Modern Workplace Realities: Does Employee Phone Data Belong to the Enterprise?
Editor’s Note: When employees use personal phones for work, who really controls that data? Phil Favro tackles this question directly, examining how courts decide whether companies can be compelled to produce data from devices they don’t own, but may effectively govern. At the heart of his analysis is a pivotal tension between the “legal right” and “practical ability” tests, and why the difference between them can determine whether a company walks away from a production request or gets buried in it. Drawing on recent case law, Favro shows how judges weigh not only formal policy but actual workplace behavior, exposing a gap that many organizations don’t realize exists until they’re already in litigation. A BYOD policy that looks airtight on paper may mean very little if day-to-day practices tell a different story, and Favro illustrates how that disconnect can quietly erode a company’s legal position. The piece closes with concrete guidance for organizations navigating this landscape, a timely reminder that managing employee communications isn’t just an HR concern; in today’s discovery environment, it’s a litigation risk hiding in plain sight.
Modern Workplace Realities: Does Employee Phone Data Belong to the Enterprise?
By Phil Favro, Contributing Author for HaystackID
Whether a corporate party has “possession, custody, or control” over information on employee phones is one of the more contentious issues in civil discovery.
Why, though?
Memorialized in Federal Rule of Civil Procedure 34, the possession, custody, or control requirement seems simple enough. Under Rule 34(a)(1), a party may serve a written demand to an adversary that seeks documents, electronically stored information (ESI), or other information found “in the responding party’s possession, custody, or control.”
While simple, the notion of what actually constitutes possession, custody, or control has engendered many disputes that often devolve into motion practice. That is particularly the case where parties request discovery from organizations. For purposes of Rule 34 document productions, does a corporate party have control of ESI if the requested data is in the possession of nonparty company employees? More specifically, does a company have control over text messages and other information on its employees’ personal phones?
In 2026, the answer to this question is murky, at best. Ask a lawyer and the response will probably be: “It depends.” Indeed, the answer could depend on any number of factors. One of the more significant factors is whether a company has policies that address the ownership of work-related communications and other information found on employee-owned devices. In some instances, employer policies that disclaim ownership of employee communications on personal phones have been determinative of the issue, with courts concluding that the employer does not have control over employee text messages. [1] And yet, other courts have found the employer has control of employee text messages based on company practices and ordered the entity to produce responsive communications from employee devices. [2]
Another layer of complexity on this issue involves the legal test that applies to the issue of possession, custody, or control. Most jurisdictions in the U.S. apply the “legal right” test, which requires that a party have a definitive legal entitlement to requested information before a court will require its production. A minority of jurisdictions—including courts in the U.S. Court of Appeals for the Second Circuit, such as the Southern District of New York (Manhattan)—follow the “practical ability” test. That test focuses on whether a party, as a practical matter, can obtain the requested information, irrespective of legal ownership. Further complicating things, some courts in legal right jurisdictions have increasingly dispensed with the formalities of this test to address modern workplace realities involving employee phone use.
These factual and legal considerations were on full display in the recent case of Famuyide v. Chipotle Mexican Grill. In Famuyide, the court rejected the legal right test in favor of the practical ability analysis and determined that employer policies and practices required that the defendant (Chipotle) produce responsive text messages from its employees’ personal phones. [3]
Famuyide is instructive on how courts may interpret enterprise policies and practices in determining the boundaries of possession, custody, or control. Understanding the nature and extent of those boundaries can help organizations implement policies and practices that more effectively address employee phone use and related workplace issues.
Famuyide: Practical Realities Over Legal Formalities
In Famuyide, a lawsuit arising from sexual harassment and assault allegations in the workplace, the court issued a production order directing Chipotle to turn over “all information and communications responsive to [the plaintiff’s] discovery requests obtained from any employee, including from their personal electronic devices.”
The Plaintiff’s Requested Discovery
The plaintiff sought a discovery order to produce this information—including communications Chipotle employees exchanged on the GroupMe messaging application—after Chipotle declined to produce the information. In support of her arguments, the plaintiff referenced testimony from Chipotle personnel who confirmed that Chipotle employees communicated on their personal phones about work issues, including “shift schedules, swap work shifts, and… daily operations” at the restaurant.
Chipotle’s Arguments Against Production
In response, Chipotle maintained that it did not have possession, custody, or control over its employees’ personal devices, asserting it did not have a “legal right” to obtain its employees’ GroupMe or text messages. To support its position, Chipotle emphasized that it had not issued phones or even email addresses to the plaintiff or other restaurant employees. In addition, Chipotle argued that it did not “endorse, license, authorize, or otherwise encourage its restaurant employees to use GroupMe or any other third-party messaging application for work-related communications.”
Practical Ability versus Legal Right
The court rejected Chipotle’s arguments. First, the court (Magistrate Judge Elizabeth Cowan Wright) found that it could apply either the legal right or the practical ability test since the U.S. Court of Appeals for the Eighth Circuit had not adopted one test over the other. Judge Wright dismissed the legal right test, reasoning that employers such as Chipotle could “require employees to use personal phones for business purposes, in part, to impede the ability of employees to bring claims against their employers in court.” Moreover, the court feared that a legal right test would encourage employers to implement “bring-your-own-device” (BYOD) policies so they could “shield[] themselves from discovery.” Instead, Judge Wright found the practical ability test was more suitable given modern workplace realities.
Factors Favoring Production
Under the practical ability analysis, a movant can establish the existence of Rule 34 “control” by showing that the producing party “has the right, authority, or practical ability, to obtain the documents from a non-party to the action” (emphasis in original). Applying the practical ability test, the court found that several factors weighed in favor of production. Among other things, Chipotle’s employee handbook indicated the company could seek communications from employees’ personal phones in connection with harassment investigations. In addition, Chipotle expected that its managers would collect text messages from employees’ personal phones in connection with harassment investigations, or they could face discipline, including termination. Finally, Chipotle employees, as a matter of fact, regularly communicated about work items over the GroupMe application on their personal phones. These factors tipped the scales toward establishing Chipotle’s control over work messages on its employees’ personal phones.
As part of its production order, the court directed Chipotle to issue a collection request to its employees for relevant communications if it had not already done so. In addition, Chipotle had to prepare a company-designated witness to testify about “whether and when Chipotle obtained and preserved communications (including text messages and GroupMe messages) and other responsive information on its employees’ personal devices.”
Handling “Control” Amid Modern Workplace Realities
Famuyide teaches that enterprises could have difficulty setting limitations on discovery from employee personal devices in certain cases. To be sure, there were several points from Famuyide supporting the notion of “control” that might not be present in other Rule 34 possession, custody, or control disputes. Those factors included the company handbook provision, Chipotle’s practice of collecting employee text messages in connection with other harassment investigations, and its seemingly tacit encouragement for employee use of GroupMe to discuss restaurant business.
Nevertheless, courts—in reliance on Famuyide—could very well dispense with the formalities of company policies or practices to establish that an enterprise has the practical ability to obtain text messages and other content from employee personal phones. Or courts instead could choose to follow a traditional legal right approach that respects corporate policies, particularly where practices are consistent with implemented policies. Allergan v. Revance Therapeutics, which held that the plaintiff failed to show the defendant had a legal right to obtain data from its employees’ personal devices under its BYOD policy or employee handbook, is exemplary on this point. [4]
While companies cannot control which legal test a court will adopt, they can control how a judge may perceive their policies and practices by ensuring better operational consistency. A company may wish to examine its practices to determine whether they are consistent with and properly flow from implemented policies. In particular, employee communication practices should be consistent with corporate “acceptable uses” policies. For example, if employees regularly communicate by text message rather than by an established enterprise chat application, Famuyide suggests the practice could override the policy. Similarly, if a company with a BYOD policy that disclaims ownership of employee text messages has a practice of requiring employees to “turn over their personal phones for imaging” to prove or disprove harassment allegations, that practice could establish “practical ability” for purposes of Rule 34 possession, custody, or control.
Enterprises should also evaluate their specific business requirements and needs. For some companies, the risk of litigation may justify policies that proscribe personal device use. In contrast, other businesses may feel the use of non-sanctioned messaging applications could outweigh discovery risks, provided they are prepared for the resulting production obligations.
Regardless of the approach, companies should document their process. This includes audits and other follow-ups designed to assess the effectiveness of corporate policies and practices. Documenting those steps and the business rationale behind those policies can provide a foundation for handling motion practice over disputes involving possession, custody, or control.
[1] See, e.g., Allergan, Inc. v. Revance Therapeutics, Inc., No. 3:23-CV-00431, 2025 WL 984792 (M.D. Tenn. Mar. 17, 2025), report and recommendation adopted, 2025 WL 1020485 (M.D. Tenn. Apr. 4, 2025). [2] See Miramontes v. Peraton, Inc., No. 3:21-cv-3019-B, 2023 WL 3855603 (N.D. Tex. June 6, 2023). [3] Famuyide v. Chipotle Mexican Grill, Inc. No. 23-CV-01127 (DWF/ECW), 2026 WL 765355 (D. Minn. Mar. 18, 2026). [4] See, e.g., Allergan, Inc. v. Revance Therapeutics, Inc., No. 3:23-CV-00431, 2025 WL 984792 (M.D. Tenn. Mar. 17, 2025), report and recommendation adopted, 2025 WL 1020485 (M.D. Tenn. Apr. 4, 2025).
About Phil Favro
Phil Favro is the founder of Favro Law PLLC, where he counsels clients on ESI, AI, and discovery issues and serves as a special master, mediator, and expert witness. Phil is nationally recognized for his expertise on ESI, discovery, and information governance, with courts acknowledging his credentials. See, e.g., Oakley v. MSG Networks, Inc., No. 17-CV-6903 (RJS), 2025 WL 2061665 (S.D.N.Y. July 23, 2025). This background makes Phil particularly well-suited to counsel clients and advise courts on information-related issues. As a special master, Phil is acclaimed for his collaborative approach, working with parties to find stipulated solutions to complex issues. For disputes that require adjudication, he is renowned for the clarity and vigor of his written dispositions, which are available on legal search engines.
About HaystackID®
HaystackID® solves complex data challenges related to legal, compliance, regulatory, and cyber requirements. Core offerings include Global Advisory, Cybersecurity, Core Intelligence AI™, and ReviewRight® Global Managed Review, supported by its unified CoreFlex™ service interface and eDiscovery AI™ technology. Recognized globally by industry leaders, including Chambers, Gartner, IDC, and Legaltech News, HaystackID helps corporations and legal practices manage data gravity, where information demands action, and workflow gravity, where critical requirements demand coordinated expertise, delivering innovative solutions with a continual focus on security, privacy, and integrity. Learn more at HaystackID.com.
Assisted by GAI and LLM technologies.
SOURCE: HaystackID