
The Complexities of Legal Holds On Mobile Devices

Philip Favro

The debate over the impact of technology on the legal profession has been heightened since the ABA’s groundbreaking announcement in 2012 regarding the interplay between competence and technology. Nowhere is this trend more obvious than in the manner in which lawyers are addressing the impact of mobile devices on corporate clients.

As detailed in an article I recently authored for Inside Counsel, mobile devices have introduced a range of security and eDiscovery complications for companies. In particular, mobile device use lessens the extent of corporate control over confidential business information. Whether that information consists of trade secrets, proprietary financial information, or attorney-client privileged discussions, difficulties in policing mobile devices allow employees the opportunity to misappropriate data more easily. With a single touch of a smartphone screen, an employee can direct sensitive company data to personal cloud providers, social networking sites, or WikiLeaks pages.

Enterprises have the additional challenge of preserving and producing relevant data stored on these devices for legal actions. The logistical problems of locating, retaining, and turning over that data can be particularly complex in light of the legitimate privacy expectations that employees may have respecting the personally identifiable information (PII) stored on a device. All of this could be problematic for satisfying a company’s eDiscovery obligations, among many other things.

Addressing the Problem with Preventative Measures

To address these problems, lawyers should work with their clients to ensure they develop manageable use policies. Such policies need to clearly delineate how employees should handle company data on mobile devices. The policies should also define the nature and extent of the enterprise’s right to access data on the employee device, especially for use in legal matters. One way to tackle this issue is to include a provision in the use policy that eliminates any notion that employees have a reasonable expectation of privacy in their mobile devices. While there is case authority suggesting that a company can successfully follow such a course, other court decisions have reached a contrary result. A better practice may be to secure the employee’s consent on this issue through a separate written agreement, especially where that employee is using a personal device under a “bring your own device” (BYOD) policy.

Lawyers should also work with their clients to explore the availability and feasibility of technologies to segregate personal materials from company data. One way this can be done is by downloading software onto a device to separate and encrypt company information. Not only does this facilitate the retrieval of company data from a device, it could also serve to prevent unauthorized access to or misappropriation of company information by third parties.

Another, more comprehensive approach would involve the use of machine learning technology in connection with the company’s information governance program. In this context, predictive machine learning tools can learn from initial human decisions about information to provide automated guidance about similar documents. Once appropriately calibrated, this technology can help isolate employee PII from company materials throughout the enterprise. Such a strategy would have the advantage of keeping the most sensitive employee PII away from the discovery process and thereby reduce the risk of producing it in litigation.

Though it is impossible to anticipate or address every legal risk associated with mobile device use, lawyers can still competently advise their clients on the key issues. To ensure that a client has a reasonable plan in place to tackle the security risks and eDiscovery problems arising from those devices, attorneys should work to develop a holistic response along the lines suggested in this article. By so doing, they can help their clients address these issues and also discharge their evolving digital age duty of competence.

This post was originally published on the Recommind blog.