One of the most dramatic shifts in corporate attitudes toward technology has played out in the approach most companies have decided to take with respect to employees’ use of mobile devices. As recently as a few years ago, it was considered a serious breach of policy to use anything other than a company-issued device when working on company business. Not anymore.
According to a recent survey of senior in-house counsel conducted by AccessData and Corporate Counsel Business Journal (CCBJ), nearly 70 percent of organizations now allow employee use of personal devices for work-related purposes — a policy widely known as Bring Your Own Device (BYOD) — and that number is expected to rise to 80 percent in the year ahead.
The rapid emergence of BYOD programs has boosted employee morale, with workers reporting that using their own devices for work gives them more balance between their personal and professional lives, and has helped corporations lower their own IT costs in the process. On the other hand, BYOD can translate into some pretty big headaches for corporate legal departments when it comes to managing information risk across the enterprise.
Based on our experience working with corporate legal departments and their outside counsel, BYOD policies seem like a big win initially because of the cost savings that companies realize, but they quickly become unfeasible for corporate IT professionals to manage on their own. The primary reason is that, when it comes to forensic and e-discovery collections required by corporate investigations or litigation, getting data off an employee’s personal device can be a nightmare.
This challenge is not a hypothetical scenario. More than four in 10 (42 percent) respondents to the AccessData/CCBJ survey reported that their organization faced at least one case or investigation in the last 12 months involving collection of data from an employee-owned mobile device — and more than 90 percent expect to face this digital forensics requirement in the year to come.
For example, on any given day, a corporate digital investigation team may have to attempt to collect data from a personal mobile device that is contained in apps such as Skype, Slack, Dropbox, Facebook, Twitter, What’sApp, Instagram and Fitbit … just for one employee. It’s no wonder that 85 percent of organizations find the vast amount of data sprawled across so many different sources to be troubling, according to the AccessData/CCBJ survey, and one in four say this is a critical concern for them.
So what steps can a corporate legal department take to try to gain the upper hand with trying to manage information risks created by BYOD policies? The first and most glaring step is to stop flying blind and get in the game. Despite the fact that most organizations now permit or encourage the use of personal mobile devices for work-related matters, 40 percent of companies do not have a BYOD or personal device policy and/or a formal procedure for collecting data from employee devices. Another 22 percent have only informal collection procedures.
Once those clear policies are in place, corporate teams need to implement practices and protocols for data collection that will produce an efficient workflow, deploy the right tools for the right data set, deliver forensically sound results and protect data security throughout the investigation. To make that possible, it’s essential that corporate investigative teams use software tools that facilitate collaboration and efficiency throughout the investigation, preferably with technology that has been recognized by courts as being forensically sound.
Based on feedback from our clients across corporate, legal, government and law enforcement audiences, we have developed and recently launched the 7.0 versions of our digital forensics software tools. These new releases of our solutions support the growing need for more robust and comprehensive investigations of mobile devices by delivering additional parsers and enhanced presentation of chat conversations in their native formats. We will continue to build out our mobile forensics capabilities with additional releases in 2019 to help investigators more quickly and effectively analyze mobile data in today’s fast-changing digital world.
AccessData and CCBJ recently hosted a webinar that reported the results of our survey, examined the risks associated with allowing individuals to access and share company information through non-monitored personal devices, and then highlighted best practices for establishing and administering BYOD programs in light of potential information risk pitfalls. For free access to an audio recording of this webinar, please click here.