Contextualizing Bring Your Own Device Policies.

• Author: Blair, Lindsey

1. Introduction to Bring Your Own Device Policies II. BYOD in the Modern Workplace and Legal Responses A. BYOD E-Discovery Issues Arising in Legal Proceedings 1. In re Pradaxa: Employer in Control Model 2. Cotton: Employer Does Not Have Control Model 3. Small and Ewald: Contrasting Results with Little Analysis B. BYOD and the Interaction with Personal Privacy Concerns C. BYOD Windfall Compensation Concerns III. Analysis of BYOD Policy Issues in Light of Current Case Law A. BYOD and E-Discovery Concerns B. BYOD and Employee Privacy Concerns C. BYOD Compensation Concerns 1. Employee Rights to Protect Personal Data 2. Is Cost-Sharing the Future of BYOD Implementation? 3. BYOD Wage-and-Hour Pitfalls IV. BYOD Policy Recommendations and Implementation Guidance A. Corporate Data on a BYOD Device B. Comprehension and Consent C. Personal Data on a BYOD Device D. Employee and Employer Rights and Responsibilities E. BYOD Expenses V. Conclusion I. INTRODUCTION TO BRING YOUR OWN DEVICE POLICIES

   Whether a large corporation or a small local business, the need for mobile technology in the workplace has skyrocketed. By 2022, the bring-your-own-device (BYOD) market is predicted to reach nearly $367 billion, which is an unprecedented increase from just $30 billion in 2014. (1) Today, businesses have several mobile strategy options to choose from. However, BYOD is by far the most popular option. BYOD is typically a policy in which an employer allows an employee to bring their personally owned devices into the workplace in order to access company applications and information. Although BYOD initially seemed vastly beneficial, time has exposed issues for both employers and employees. In today's technological society, employers must weigh the risks of adopting a BYOD program against their industry needs, budget, IT, and organizational culture.

   This Note explores the development of BYOD policies, the risks and benefits for both employers and employees, and advocates for written policy as the primary method to successfully implement a BYOD system. By analyzing current case law, statutes, and innovative BYOD policies, this Note addresses the three largest issues surrounding BYOD: e-discovery in legal proceedings, compensation, and privacy concerns. This in-depth examination reveals that these issues largely stem from unclear or unstructured policies. Finally, the Note provides recommendations for a strong and defined written policy that outlines both employer and employee responsibilities in the management of BYOD.

2. BYOD IN THE MODERN WORKPLACE AND LEGAL RESPONSES

   BYOD policies rapidly expanded during the 2010s in IT communities and have become increasingly common in other professional fields. (2) However, the idea behind BYOD has existed ever since employees began bringing their own flash drives and installing preferred programs on their work computers. (3) Businesses have continually embraced employees' increasing access to technology. This especially is true of mobile devices--in 2015, 64% of Americans owned a smart phone, (4) and according to a TechPro study, 74% of employers allow employees to use mobile devices for work purposes--or will within the next 12 months. (5) Employers immediately recognized some of the benefits inherent in BYOD, such as lower hardware and service costs and increased employee mobility and flexibility. (6) However, the law has been slow to address the issues arising from BYOD programs. Currently, there are no statutes directly addressing BYOD policies on a federal or state level. However, case law surrounding BYOD is slowly developing. (7)

   1. BYOD E-Discovery Issues Arising in Legal Proceedings

      Perhaps the most complex and least anticipated issue that arises with BYOD policies is what happens when the business is facing litigation. This Part focuses on data preservation issues that inherently arise in an e-discovery context. Applying established procedural rules to newly emerging technology presents a dilemma for the courts--and most cases that address discoverability on personal devices have not gone beyond the district court level. (8)

      The primary concerns of BYOD policies in e-discovery are accessibility and control. The Federal Rules of Civil Procedure and similar state rules require that information for discovery be "accessible" (9) to the party and in its "possession, custody, or control." (10) However, an inaccessibility claim can be overcome by court order, allowing the requesting party to still seek production of the electronically stored information (ESI). (11) The primary issue then turns on whether an employer is in "control" since BYOD are not within the employer's direct possession. Early courts interpreted this standard to be disjunctive. (12) For example, in Carrillo v. Schnieder Logistics, Inc., the court sanctioned a company for not producing e-mails its employees' sent using a client's e-mail system of a client. (13) However, the Ubiquiti Networks, Inc. v. Kozumi USA Corp. court found that a corporation could not be compelled, absent evidence of a legal right, to produce e-mails from a worker's private account. (14) This Note focuses on four decisions to understand how courts interpret "control" for the purposes of BYOD issues in legal proceedings.

      1. In re Pradaxa: Employer in Control Model

         The first option courts have considered is that employers do have "control" of their employees' devices. From the outset of a complex pharmaceutical products liability case, the plaintiff in In re Pradaxa (15) requested that the defendant produce text messages from the defendants' sales representatives. (16) The messages were essential to the plaintiff's case as support for the claims of failure to warn, design defect, and negligent misrepresentation. (17) The defendants did not introduce text messages into the litigation hold until several months later, claiming they "did not realize" the employees had the messages on their personal phones. (18) The defendants also claimed the auto-delete function of SMS systems as an affirmative defense, which the court quickly dismissed. (19) In its decision, the court heavily considered the fact that the defendant had directed employees to use their own phones for work and recognized that "[t]he litigation hold and the requirement to produce relevant text messages ... applies to that space on employees [personal] cell phones dedicated to the business which is relevant to this litigation." (20) The court awarded the plaintiff nearly one million dollars in financial sanctions. (21)

      2. Cotton: Employer Does Not Have Control Model

         As opposed to the decision In re Pradaxa, the district court in Cotton v. Costco Wholesale Co. found the employer did not have the same control over the employees' personal devices. (22) In Cotton, the plaintiff filed a Motion to compel the Defendant to produce text messages sent and received from two co-workers' personal cell phones as evidence in support of the charges of racial discrimination, harassment, and retaliation. (23) However, Cotton never mentioned why the co-workers' texts were relevant--rather, the plaintiff relied on the theory that he was entitled to all relevant information to his claim. (24) The defendant argued that there was a lack of evidence in the record regarding the existence of the co-workers' text messages and that it would be an invasion of privacy. (25) The plaintiff's motion was denied and the court stated that the employees' phones were not within the employer's "possession, custody, or control," because the plaintiff failed to contend that "Costco issued the cell phones to these employees, that the employees used the cell phones for any work-related purpose, or that Costco otherwise has any legal right to obtain employee text messages on demand." (26)

         Although the courts in Cotton and In re Pradaxa reached opposite conclusions as to whether the company had to produce its employees' devices, both courts focused on a fact-specific analysis.

      3. small and Ewald: Contrasting Results with Little Analysis

         Two other notable cases involving the preservation of data on mobile devices during e-discovery are Small v. University Medical Center of Southern Nevada (27) and Ewald v. Royal Norweigan Embassy. (28) In Small, an e-discovery special master recommended the "'harsh sanction' of dismissal" for a defendant in an FMLA case for failing to preserve data stored on mobile devices. (29) The defendant failed to issue any litigation hold even after the court, addressing BYOD devices, ordered one after several key employees confirmed they used their personal mobile devices for work-related purposes. (30) The defendant's failure to comply with the hold caused over two years of messages that were potentially relevant to the litigation to be lost. (31) The special master called the defendant's actions "extraordinary misconduct and substantial and willful spoliation of relevant ESI." (32) Although the Small and In re Pradaxa courts both held the employer in control, the court's analysis in In re Pradaxa focused on the employer's consent to use personal device for work-related contexts whereas the Small court held actual employee use of personal devices, regardless of permission, was enough to hold the employer to be in control of the messages. (33)

         In contrast, the court in Ewald allowed production of ESI located on a cell phone provided by the defendant, but the court denied the plaintiff's request for ESI on personal phones. (34) In this case, the plaintiff brought a gender discrimination and retaliation suit, and requested smart devices used by 12 coworkers. (35) Although the plaintiff showed the defendant had a company policy to store text messages in the official archives, and established the messages existed through email evidence, the court held that the plaintiff "ha[d] not demonstrated her entitlement to such devices." (36) The court did not clarify what circumstances would be appropriate to hold an...