Beware of BYOD Consequences

Leave a Comment
  • Facebook
  • Twitter
  • LinkedIn
  • Delicious
  • StumbleUpon
  • Email
  • RSS

Bring Your Own Device (BYOD) is highlighted in at least one article or product feature in many tech publications lately. The theory behind the concept has merit: allow employees to use their personal devices for company purposes, thus allowing the employees to select devices they like while reducing costs to the employer. A recent Garner study, as reported by IT World, predicts that 45 percent of companies will require employees to provide their own devices by 2017.

Companies and employees need to understand potential consequences of BYOD before using the service. Without the proper infrastructure in place on the employer’s side, company data could end up in an infinite number of places. This makes data management impossible—nullifying the effects of a document retention policy—and could wreak havoc during the e-Discovery phase of litigation. From the employees’ side, they could have to relinquish their personal devices for inspection or data collection without assurance that only “company” data would be reviewed. This raises not only privacy concerns, but also the inconvenience of being without their device until the process completes. Some companies might require the ability to perform a remote wipe of the device if an employee leaves or is terminated, which, without proper precautions, could erase the device owner’s personal photos and data.

Companies that have already embraced BYOD should set clear expectations with their employees by explaining potential issues. Have a written policy signed by employees using BYOD or included in the company’s employee manual. That policy should be specific, such as whether remote erasing is required, under what circumstances, if so, and what exactly will be erased. Companies should also establish barriers between work and personal data by providing dedicated virtual images or online portals that employees can reach from their personal devices. (Numerous products exist to facilitate these offerings.) It might be less expensive to maintain company-owned devices and forbid connectivity from personal devices than to redesign the company’s technology infrastructure. The company does not want to be conducting this cost analysis while trying to respond to a discovery request of government inquiry.

Not all businesses will be able to provide their employees the latest gadgets, and employees may want to express their individuality by carrying only certain brands. When the choice pits conducting business against potentially invading personal privacy, however, the decision is easy: the employee should happily accept a company-issued device.

Posted May 20, 2013

Avoiding the Social Media Apocalypse (Published on IT-Lex.org)

  • Facebook
  • Twitter
  • LinkedIn
  • Delicious
  • StumbleUpon
  • Email
  • RSS

Attorney Daniel D. Whitehouse wishes to thank IT-Lex for publishing his post, Avoiding the Social Media Apocalypse, on January 2, 2013. You may read the post here.

IT-Lex is “a not-for-profit charitable organization dedicated to educational, literary, and scientific advancement in the field of technology law.” You can learn more about the organization here.

Posted January 12, 2013.

Encryption and e-Discovery are Often at Odds

  • Facebook
  • Twitter
  • LinkedIn
  • Delicious
  • StumbleUpon
  • Email
  • RSS

Posted 1/31/2012

Electronic Discovery doesn’t always align with other IT processes and business requirements. Some organizations need to archive data to relieve strains on data storage and comply with data retention requirements. And, increasingly, organizations are encrypting sensitive data to meet regulatory mandates and prevent data breaches. Both of these processes can impede e-Discovery readiness.

A lot of ink has been spilled discussing the impact of archival on e-Discovery. Questions asked include: Where is the data located? On what type of media is it stored? Will you be able to access and produce it in response to an e-Discovery request?

Encryption is an emerging challenge. According to Symantec’s 2011 Enterprise Encryption Trends Survey (download requires free registration), 42 percent of organizations have been unable to respond to e-Discovery requests due to encryption issues.

The problem is only going to increase. Forty-eight percent of enterprises increased their use of encryption over the past two years, and almost half of their data is now encrypted at some point in its lifecycle. But one-third of survey respondents said unapproved encryption deployment is happening on a somewhat to extremely frequent basis. Because these projects are not necessarily following the company’s best practices, 52 percent of organizations have experienced serious issues with encryption keys including lost keys (34 percent) and key failure (32 percent). In addition, 26 percent have had former employees who have refused to return keys. That means the encrypted data is essentially lost.

Fragmented encryption creates risk from the lack of centralized control of and access to sensitive information. That’s why it can disrupt critical processes such as e-Discovery and compliance monitoring. In fact, the inability to access important business information due to fragmented encryption solutions and poor key management is costing each organization an average of $124,965 per year, according to the survey.

The inability to respond to an e-Discovery request could cost much, much more. Encryption must therefore be tightly integrated with e-Discovery tools, processes, and policies. Organizations should take steps now to prevent ad hoc encryption and ensure that data can be decrypted in the event of litigation.

PDF Woes be Gone

  • Facebook
  • Twitter
  • LinkedIn
  • Delicious
  • StumbleUpon
  • Email
  • RSS
Posted 12/6/2011
 

Yesterday, 12/5/11, I received a pleasant surprise in my email inbox: an email from a fellow ABA E-Discovery and Digital Evidence Committee member informing the group about new e-filling rules in the Southern District of Florida. Effective 1/1/2012, all documents filed in the Southern District must be “text searchable.”1

Today, the blogosphere exploded after Thompson Reuters reported on a California District Court’s less-than-effective attempt to redact certain text within an order. The “redacted” material is irrelevant for the purpose of this article; what’s important is the method with which it was attempted. From what I can tell, someone selected the text to redact, highlighted it black, and published the document as a PDF. Copying the highlighted text and pasting it in a text editor revealed the masked text. Oops.

Mistakes happen, and those who learn from the mistakes are better off. So as attorneys, business owners, or computer users, let’s turn this into a learning experience.

  • First, the “redaction” method used would have worked flawlessly in a paper world. Printing the document would display the masked words in the intended manner. But the overwhelming majority of documents created today exist only in electronic format (more than 96% of them).
  • Second, not everyone would have thought to copy the background text and paste it elsewhere. Going forward, everyone reading this will check every electronically produced document for this type of masked text.2
  • Third, this example demonstrates the need for proper computer training. I’m not suggesting studying the composition of various file types and the layers that comprise each type; this situation could have been avoided much more easily. The text should have been masked using a redaction function.

Many products exist specifically to redact information within documents, and they range in price. Before you go searching the Internet for their names, check the software you already have installed on your computer. You might be surprised what you find.3

Attorneys practicing in the Southern District of Florida who submit scanned documents will need to invest in good OCR software. (Please don’t buy OCR software if you’re submitting documents created with word processing software on your computer.4 You have the capability at your fingertips already! Contact me if you’re unsure how to publish your text documents as PDFs; I’ll gladly help you with that.) One OCR product stands out in my mind, and I’ve noticed that certain consumer-level scanners are now shipping with scaled-down versions of that product.5 For someone already familiar with creating PDF documents, running the document through an OCR product should not be overly complicated.

Spending a few minutes with your PDF software can prepare attorneys to submit text-searchable documents and, I hope, prevent submitting blundered redactions.

Daniel D. Whitehouse
Attorney & Counselor at Law
Whitehouse & Cooper, PLLC

  1. Section 3G(5) is a new section that outlines the requirements for all documents filed through CM/ECF. Although PDF documents were required before, they did not have to be a text-searchable format. Click here to access the court’s redlined document.
  2. As long as you ethically may do so, of course.
  3. I am happy to email the names of three options to anyone interested, and two of those products are common applications. You can reach me at dwhitehouse at whitehouse-cooper dot com.
  4. I was surprised by the number of unsearchable documents I saw while interning for the Middle District of Florida. The tech-saavy user reading this would be surprised by the number as well.
  5. Contact me at dwhitehouse at thewhitehouselawfirm dot com if you’re curious about the product’s name.