Can your company seize your personal smartphone or tablet?

The answer turns out to be yes that they can and in certain circumstances the answer is that they must.

Huh?  It’s my phone not the company’s?  If they ask, I’ll simply remove my access to the company email account and that will be that!

Well, no in that case, you could be in deep legal trouble for destroying evidence, as well as setting yourself up for dismissal from your company.

iPhone5There has been an interesting development in recent years with regards to mobile technology.  Employees are opting to purchase their own devices, then using them for both personal and company purposes.  It’s gotten so widespread that many companies now encourage it to the point of many offering partial reimbursements to help defray the cost.   Basically, it’s considered a win-win for both the individual, who gets to choose the device, as well as the company that doesn’t need to pay for  the device, the maintenance and the other costs like maintaining the inventory records on the device.  This involves smartphones, tablets and laptop computers.

The rub is that the US legal system (as well as the legal systems in other counties I suspect) has very strict rules when it comes to discovery in various legal settings, which for the corporation usually involves civil litigation.  When a company is sued, the company is legally bound to make every effort to find and protect all information that they possess that might be relevant to the litigation.  Once informed, the company and its employees are required to safeguard any relevant information.  One can not destroy or “misplace” the information and the company is obligated to track down this relevant information from every source, including laptops and smartphones.

To do this, they can seize your personal smartphone, laptop or tablet if they have reason to believe that it’s been connected in any way with the corporate servers now or in the past.  They will take the device to perform forensics, which means that they will scan all data on the device to find anything that is considered relevant.  Obviously, this has two major drawbacks from the user’s perspective: First, you’ll loose access to the device weeks to months while the forensics is performed.  For a culture that is so smartphone-centric, that will be torture for many.  The more serious issue (in my opinion) is privacy breach, where the forensic team will need to access all data, including the file you’re not supposed to have, but do because you can’t remember all your passwords.  Remember the forensic team has no legal obligation to safeguard your personal data, just the information that is relevant to the case.

So, what can you do?

  • You can decide that you’ll live with this risk.  The good news is that this hasn’t become a widespread issue … yet.  Most corporate emails are stored on corporate servers, even though you have copies on your devices.  If that’s the case, then there should be no email evidence on your phone that isn’t also on the server.  However, did you even take a picture of a white board after meeting to capture the discussion?  Do you have a document on your tablet for reading on the train home?   If you decide to take the risk, be sure to not keep very sensitive personal data on your device.  Also, you should probably not use the device for any form of financial transactions since that will leave some sensitive data on the device.
  • The safest method is to carry two devices, one personal and one for work, which is a pain and expensive to boot.
  • If you decide to wean your personal device from corporate use, you need to do two things.  First, you need to remove all information, not just your corporate emails.  This means any pictures, documents, whatever.  Next, you need to formally inform your company that you no longer have any corporate data on your device.  It is critical that you do this at a time when you have not been informed about pending discovery.  Said another way … once you’ve been notified about discovery, you can’t remove any data from the device until relevant data has identified and provided to the discovery team and the team informs you that they are done.
  • If you have been notified about discovery, you can work with the discovery team to provide all the data from your device that could be relevant, which likely would preclude the need to seize your device.  I’ve been notified a couple times in my career about discovery and have simply provided copies of anything that could be relevant to the discovery team without the need to provide my computer.   For the majority of employees, there isn’t a need to seize the computational assets.  However, it’s still a real option especially if you were directly involved in the matter being litigated.
  • If you have  a device that is only used for personal use, do not attach it to any asset owned by the company.  This means to not use the company WIFI, nor use the company computer to charge the device.  If they have any record of the device in their systems, they have the obligation to consider it for discovery.

Finally a thought if you use a personal laptop for both personal and corporate use.  I know a couple folks who travel a lot and have decided to use their personal computer for corporate use so that they don’t have to travel with two laptops.  To keep their personal and professional life separate, they run a corporate image of Windows on a virtual machine.  Software provided by companies like VMware make this easy.  By operating your corporate side as virtual machine, you effectively isolate the personal from the professional.  This isn’t a guarantee that your laptop wouldn’t be seized, but if you could provide the virtual machine files, the discovery team would have all they’d need for discovery.  Be sure to clear this with your company.  See the disclaimer that follows …

 I’m not a lawyer, nor do I play one on TV.  Any questions you might have about the legal implications of using your personal device at work, you need to discuss with your company’s legal and IT departments.

8 Comments

  1. captainstarwizz

    Hi Greg, I think you left out the option to say no. Discovery is a legal process and therefore there are legal methods for engaging in it – like a subpoena. The company telling you that you have to disclose anything is really just a request and it is a request that you can refuse. You may get fired, and there may be a subpoena issued, but you don’t have to surrender it because they ask for it. They cannot forcibly take it from you and still be compliant with the law.

  2. Your point is well taken. To expand that a little more, if a company asked me for my personal device due to discovery, I’d first attempt to provide the pertinent data from my device in an attempt to comply and protect my device and its contents. If after that, the company demanded my device, I’d likely contact an attorney to see what my rights would be be WRT the device and hopefully have the attorney work with the company towards a mutually satisfactory solution.

    I suspect the outcome will eventually turn on the published policies of the company. By using the device on their network, one is typically agreeing to conform with the policies. If the policies are not explicit about how to handle this particular situation, then you’ll likely OK.

    The point of the post remains, if you use your personal device for work related access, there is a very real possibility that the device and/or the data contained will be required to satisfy a legal obligation of the company.

  3. Nate

    Quick question.If my company stole my laptop forcible off my desk with no permissions given and will not return it can they use the data on it against me?

    • I don’t know, though I’d suspect it depends on whether the data is owned by the company or your personal data. Company owned data likely can be. If it’s personal, I don’t know. Also, it would depend on whether you or your company owns the laptop (your use of “my” could be your laptop that the company provided).

      if there is something serious on your that you’re concerned about, I’d consult a lawyer with a specialty in workplace law.

  4. Nate

    Its my personal laptop with business and personal info.

    • Figured that was the case, but needed to note the alternative.

      Again, my recommendation would be to consult an attorney. There are a lot of pertinent questions that a competent lawyer would discuss with you to see if there is any liability and what recourse you might have to get the laptop back. I’ve only scratched the surface.

      One other point: If you’re concerned about something that could lead to you being fired or criminal action (I don’t want to know BTW, not my business), it’s even more crucial that you get competent legal advice. Most Internet information (including mine) speak to general scenarios that’s applicable in most, but not necessarily all states. Certainly, not in every country. Also, who your employer is may have some impact: Governmental vs private? Small company (less than 50 employees) vs large? Jurisdiction in the US vs EU vs Russia vs North Korea 🙂

      Good luck and let me know if you find out an answer that you’re willing to share.

  5. Nate

    Great thank you. I have contacted a lawyer and I will report back what I come up with.

Trackbacks

  1. Can Your Family Be Your Lawyer | Local Attorneys

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: