy and reduce load.
OVERCOLLECTION PROBLEMS: LIABILITY AND LOCALIZATION
In order to stay compliant and reduce risk in this new regulatory environment, companies need more access, and fewer barriers from the custodian, to go out and collect company data. However, the more access companies get, the more they expose themselves to risk –– particularly to the risk of overcollection.
In the infamous Alex Jones case, for example, Jones’ lawyer accidentally produced every text message Jones had ever written in the previous two years, inadvertently revealing that Jones had committed perjury. In other cases with similar outcomes, lawyers have turned in personal device data that unintentionally opened up entirely new lawsuits and even implicated other corporations that weren’t involved at all in the first place.
But overcollection is not just a threat from a liability perspective; it’s also a threat for global companies, since privacy and ownership laws vary from country to country and jurisdiction to jurisdiction (including, for example, states like California with strict privacy laws). Global companies can’t just apply a blanket policy around personal device data, set it, and forget it. They need to make policy responsive to local laws where they have offices and to the laws that govern individual employees. For example, if a US company employs a German citizen, that employee’s data is treated according to GDPR regulations. The organization can’t legally pull data from the employee’s phone because the company doesn’t technically own that data.
Localization highlights another area where new DOJ regulations are complicating things for employers with BYOD programs — especially large, global corporations. Smaller businesses with one office can easily circle everyone up, create the appropriate workflows, and run the appropriate software to go out and find the data they need. But global companies not only need to work out how they’ll govern massive amounts of mobile data, but also how they’ll customize those policies based on location.
PREPARING FOR A FUTURE WITH STRICTER BYOD REGULATIONS
Thankfully, most businesses don’t need to engage in these kinds of resource-intensive data management activities on a regular basis. For most companies, these questions and challenges are only relevant when there is a trigger event, like a legal hold on a custodian before potential litigation. While financial services and other businesses in highly regulated industries must preserve company-related personal device data for seven years in order to remain compliant, most simply need to focus on what they will do when the time comes. Federal scrutiny is expected to amplify in the coming years as the new DOJ regulations trickle down. The goal for companies right now is to set up robust ownership and enforcement policies that grant easy access to the data when a trigger happens. As part of this process, employers need to start managing employee expectations today and communicating these new policies to ensure things go smoothly tomorrow. They also need to identify technology solutions that will help them selectively target company data (e.g., find Signal data for just one week), promote privacy, and reduce technical load.
Work environments on personal devices are constantly evolving, with new chat and productivity apps popping up all the time, and new legislation being passed each year. Consequently, businesses need to develop flexible policies that help them adapt and respond to these changes –– that help them address all the different apps and data types that come their way and keep up with all the regulatory adjustments in relevant jurisdictions. Employers should also ensure that whatever technology solutions they choose for selective targeting and data discovery can adapt to the emergence of new applications, new ways of working, and new regulations. The technology they choose must help them stay agile, reduce risk, and remain compliant on their journey to successfully governing, preserving, and accessing corporate data stored on personal devices.
*****
Matthew Rasmussen, CEO of ModeOne, has over two decades of experience implementing cutting-edge technology solutions to navigate complex, high-volume litigation. He has a track record delivering efficiency and cost-certainty to Fortune 500 companies and AmLaw 200 law firms. His expertise covers the broad spectrum of services and requirements in the EDRM. He founded ModeOne to evolve the litigation technology market by creating full-function solutions to modern evidence management problems.