BYOD to E-Discovery: What Happens When Employees “Scan” and Send Chats of Company Documents Using Their Phones?
We recently cautioned employers about their confidential information showing up in selfies posted online, but social media is not the only reason employees are taking photos at work.
Picture this: An employee quickly needs to send her coworker the information shown on the face of a document. She can (A) type the information into an email, (B) go to a scanner to send the document through her employer’s secure IT system, or (C) take a quick iPhone photo of the document and send it via text message.
As employees are increasingly using option (C), employers should be aware of what happens next, particularly if there is a concern that the employee’s “scan” and subsequent text message contain confidential information or trade secrets. Questions that arise in this all-too-common circumstance include:
- Did the employee delete the image of the document from their phone’s photo album?
- Did the employee delete it from their “Recently Deleted” album?
- Did the employee delete it from the text message thread?
- Is the image and/or text message now stored in the employee’s iCloud account?
- Is the employee’s iCloud automatically synced to an iPad, Dropbox, or Google Photos?
- What about the coworker who received the text message? Did they save it or delete it, or is it now contained in their cloud-based storage accounts, too?
- What does the employer’s BYOD (“Bring Your Own Device” to Work) Policy say?
More hurdles arise when one of these employees leaves to go work for a competitor. And, even more arise if that particular document becomes relevant in future litigation and discovery involving the company. For instance:
- Does the employer have “possession, custody, or control” of an image stored on the employee-owned device or iCloud account? (Hint: It depends.)
- Is the employees’ text message conversation discoverable if neither of them is a party to the lawsuit? If discoverable, should it be subpoenaed from the employees directly, or does the company have a right to demand its employees turn over their personal chats?
Engaging litigation counsel who are competent in electronic discovery, including chat-based discovery, is increasingly important.
Answers to the above questions can vary by jurisdiction. For example, Texas state and federal courts have held that an employer generally does not have possession, custody, or control of text messages stored on its at-will employees’ personal cell phones and, therefore, the employer could not be compelled to produce them.
“My Employees are Required to use Company Phones, so This Doesn’t Affect Me.”
Employers that require employees to use company-owned or company-paid smartphones for work-related purposes should still be cautious of these issues because of the nature of the cloud. For instance, if a company iPhone is set up using the employee’s own personal iCloud or Apple account, the same issues could still arise. When the employee quits and turns in the company phone, all of their previous work content may still be accessible in their iCloud account.
Alternatively, even if the company-owned phone is set up using a company-owned iCloud account, has the employee been allowed to connect any other personal devices to that same account? If so, those personal devices could inadvertently retain work content, even when the company iCloud account is wiped or deactivated.
BYOD Policy Updates
Given the ease — and seemingly innocent nature — of an employee using their iPhone to “scan” a photo of a document in the course of their job, employers with BYOD policies should contemplate these issues and how to protect their trade secrets and confidential information from inadvertent retention and disclosure. The policy should address employee privacy concerns, including clear and specific terms of privacy expectations for employee-owned devices that are used for work purposes. It may also include stricter password requirements, the ability to remotely wipe the device, or installation of spyware protection software. Of course, the policy should clearly state the consequences for an employee’s failure to comply and include a signed acknowledgment.
It also is important to keep in mind that other policies may be implicated by employee-owned devices in the workplace as well. For example, new hire paperwork should include a signed acknowledgment that the employee is not bringing any documents with them (including photos of documents) from their prior employer.
For employers wishing to take advantage of all the benefits of BYOD policies, it is even more important now than when we cautioned you 10 years ago to develop and implement a BYOD policy tailored to your particular business and industry and delegate responsibilities, to ensure the policy is regularly reviewed and updated when circumstances change.