This document summarizes a presentation on the legal and practical implications of bring your own device (BYOD) programs that allow employees to use personal mobile devices for work. The presentation discusses BYOD adoption rates and benefits, as well as privacy and security risks for organizations. It covers international privacy issues, relevant US statutes and case law, security considerations including mobile device management, and unique challenges for eDiscovery with BYOD. Implementation topics like device basics, access controls, policy design, and privacy are also summarized.
1. Wherever You Go, There You Are
(With Your Mobile Device)
Legal and Practical Implications of a Cross-Border BYOD program
March 25, 2015
Melinda McLellan
BakerHostetler
Emily Fedeles
Shook, Hardy & Bacon
Moderated by: Jonathan E. Swerdloff, Driven, Inc.
4. Jonathan is a consultant at Driven, Inc. Prior to joining
Driven, Jonathan was a litigation associate at Hughes,
Hubbard & Reed LLP with over 10 years of experience that
included substantial eDiscovery experience managing
large discovery projects, analyzing enterprise data
systems, and investigations into nontraditional sources of
ESI.
Through his experience as a litigator and programmer,
Jonathan primarily focused on creative problem solving
with regard to all types of data. He analyzed and
produced complex structured data systems and developed
internal workflows for large litigations. His experience also
includes developing cost-saving legal processes,
managing legal budgets, and supervising legal personnel.
Speaker Bio
Jonathan Swerdloff
Consultant and Data Systems
Specialist
Driven, Inc.
jonathan.swerdloff@driven-inc.com
212-364-6385
5. Emily Fedeles is an associate in the Geneva office of Shook, Hardy & Bacon,
where her practice focuses on the defense of complex litigation in Europe,
West Africa, and the Middle East, including class actions, reimbursement
lawsuits, consumer protection claims, and individual product liability
claims. Emily's role includes working with other outside counsel to
coordinate defense strategies and develop supporting evidence. Emily
advises clients on litigation prevention strategies and legislative projects
that impact or alter civil liability risks - such as proposed legislation on class
actions and punitive damages - in Europe, Africa, and Asia-Pacific. As part
of that strategic advice, Emily evaluates client eDiscovery readiness
programs, advises on collection, review, and production considerations, and
considers the implications of mobile technologies, client information
technology platforms, and related social media use. Emily is an active
member of The Sedona Conference® Working Group Six. Prior to joining
the Geneva office, Emily practiced in the firm's Tampa office representing
product manufacturers against personal injury claims in both state and
federal courts in the United States.
Presenter
Emily Fedeles
Associate
Shook, Hardy & Bacon
efedeles@shb.com
+41.22.787.2000
6. Melinda McLellan is Counsel in the New York office of
BakerHostetler, where she advises clients on complex privacy,
cybersecurity, and information management issues as a member of
the firm’s national Privacy and Data Protection team. Melinda
regularly counsels companies across multiple industry sectors on a
broad range of privacy and security matters, including by advising
on how to respond to data security incidents and related regulatory
inquiries, creating and implementing internal privacy and security
policies and employee training programs, and working with
marketing teams to develop innovative and compliant new media
campaigns. Melinda is a 2005 graduate of Harvard Law School
where she served as Executive Editor of the Harvard International
Law Journal. New York Super Lawyers has selected Melinda as a
“Rising Star” for the past three years in a row.
Presenter
Melinda McLellan
Counsel
BakerHostetler
mmclellan@bakerlaw.com
212.589.4679
http://www.dataprivacymonitor.com/
7. BYOD Generally
• What is BYOD?
• Adoption rates
• Benefits to organizations and individuals
• How does BYOD create risks for organizations?
– The “number one e-discovery challenge... for the coming years”
8. Privacy – Expectations and Guidance
• Tension between personal privacy and professional needs
• Different countries, different privacy expectations
– Employer expectations
– Employee expectations
• FTC mobile privacy guidance (2013)
9. Privacy – International Issues
• Regulation of BYOD in the EU
– Historical Backdrop
– Omnibus Data Protection Law
– Works Councils
– Examples: Germany, UK
• U.S. v. Odoni
10. Statutory and Common Law (U.S.)
• Electronic Communications Privacy Act (“ECPA”)
– Katz v. U.S., 389 U.S. 347 (1967)
– Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010)
• The Stored Communications Act (“SCA”)
– Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)
– Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008), rev’d on other grounds sub nom. City of Ont. v. Quon, 130 S. Ct. 2619 (2010)
– Sunbelt Rentals, Inc. v. Victor, No. C13-4240 SBA, 2014 WL 4274313 (N.D. Cal. Aug. 28, 2014)
• The Computer Fraud and Abuse Act (“CFAA”)
– Rajaee v. Design Tech Homes, Ltd., No. 4:13-cv-02517, 2014 WL 5878477 (S.D. Tex. Nov. 11, 2014)
11. Security
• Security risks associated with BYOD
• The end node problem
• Securing mobile devices: EMMs and MDMs
• Remote wiping
12. eDiscovery
• Unique issues associated with BYOD
• Recent cases discussing BYOD
• Who has “control” of the device?
• Managing employee expectations
13. Implementation Considerations
• Device Basics
• Access and Use
• Designing BYOD Policies
• Privacy Concerns
14. Device Basics
• How will the organization address employee separation and device disposal issues?
• What types of devices will the organization support?
• If employees will be reimbursed for device purchases, how will the reimbursement process work?
• What happens when a device is lost or stolen?
– If an employee wishes to trade in a device containing company data, how will the organization ensure that all such data is securely removed from the device?
– How can the organization ensure data security with respect to company data on a personal device if an employee is terminated or otherwise separates on bad terms?
– How will the organization recover company data if an employee inadvertently (or intentionally) deletes it from a BYOD device?
15. Access and Use
• Who within the organization will be allowed to participate in the BYOD program?
• Will the scope of employee participation differ depending on job functions?
• What types of company data may employees access using their devices?
• Who owns the data on the device when an employee leaves?
• How should the organization restrict “risky” employee behavior on the clock?
16. Designing BYOD Policies
• What considerations go into the organization’s strategic approach?
• How will the organization handle BYOD policy violations?
• How will the organization address border crossing security issues with respect to BYOD devices?
• What device security considerations are involved at the strategic level?
• Which jurisdiction’s law will apply in various scenarios?
• How will the organization integrate BYOD considerations into other organizational policies?
17. Privacy Concerns
• Who within the organization is responsible for monitoring legal developments concerning BYOD?
• How will the organization provide notice of its monitoring practices, and offer choices with respect to monitoring where required?
• What additional factors should be considered when the organization issues legal holds that apply to BYOD devices?
Editor's Notes
Hello and welcome to this ACEDS webcast, Wherever You Go, There You Are (With Your Mobile Device) – Legal and Practical Implications of a Cross-Border BYOD Program, presented by Driven. I’m your host Robert Hilson of ACEDS, and I’m joined today by three great experts, who I will introduce in a moment. But first I have two brief announcements.
I’d like to especially welcome everyone on the call who is new to ACEDS. ACEDS is a membership association owned and managed by Barbri that is committed to promoting e-discovery skill and competence through training, education, and networking. We offer the Certified E-Discovery Specialist credential, which is held by more than a thousand practitioners in the US and globally. You can join today and start receiving a number of benefits exclusive to our members, including news content, members-only webcasts, our bits+bytes newsletter, a members directory, and special benefits from our affinity partners, which now include EDRM and Tru Staffing Partners.
We will be holding our annual conference September 29 to 30 at the Gaylord National Resort in Washington, DC. A live certification prep course will precede the conference on the 28th. And we expect this to be our best show yet. We’ve announced a number of great speakers, including those you see on your screen. Earlier this month, we announced that retired US magistrate Judge Nan Nolan, who is now at JAMS, will be presenting, as well as Jeff Jacobson, the Director of the New Jersey Division of Law. They will join Judge Grimm, Judge Waxse and Judge Thomas Vanaskie among others. You can visit ediscoveryconference.com and learn more about the program and the topics we’ll cover, and if you feel so inclined, you can register to attend.
Alright, let’s get started. Our moderator today is Jonathan Swerdloff, a consultant at Driven. Prior to joining Driven, he was a litigation associate at Hughes Hubbard and he has more than 10 years of experience managing large discovery projects, analyzing enterprise data systems and conducting investigations into nontraditional sources of ESI.
Jonathan, thanks for joining us.
Jonathan is joined by Emily Fedeles, an associate in the Geneva office of Shook Hardy, where her practice focuses on the defense of complex litigation in Europe, West Africa and the Middle East, including class actions, reimbursement lawsuits, consumer protection claims, and individual product liability claims. Emily, thanks for joining us today.
By the way, all of these speakers have very impressive bios, and I encourage you to go to ACEDS.org to read them all in full… Jonathan and Emily are joined by Melinda McLellan, an attorney in the New York office of Baker Hostetler. Melinda advises clients on complex privacy, cybersecurity and information management issues as a member of the firm’s national privacy and data protection team. New York Super Lawyers has selected her as a rising star three years in a row.
Melinda, thanks for being here.
Okay, before we get started, I want to encourage everyone on the call to ask questions by typing them into the questions box on the right of your screen. And we will get to them at the end of the presentation as time allows.