BYOeDD (Bring Your Own eDiscovery Disaster)

Originally published by Nuix.

There are more active mobile devices in the world than human beings—and at least 3 billion of those devices are smartphones. The volume of data these devices generate daily is staggering. They have evolved from “dumb” phones into pocket computers and ultra-thin tablets that can access multiple data streams, including corporate networks, and store vast amounts of information.

As these devices have evolved, so has corporate IT departments’ view of them. Many companies have in place or are implementing “bring-your-own-device” (BYOD) policies. This is an easy way to give employees access to email and other corporate resources after hours and also a cost-saving opportunity for the company. A recent Gartner global survey of CIOs estimated that by 2017, nearly 40% of companies will stop giving their employees smartphones and will instead allow them to access the corporate network on their own devices.

While this may make CFOs and employees happy, BYOD policies present unique challenges for legal and IT departments. Specifically, how to:

  • Safeguard, retrieve, and control company-owned data
  • Map where all potentially relevant data is stored (on the device, in removable storage or a SIM card, in the cloud, etc.)
  • Understand which data types to consider when collecting from these devices
  • Support multiple mobile operating systems (including a very fragmented universe of OS versions that are under mobile carrier control)
  • Otherwise meet their eDiscovery and compliance obligations on personally owned devices.

In exchange for the privilege of connecting your iPhone to the corporate network, most companies require you to agree to a mobile device security policy. This gives the company a degree of control if the mobile device is lost or if it becomes necessary to collect data from it. These measures are the first step toward setting a company up for mobile eDiscovery success. Typical policies give companies the ability to:

  • Lock and disable the device remotely
  • Wipe all data from the device remotely
  • Track the device remotely
  • Access data on the device remotely, including user-created email and files, application logs, phone records, GPS files, and more—this can include personal data.

Traditionally, legal and IT departments encouraged the use of applications that passed data through corporate servers. That way, if data became subject to discovery, it would be available and under company control on its servers. This often eliminated the need to collect from the mobile device itself. It allowed the company’s lawyers to argue that collecting and analyzing ESI from mobile devices was cumulative and therefore overly burdensome.

However, today it is highly likely that unique data will reside on mobile devices because they make extensive use of apps and cloud services. And that means bring-your-own mobile devices will be involved in day-to-day discovery. Companies need to be prepared for what’s coming (arguably, what is already here).

