Posted on 2013/04/02

How to Confiscate Mobile Device by Benjamin Wright

Suppose enterprise has a BYOD policy empowering the enterprise to seize employee’s smartphone.  Suppose further that enterprise has reason to believe the phone contains important evidence . . . such as stolen trade secret or records of contract negotiations by employee on behalf of enterprise or photos relevant to allegations of a hostile work environment.

Wise Steps

Enterprise considers confiscating the device and investigating whether it contains the evidence in question.  What would be wise steps for the enterprise?

1.  Consider engaging an attorney so that confidentiality of the investigation is protected under attorney work product doctrine.

2.  Document the reason for believing the device possesses relevant evidence.

3.  Consider sending the employee who owns the device a preservation letter, informing employee that she/he should avoid destroying evidence.  Remember, whatever evidence may exist on device may also be copied to online accounts controlled by the employee (e.g., cyber locker like Dropbox).

If employee destroys evidence in the face of an investigation and a preservation letter, the act of destruction itself could be grounds for action against the employee.

4.  Consider interviewing the employee formally before confiscating the device.  In recorded interview, with multiple people involved, ask employee about allegations and evidence.  If employee lies during interview, the lying itself might be grounds for taking action against employee.

5.  Ask employee if she/he consents to confiscation and inspection of device and collection of evidence.

6.  If enterprise decides to confiscate device, document justification for the decision and involvement of multiple authorities (e.g., lawyer and higher management).

7.  Make detailed records about the process of confiscation (e.g., narrative of when and how confiscation transpired and photos or video of confiscation and condition of device).

8.  Give employee written document (receipt) of the confiscation, describing the device (including possibly images), date and time.

9.  If enterprise investigator inspects device (including evidence extraction), involve multiple agents and keep detailed records of the inspection (including possibly narrated video of each step of inspection).

10. Take care to comply with any relevant laws, including those that forbid employer from demanding social media log-on credentials.

11.  Exercise restraint.  If the enterprise refrains from looking at data it does not need, then any argument that the employee’s rights were violated is weaker.

12.  Inspection might include sophisticated forensic extraction of data and/or just video/affidavit recording of data (text, images, audio) manifest by operation of the device.

13.  Ensure copies of investigative records are in hands of multiple people (e.g., lawyer and investigator).

14.  If child porn is discovered (or even suspected), contact police immediately. (horrible)

15.  If device is kept for extended time, document the justification, including notice to employee.

16.  Document return of device if and when it happens.

–Benjamin Wright

Mr. Wright teaches Law of Data Security and Investigations at SANS Institute.

