This document summarizes a presentation on the legal and practical implications of bring your own device (BYOD) programs that allow employees to use personal mobile devices for work. The presentation discusses BYOD adoption rates and benefits, as well as privacy and security risks for organizations. It covers international privacy issues, relevant US statutes and case law, security considerations including mobile device management, and unique challenges for eDiscovery with BYOD. Implementation topics like device basics, access controls, policy design, and privacy are also summarized.

1. Wherever You Go, There You Are
(With Your Mobile Device)
Legal and Practical Implications of a Cross-Border BYOD program
March 25, 2015
Melinda McLellan
BakerHostetler
Emily Fedeles
Shook, Hardy & Bacon
Moderated by: Jonathan E. Swerdloff, Driven, Inc.

2. Join Today! aceds.org/join
Exclusive News and Analysis
Monthly Members-Only Webcasts
Networking with CEDS, Members
On-Demand Training
Resources
Jobs Board
bits + bytes Newsletter
Affinity Partner Discounts
“ACEDS provides an excellent, much needed forum… to train, network and stay current on critical
information.”
Kimarie Stratos, General Counsel, Memorial Health Systems, Ft. Lauderdale

4. Jonathan is a consultant at Driven, Inc. Prior to joining
Driven, Jonathan was a litigation associate at Hughes,
Hubbard & Reed LLP with over 10 years experience that
included substantial eDiscovery experience managing
large discovery projects, analyzing enterprise data
systems, and investigations into nontraditional sources of
ESI.
Through his experience as a litigator and programmer,
Jonathan primarily focused on creative problem solving
with regard to all types of data. He analyzed and
produced complex structured data systems and developed
internal workflows for large litigations. His experience also
includes developing cost-saving legal processes,
managing legal budgets, and supervising legal personnel.
Speaker Bio
Jonathan Swerdloff
Consultant and Data Systems
Specialist
Driven, Inc.
jonathan.swerdloff@driven-inc.com
212-364-6385

5. Emily Fedeles is an associate in the Geneva office of Shook, Hardy & Bacon,
where her practice focuses on the defense of complex litigation in Europe,
West Africa, and the Middle East, including class actions, reimbursement
lawsuits, consumer protection claims, and individual product liability
claims. Emily's role includes working with other outside counsel to
coordinate defense strategies and develop supporting evidence. Emily
advises clients on litigation prevention strategies and legislative projects
that impact or alter civil liability risks - such as proposed legislation on class
actions and punitive damages - in Europe, Africa, and Asia-Pacific. As part
of that strategic advice, Emily evaluates client eDiscovery readiness
programs, advises on collection, review, and production considerations, and
considers the implications of mobile technologies, client information
technology platforms, and related social media use. Emily is an active
member of The Sedona Conference® Working Group Six. Prior to joining
the Geneva office, Emily practiced in the firm's Tampa office representing
product manufacturers against personal injury claims in both state and
federal courts in the United States.
Presenter
Emily Fedeles
Associate
Shook, Hardy & Bacon
efedeles@shb.com
+41.22.787.2000

6. Melinda McLellan is Counsel in the New York office of
BakerHostetler, where she advises clients on complex privacy,
cybersecurity, and information management issues as a member of
the firm’s national Privacy and Data Protection team. Melinda
regularly counsels companies across multiple industry sectors on a
broad range of privacy and security matters, including by advising
on how to respond to data security incidents and related regulatory
inquiries, creating and implementing internal privacy and security
policies and employee training programs, and working with
marketing teams to develop innovative and compliant new media
campaigns. Melinda is a 2005 graduate of Harvard Law School
where she served as Executive Editor of the Harvard International
Law Journal. New York Super Lawyers has selected Melinda as a
“Rising Star” for the past three years in a row.
Presenter
Melinda McLellan
Counsel
BakerHostetler
mmclellan@bakerlaw.com
212.589.4679
http://www.dataprivacymonitor.com/

7. • What is BYOD?
• Adoption rates
• Benefits to organizations
and individuals
• How does BYOD create risks
for organizations?
– The “number one e-
discovery challenge... for the
coming years”
BYOD Generally
7

8. • Tension between personal
privacy and professional needs
• Different countries, different
privacy expectations
– Employer expectations
– Employee expectations
• FTC mobile privacy guidance
(2013)
Privacy – Expectations and Guidance
8

9. • Regulation of BYOD in the EU
– Historical Backdrop
– Omnibus Data Protection Law
– Works Councils
– Examples: Germany, UK
• U.S. v. Odoni
Privacy – International Issues
9

10. • Electronic Communications Privacy Act (“ECPA”)
– Katz v. U.S., 389 U.S. 347 (1967)
– Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010)
• The Stored Communications Act (“SCA”)
– Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
– Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008),
rev’d on other grounds sub nom. City of Ont. v. Quon, 130 S. Ct. 2619
(2010)
– Sunbelt Rentals, Inc. v. Victor No. C13-4240 SBA, 2014 WL 4274313
(N.D. Cal. Aug. 28, 2014)
• The Computer Fraud and Abuse Act (“CFAA”)
– Rajaee v. Design Tech Homes, Ltd., No. 4:13-cv-02517, 2014 WL
5878477 (S.D. Tex. Nov. 11, 2014)
Statutory and Common Law (U.S.)
10

11. • Security risks associated with BYOD
• The end node problem
• Securing mobile devices: EMMs and MDMs
• Remote wiping
Security
11

12. • Unique issues associated with BYOD
• Recent cases discussing BYOD
• Who has “control” of the device?
• Managing employee expectations
eDiscovery
12

13. • Device Basics
• Access and Use
• Designing BYOD Policies
• Privacy Concerns
Implementation Considerations
13

14. • How will the organization address employee separation and
device disposal issues?
• What types of devices will the organization support?
• If employees will be reimbursed for device purchases, how
will the reimbursement process work?
• What happens when a device is lost or stolen?
– If an employee wishes to trade in a device containing company
data, how will the organization ensure that all such data is
securely removed from the device?
– How can the organization ensure data security with respect to
company data on a personal device if an employee is terminated
or otherwise separates on bad terms?
– How will the organization recover company data if an employee
inadvertently (or intentionally) deletes it from a BYOD device?
Device Basics
14

15. • Who within the organization will be allowed to
participate in the BYOD program?
• Will the scope of employee participation differ
depending on job functions?
• What types of company data may employees
access using their devices?
• Who owns the data on the device when an
employee leaves?
• How should the organization restrict “risky”
employee behavior on the clock?
Access and Use
15

16. • What considerations go into the organization’s strategic
approach?
• How will the organization handle BYOD policy
violations?
• How will the organization address border crossing
security issues with respect to BYOD devices?
• What device security considerations are involved at the
strategic level?
• Which jurisdiction’s law will apply in various
scenarios?
• How will the organization integrate BYOD
considerations into other organizational policies?
Designing BYOD Policies
16

17. • Who within the organization is responsible for
monitoring legal developments concerning
BYOD?
• How will the organization provide notice of its
monitoring practices, and offer choices with
respect to monitoring where required?
• What additional factors should be considered
when the organization issues legal holds that
apply to BYOD devices?
Privacy Concerns
17