Slack, Microsoft Teams, & Zoom are here to stay – what are the business implications?
COVID-19 has changed how and where enterprise users work, and has significantly accelerated business adoption of chat and collaboration platforms such as Slack, Zoom, and Microsoft Teams, all of which now have tens of millions of daily users.
Many businesses are required, whether by compliance mandates, litigation needs, or industry best practices, to archive electronic communications (primarily email). What are the top considerations you need to weigh when evaluating what the adoption of these new communication channels means for your company’s information governance and compliance?
1. SEC Regulations & FINRA 2019 Report on Examination Findings & Observations
For financial institutions, the relevance of chat data to regulations such as SEC 17a-3, 17a-4, & FINRA Rule 3110(b)(4) has been reinforced by FINRA, with their 2019 Facts & Findings Report serving as a prime example. The report identified the following problem and proposed the following solutions, relating to the governance of new-age digital communications.
Use of Prohibited Digital Channels – In some instances, firms prohibited the use of texting, messaging, social media or collaboration applications (e.g., WhatsApp, WeChat, Facebook, Slack, or HipChat) for business-related communication with customers, but did not maintain a process to reasonably identify and respond to red flags that registered representatives were using impermissible personal digital channel communications in connection with firm business. Red flags could be detected through, for example, customer complaints, representatives’ email, outside business activity reviews, or advertising reviews.
Establishing Comprehensive Governance – Some firms maintained governance processes to manage firm decisions and develop compliance processes for each new digital channel, as well as new features of existing channels. Such firms worked closely with their marketing, compliance, and information technology departments, as well as their third-party vendors, to monitor the rapidly evolving array of communication methods available to their associated persons and customers.
Controlling Permissible Digital Channels – Firms with holistic supervision and record retention programs and policies clearly defined permissible (as well as prohibited) digital channels; blocked prohibited digital channels (or prohibited features of permitted channels); restricted the use of messaging and collaboration apps that limit the firm’s ability to comply with its recordkeeping requirements (such as apps with end-to-end encryption or self-destructing messages); established how permitted communications will be stored in a compliant manner, and implemented supervisory review procedures for communication and recordkeeping that are appropriate for the firm’s business model and tailored to each digital channel.
2. Business-critical data can easily be lost
In August of 2020, KPMG experienced a technical incident during which 145,000 globally dispersed users had their Microsoft Teams chat history erased. While many CIOs do not encourage using chat channels like Slack and Teams for formal communications or business-critical content, the reality of today’s virtual workplace is that employees are using a mix of these tools and email to get their work done and exchange information. Having a solution to archive, back up, and search this content, so that it is never deleted, improperly disposed of, or improperly used, is critical to the health of day-to-day employee productivity and business operations.
3. HR considerations for the virtual workplace
In 2018, the Equal Employment Opportunity Commission (EEOC) saw a 50% increase in the total number of workplace harassment lawsuits filed relative to 2017, and secured settlements totaling $70,000,000 USD for 41 complainants alleging sexual harassment. In response to this recent uptick in harassment suits, HR departments have worked tirelessly to align policies to these new standards and workplace climate, only to have their efforts disrupted by a significant shift to telecommuting and working from home in 2020.
Without implementing the necessary controls to monitor and enforce workplace policies across virtual workplaces such as Teams, Zoom, and Slack, HR departments will see even more of these complaints – and remain hamstrung in their investigation capabilities, unless they are able to reference and retrieve the chat data relevant to the complaint or legal request. Please read section 5 for more details on how an Ohio Attorney General was removed from office following an HR investigation involving instant messages.
4. GDPR, CCPA, & Data Privacy Regulations
Recent data privacy legislation such as the EU’s GDPR and California Consumer Protection Act (CCPA) has subjected enterprises to a new reality: they must be able to fulfill “data subject access requests,” or DSARs, within thirty days, or risk a fine of up to 4% of annual revenue. From an operational standpoint, this means the business must commit resources to collect all data concerning the requester (many of whom are ex-employees), review it for personal information, separate that personal information from the business information, and then send the personal information back to the requester.
The process to collect, review, and redact this data across multiple sources including email, network drives, and chat communications can take days for some companies, so archiving all of this data into one place provides the streamlined collection, search, and review capability your team needs to fulfill these requests in a timely manner and avoid penalties, without requiring additional human capital and resources to take part in the effort.
5. Electronic communications are public records
Government organizations that archive email as part of their Freedom of Information Act (FOIA) or Public Records Act (PRA) response obligations need to immediately consider the role of chat data as public records as well. Fulfilling these records requests in a transparent manner is the government’s obligation to the public and crucial to maintaining public trust, but it is a complicated matter because government employees often conduct personal and professional business on government devices, and laws vary (at least in the US) on a state-by-state basis.
Computer-based instant messages in government offices are not immune from open records requests, either. Although the messages usually have to involve discussion of public business to be considered public records, in cases of potential corruption or improper behavior, even private instant messages have been released. In 2008, for instance, Ohio Attorney General Marc Dann was impeached and eventually resigned after the Columbus Dispatch requested records pursuant to a sexual harassment case and inadvertently uncovered instant messages and e-mail that revealed an affair between Dann and his scheduler. – RCFP, 2009
As the RCFP report details, government agencies in all 50 states need to weigh their requirements for email, chat, and SMS archiving. This requirement dates back prior to 2010, but has become all the more important now given the rise of remote working, chat communications, and mobile devices.
6. Analytics for Employee and Customer Sentiment
In addition to employee productivity, many enterprises use chat to deliver customer service. By monitoring internal and customer-facing chat channels, enterprises can run analytics and keyword searches to gather information and sentiment on things such as new product and service launches and customer satisfaction, and to identify potential problems with employees before they become HR or business issues. According to Splunk’s 2020 “The State of Dark Data” survey, 91% of 1300 CIOs who responded know that they need to extract more value out of their enterprise data, but 60% also acknowledged that more than half of their data is not captured, analyzed, or known to exist because they lack the tools needed to understand it. This fact begs the question: what advantages lie in your business data that your organization fails to recognize?
The team at UGA has developed our PremCloud Connect solution to help organizations govern this chat data no matter which archive solution you use today – Microsoft 365, EAS, Zovy, or something else.