Your Employee Has Corporate Data on Her Personal (BYOD) Cellphone – And Someone Else Wants It – Now What?
As a result, there has also been a surge in third parties seeking information from these previously unlikely sources. Here, in the context of government investigations, trade secret litigation, and defamation litigation, three Chambers-rated legal experts weigh in on the risks and considerations associated with BYOD policies and the accrescent use of digital evidence in the litigation landscape.
Government Investigations Perspective
In our post-COVID-19 world, there is an ever-increasing amount of government oversight. Unfortunately, for many companies in heavily regulated industries, like healthcare, it is not a case of if your company will be the subject of a government investigation, but when. As such, your company must be prepared to respond to the inevitable. As remote work environments lead to a surge in “Bring Your Own Device” (BYOD) policies, where employees use their mobile devices and mobile phones for work purposes, the potential for sensitive corporate data to be requested by government entities such as the DOJ, FBI, or OIG becomes a pressing concern.
If your company is the subject of a government investigation and your company has a BYOD policy in place for mobile devices, the corporate data that the government will request to satisfy the subpoena or civil investigative demand (CID) will undoubtedly be found on your employees’ mobile devices. When you receive the government’s demand, one of your foremost concerns should be preserving your company’s data. To mitigate risks and ensure compliance, it is crucial for a company’s general counsel, head of compliance, and chief information officer to adopt a proactive approach in addressing the challenges posed by BYOD policies and safeguarding company data. Below, we will discuss the steps companies should take upon receiving a government demand for data, the unique challenges posed by BYOD policies, and best practices for maintaining data security in a BYOD environment.
Your company just received a government demand for company data – now what?
At the outset, the Department of Justice’s Principles of Federal Prosecution of Business Organizations make clear that your company’s full co-operation with the government is crucial if you want to minimise liability and exposure – regardless of whether any wrongdoing is uncovered by the investigation. Thus, you should ensure that all your employees take the matter very seriously and fully co-operate with the government investigation.
Issue a legal hold notice
Among the first things you should do when you receive a government demand for company data is to send your employees a notice explicitly communicating the company’s legal obligation to preserve all forms of company data that could be relevant to the government’s investigation – including any data that could be found on their devices. The memo should describe, in detail, what type of data must be preserved and how to turn off any device settings that cause phone data to be automatically deleted.
Beyond issuing a legal hold notice to custodians, you should speak with your IT department to ensure that they are aware of the legal hold, understand it, and are adjusting settings on the back end of your systems as necessary to implement the hold. Custodians with mobile devices that need to be put on hold should be contacted directly – they may have varied levels of technical know-how and may need additional assistance to preserve their devices.
BYOD device policies pose a particular concern when it comes to preserving relevant data because the company has limited control over the devices housing corporate data. If your company data is not preserved after receiving the government’s demand, whether intentional or not, your company could lose co-operation credit, or worse, have to defend against a spoliation claim.
Determine the scope of the investigation
The government will determine the scope of its investigation and what type of data it wants your company to produce. To narrow the breadth of the productions, your attorneys and the government will negotiate search terms and document custodians. If your employees use their personal devices for business, it will be especially important to negotiate with the government for search terms that reduce the chance that your employees’ private information is exposed.
Ideally, your employees will consent to and aid in the collection of company data from their devices. Nevertheless, collecting data from your employees’ devices raises significant questions relating to employees’ reasonable expectations of privacy and their individual standing to resist personal data on their devices from being surrendered to the government. Even if the government independently subpoenas an employee who refuses to grant access to their phone, your company must also consider how it will respond to an employee’s refusal to consent, given that any appearance that the company is encouraging or tolerating their employees’ choice to hinder, delay, or obstruct the inquiry will reduce any potential co-operation credit that would be considered during resolution.
Collect and produce relevant data
After determining the scope of what you must produce to the government, you should begin the collection of data. An experienced eDiscovery and IT vendor can help you develop a protocol for collecting text messages, emails, and documents from devices. If your employees only conduct business on company-provided phones, it is simply a matter of making a mirror image of the phone’s data and filtering for communications and data that are relevant to the government’s inquiry. You should also note that with mobile device technologies rapidly developing, forensic vendors may be limited in how much they can target a personal device for collection (ie, they may have to collect the entire device or iCloud backup as opposed to selecting messages based on contacts or other criteria).
Having a BYOD policy in place means that you may need to collect entire personal devices for your custodians, and you must rely on employees to truthfully report who their business contacts are for determining what to search and review. In addition to the risk of spoliation and obstruction, permitting the use of personal devices for business purposes also requires special consideration to avoid disclosure of your employee’s personal, healthcare, or banking information.
Your BYOD policy going forward
Put simply, having a BYOD policy exposes your company to potential legal, security, and reputational risk. Thus, the best practice may be a dual device policy – where business is prohibited from being carried out on personal devices and work-related devices are issued. Be that as it may, the cost efficiency and convenience of a BYOD policy is undeniable. To ensure your company data is secure on your employees’ devices, there are several best practices you should consider:
- implement clear and specific policies in writing, and uniformly enforce your company’s BYOD policy;
- develop employee departure requirements to collect and protect company data when employees end their employment;
- ensure that employees understand the scope of the company’s control of and access to company data stored on devices to avoid surprise and confusion;
- encourage employees to regularly back up personal and business data; and
- restrict company activity to applications that can be remotely monitored and managed by your mobile device management service.
Before your company is the subject of a government investigation, work closely with your compliance, legal, and information technology departments to ensure that policies are in place to protect your company’s data. If you have a BYOD policy, it is even more essential that you anticipate the challenges associated with your business being carried out on your employees’ devices.
Trade Secrets Perspective
Trade secret and non-compete litigation has been on the rise since the pandemic. One theory behind this proliferation is the movement of human capital post-pandemic, whether voluntary or as a result of re-organisations, acquisitions, or other modifications to existing business models and structures. Employee mobility has long been a source of trade secret litigation, often hand in hand with non-compete and other covenant litigation, and this period has been no different.
What is different is the degree to which the issue has been impacted by the proliferation of devices in the workplace, whether it be in the office or at home, and the prevalence of BYOD policies, which has grown over the years and shows no signs of slowing down. These devices, which include an array of smartphones, laptops, tablets, external drives, etc, – in combination with the potential for corporate data to reside on all or some of those devices – have become more central to trade secrets litigation and investigations.
Efforts companies can take to protect trade secrets
Businesses should assess procedures to protect corporate data, such as confidential or trade secret information. Procedures can include requiring execution of confidentiality policies, systematic marking of documents as confidential or proprietary, limiting access to confidential or trade secret information, requiring passcode access and/or “need to know” access to certain information, and tracking who has had access to certain confidential or trade secret information. For example, employers can have employees sign agreements limiting access to the company’s confidential information on an employee’s personal devices. In one case, Middle East Forum v Reynolds-Barbounis, a company required an employee to sign a BYOD agreement that required the employee to ensure that no one other than herself would have access to the company’s data (No CV 19-5697, 2021 WL 84054, at *1 (E.D. Pa. Jan. 8, 2021)). NDAs are also critical in business teaming relationships and prior to engaging in acquisition due diligence or related exchanges of competitive information. These efforts not only emphasise the importance to employees of maintaining the secrecy of this data and limit the risk of trade secret theft, they may also be deemed necessary to enforce any rights in trade secrets litigation.
Additionally, it has become a best practice to take steps during the hiring process to limit the risk of acquiring competitor information. For example, companies can prohibit incoming employees from bringing or using anyone else’s data and limit the company’s culpability if an employee does not comply and require representations in that regard. The value of this process was highlighted in Aon PLC v Alliant Insurance Services: along with warning new employees to not take or disclose confidential or trade secret information from past employers, the company implemented internal IT measures to prevent the transfer of trade secret or confidential information and remediate the dissemination of such information (No 23-cv-03044, 2023 WL 3914886, *4 (N.D. Ill. June 9, 2023)).
It is also essential to consider inspection and recovery policies for data on devices, including personal devices. The temporal scope of these policies should not be overlooked. In Lockton Companies LLC – Pacific Series v Giblin, a company required employees to sign a BYOD policy that provided the company the right to inspect and manage the use of information on personal devices both during and after termination. (No 22-CV-00791-SRB, 2023 WL 2754872, at *5 (W.D. Mo. Mar. 31, 2023)). Another safeguard to consider is an IT mechanism to detect the transfer or download of significant amounts of data from the system to devices or non-work email accounts. A real-time download flag can often be the first signal of trade secret misappropriation.
Reliance on trade secrets statutes to replace/supplement non-competes
There has also been a recent trend in claims relying on trade secrets statutes to replace or supplement the past reliance on non-compete provisions. Leading the trend away from non-competes, on 5 January 2023, the FTC issued a Notice of Proposed Rulemaking (NPRM) that would ban non-competes and require recission of existing non-competes for companies subject to its authority. The rule would apply not just to non-competes that expressly prohibit certain post-employment opportunities, but it would also apply to any contractual provision that functions as a de facto non-compete. Though the FTC NPRM does not have any current applicability, the discourse surrounding it is consistent with actions many jurisdictions are taking to limit or eliminate the use of non-competes to some degree.
To that end, the District of Columbia and the states in its surrounding area (known as the “DMV” – the District of Columbia, Maryland, and Virginia) are no exception as each has implemented salary caps, in addition to other limitations, on non-competes:
- The District of Columbia’s revised non-compete statute, effective 1 October 2022, restricts non-compete agreements to most employees who earn USD150,000 or more a year.
- Maryland imposed a salary threshold, effective 1 October 2023, which generally restricts non-competes for current or prospective employees who make approximately USD41,350 annually
- Virginia has imposed a similar requirement as of 1 July 2020, which prohibits non-compete agreements for statutorily defined “low wage” employees.
In the efforts to restrict the availability and enforcement of non-competes, many point to the availability of the federal Defend Trade Secrets Act (DTSA), 18 U.S.C. § 1836, and state uniform trade secret statutes. The theory is that trade secrets statutes can provide the competitive protections companies need, without the labour movement restrictions imposed by non-competes particularly at lower organisational levels within a company. Because of this trend, which can include tougher scrutiny on the enforceability of a non-compete even where non-competes are permitted, companies are wise to rely on such trade secrets statutes in litigation where applicable to address the competitive protections provided in non-competes, and to take all pre-litigation measures necessary to ensure their ability to do so.
Discovery and investigation of devices
More devices mean more risk of broad investigation and discovery. In short, the increase in the number of devices that may contain relevant data has increased the need for and scope of forensic examinations of devices to include personal devices.
Predictably, courts are encountering more forensic examinations of personal devices, such as phones and laptops, in trade secrets litigation. (GlaxoSmithKline, LLC v Brooks, No 8:22-cv-00364-PWG, 2022 WL 463070 (D. Md., Feb. 15, 2022)). Courts are also facing related issues, such as an increasing number of devices that may contain data, or issues concerning the owner of the personal device. The court in Biconvergence LLC v Attariwala dealt with such issues, and the court imposed an incremental inspection of one device that belonged to a non-party – the defendant’s husband – before deciding whether inspection of other devices was warranted (No CV 20-MC-101 (RC), 2023 WL 2086078, at *17 (D.D.C. Feb. 17, 2023) (DDC)).
As a result, spoliation – the destruction or alteration of evidence – is often an issue in trade secrets cases, which can also contribute to more expansive forensic examinations and adverse inference rulings that can negatively affect the spoliating party regardless of whether the spoliation was intentional or not. Courts confronting spoliation in trade secrets cases will award terminating sanctions (ie, default judgment or dismissal) in certain cases, particularly when the spoliating party has engaged in multiple spoliative events (eg, repeated connection of external storage devices, use of deletion software, overwriting of files, manipulation of metadata, reformatting hard drives, physical destruction of devices, or concealment of relevant devices/online storage accounts); or repeatedly disregarded the court’s authority, (eg, discovery delay tactics, failure to comply with discovery orders, or outright false testimony).
Given the extent to which spoliation is a frequently litigated issue in trade secrets cases, parties should consider issuing offensive preservation letters where litigation is an issue and including preservation provisions in temporary restraining orders and preliminary injunctions. Further, companies should pay careful attention to their own preservation obligations in such scenarios, particularly with respect to any automated periodic deletion of email systems and the recirculation of devices.
Trends in defamation claims
In 1964, the United States Supreme Court solidified decades of disparate state defamation precedents by recognising constitutional jurisprudence in the landmark case of New York Times Co. v Sullivan, 376 U.S. 254 (1964). The Court also announced that where the defendant is a public official, the plaintiff must demonstrate by “convincing clarity” that the defendant has made the offending statement with “actual malice”, that is not ill will but with knowledge of the statement’s falsity or with reckless disregard of whether the statement was false or not (Id. at 279–80, 385–86).
While New York Times only applied to plaintiffs who were public officials, the United States Supreme Court expanded the actual malice standard to public figures – one who “thrusts [himself] to the forefront” of a controversy, “with knowledge that it was false or with reckless disregard of whether it was false or not.” (Gertz v Robert Welch, Inc., 418 U.S. 323, 335, 345 (1974); Curtis Publ’g Co. v Butts, 388 U.S. 130, 134 (1967)). The underpinning of that higher burden was the concept that public officials and public figures had access to the media in a way that private figures do not. Under New York Times’ actual malice standard, public official or public figure plaintiffs have found victory in defamation lawsuits to be an uphill battle.
Recently, legal scholars and jurists have vigorously criticised New York Times’ actual malice standard as unfairly onerous to public official and public figure plaintiffs. Supreme Court Justices Clarence Thomas and Neil Gorsuch have called for the Court to reconsider New York Times and its “almost impossible standard”*.
Aside from the burdensomeness of the New York Times actual malice standard, critics point out that the assumption that public officials and public figures have greater access to the media is no longer correct. They contend that in the age of the internet and the proliferation of social media, nearly anyone can disseminate statements to the public.
Notwithstanding the chorus of voices seeking to loosen the actual malice standard, courts have not done so. To date, the United States Supreme Court has not accepted review of any defamation case that challenges the actual malice standard, and the lower courts continue to faithfully apply it.
A sampling of recent district court cases illustrates that actual malice is alive and well. In Khodorkovskaya v Gay, 5 F.4th 80, 85 (D.C. Circuit 2021), the United States Court of Appeals for the District of Columbia Circuit applied the actual malice standard in affirming dismissal of a false light case brought by Inna Khodorkovskaya, the wife of Russian oligarch Mikhail Khodorkovsky, arising from the depiction of a character named Inna Khodorkovskaya in a play. In Makina ve Kimya Endustrisis A.S. v Kaya, No 20-cv-00072, 2023 WL 6540200, at *21 (W.D. Va. Oct. 6, 2023), the court granted summary judgment to the defendant, finding that the plaintiff, a public figure, could not show that its former business partners’ statements were made with reckless disregard. Similarly, in Dershowitz v Cable News Network, Inc., No 20-61872-CIV, 2023 WL 4851704, at *5 (S.D. Fla. Apr. 4, 2023), while decrying the judicially-created actual malice standard, the federal District Court for the Southern District of Florida nevertheless granted CNN’s motion for summary judgment on the grounds that the plaintiff Alan Dershowitz, a well-known author, lawyer, law professor and commentator, could not demonstrate that any of the statements made about him were made with actual malice.
While New York Times’ actual malice standard remains applicable and continues to govern defamation jurisprudence, time will tell if the internet’s ability to make anyone a publisher will cause pressure to build to overturn actual malice as the applicable standard for public officials and public figures.
Digital communications and actual malice
The internet has had a further impact on defamation law by way of electronic communications that are available as evidence. The ubiquitous nature of emails and texts, and their infinite availability, shines a light not only on the actual knowledge (and doubts) of defendants when they publish statements, but also on whether plaintiffs who work behind the scenes may nonetheless be public figures.
As to the impact of emails to show a defendant’s state of mind, one need look no further than the well-publicised and widely followed Dominion Voting Systems case, US Dominion, Inc. v Fox News Network, LLC, C.A. No N21C-03-257, 2021 WL 5984265, at *28 (Del. Super. Ct. Dec. 16, 2021), cert. denied, 2022 WL 100820 (Del. Super. Ct. Jan. 10, 2022), and appeal refused, 270 A.3d 273 (Del. 2022). The emails of Fox News hosts expressing doubts about the statements they were making on air about the results of the 2020 presidential election made headlines, and helped plaintiff Dominion Voting Systems survive Fox News’ motion for summary judgment because Dominion’s proffered evidence in the form of employee emails demonstrating that Fox personnel knew their on-air statements were false. The Dominion Voting Systems case settled as the jury was impanelled with Fox paying the plaintiff USD787.5 million.
Similarly, on the plaintiff’s side, whether the plaintiff has “thrust himself into the vortex” of a public issue (Gertz, 418 U.S. at 351–52) as a public figure or limited public figure, is determined by all available evidence.** A plaintiff’s efforts to weigh in on an issue may be revealed through discovery of emails, texts and other electronic communications, and utilised to elevate the plaintiff from a layperson to a public figure.
For now, at least, fifty years since New York Times, actual malice is deeply entrenched in defamation jurisprudence and does not look like it will be easily dislodged. However, the forever nature of electronic communications may impact the outcomes of future defamation cases, even where New York Times’ actual malice standard continues to apply.
* McKee v Cosby, 139 S. Ct. 675, 675 (2019) (Thomas, J., concurring in denial of certiorari); Blankenship v NBCUniversal, LLC, 601 U.S. ____, 2023 WL 6558383 (2023); Berisha v Lawson, 141 S. Ct. 2424, 2424 (2021) (Thomas, J., dissenting from the denial of certiorari); see also id. at 2428 (“actual malice standard has evolved from a high bar to recovery into an effective immunity from liability”.) (Gorsuch, J., dissenting from the denial of certiorari). See also Tah v Global Witness Publ’g, Inc., 991 F.3d 231, 251–54 (D.C. Cir.) (New York Times should be overruled because, among other reasons, it allows would-be defamers “to cast false aspersions on public figures with near impunity”) (Silberman, J. dissenting in part), cert. denied, 142 S. Ct. 427 (2021); David A. Logan, Rescuing Our Democracy by Rethinking New York Times Co. v Sullivan, 81 OHIO ST. L.J. 759, 761–63 (2020)
** See Waldbaum v Fairchild Publ’ns, Inc., 627 F.2d 1287, 1297–98 (D.C. Cir. 1980) (for determination of limited purpose public figure status, the court should look to “the plaintiff’s past conduct, the extent of press coverage, and the public reaction to his conduct and statements.”).
This article was originally published by Chambers USA.