Can your company seize your personal smartphone or tablet?
The answer turns out to be yes that they can and in certain circumstances the answer is that they must.
Huh? It’s my phone not the company’s? If they ask, I’ll simply remove my access to the company email account and that will be that!
Well, no in that case, you could be in deep legal trouble for destroying evidence, as well as setting yourself up for dismissal from your company.
There has been an interesting development in recent years with regards to mobile technology. Employees are opting to purchase their own devices, then using them for both personal and company purposes. It’s gotten so widespread that many companies now encourage it to the point of many offering partial reimbursements to help defray the cost. Basically, it’s considered a win-win for both the individual, who gets to choose the device, as well as the company that doesn’t need to pay for the device, the maintenance and the other costs like maintaining the inventory records on the device. This involves smartphones, tablets and laptop computers.
The rub is that the US legal system (as well as the legal systems in other counties I suspect) has very strict rules when it comes to discovery in various legal settings, which for the corporation usually involves civil litigation. When a company is sued, the company is legally bound to make every effort to find and protect all information that they possess that might be relevant to the litigation. Once informed, the company and its employees are required to safeguard any relevant information. One can not destroy or “misplace” the information and the company is obligated to track down this relevant information from every source, including laptops and smartphones.
To do this, they can seize your personal smartphone, laptop or tablet if they have reason to believe that it’s been connected in any way with the corporate servers now or in the past. They will take the device to perform forensics, which means that they will scan all data on the device to find anything that is considered relevant. Obviously, this has two major drawbacks from the user’s perspective: First, you’ll loose access to the device weeks to months while the forensics is performed. For a culture that is so smartphone-centric, that will be torture for many. The more serious issue (in my opinion) is privacy breach, where the forensic team will need to access all data, including the file you’re not supposed to have, but do because you can’t remember all your passwords. Remember the forensic team has no legal obligation to safeguard your personal data, just the information that is relevant to the case.
So, what can you do?
- You can decide that you’ll live with this risk. The good news is that this hasn’t become a widespread issue … yet. Most corporate emails are stored on corporate servers, even though you have copies on your devices. If that’s the case, then there should be no email evidence on your phone that isn’t also on the server. However, did you even take a picture of a white board after meeting to capture the discussion? Do you have a document on your tablet for reading on the train home? If you decide to take the risk, be sure to not keep very sensitive personal data on your device. Also, you should probably not use the device for any form of financial transactions since that will leave some sensitive data on the device.
- The safest method is to carry two devices, one personal and one for work, which is a pain and expensive to boot.
- If you decide to wean your personal device from corporate use, you need to do two things. First, you need to remove all information, not just your corporate emails. This means any pictures, documents, whatever. Next, you need to formally inform your company that you no longer have any corporate data on your device. It is critical that you do this at a time when you have not been informed about pending discovery. Said another way … once you’ve been notified about discovery, you can’t remove any data from the device until relevant data has identified and provided to the discovery team and the team informs you that they are done.
- If you have been notified about discovery, you can work with the discovery team to provide all the data from your device that could be relevant, which likely would preclude the need to seize your device. I’ve been notified a couple times in my career about discovery and have simply provided copies of anything that could be relevant to the discovery team without the need to provide my computer. For the majority of employees, there isn’t a need to seize the computational assets. However, it’s still a real option especially if you were directly involved in the matter being litigated.
- If you have a device that is only used for personal use, do not attach it to any asset owned by the company. This means to not use the company WIFI, nor use the company computer to charge the device. If they have any record of the device in their systems, they have the obligation to consider it for discovery.
Finally a thought if you use a personal laptop for both personal and corporate use. I know a couple folks who travel a lot and have decided to use their personal computer for corporate use so that they don’t have to travel with two laptops. To keep their personal and professional life separate, they run a corporate image of Windows on a virtual machine. Software provided by companies like VMware make this easy. By operating your corporate side as virtual machine, you effectively isolate the personal from the professional. This isn’t a guarantee that your laptop wouldn’t be seized, but if you could provide the virtual machine files, the discovery team would have all they’d need for discovery. Be sure to clear this with your company. See the disclaimer that follows …
I’m not a lawyer, nor do I play one on TV. Any questions you might have about the legal implications of using your personal device at work, you need to discuss with your company’s legal and IT departments.