Your Device Is Private? Ask Tom Brady

However you feel about Tom Brady, the Patriots and football air pressure, today is a learning moment about cell phones and evidence. If you think the NFL had no business demanding the quarterback’s personal cell phone—and, by extension, that your company has no business demanding to see your cell phone—you’re probably wrong. In fact, your company may very well find itself legally obligated to take data from your private cell phone. New Norm Welcome to the wacky world of BYOD—bring your own device. The intermingling of personal and work data on devices has created a legal mess for corporations that won’t be cleared up soon. BYOD is a really big deal—nearly three-quarters of all companies now allow workers to connect with private devices, or plan to soon. For now, you should presume that if you use a personal computer or cell phone to access company files or email, that gadget may very well be subject to discovery requirements. Security & Privacy Weekly News Roundup: Stay informed of key patterns and trends First, let’s get this out of the way: Anyone who thinks Tom Brady’s alleged destruction of his personal cell phone represents obstruction of justice is falling for the NFL’s misdirection play. That news was obviously leaked on purpose to make folks think Brady is a bad guy. But even he couldn’t be dumb enough to think destruction of a handset was tantamount to destruction of text message evidence. That’s not how things work in the connected world. The messages might persist on the recipients’ phones and on the carriers’ servers, easily accessible with a court order. The leak was just designed to distract people. (And I’m a Giants fan with a fan’s dislike of the Patriots). But back to the main point: I’ve heard folks say that the NFL had no right to ask Brady to turn over his personal cell phone. “Right” is a vague term here, because we are still really talking about an employment dispute, and I don’t know all the terms of NFL players’ employment contracts. But here’s what you need to know: Technology and the Law There’s a pretty well-established set of court rulings that hold that employers facing a civil or criminal case must produce data on employees’ personal computers and gadgets if the employer has good reason to believe there might be relevant work data on them. Practically speaking, that can mean taking a phone or a computer away from a worker and making an image of it to preserve any evidence that might exist. That doesn’t give the employer carte blanche to examine everything on the phone, but it does create pretty wide latitude to examine anything that might be relevant to a case. For example: In a workplace discrimination case, lawyers might examine (and surrender) text messages, photos, websites visited and so on. It’s not a right, it’s a duty. In fact, when I first examined this issue for NBCNews, Michael R. Overly, a technology law expert in Los Angeles, told me he knew of a case where a company actually was sanctioned by a court for failing to search devices during discovery. Work Gets Personal “People’s lives revolve around their phone, and they are going to become more and more of a target in litigation,” Overly said then. “Employees really do need to understand that.” There is really only one way to avoid this perilous state of affairs—use two cell phones, and never mix business with personal. Even that is a challenge, as the temptation to check work email with a personal phone is great, particularly when cell phone batteries die so frequently. The moral of the story: The definition of “personal” is shrinking all the time, even if you don’t believe Tom Brady shrank those footballs. For further reading: here’s a nice summary of case law.