
The BYOD Trend: What It Means For Corporate Internal Investigations

Written By

Sean Goldstein

BYOD, or Bring Your Own Device, policies are growing in popularity within corporations. A recently released report from Gartner, a leading information technology research and advisory company, predicts that 38% of US employers will stop providing devices to workers by 2016. That number is estimated to increase to 50% in 2017. When employees own the devices used to access and store business-related data, performing forensic examinations in support of internal investigations can become more complicated due to issues related to ownership and privacy. To stay ahead of any potential obstacles, the implementation of a BYOD policy should be assessed from both a legal and a technological perspective.

For Corporate General Counsel offices, the complications in the legal arena can be summarized with one question: “Do we legally have the right to perform a forensic examination on the device in question?” Most corporate legal teams do not usually have to concern themselves with this question because the devices have traditionally been owned by the company and, when a device is assigned to an employee, a privacy (or lack of privacy) notice is issued. As a result, the company has the authority to approve searching or copying of devices it owns and loans to an employee.

However, when it comes to personally owned devices, the company’s attorneys need to have in place a clearly articulated expectation-of-privacy policy for when an employee’s own device is used for corporate business. The lack of a Personal Device Use Policy raises doubt as to whether the company has the authority to instruct that a device be examined, short of consent or a court order. If a Personal Device Use Policy is not in place, then it is imperative that Corporate Counsel obtain the required authorization and work closely with their investigative consultants, who can provide guidance regarding the scope of any requested exam.
Such assistance can be particularly important for a business that operates in multiple regions or has remote workers, due to variations in privacy laws across US states and internationally. If proper authorization is not obtained, serious civil and criminal penalties, as well as costly employment law violations and potential lawsuits, can ensue. Some of this risk can be mitigated by using a professional consulting firm, such as Capsicum Group, which maintains the Department of Commerce’s Safe Harbor Privacy Principles. Nevertheless, the importance of informed corporate counsel cannot be overstated.

From the technology perspective, allowing BYOD policies can complicate internal investigations due to the inherent non-uniformity of devices. The variety of smartphones, tablets, and other mobile devices is vast and continues to grow. Corporate IT groups are often unprepared with the proper equipment, training, and/or expertise to acquire, in a forensically sound manner, the wide array of devices that employees will choose to utilize. Performing forensic examinations on personal data devices requires specialized software, training and equipment specific to the type of device.

As a former member of a digital forensics group for a Fortune 500 company, I can speak firsthand to the increased expenses and product delivery time delays involved when new and/or unexpected devices are encountered. Despite being relatively well funded and equipped, I would inevitably encounter a device that required a special adapter or proprietary software in order to collect data or perform an exam. Often the exigency of the matter being investigated would lead us to a resolution that caused our accounting manager to cringe: “Just put it on the corporate card.” On-the-spot retail purchases could devastate the most well-thought-out of budgets. Delay times were another factor.
I believe most investigators would agree that where money can be “thrown” at a problem, time is the universal bottleneck. The time to acquire and implement new equipment can significantly reduce the chances of successfully meeting a deadline mandated by a client or a court order.

Another worry from a BYOD policy derives from any security or encryption settings installed on the device by the owner. Even if a company has instituted a security policy on personally owned devices, that does not mean those policies will be properly enforced. The differences in various security and encryption settings will require an experienced forensic examiner to address the complications in order to collect a forensically sound image of the device. These challenges can be addressed by using a company that specializes in digital and computer forensics examinations, as we do here at Capsicum Group.

The implementation of BYOD policies can positively impact corporations when properly conceived. BYOD policies can enable a more effective and satisfied mobile workforce in a cost-effective manner. Nevertheless, there are policy issues that should be discussed and established before going into effect.