This article was originally published in Corporate Compliance Insights.
How to Manage the Risks Associated with External Messaging
Do we really know what our employees are saying? Trevor Wiles and Hugh Bigwood provide an overview of the rising use of messaging applications in the workplace, their risks and benefits and how their use can be controlled.
It was recently calculated that in 2020, over 306 billion emails were either sent or received each day. This number is estimated to increase to some 361 billion daily by 2024 [Statista]. The world of emails is well-understood, and most of us have become accustomed to their use as well as the risks associated, especially around investigations and litigation. Email has become very much the conventional channel for business communication.
Around 15 years ago came the start of a new revolution: the use of messaging systems and, more recently, messaging apps. As of October 2020, the top four providers of such apps (WhatsApp, WeChat, Facebook Messenger and Viber) accounted for over 4 billion users [Statista], and it is somewhat telling that although we can produce the numbers of users, we cannot actually produce the number of messages that users may have sent.
What is also interesting is that most of us will have at least two messaging apps on our devices, the choice of which often depends on the part of the world where we live. For example, while over 55 percent of the German population use WhatsApp applications, iMessage and Facebook Messenger are significantly more popular in the United States. The statistics also suggest that our age and gender may influence usage; those of us under 44 years of age may be more inclined and comfortable using this form of communication, and female usage has been generally seen to outweigh male usage.
Messaging apps provide an easy and convenient way not only for employees to communicate internally, but also for companies to talk with suppliers and customers. In a recent investigation carried out by Hugh, his team identified over 130 different WhatsApp groups being used by one site as the key communication method between employees. Due to their effectiveness and simplicity, messaging apps are becoming a routine business tool with the potential to overtake email; this is likely to expand further in the new “COVID” world, where the majority of interfacing with a colleague happens remotely. Employers are, therefore, facing an ever-greater challenge in keeping control of conversations occurring outside the more conventional channels. Can employers say with certainty they know what is being said and what is being discussed regarding their business?
Compliance Risks Associated with Messaging Apps
Most organizations either provide a mobile phone (or a tablet) or support the cost of an employee’s device through bring your own device (BYOD) arrangements. This is typically intended to make an employee more reachable and to simplify communication. But while there are clear benefits, there is also risk.
For the most popular messaging apps, it is rare to have a central server or copies of conversations being downloaded to a company server. This means that there is typically no corporate record. For many discussions and conversations, this may not be an issue, but when the conversations start to relate to confidential information, pricing or other sensitive topics, it becomes one. How does an organization know what was actually agreed by its employees and, perhaps more importantly, can it be proved? In the case of confidential information, what may have been shared and with whom? This has implications for public disclosures as well as intellectual property protection.
Limited access also creates a barrier for internal investigations and litigation. Access to conversations held in messaging apps may be not just harder, but may in some circumstances be impossible. Although WhatsApp chats can be extracted and reviewed from the specific device, this can only be done when you have physical access to the device. This raises some interesting questions around a company’s right to access phones or any other devices (especially in the BYOD situation). Many IT security policies and technologies allow for the control of the device or even the complete wiping of a device, but few address remote access to non-standard data on the device.
This can put a company at a distinct disadvantage when trying to investigate allegations of misconduct or defend a position in litigation, or in cases where a regulator uses statutory powers to access or seize devices and the company does not itself have access to the data contained within them.
In China, antitrust regulators have monitored the use of WeChat and used messages as the grounds for prosecution. In 2016, the Shanghai Price Bureau imposed a fine of ¥12 million on three subsidiaries of Haier, one of the largest home appliance companies in China, for restricting the resale prices of their distributors. The decision specifically listed WeChat screenshots as evidence. Most of the cases in China so far have been in the antitrust area, but this would suggest that this will have wider implications – especially as a new law, part of the Supreme People’s Court’s latest revisions to “Evidence in Civil Procedures,” was passed on October 14, 2019, so that chats and microblogs could be counted as evidence in civil and criminal lawsuits [China.org.cn]. The new law took effect May 1, 2020. Can we expect to see similar approaches from other regulators?
In the U.K. courts, WhatsApp messages have provided crucial evidence in both criminal and civil cases. Even in internal company investigations, access to messaging apps can provide vital evidence. In one internal investigation, collusion around inappropriate conduct was clearly evidenced through discussions on messaging apps.
Should Businesses Ban the Use of Messaging Apps for Business Communications?
In response to these risks, many companies have looked to ban the use of messaging apps for business purposes. Although a ban should eliminate any associated risk, there is a significant question mark over whether a ban will actually be effective and can be realistically enforced. There is also the problem of what then replaces the chat groups – you create a void that will be filled by something.
Additionally, if, for example, customers use messaging apps, then a ban may actually impact the ability to conduct business, and it may also reduce the efficiency of certain parts of the workforce. Typically, all a ban will do is push the use of messaging apps underground, with employees using their personal phones or buying a separate second phone for this purpose, thus creating further issues from an e-discovery and corporate record point of view.
From a risk and compliance perspective, it’s in an organization’s best interest to maintain a record of conversation integrated into its business operations. However, from a morale and trust point of view, organizations must find a balance of trust, allowing employees to communicate efficiently and not deviate to “underground” methods of communication where an organization loses oversight on potentially sensitive and confidential communications taking place.
If Not a Ban, How Can Risks be Mitigated?
The risks associated with messaging apps do vary depending on the particular app used. Many apps available today do allow monitoring, such as Microsoft Teams; therefore, it is advised that companies carefully consider what apps they may wish to allow. However, a note of caution here: It may be possible to ensure that certain apps are used for internal communication, but it may be more difficult to dictate what app can be used for external messaging (this will be especially true for the small and medium-sized enterprises), as this may be driven by the market, and an individual company may have very limited influence.
Mobile device management (MDM) software has played a key role in how organizations manage their employees’ mobile devices. Most large organizations have some form of MDM software in place. This helps an employer ensure that the devices deployed to their employees adhere to correct protocols, such as enforcing passcode usage, remote troubleshooting and even limiting what apps can be installed on a device.
While this helps ensure employees are adhering to correct protocol, there are limitations as to what MDM platforms can do. In most cases, message logging from certain messaging apps is not possible. Additionally, organizations that have a BYOD policy are limited in how much control they can place over an employee’s device without breaching the employee’s trust. At present, Android phones have a “work profile” feature (similar to an attempt by Blackberry in the middle of the last decade), the use of which provides the employer control of the apps used and security settings in place, while the user’s “personal profile” is out of the employer’s visibility and control. While this is a promising feature, mass adoption has yet to take place, and there is no iOS equivalent by Apple.
Overall, in order to find a fair balance between overburdening employees with strict controls and enabling the usage of any application for communicating, companies should address usage of messaging apps in a clear instant messaging policy, which can be standalone or part of a wider IT policy. Policies could include:
- When messaging apps can be used for business purposes, including both internal and external use (e.g., with customers or suppliers). If any conversations do occur on messaging apps, then these need to be followed up with an email confirmation as soon as possible. The organization should establish a similar policy for certain internal chats where maintaining a corporate record is necessary.
- Keep business and social chat groups separate and where chat groups are used, maintain good controls around who is participating (including ensuring that all participants know who may have access to conversations), as well as who can grant access and invite new participants.
- A company’s standard internet and email usage policy should apply to use of messaging apps on work phones.
- Policies are to be read and signed when collecting phone/BYOD approval with periodic reminders put in place for employees.
- Providing training on what can be done, rather than what can’t be done. Training must also contain real examples relevant to the various audiences. Creating awareness of the implications of using unmonitored communication channels is key.
There is no doubt that the use of messaging apps is now an embedded part of the current business environment and that their use will only increase. This usage does come with some risk that needs to be considered. Absolute bans or forcing particular routes of communication rarely work, as that simply leads to “underground” communication tools and more fractious levels of trust between the organization and the employee. The key is educating those most at risk about the risks – adopting the new technology, but also supplying practical guidance and controls to make it easier for people to comply.