A salesperson and her boss are attending a conference at a hotel. Their goals are twofold: learning the latest industry trends and mingling with clients to generate business. After the sessions end, they invite two potential clients to join them for happy hour. Over cocktails, they develop a rapport with the prospects, but the boss senses the clients are hesitant to commit to a formal meeting. He excuses himself to the restroom and texts his colleague: “I bet if you take one for the team tonight, they’ll give us that meeting. It’s worth $100 million, and I don’t need to remind you of that commission.”
Appalled by the message, the sales associate leaves without saying goodbye to her boss or the prospects. On Monday, the boss tells her that her rudeness ruined the company’s chance at securing the business and threatens to demote her. That evening, he deletes the text message.
Three months later, she sues for sexual harassment and later learns through depositions that the boss has made similar propositions to other female sales associates. Her lawyers demand production of the boss’s texts. The company’s attorneys refuse on the grounds that they do not have “possession, custody, or control” over the boss’s personal Blackberry, even though the company subsidized the phone service because the boss routinely conducted business using the device.
Scenarios like this highlight the complex issues that can arise as employees use personal devices for work purposes. By 2017, Gartner predicts half of employers will require employees to supply their own devices for use in the workforce. While the business case for enterprise BYOD programs is gaining appeal—with the advantages of increased productivity and decreased costs for the organization—the C-suite and counsel must consider the legal implications of BYOD, especially when litigation arises.
The company needs to decide how much “possession, custody, and control” it desires over employee-owned devices. It must strike a balance between greater monitoring and access to address security and intellectual property concerns against staving off potential e-discovery obligations that may impose significant storage costs and legal fees. The considerations include the following:
How much access to employees’ mobile devices does the company want?
Does the BYOD policy address the company’s rights to monitor and access employee devices?
Does the BYOD policy address specific platforms that will be supported, backed up, or connected to corporate networks?
Do employees grant consent to wipe the device if security issues arise?
How much privacy should employees reasonably anticipate if the employer subsidizes the service plan or provides IT support for the device? Does the subsidy provide the company a stronger argument in favor of greater access and monitoring rights?
Unfortunately, the developing case law provides no clear-cut answers for companies navigating these issues. In In re Pradaxa (Dabigatran Etexilate) Products Liability Litigation, the Southern District of Illinois sanctioned the employer for bad faith in discovery, citing its failure to produce texts and to disengage the auto-delete function for texts on both employer- and employee-owned devices after instituting a litigation hold. In contrast, in Cotton v. Costco Wholesale Corp., the District of Kansas held an employer did not have “possession, custody, or control” over text messages sent or received on their personal cell phones where there was no evidence that the employer issued cell phones to the employees, that employees used the phones for work-related purposes, or that the employer had any legal right to obtain employee text messages on demand.
One thing is certain: the issues surrounding “possession, custody, or control” of content will proliferate along with enterprise BYOD programs. Therefore, companies should address the considerations listed above and evaluate their BYOD policies; they must foster greater awareness among the workforce of the potential implications for mixing their personal life with work on their devices.