Originally published in 2016, this post continues to provide timely suggestions for employees who choose to BYOD. Don't ignore these best practices to protect your data.
Bring your own device (BYOD) programs give you the flexibility to choose the technology that comes most naturally and can help you be more effective at work. But how can you make sure your personal data is safe from prying eyes if your employer becomes involved in litigation?
The short answer is: You can’t. However, you can increase your odds by managing a work device separate from your personal device.
You can also follow some best practices to potentially minimize the attention your personal data will receive during discovery and review. Before we get to that, let’s talk about some common considerations.
One Device or Two?
Your company’s BYOD policy might require making personal data accessible in the event of litigation. In many cases, your personal data won’t be relevant to the matter, and it won’t be produced or referenced in court. However, if it’s intermingled with work data on your device, it may become discoverable, meaning someone in your organization—or, even worse, an adverse party—will need to examine it in the course of searching for data that is relevant.
Although the safest way to protect data is completely separating personal and work data on different devices, if you choose to use one device for both purposes, you may want to ask your personal lawyer or your employer’s lawyer some questions—remembering, of course, that your company’s lawyer represents the company, not you:
- Is personal data on my device accessible in the event of litigation?
- What if I only use certain applications solely for work purposes and other applications solely for personal use? Will data from my personal applications be discoverable?
- What sort of personal data could be accessed?
- What are some smart things I can do to protect my privacy?
Perhaps, however, these questions have already been answered. This leads us to the first of our five tips for protecting your information.
1. Know your company’s policies
Snuggling up on the couch with a glass of wine and a riveting BYOD policy may not be your ideal Sunday evening, but understanding these policies is a necessary step in protecting personal data on your devices.
It’s likely your organization has multiple policies in place regarding device security for you to review. It is your responsibility to read and understand them so you can comply holistically. Company policies extend beyond BYOD, so make sure you do your homework—and stay up to date on any changes to the policies over time.
Your employer may have integrated a BYOD policy with their acceptable use policy. These policies aim to protect data, and complying with both will help you and your employer avoid security risks.
2. Separate personal and company data
This is where having two devices can actually simplify your life. That said, if you must use only one device for both personal and work purposes, it is best to use separate applications for work and personal data. For example, using SMS exclusively for personal exchanges and something like Slack for work can make discovery of work data simpler—hopefully reducing the need to review your personal information.
If your work becomes involved in litigation, you’ll receive a legal hold notice and your legal team may interview you as a custodian. During both of those touchpoints, if you can tell your legal team with certainty that none of your work data resides as SMS on your phone, they may be able to set aside data from that app from the start of their review.
3. Understand how and when device wiping happens, if at all
Under certain circumstances, a device might be subject to data deletion—meaning your company can remotely wipe all data from your device. This is most common when a device is lost or stolen, and it ensures none of your information—personal or professional—lands in the wrong hands. Your device may also be subject to this process if you leave the company.
You don’t want to be caught unaware of this process in a stressful situation—you’ll have enough to worry about when you’re taking off on a flight home from a conference and realize you left your phone on the seat back in the terminal. The added surprise of having all family photos wiped from your device will be aggravating. Look for answers to the following questions to ensure you’re fully aware of these practices before disaster strikes:
- Is the data on my device subject to automatic or remote deletion?
- What events trigger automatic deletion?
- Is remote deletion part of the standard employee termination process?
- Is my approval required for the remote deletion?
- Is my personal data retained in case of automatic or remote wipe?
- Am I entitled to any reimbursement for the loss of personal data?
4. Have strong security settings on your personal device
In addition to protecting personal data from litigation, follow proper security measures to make sure your data is safe from hackers. As evidenced by the recent Apple-FBI debate, a lot of energy and attention—technological and political—goes into building these protections and addressing how they may be circumvented. It doesn’t make sense for consumers to ignore them.
There are many settings on your device that help protect data and privacy. The following tips can help you secure your mobile device:
- Create a strong passcode.
- If you have an Apple device, use Touch ID, Apple's biometric fingerprint authentication technology.
- Use two-factor authentication when it’s available in your applications. This requires logging in with an email address, and verifying your identity with a code sent to that email address from the app.
- Be smart about what data you give your applications permission to access. For example, does your bank really need to know your location?
- Disable access to your applications from your lock screen—yes, even Siri—and disallow text message previews.
- Put up additional layers of defense where possible by setting passwords in applications that offer them as an option.
Though some of these measures may seem like no-brainers, a surprising number of consumers don’t take advantage of them. Don’t make that mistake.
5. Be aware of your company’s mobile device management application
A growing number of organizations are using mobile device management (MDM) applications on their employees’ devices. These programs allow an administrator to control access to certain functions of an application on a smartphone, tablet, or computer. Additionally, MDM ensures that company protocol is followed and offers employees flexibility and security when bringing their own devices.
For example, Relativity Binders offers integration with MobileIron. MobileIron is an MDM application that allows the administrator to set certain permissions when using Binders and other applications on the device.
If your device is subject to MDM governance, here are some things to consider:
- You may be responsible for installing the application on your own device. Work closely with your IT team to ensure you’re setting it up properly.
- Your company’s MDM application may be the method your employer uses to remotely wipe your device in the event it becomes compromised.
- MDM applications may monitor your information—such as location data—as you’re using the device. This is another potential reason not to use an MDM-governed device for personal purposes.
Ultimately, the decision to bring your own device to work is one that places a lot of responsibility in your hands. Ensure your work and personal data are protected not just by following your company’s minimum requirements, but also by going the extra mile when it comes to device security.
Rishi Khullar was a product manager at Relativity, focused on the development and evolution of mobile apps for Relativity.