By Ana Cabassa-TorresKevin ReissMatthew Rotertand Levon Sutton

Published in Law360

In recent years, many companies have found “Bring Your Own Device” (“BYOD”) policies to be beneficial in the ordinary course of business.  However, BYOD plans can create a natural tension between the employer’s need to meet its discovery obligations and the employee’s interest in privacy when it comes to litigation.  A recent decision in the In re Pork Antitrust Litigation, pending in the United States District Court for the District of Minnesota, suggests that a properly crafted BYOD policy that strikes a balance between protecting the company’s interests and the employees’ interests may be determinative of whether the company has any legal right or practical ability to collect unique data from an employee-owned BYOD device.  If developed appropriately, a BYOD policy can address corporate security (including the use of mobile device management tools and the ability to wipe devices if threats are detected) while also drawing clear lines to demarcate that unique data sources likely to contain personal information, such as text messages, belong to the device owner and not the employer – even if the employee uses text messaging for work purposes.   

Even a well-crafted BYOD policy cannot, however, exclude text messages or other unique data on an employee-owned BYOD device from discovery.  If such data is outside the company’s possession, custody, or control, opposing counsel can still subpoena the employee to request the production of unique, relevant data from mobile devices.  And, absent a clear affirmation from the employee that no relevant data exists or a reasonable search regarding the existence of such relevant data, courts can (and likely will) compel such production, as the court decided in In re Pork Antitrust Litigation

When Does a Company Have Possession, Custody, and Control Over Employees’ Text Messages

It has been well documented that there is a circuit split regarding what constitutes possession, custody, or control (“PCC”).[1]  In some jurisdictions, PCC for discovery is limited to data to which the responding party has the “legal right” to obtain.  Other courts have taken a broader approach and found PCC when the responding party has the “practical ability” to obtain the relevant data.  Some courts, including the District of Minnesota, have utilized both approaches.  Whether a company has PCC over text messages from an employee-owned BYOD device, therefore, requires a fact specific analysis and may vary depending on the jurisdiction.  A properly crafted BYOD policy may keep text messages or other unique content from employee-owned BYOD devices outside the company’s PCC. 

BYOD policies effectively act as a contract between the employer and the employee and define (i) who is responsible for purchasing the device; (ii) whether any reimbursement is available for employee-owned devices used for business purposes; (iii) whether mobile device management software (MDM) must be deployed; (iv) what would be considered “company data”; and (v) under what circumstances, if any, the company would be allowed to unilaterally reset the device back to factory settings.  BYOD policies can also define if and when the company can collect or image employee-owned devices in the event of litigation.  The court in In re Pork Antitrust Litigation, for example, found Hormel’s BYOD policy to sufficiently limit the access granted to the company to employee-owned BYOD devices to exclude those devices from Hormel’s possession, custody, or control.  The court reached this decision despite the fact that Hormel (i) reimbursed employees for the use of mobile devices for business purposes; (ii) required the implementation of mobile device management software; and (iii) allowed for the company to remotely and unilaterally reset factory settings on employee-owned BYOD devices in certain circumstances – all of which may suggest a certain degree of control.  The court, however, focused on Hormel’s BYOD policy being optional for all employees defined as eligible and language in the BYOD policy that made clear what data is and is not owned by Hormel.  Specifically, Hormel did not explicitly assert ownership, control or ability to access, inspect, copy, image, or limit personal text messages – even if the employee used text messaging software for business purposes.[2] 

Importantly, the court explicitly stated that this decision did not need to settle the “legal right” versus “practical ability” conflict because under either standard the text messages in question fell outside Hormel’s PCC.  The court also noted that this decision was in-line with guidance provided by the Sedona Conference that an employer does not legally control text messages when, as was the case with Hormel’s BYOD policy, the controlling BYOD policy does not assert employer ownership over the texts, and, absent such an assertion of ownership the employer cannot legally demand access to such texts.[3]

While determining PCC for text messages or other unique data from an employee-owned BYOD device can decide thorny issues such as who has the duty to preserve and the format of document requests seeking data from such devices, BYOD devices still present unique issues within discovery.

What Constitutes a “Reasonable Search”

Determining that text messages and other unique data on an employee-owned BYOD device are outside the PCC of the company does not mean such data is exempt from discovery.  It does mean, however, that the requesting party would need to issue subpoenas directly to the employee custodian(s).  This may require the requesting party to demonstrate that the data sought is likely to include relevant information and may be more susceptible to cost-shifting depending on that showing. 

Further, actual collection and processing of employee-owned BYOD devices may be avoided if, after a “reasonable search,” the employee custodian can attest that no unique, relevant data exists on the subject device.  The court in In re Pork Antitrust Litigation was again instructive on what constituted a “reasonable search.”  Specifically, that court found that a “reasonable search” required providing sufficient information to the employee-custodian such that they “understood the full scope of what kinds of communications [the requests] might encompass” and employee-custodians could not merely rely on “their memories about whether they might have sent or received responsive or relevant texts.”[4]  Failing a “reasonable search” may lead to an order compelling the collection and production of text messages or other unique data with at least some of the cost of doing so being borne by the employee-custodian. 

Who conducts the “reasonable search” and when, should also be a consideration.  The In re Pork Antitrust Litigation court’s decision was directed at counsel for an employee custodian after a motion to compel had been filed.  To avoid such proceedings, conducting a “reasonable search” may mean multiple conversations with the employee-custodian – starting with any custodial interviews conducted as soon as the employee-custodian is identified as an individual likely to have relevant data – even if the company’s BYOD policy is drafted to exclude such information from the company’s PCC. 

Based on the court’s standards outlined in In re Pork Antitrust Litigation, counsel must do more than rely on vague statements from the employee-custodian, such as that they adhered to acceptable use policies limiting the use of text messages or that they do not use text for work-related matters.  Ascertaining whether or not employee-owned devices may have unique, relevant data can help inform meet and confers before subpoenas are issued, reducing burden and cost for both parties.  Having that conversation, along with requesting that the employee-custodian preserve any relevant information, may also help avoid claims of spoliation and help inform decisions on whether employee-custodians should have independent retained counsel. 

If an employee-custodian does have independent retained counsel and the employee custodian’s BYOD device is subject to discovery, counsel should not rely on statements made to the company or company’s counsel and should revisit whether relevant text messages or other unique data may exist.  Failing to do so may, again, lead to a court order compelling production from such devices.

What Steps Can be Taken to Protect the Privacy of an Employee-Custodian

If efforts to exclude text messages or other unique data stored on an employee-owned BYOD device from discovery are unsuccessful, efforts can still be made to protect the privacy interests of employee-custodians as the court explained in In re Pork Antitrust Litigation.  If the collection and production of such data appears likely, the parties should:

  • Include provisions in the protective order that protect the interest of employee-custodians (i.e., limiting who can see data collected from an employee-owned device).
  • Establish limits on what might be subject to review (i.e., communications exchanged with specific phone numbers and for specific time frames).
  • Allow for independent review of collected data for relevance prior to production.
  • Work with third-party collection vendors to identify processing strategies to minimize the volume of personal data subject to review.

Things to Consider if a Company Has a BYOD Policy

While a properly drafted BYOD policy can limit the company’s discovery obligations as to employee-owned BYOD devices, this does not mean that employee-owned BYOD devices will be immune from discovery in all circumstances.  Further, such BYOD policies may also have the effect of limiting employers’ access to employee communications for non-litigation purposes (i.e., internal investigations).  As a result, companies should evaluate their current BYOD policies and consider whether such risks are appropriately balanced.  Unfortunately, there is no one-size-fits-all approach for every organization or even for every employee within an organization, but a BYOD policy should consider:

  • Which employees are eligible for BYOD plans.  For example, high ranking executives or other employees most likely to use text messaging for business purposes (such as sales teams) could be excluded from BYOD plans and issued corporate-owned devices.
  • How “company-owned data” and “personal data” are defined. 
  • Whether the employer can request data potentially relevant to litigation be preserved – including personal data – even if the employer cannot request collection of that data directly.
  • Whether mobile device management software should be installed and how it can/should be used.  For example, can the employer remotely conduct a factory reset on an employee-owned BYOD device, and under what circumstances would that be appropriate?
  • What constitutes an “acceptable use,” including what software is used for business purposes.  For example, can text messaging be used for business purposes at all or even just for logistics (i.e., providing directions to a client meeting), whether encrypted messaging platforms such as WhatsApp can be used, and how will such guidelines be enforced?

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1]See, The Sedona Conference, Commentary on Rule 34 and Rule 45 “Possession, Custody, or Control,” 17 Sedona Conf. J. 467 (2016).

[2] Hormel’s BYOD policy defined company-owned data as “all data that is sourced from Hormel systems and synced between the mobile device and its servers” which included company email, calendars and contacts. 

[3] One issue that is not addressed in the decision but should be front of mind: whether companies need to prohibit the use of non-approved systems/applications on BYOD (i.e., non-company systems that are synced) if business and/or client information that is confidential will be in the communication as the business needs to take reasonable steps to maintain confidentiality and the absence of control could indicate a risk to the business confidentiality of any data on that non-approved system or application.

[4] In re Pork Antitrust Litigation, at 5.