Don't Say No to BYOD and Personal Clouds, But Understand the Legal Risks When You Say Yes

By Alan Brill, Senior Managing Director, and Jonathan Fairtlough, Managing Director, Kroll
Thu, December 05, 2013

Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

While you have undoubtedly heard all the gloom and doom stories regarding individuals using personally owned devices or personally controlled cloud services like Dropbox, SkyDrive, Google Drive, Idrive, Evernote and similar services, don't forget the law of unintended consequences.

IT can't possibly anticipate every possible risk presented by the use of these technologies, but one thing is for certain: If employees store corporate information on their own devices or in the cloud using one of these services, they may open the company up to legal implications under the U.S. Federal Rules of Civil Procedure (FRCP).

The law requires, with few exceptions, that each side in a civil lawsuit diligently search for and preserve information that is "reasonably calculated to lead to the discovery of admissible evidence" and provide it to the other side, including any electronic data and its associated metadata.

It is important for IT leaders to discuss this subject and related corporate policy with their company's senior leadership and in-house or outside counsel to ensure that anything that could affect legal discovery is handled properly and to help mitigate the risk of severe penalties that judges could impose for discovery failures.

Top considerations when looking at this issue should include:

* The duty to preserve evidence in hard or electronic format starts as soon as it's reasonably anticipated there will be litigation, whether your company would be the plaintiff or the defendant. The company's general counsel will help determine when this duty is imposed and if/when you must notify employees that they may not delete relevant information or otherwise cause it to become unavailable. (You may also have to take steps to stop automatic time-based destruction of relevant evidence.)

* How laws apply to new technologies is vague and uncharted. For example, under U.S. federal law, companies are required to disclose information within their possession, custody or control, but how that might apply to Bring Your Own Device (BYOD) efforts or personally controlled clouds is murky. It would seem unlikely that a court would allow relevant information to be excluded or withheld because it was stored in personal clouds, and in fact, this information could -- and likely would -- be accessed by way of court orders and subpoenas against the "owning" employee.

Originally published on www.networkworld.com.