Drafting “Bring Your Own Device” Policies that Protect Against Increased Litigation Costs and Risks

Drafting “Bring Your Own Device” Policies that Protect Against Increased Litigation Costs and Risks

During the pandemic, many businesses decided to pivot their workforce to remote or hybrid work. In doing so, some companies implemented versions of a “Bring Your Own Device” (“BYOD”) program to allow employees to use personal devices to do their jobs. While there can be cost savings and employee flexibility benefits to such programs, they also come with inherent risks. For example, when litigation requires the collection of company documents and data, the fact that an employee used their personal device for work could make discovery compliance more burdensome and costly because the employer might be required to collect, review, and produce data from employee personal devices that contain both work-related and personal data.

There are ways, however, to reduce potential risk that companies will be responsible for producing broad swaths of employee personal data. The recent case of In re Pork Antitrust Litigation[1] is instructive in this regard. There, plaintiffs sought an order compelling Hormel Foods to produce its employees’ text messages.[2]  Hormel objected that it did not have possession, custody or control of its employees’ personal cell phone data.[3] Hormel’s BYOD policy allowed, but did not require, employees to use their personal cell phones for work.

Importantly, the BYOD policy contained language which limited Hormel’s ownership to company-synced data and did not include the employee’s personal and un-synced data. And the court concluded that the fact that the policy gave Hormel the right to remotely wipe the entire phone if the security of its data was at risk did not give Hormel control over employee personal data.[4] The court cited the Sedona Conference which “has taken the position that an employer does not legally control personal text messages despite a BYOD policy when the policy does not assert employer ownership over the texts and the employer cannot legally demand access to the texts.”[5] By having a BYOD policy which explicitly limits the scope of the employer’s ownership and access, companies may be able to reduce the discovery burdens associated with having to produce employees’ personal data.

Note, though, that while Hormel Foods itself avoided the need to collect data from the personal cell phones in this case, the court enforced subpoenas directed to employees for the same text message data. But, significantly, the subpoena was not enforced against the lone employee who “observed a clear boundary about the use of her personal cell phone and could say without qualification that she did not use it in any manner for work purposes.”[6]  This suggests that limiting employees’ work to company-owned devices may be the best way to ensure that employers do not have to comply with burdensome requests to produce data from employees’ personal devices, and also to protect against employees being the subject of document subpoenas that require coordination and add another layer of expense and risk for a company in litigation.

Sarah Gohmann Bigelow

[1] No. 18-cv-1776 (JRT/HB), 2022 U.S. Dist. LEXIS 60214 (D. Minn. Mar. 31, 2022).

[2] Id. at *38.

[3] Id. at *40.

[4] Id. at *53-55.

[5] Commentary on BYOD: Principles and Guidance for Developing Policies and Meeting Discovery Obligations, 19 Sedona Conf. J. 495, 531 (2018) available at https://thesedonaconference.org/publication/Commentary_on_BYOD.

[6] In re Pork Antitrust Litig., 2022 U.S. Dist. LEXIS 60214 at *68-69 (though note that the court did order the employee to preserve her text messages).