How to Confiscate Mobile Device

Suppose enterprise has a BYOD policy empowering the enterprise to seize employee’s smartphone.  Suppose further that enterprise has reason to believe the phone contains important evidence . . . such as stolen trade secret or records of contract negotiations by employee on behalf of enterprise or photos relevant to allegations of a hostile work environment.*

Wise Steps

Enterprise considers confiscating the device and investigating whether it contains the evidence in question.  What would be wise steps for the enterprise?

1.  Consider engaging an attorney so that confidentiality of the investigation is protected under attorney work product doctrine.

2.  Document the reason for believing the device possesses relevant evidence.

3.  Consider sending the employee who owns the device a preservation letter, informing employee that she/he should avoid destroying evidence.  Remember, whatever evidence may exist on device may also be copied to online accounts controlled by the employee (e.g., cyber locker like Dropbox).

If employee destroys evidence in the face of an investigation and a preservation letter, the act of destruction itself could be grounds for action against the employee.

4.  Consider interviewing the employee formally before confiscating the device.  In recorded interview, with multiple people involved, ask employee about allegations and evidence.  If employee lies during interview, the lying itself might be grounds for taking action against employee.

5.  Ask employee if she/he consents to confiscation and inspection of
Evidence Container
device and collection of evidence.

6.  If enterprise decides to confiscate device, document justification for the decision and involvement of multiple authorities (e.g., lawyer and higher management).  Document the authority to confiscate and then then interrogate the phone.

7.  Make detailed records about the process of confiscation (e.g., narrative of when and how confiscation transpired and photos or video of confiscation and condition of device).

8.  Give employee written document (receipt) of the confiscation, describing the device (including possibly images), date and time.

9.  If enterprise investigator inspects device (including evidence extraction), involve multiple agents and keep detailed records of the inspection (including possibly narrated video of each step of inspection).

10. Take care to comply with any relevant laws, including those that forbid employer from demanding social media log-on credentials.

11.  Exercise restraint.  If the enterprise refrains from looking at data it does not need, then any argument that the employee's rights were violated is weaker.

12.  Inspection might include sophisticated forensic extraction of data and/or just video/affidavit recording of data (text, images, audio) manifest by operation of the device.

13.  Consider measures to secure collected data, such as encryption.  Encryption is a hassle because it requires the enterprise to maintain a process for storing and finding the decryption key . . .  for possibly years into the future.

14.  Ensure copy of investigative records are in hands of multiple people (e.g., lawyer and investigator).

15.  If child porn is discovered (or even suspected), contact police immediately. (horrible)

16.  If device is kept for extended time, document the justification, including notice to employee.

17.  Document return of device if and when it happens.

18.  When data collected from device is no longer needed, consider destroying the data as a measure to promote privacy.  However, privacy interest must balance against anti-spoliation law.  Also, if investigation report has spread to multiple places, destruction may be impractical.

–Benjamin Wright

Mr. Wright teaches Law of Data Security and Investigations at SANS Institute.

*Vast records can be stored on a mobile device, including text, audio, email, video, geolocation, meta data showing time that an app was accessed, content of posts to social networking services, documents uploaded to storage lockers.

. . .
Next step:  What if the device is a form of wearable computing?