Wherever You Go, There You Are (With Your Mobile Device)

Legal and Practical Implications of a Cross-Border BYOD program

March 25, 2015

Melinda McLellanBakerHostetler

Emily FedelesShook, Hardy & Bacon

Moderated by: Jonathan E. Swerdloff, Driven, Inc.

Join Today! aceds.org/join

Exclusive News and AnalysisMonthly Members-Only WebcastsNetworking with CEDS, MembersOn-Demand Training

ResourcesJobs Boardbits + bytes NewsletterAffinity Partner Discounts

“ACEDS provides an excellent, much needed forum… to train, network and stay current on critical information.”

Kimarie Stratos, General Counsel, Memorial Health Systems, Ft. Lauderdale

Jonathan is a consultant at Driven, Inc. Prior to joining Driven, Jonathan was a litigation associate at Hughes, Hubbard & Reed LLP with over 10 years experience that included substantial eDiscovery experience managing large discovery projects, analyzing enterprise data systems, and investigations into nontraditional sources of ESI.

Through his experience as a litigator and programmer, Jonathan primarily focused on creative problem solving with regard to all types of data. He analyzed and produced complex structured data systems and developed internal workflows for large litigations. His experience also includes developing cost-saving legal processes, managing legal budgets, and supervising legal personnel.

Speaker Bio

Jonathan SwerdloffConsultant and Data Systems SpecialistDriven, Inc.jonathan.swerdloff@driven-inc.com212-364-6385

Emily Fedeles is an associate in the Geneva office of Shook, Hardy & Bacon, where her practice focuses on the defense of complex litigation in Europe, West Africa, and the Middle East, including class actions, reimbursement lawsuits, consumer protection claims, and individual product liability claims. Emily's role includes working with other outside counsel to coordinate defense strategies and develop supporting evidence. Emily advises clients on litigation prevention strategies and legislative projects that impact or alter civil liability risks - such as proposed legislation on class actions and punitive damages - in Europe, Africa, and Asia-Pacific. As part of that strategic advice, Emily evaluates client eDiscovery readiness programs, advises on collection, review, and production considerations, and considers the implications of mobile technologies, client information technology platforms, and related social media use. Emily is an active member of The Sedona Conference® Working Group Six. Prior to joining the Geneva office, Emily practiced in the firm's Tampa office representing product manufacturers against personal injury claims in both state and federal courts in the United States.

Presenter

Emily FedelesAssociateShook, Hardy & Baconefedeles@shb.com+41.22.787.2000

Melinda McLellan is Counsel in the New York office of BakerHostetler, where she advises clients on complex privacy, cybersecurity, and information management issues as a member of the firm’s national Privacy and Data Protection team. Melinda regularly counsels companies across multiple industry sectors on a broad range of privacy and security matters, including by advising on how to respond to data security incidents and related regulatory inquiries, creating and implementing internal privacy and security policies and employee training programs, and working with marketing teams to develop innovative and compliant new media campaigns. Melinda is a 2005 graduate of Harvard Law School where she served as Executive Editor of the Harvard International Law Journal. New York Super Lawyers has selected Melinda as a “Rising Star” for the past three years in a row.

Presenter

Melinda McLellanCounselBakerHostetlermmclellan@bakerlaw.com212.589.4679http://www.dataprivacymonitor.com/

7

• What is BYOD?• Adoption rates• Benefits to organizations

and individuals• How does BYOD create risks

for organizations? – The “number one e-

discovery challenge... for the coming years”

BYOD Generally

8

• Tension between personal privacy and professional needs

• Different countries, different privacy expectations– Employer expectations– Employee expectations

• FTC mobile privacy guidance (2013)

Privacy – Expectations and Guidance

9

• Regulation of BYOD in the EU – Historical Backdrop– Omnibus Data Protection Law– Works Councils– Examples: Germany, UK

• U.S. v. Odoni

Privacy – International Issues

10

• Electronic Communications Privacy Act (“ECPA”)– Katz v. U.S., 389 U.S. 347 (1967)– Stengart v. Loving Care Agency, Inc., 990 A.2d 650 (N.J. 2010)

• The Stored Communications Act (“SCA”)– Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004)– Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008), rev’d

on other grounds sub nom. City of Ont. v. Quon, 130 S. Ct. 2619 (2010)– Sunbelt Rentals, Inc. v. Victor No. C13-4240 SBA, 2014 WL 4274313

(N.D. Cal. Aug. 28, 2014)

• The Computer Fraud and Abuse Act (“CFAA”)– Rajaee v. Design Tech Homes, Ltd., No. 4:13-cv-02517, 2014 WL

5878477 (S.D. Tex. Nov. 11, 2014)

Statutory and Common Law (U.S.) Customer logo

11

• Security risks associated with BYOD• The end node problem• Securing mobile devices: EMMs and MDMs• Remote wiping

Security

12

• Unique issues associated with BYOD• Recent cases discussing BYOD• Who has “control” of the device?• Managing employee expectations

eDiscovery

13

• Device Basics• Access and Use• Designing BYOD Policies• Privacy Concerns

Implementation Considerations

14

• How will the organization address employee separation and device disposal issues?

• What types of devices will the organization support?• If employees will be reimbursed for device purchases, how will the

reimbursement process work?• What happens when a device is lost or stolen?

– If an employee wishes to trade in a device containing company data, how will the organization ensure that all such data is securely removed from the device?

– How can the organization ensure data security with respect to company data on a personal device if an employee is terminated or otherwise separates on bad terms?

– How will the organization recover company data if an employee inadvertently (or intentionally) deletes it from a BYOD device?

Device Basics

15

• Who within the organization will be allowed to participate in the BYOD program?

• Will the scope of employee participation differ depending on job functions?

• What types of company data may employees access using their devices?

• Who owns the data on the device when an employee leaves?

• How should the organization restrict “risky” employee behavior on the clock?

Access and Use

16

• What considerations go into the organization’s strategic approach?

• How will the organization handle BYOD policy violations?• How will the organization address border crossing

security issues with respect to BYOD devices? • What device security considerations are involved at the

strategic level? • Which jurisdiction’s law will apply in various scenarios? • How will the organization integrate BYOD considerations

into other organizational policies?

Designing BYOD Policies Customer logo

17

• Who within the organization is responsible for monitoring legal developments concerning BYOD?

• How will the organization provide notice of its monitoring practices, and offer choices with respect to monitoring where required?

• What additional factors should be considered when the organization issues legal holds that apply to BYOD devices?

Privacy Concerns