I listen to a number of podcasts in the TWiT network.  Actually, I’m normally playing catchup as I’m subscribed to a number of their podcasts. One of the podcasts I’ve been catching up on recently is TWiL - This Week in Law - hosted by Denise Howell. It’s definitely a bit on the dry side, not as funny or lively as the TWiT or MacBreak Weekly podcasts that I tend to keep up with. If you’re dealing with technology or doing business in a technology-related field, though, it’s definitely worth checking out.

The episode I’ve been listening to lately is Episode 16, Cloud Computing and EULA Law.  One of the topics that they delve fairly deeply into in this episode is the topic of ediscovery, or the laws surrounding the legal discovery process relating to electronic assets.  They approach the issue more from a corporate perspective, discussing, for instance, the proper policies for archiving email communications and such.  They do, however, mention the employee use of personal resources and how that use could open up those personal resources to the legal discovery process.  It’s this last bit that caught my attention, both as something that is more common of a practice than anyone probably cares to admit and as something that could have more serious privacy ramifications for any employee engaging in this practice than that employee likely realizes.

To understand how broad this could be, lets look at a couple of examples of use of personal resources for transacting company business:

1. Sending company-related email from a personal email account (using your Gmail account from your iPhone was an example given in the podcast)
2. Using a personal laptop to do your work instead of a company-provided machine
3. Keeping company-related files and information in a personal Google Docs account or other personal cloud storage account

Are you guilty of any of these?  If you are, and the company you work for is ever involved in litigation where the information you handle is pertinent to the litigation, you could be exposing your personal account, and all that is in it, to the legal discovery process.  What does this mean in real terms?  Simply, it means that attorneys, paralegals, and clerks could end up combing through everything in your account or computer looking for whatever evidence they need for their case.  While only pertinent evidence would be presented in that litigation, most people would shudder at the idea of an outsider having full access to their personal information.  Now, I am certainly no attorney, but I would imagine that there would need to be clear evidence that someone was using personal resources on a regular ongoing basis in order for a judge to grant a litigant access to his or her personal resources like this, but, if there is clear evidence that pertinent information could be stored on non-corporate resources, the judge would likely be obliged to grant such access.

So what can be done to keep this from happening?  The way I see it, protecting personal privacy in a corporate environment requires a two-fold approach.  As in many instances, the first approach is education.  Employees must be made to understand the risks they are taking with regards to their privacy when they use personal resources for company business.  The second approach is one the companies themselves must undertake.  Companies need to understand that employees are likely turning to various personally-owned resources because they are more convenient.  To make sure that employees are complying with applicable laws and company policies and aren’t opening themselves up to personal exposure, corporate IT departments must make sure that corporate electronic resources are readily available and easy to use.  If, for instance, you, as a company, expect your employees to be answering email while out of the office, but your email server is only available through a hard-to-use VPN, you’re setting your employees up for failure, because they’ll turn to services they have easy access to in order to fulfill the requirements of their jobs.

So, if you’re an employee reading this, think about the ways you may be unintentionally exposing yourself.  If you’re a corporate executive or IT person reading this, think about the ways in which your employees access company data and how they jive with the requirements of their jobs.  If you don’t, you may be putting your or your employees’ personal privacy at risk.