RAQs: Recently Asked Questions

Topic: Usage of personal devices at risk of legal discoverability - 4/27/2020
Posted: Monday, April 27, 2020

MEMBER QUESTION

When working from a remote location, and you do not have time or the technology to take work devices with you, can using your private devices (cell phones, personal laptops, etc.) open your devices up to discoverability for any legal actions by the district or organization you are working for? An example would be using your personal phone for Zoom (if your laptop does not have the capability) for a CSE meeting or other business that may or may not contain sensitive information.

WNYLRC ATTORNEY'S RESPONSE

This is a great question.  An important question. And unfortunately, an all-too-infrequently asked question…

Because the answer is “YES.”

The risks and cautions and caveats related to use of employee-owned technology are endless, but here are the top five in my world:

  • Educators working with FERPA-protected information should not store it on their personal devices. 
  • Health professionals working with HIPAA-protected information should not store it on their personal devices. 
  • Librarians working with patron information should not store it on their personal devices. 
  • Any employee working with content restricted by contract should not store it on their personal devices.
  • Any employee handling sensitive data (HR, fiscal, trade secrets, business plans) should not store it on their personal devices.[1]

This is my education/not-for-profit/library top five, but I could go on and on.  And while the first layer of risk posed by this issue relates to legal compliance, privacy, and security, underlying those primary concerns is the risk that in the event of alleged non-compliance, or another legal concern, the employee-owned device the information is hosted on could be subject to discovery—even if it is personal property.

What is “discovery?”  Fancy lawyer talk for being subpoenaed or otherwise brought in as evidence.[2]

How does a library, museum, educational institution or archive—especially one operating ad hoc from home as a result of pandemic concerns—avoid these concerns?

Here is a 3-pronged solution:

Prong 1: know your data.

Every institution should know the information it stores, and sort it by sensitivity. From there, policy (or at least, “standard operation procedures”) should inform how such information is stored, and when/how it might get transmitted and stored (if ever) on a non-proprietary device.

Here’s an example based on the different types of information stored and transmitted by libraries:  The templates for the brochures about a library’s story hour will generally be regarded as much less sensitive than the files regarding employees or patrons.  So, while transmitting the story hour templates from an institutionally-owned computer to a personal machine might be okay, you would never transmit the payroll or employment history records that way.  Policy and training should support awareness of the distinctions, and while the brochure templates might occasionally need to be accessed on employee-owned tech, the more sensitive types never should be.

Prong 2: know your tech.

Every institution should ensure employees who must access and store information regarded as sensitive have a work-issued account and device(s).  An inventory of that technology should be maintained, so the institution is aware of precisely where the information stored on it will be.

Barring that (whether due to time or budget), networks and resources should be set up to filter out the security risk of content going to and from machines with less robust security.

Knowing your technology is set up to meet the demands of your institution’s more sensitive data is key.

But there’s one more thing…

Prong 3: Work to minimize risk, even if you can’t eliminate it.

Don’t let “perfect” be the enemy of “good.”

Stuff happens:

  • A presentation where suddenly you can’t access a work file, but engineer a work-around using a Gmail address;
  • An emergency situation where a sensitive file has to be opened on a home computer;
  • A jump drive with both your photos from a family trip, and proprietary information, is uploaded onto a personal laptop.

 

Everyone[3] has had an instance where convenience triumphed over security.  But that should be the exception, not the rule.

Even during times of emergency response and sudden adjustment (read: pandemic, or a crisis at the location of your organization), awareness of an institution’s data and technology can be used to minimize the exposure of more sensitive information to risky situations—even if sometimes, the end result is less than ideal.  Admitting your institution is not perfect just means that in less reactive times, it must use the budget process and long-range planning to further reduce the risk, as time goes by.

And that is how to reduce the risk of employee tech getting subpoenaed in the event there is a content-related legal claim.[4]

I am grateful the member asked this question, because particularly right now,[5] this is a really common issue (although it remains a serious issue in less panicky times). So common, in fact, that I call it the “chocolate in the peanut butter” question.[6]

Why is this legal concern named after such a delicious combo?  Because the imagery really isolates the problem.  When it comes to using employee tech, the convenience can be all too seductive.  It can be, in fact, deliciously easy.

One reason to avoid this, among many, is because that technology could be subject to discovery.

But good risk practices can minimize this risk (even if you indulge on occasion). When working from a remote location, if you do not have time or the technology to take work devices with you, use of private devices, if necessary, should be for only the lowest-risk content.  Further, to minimize the risk of data loss, non-compliance, and security, such use should only be after a qualified professional has determined it can be done with no risk, and employees are trained to keep things confidential, and remove proprietary content after it is needed.[7]



[1] By “personal devices” I also mean personal email accounts, Zoom accounts, cell phones, tablets, laptops, DropBox folders, etc.  All content handled by employees for institutional purposes should be on institutional resources.

[2] How does “discovery” play out?  Lots of ways.  For instance, once I was defending a person whose personal laptop was subject to “discovery” in a civil case.  We didn’t surrender the laptop.  Normally, that might have posed a problem, but in this case, the laptop had been destroyed during a fight at a concert many years before.  We had to produce the old police report to show that the property really had been destroyed, and we weren’t just resisting discovery.

[3] Okay, this is hyperbole.  Hopefully it’s not “everyone” (I’m looking at you, hospitals, therapists, and the IRS).

[4] This answer does not contemplate the related but distinct issue of employer resources being used for personal purposes, or to harass others…which is the dark mirror of this issue.  But good practices in one regard will lead to good practices in the other!

[5] Largely unforeseen, 100% order to work from home impacting most businesses.

[6] …although when I am feeling dramatic, I call it “data bleed.”

[7] Bearing in mind the deleted content is often never truly deleted…and thus could still be subject to discovery!

 

Tags: COVID-19, Emergency Response, Employee Rights, Privacy


The WNYLRC's "Ask the Lawyer" service is available to members of the Western New York Library Resources Council. It is not legal representation of individual members.