News & Updates: Employer Discovery Obligations May Extend To Employee Personal Devices

Businesses involved in litigation have all been faced with the situation of receiving document requests in discovery and learning that individual employees of the business may have relevant information on their own personal electronic devices. This raises a number of questions for the business: Is it required to scour the devices owned by its employees for relevant, responsive information? Does the answer depend on the type of information at issue – for example, a text message or two sent by an employee to the other party in the lawsuit versus emails stored on both the employee’s personal device and on the businesses’ servers? Can any employer policies limit the scope of discovery obligations, and related costs?

Despite the rise of “Bring Your Own Device” (“BYOD”) policies by which many organizations encourage employees to use their own personal devices for work purposes, to date, courts have offered little guidance regarding the scope of discovery obligations related to such devices. Stepping into this relative void is The Sedona Conference, the legal research institute with a track record of helping to shape practices concerning discovery of electronically stored information (“ESI”). The Sedona Conference recently promulgated “The Sedona Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations.” This Commentary provides guidance on the development of BYOD policies and practices to address security, privacy, and discovery concerns.

On the issue of discovery, the Commentary highlights the risk of significantly increased discovery costs to collect, review, and produce ESI from employee personal devices and offers guidance for organizations considering adopting or revising BYOD policies. Among the Commentary’s key takeaways related to discovery are the following:

First, in drafting policies, organizations should carefully consider whether they wish to require employees to sign consents or acknowledgments granting the organization control of business information stored on personal devices. From a day-to-day operations standpoint, such consents may benefit the organization by making it easier to control business information, including obtaining the return of such information upon the termination of the employment relationship. However, such consents or acknowledgments may increase the risk that courts will find that the organization has legal control over the data, thereby increasing discovery obligations.

Second, organizations should implement policies that prohibit or discourage employees from storing unique ESI on their BYOD devices. To the extent an organization can show that relevant ESI on a BYOD device is simply duplicative of information also available from a more readily accessible source (e.g., an email stored both on the employee’s personal device and on the organization’s server), courts are less likely to require collection of ESI from employee personal devices.

Third, mere reliance on a policy prohibiting employees from storing unique business information on BYOD devises may not be sufficient to avoid responsibility to collect and produce ESI from employee-owned devices. Rather, organizations should consider adopting practices that reduce the risk of unique ESI being stored on personal devices (e.g., synchronizing email accounts with organization servers) and training employees regarding the prohibition on storage of unique ESI.

While the Sedona Conference Commentary does not have the force of law, it offers useful guidance on considerations relevant to the development of effective BYOD policies and practices.