Data access: Manage the data security risks of BYOD

Feature | 28 February 2014

John Shaw considers how to manage the data security risks of 
operating a bring-your-own-device programme

According to global analysts Gartner, up to 70 per cent of professionals will conduct their work on personal smart devices by 2018 rather than using employer-supplied equipment. Bring-your-own-device (BYOD) has many advantages but also creates a raft of issues if you need to carry out an e-disclosure exercise or respond to a regulator’s request for information.

BYOD offers the potential to free up much of the high cost of providing employees with computer hardware. There is also growing evidence that employees are likely to be more productive over longer periods – in and out of the office – if they use their personal computer equipment for business. Employee pressure has also played its part, with many not wanting to carry around more than one device but also not prepared to live with the restrictions that working with firm-owned devices brings.

While the effect of BYOD has not yet proven to be as apocalyptic as many sceptics might have predicted, some of the corporate data management concerns are coming to pass and creating real headaches and challenges for the IT managers running BYOD programmes.

This is no less true in respect of business data in the litigation context, where the ability to quickly locate, secure, extract and analyse data is paramount to meeting legal obligations in dealing with disputes (or responding to regulatory interventions), while keeping a lid on costs.

The good news is that, while the challenges created by BYOD are serious, they are not insurmountable, especially if you take steps to manage the risks presented by the dissemination of firm data to personal devices before that data becomes the subject of a legal or regulatory dispute.

DIY dilemmas

The key to successfully tackling a dispute is to have your data litigation-ready; of critical importance to this is knowing where your data is. Since the vast bulk of documents have moved from paper to digital formats, the volume of documents which potentially form part of the average dispute has exploded, as have the formats they were recorded in and the locations in which they reside.

E-disclosure can very effectively identify, process and secure data when a dispute breaks out. But even the best systems need to have the data presented in a structured way if they are to achieve the best results. The challenge presented by BYOD in this context is that the use of personal devices can result in firm data becoming fragmented, while the variety of operating systems and applications used by individual computing devices can lead to data being stored in a wide variety of formats. Even within personal devices, relevant documents may be located in a variety of places (such as folders, emails or the cloud) depending on the personal preferences of the owner.

This not only makes the locating and processing of data more complicated and time-consuming than it needs to be but can also affect the integrity of firm data, which is critical to its admissibility if relied upon in evidence. In addition to visible data, files also contain valuable metadata (such as on when a document was created, amended and by whom), which can be damaged or destroyed by injudicious data management.

It is crucial in the litigation context to establish an electronic document’s chain of custody, integrity and provenance if it is to be of use in court. Sophisticated forensic techniques are often required to ensure that this is preserved, which can be challenging when data is located in a variety of devices and formats.

The use of personal devices can also make getting an employee’s cooperation with the e-disclosure process more difficult if firm data is sitting on their machines alongside personal data. It can be difficult to persuade people to hand over company-owned equipment that may contain personal emails and photos. This issue is becoming more acute as the BYOD trend continues.


Avoiding misunderstandings

When designing or incorporating a BYOD programme, it is important to consider the terms of the employment agreement, which will help to cover critical e-discovery obligations and expectations on both sides. It helps to avoid possible misunderstandings and ensures that the process runs smoothly.

When implementing your BYOD policy, take steps to identify where all data from an employee’s device may reside. This should include not just what is physically located on the device itself, but also any cloud-based data repositories (such as iCloud or DropBox) to which the data may have been backed up.   

Employees using their own equipment in a BYOD setting should be prepared to allow employers access to their devices in order to install software that can remotely access data on the device or completely wipe the device in the event that it is lost or the employee leaves the company.


BYOD and e-disclosure

When designing BYOD programmes and policies, it is essential that a plan is put in place to locate, secure and extract data in the event of legal action or regulatory investigation. Trying to track down potentially relevant documents and traversing some of the other operational challenges of BYOD in a defensible manner after the event is likely to prove a near-impossible task given the timescales imposed by the courts and regulatory bodies.

This includes having not only a clear map of where data is and the formats it is likely to be stored in, but also understanding how the security protocols differ between major operating systems to ensure the IT team can access data quickly when required and identify where passwords and encryption keys may be needed.

Data preservation and extraction procedures can vary significantly between operating systems, so it is important that they are understood in advance. Monitoring and registering the addition of new devices to the network is also essential to ensure that the IT team understands which operating systems and file formats are being used on their networks at any one time.

Forward planning should include agreeing a workflow of how the e-discovery exercise will be conducted in practice – for example, what the respective roles and responsibilities of the IT, HR and legal teams will be and how the day-to-day business of the company can be carried on without undue disruption if devices need to be taken away for data extraction or analysis.


Incorporating BYOD in your e-disclosure process

  • Get an agreement. Before an employee’s device is admitted to the firm’s network, there needs to be an agreement put in place to address what happens if and when the firm needs access to its information on that device. Employees need to be made aware of exactly what their obligations are in respect of how they use their devices. The agreement needs to be a formal one between the employer and the employee that can be enforced if necessary.

Research suggests that only a minority of companies that allow their staff to use their own computers have such binding agreements in place. The main focus of such agreements is data security, but should also contain provisions aimed at ensuring that e-disclosure exercises can be conducted efficiently and cost effectively.

Things to consider in an e-disclosure context include whether employees will need to surrender their devices for a period to enable data to be extracted, what the employer will do with the private data that is on the machine and how employees should manage company data on a day-to-day basis.

Regular compliance checks should also be required to ensure employees properly understand how they should handle and act upon firm data.

  • Get worldly wise. Data protection and privacy laws vary significantly from country to country. International firms should understand how this will affect their ability to retrieve information from their employees’ devices and take appropriate steps to ensure that this does not create a major obstacle in the event of a legal dispute.

  • Get in sync. Regular syncing of data on personal devices with the corporate network will also help to ensure that company data is easily locatable and retains its integrity. Routing company emails through the company Exchange server will also help to ensure that business emails are easily accessible by the firm.

  • Get an app. Apps are now available on both Android and iOS to enable firms to partition their documents from employees’ private data. Isolating corporate and personal data in this way can ameliorate many of the issues identified, but care needs to be taken with deployment, as partitioning may not be possible on older devices.


Privacy issues

The growth of personally-owned hardware for business use is more likely to bring firms in conflict with data protection and privacy laws. These can vary markedly from country to country and, in many instances, leave firms unable to get to their own data without the consent of the owner of the device it is stored on.

If not managed properly, these factors can mean that the BYOD trend has the potential to significantly complicate the e-disclosure process in the event of litigation. This will have a knock-on effect on the cost of an e-disclosure project, putting the potentially rising costs at odds with the courts’ recent move to proportionate justice.

More specifically, recent amendments to the Civil Procedure Rules in England and Wales imposes a duty on the parties to discuss and try and agree what technologies, techniques and strategies will be used to undertake an e-disclosure exercise prior to the first case management conference. Being able to locate your data to understand how you will approach the e-disclosure stage of litigation is more critical to success than ever.

Much can be done to mitigate the risks of BYOD in litigation, but careful preparation and on-going vigilance are essential if problems are to be avoided (see box: Avoiding misunderstandings). Meanwhile, for firms that have yet to embrace BYOD, the complexities it can bring to litigation-readiness should be taken into account when weighing up the pros and cons. According to the Gartner research, at least 30 per cent of companies are refusing to join the BYOD trend. Whether they are swimming against an irresistible tide remains to be seen.

John Shaw is director of digital forensics at Consilio

Already registered? Login to access premium content

Give Feedback