Employee Personal Storage Devices Create Workplace Challenges

December 2005

Library Sections:

• Expert Testimony
• Damages Analysis
• Investigations and Forensic Accounting
• Computer Forensics / Electronic Discovery
• Sarbanes-Oxley and Nonprofit Whistleblower Solutions
• Valuations and Appraisals
• Financial Reporting
• Tax Advice and News
• Other Current Events and Economic Commentary
• Interactive Tools and Personal Financial Advice

Employees have a variety of inexpensive digital storage devices available to them that, when used at work, pose significant data security issues.  An employer’s data has never been less secure and harder to control.  Lawyers should be knowledgeable of these issues in order to properly advise their clients about (i) human resource policies, and (ii) responding to, and demanding production for, electronic discovery requests.

MP3 players (including iPods), digital cameras, mobile phones with memory cards, and flash drives can be connected to an employer’s computer system, usually through a USB (universal serial bus) or firewire connection.  Storage sizes of one GB are common for digital cameras and flash drives.  MP3 players have considerably greater storage.  To put this in context, the average word processing file is around three pages long, with a size of between 25K and 35K.  That means a 20 GB iPod could hold around 700,000 documents.  Although this volume is already staggering, projections for just a short time from now have flash drives reaching 10 GB, and one inch hard disk drives reaching 60 GB.

Theft of Proprietary Information

The threat of information theft has existed since the earliest floppy disk drives, although then, the amount of data removal was much less.  CDs and DVDs increased the concern because of their ability to store much greater volumes.  Still, carrying around a stack of CDs is more conspicuous than carrying an iPod, and an iPod has so much more storage capacity.

When someone initially learns that anyone can walk into the office and take a USB flash drive, iPod, or other personal gadget from his pocket, grab multiple megabytes of data, and then leave without being detected, the first response is usually a desire to lock down computers to prevent this.

It’s not that easy.  USB connections are used for keyboards, mice, printers, scanners, and other necessary devices.  In addition, the flash drives (also called thumb drives and key-chain drives) are exceptionally handy, and add significantly to worker productivity when files need to be easily moved and shared.  Of course, this same ease makes the devices (and the data on them) so difficult to control.  Although software is available to prevent using a USB port for recording purposes, this increases network administration complexity and eliminates the advantages of this technology.

Preventing employees from bringing these devices into the workplace is difficult.  Their small size allows them to be easily carried to the office in a pocket or handbag.  Short of instituting an unfriendly policy of not allowing employees to use their own electronics, combined with an invasive search program to enforce the policy, it is virtually impossible to keep these devices from the workplace.  Even if the employer were willing to alienate its workforce, privacy and human rights laws might prevent implementation of an effective program to eliminate these devices.  For example, forbidding employees from using their MP3 players during lunch and other breaks is of questionable legality, and even more difficult to police and enforce.

Employers must consider whether the benefits from these devices outweigh the risks.  There are no easy answers, but most employers who explicitly address the issue (vs. letting events occur out of ignorance or inaction) usually do so with non-technology solutions.  If management chooses to allow the employees the convenience of using these devices at the office, clear guidance should be provided regarding expectations, and the consequences for misuse.  Generally, the solution for these risks is not more technology, but thoughtful policies and procedures.

Of course, all of these questions raise legal issues.

Other Employer Risks

These devices can also be used for uploading data, thus raising the real concern that these often unprotected devices carry a virus, worm, or other malicious program.

Because these devices are so small and portable, they are more easily lost or stolen, thus raising the issue of whether important consumer or trade secret data has been compromised.  A recent survey indicated that around 80 percent of users who transfer data to mobile devices use no encryption to protect the electronic contents.  If consumer data is recorded on such devices, the practice is likely illegal and could cause serious legal exposures.  See Federal Government’s Protection of Consumer Data for more information.

Electronic Discovery Ramifications

Once company data is copied to your employee’s personal media, the firm’s normal storage mechanisms and controls are no longer enforced.  As described above, this causes risks for malicious software and security, but such data also avoids normal rotation of media that appropriately eliminates unwanted and unneeded copies of old and superseded data.  Nevertheless, such data still belongs to the employer, and the employee is still within the employer’s control.  Consequently, a properly drafted subpoena can reach these “rogue” storage devices.

The lessons are obvious.  Parties seeking production of electronic information should draft their requests to include data maintained on employees’ personal mobile storage devices.  Similarly, employers’ policies on document retention should address the need to eliminate these extra copies after their immediate approved use is complete.

Fulcrum Inquiry is a consulting firm that assists lawyers with electronic discovery, computer forensics, and fraud investigations .