Submission Date:
Question:
When working from a remote location, and you do not have time or the technology to take work devices with you, can using your private devices (cell phones, personal laptops,etc.) open your devices up to discoverability for any legal actions by the district or organization you are working for? An example would be using your personal phone for Zoom (if your laptop does not have the capability) for a CSE meeting or other business that may or may not contain sensitive information.
Answer:
This is a great question. An important question. And unfortunately, an all-too-infrequently asked question…
Because the answer is “YES.”
The risks and cautions and caveats related to use of employee-owned technology are endless, but here are the top five in my world:
- Educators working with FERPA-protected information should not store it on their personal devices.
- Health professionals working with HIPAA-protected information should not store it on their personal devices.
- Librarians working with patron information should not store it on their personal devices.
- Any employee working with content restricted by contract should not store it on their personal devices.
- Any employee handling sensitive data (HR, fiscal, trade secrets, business plans) should not store it on their personal devices.[1]
This is my education/not-for-profit/library top five, but I could go on and on. And while the first layer of risk posed by this issue relates to legal compliance, privacy, and security, underlying those primary concerns is the risk that in the event of alleged non-compliance, or another legal concern, the employee-owned device the information is hosted on could be subject to discovery—even if it is personal property.
What is “discovery?” Fancy lawyer talk for being subpoenaed or otherwise brought in as evidence.[2]
How does a library, museum, educational institution or archive—especially one operating ad hoc from home as a result of pandemic concerns--avoid these concerns?
Here is a 3-pronged solution:
Prong 1: know your data.
Every institution should know the information it stores, and sort it by sensitivity. From there, policy (or at least, “standard operation procedures”) should inform how such information is stored, and when/how it might get transmitted and stored (if ever) on a non-proprietary device.
Here’s an example based on the different types of information stored and transmitted by libraries: The templates for the brochures about a library’s story hour will generally be regarded as much less sensitive than the files regarding employees or patrons. So, while transmitting the story hour templates from an institutionally-owned computer to a personal machine might be okay, you would never transmit the payroll or employment history records that way. Policy and training should support awareness of the distinctions, and while the brochure templates might occasionally need to be accessed on employee-owned tech, the more sensitive types never should be.
Prong 2: know your tech.
Every institution should ensure employees who must access and store information regarded as sensitive have a work-issued account and device(s). An inventory of that technology should be maintained, so the institution is aware of precisely where the information stored on it will be.
Barring that (whether due to time or budget), networks and resources should be set up to filter out the security risk of content going to and from machines with less robust security.
Knowing your technology is set up to meet the demands of your institution’s more sensitive data is key.
But there’s one more thing…
Prong 3: Work to minimize risk, even if you can’t eliminate it.
Don’t let “perfect” be the enemy of “good.”
Stuff happens:
- A presentation where suddenly you can’t access a work file, but engineer a work-around using a Gmail address;
- An emergency situation where a sensitive file has to be opened on a home computer;
- A jump drive with both your photos from a family trip, and proprietary information, is uploaded onto a personal laptop.
Everyone[3] has had an instance where convenience triumphed over security. But that should be the exception, not the rule.
Even during times of emergency response and sudden adjustment (read: pandemic, or a crisis at the location of your organization), awareness of an institution’s data and technology can be used to minimize the exposure of more sensitive information to risky situations—even if sometimes, the end result is less than ideal. Admitting your institution is not perfect just means that in less reactive times, it must use the budget process and long-range planning to further reduce the risk, as time goes by.
And that is how to reduce the risk of employee tech getting subpoenaed in the event there is a content-related legal claim.[4]
I am grateful the member asked this question, because particularly right now,[5] this is a really common issue (although it remains a serious issue in less panicky times). So common, in fact, that I call it the “chocolate in the peanut butter” question.[6]
Why is this legal concern named after such a delicious combo? Because the imagery really isolates the problem. When it comes to using employee tech, the convenience can be all too seductive. It can be, in fact, deliciously easy.
One reason to avoid this, among many, is because that technology could be subject to discovery.
But good risk practices can minimize this risk (even if you indulge on occasion). When working from a remote location, if you do not have time or the technology to take work devices with you, use of private devices, if necessary, should only be for only the lowest-risk content. Further, to minimize the risk of data loss, non-compliance, and security, such use should only be after a qualified professional has determined it can be done with no risk, and employees are trained to keep things confidential, and remove proprietary content after it is needed.[7]
[1] By “personal devices” I also mean personal email accounts, Zoom accounts, cell phones, tablets, laptops, DropBox folders, etc. All content handled by employees for institutional purposes should be on institutional resources.
[2] How does “discovery” play out? Lots of ways. For instance, once I was defending a person whose personal laptop was subject to “discovery” in a civil case. We didn’t surrender the laptop. Normally, that might have posed a problem, but in this case, the laptop had been destroyed during a fight at a concert many years before. We had to produce the old police report to show that the property really had been destroyed, and we weren’t just resisting discovery.
[3] Okay, this is hyperbole. Hopefully it’s not “everyone” (I’m looking at you, hospitals, therapists, and the IRS).
[4] This answer does not contemplate the related but distinct issue of employer resources being use for personal purposes, or to harass others…which is the dark mirror of this issue. But good practices in one regard will lead to good practices in the other!
[5] Largely unforeseen, 100% order to work from home impacting most businesses.
[6] …although when I am feeling dramatic, I call it “data bleed.”
[7] Bearing in mind the deleted content is often never truly deleted…and thus could still be subject to discovery!
