It’s a simple fact, whether company-issued or personally owned, mobile phones have become embedded in the workplace. From answering emails, to remote logins, to signing documents and texting clients – these are corporate activities and property of the employer which can become potent evidence during an investigation.  As highlighted by a recent article in Corporate Counsel, e-discovery itself is still in its infancy and the requirements around data preservation related to e-discovery of mobile phones and text messages have been largely ignored, due to being perceived as creating an undue burden. However this is quickly changing as discovery methods become more advanced and mobile phones become more embedded in the workplace. The direction the courts appear to be heading is one of a “duty to preserve”.

In order to avoid being sanctioned by the courts or being accused of destruction of evidence, companies will need to respond appropriately, ensuring that any data is properly preserved so that they can present pertinent evidence when called for by the courts. However, as an entirely new legal territory for the courts and companies alike, there are some big questions that still need to be answered. When it comes to data retention practices, what are “reasonable” measures? How long must a company preserve communications? How will loss of devices be treated/handled?

While some data may be recoverable from mobile devices (even if deleted), and carriers/providers may be able to provide a certain level of data, companies should be careful not to make the mistake of operating under the false belief that they can rely on the storage or networks of such 3^rd parties.

In response, companies will need to update their BYOD policies. This may mean among other things, prohibiting SMS communication with clients. Additionally, organizations will need to; deploy employee training (to ensure compliance), perform regular/protected backups, regularly monitor usage and implement data retention policies. As also highlighted, this will pose additional financial challenges. Companies seeking to implement the strongest controls may be forced to a “company-owned device” model, where they had not previously provided mobile phones, creating additional expenses.

When addressing insurance, it will be interesting to see if any of the cyber insurers will modify their policy forms moving forward, to provide coverage for such failures by amending the definition of “wrongful act” to include "failure to preserve or retain data".