Our Insights

Thought Leadership and Industry Trends

Home 9 Insights 9 Off-Channel Communications Compliance: Steps to Secure Business Messaging

Off-Channel Communications Compliance: Steps to Secure Business Messaging

Apr 18, 2024

Side,View,Shot,Of,A,Man’s,Hands,Using,Smart,Phone

In Part 1 of our off-channel messaging communications series, Bill Belt detailed the evolving SEC and DOJ enforcement stance on off-channel messaging for business. In Part 2, we will discuss how companies can address their workforce needs and embrace the productivity benefits of modern communication platforms, while ensuring proper compliance.

Acknowledgement: Identify the Problem

Managing off-channel communications can be summed up in two words: acknowledgement and adjustment. First, companies and government agencies must acknowledge that current compliance policies and solutions may not be effective in addressing the unique set of retention and preservation challenges posed by modern messaging platforms. Acknowledgment starts with a clear understanding of where an organization’s off-channel messaging apps are being leveraged, and by whom. Many companies looking internally at these items are quickly coming to terms with three realities:

The business use of off-channel, unregulated communication apps by employees is much more widespread than previously thought.
Application and device usage polices have not kept up with both the rapid advance of communication technologies and the breadth and velocity of regulatory enforcement.
Existing, in-place compliance technology solutions have not evolved to cover the rapid technical evolution of modern digital communication platforms.

Each of these areas requires a company-wide acceptance of what risks are now in play, followed by quick attention to the next phase–adjustment.

Adjustment: Modifying Device and Usage Policies

Part of this assessment requires modification of an organization’s device and usage policy. Existing device/application policies (BYOD or not) could not have possibly anticipated a global pandemic or predicted the remote shift of workforce and the massive proliferation of messaging applications or corporate communication. But if an assessment confirms that at least one internal group is using off-channel communication apps to send or receive business information subject to archiving requirements, monitoring and archiving controls must be quickly adjusted. The technical challenges associated with expanding policies to cover modern communications must also be addressed. While the general approach may be similar, the technical complexities are much more significant.

Enhanced messaging compliance requires an application solution that can capture all critical communications to and from employee users, regardless of whether the app is user controlled (WhatsApp) or managed by the business (Slack). Not surprisingly, off-channel message monitoring and archiving is an evolving industry with a variety of competitive solutions, often with different deployment configurations.

Message Archiving Essentials

Regardless of the provider or technical approach, any solid message archiving solution should include the following:

Robust security – Off channel messaging can be a mix of personal and business content and extremely sensitive. Encryption and secure access controls to any archiving solutions are critical.
Comprehensive message retention – Ensure all data is captured across all monitored channels.
Data retrieval and export functionality – Search and retrieval tools, including AI-driven features and seamless integrations with other compliance archiving and eDiscovery tools, should be included.
Automation – Look for solutions that can enhance your compliance team’s workflow efficiencies and process improvements.
Reporting and audit functionality – Track, track, track. Who accessed these records, when, where, and how? This information is critical and often required in tightly regulated environments.
Data intelligence and threat response optimization – Leverage technologies that can use monitoring and retention capabilities to respond quickly and protect the company against threats, e.g. IP theft, data loss, data exfiltration.
Scalability – The volume of off-channel messaging data can be immense. Choose a solution that is proven to scale and handle that level of volume.

Regulatory agencies have taken notice of lackluster message record keeping and are taking action. Companies need to adjust to this reality and take measures to fully manage both risk and exposure. While there are many policy and technical challenges to consider, an effective off-channel compliance solution is possible, and is essential to an organizations data governance plan.

About the Author

Brad Berkshire

Brad Berkshire is an eDiscovery, information governance, and digital forensics expert whose role at Complete Discovery Source includes leading complex projects and consulting, training, and educating internal teams as well as external clients on information governance, digital forensics, and data acquisition best practices. He also provides consulting and advisory services to the CDS forensic services team and direct support to clients with project scoping on information governance and forensics related projects. In his 25 plus years' experience working in information systems, digital forensics, and eDiscovery services, Brad has performed over 2,800 targeted data collections and forensic imaging acquisitions for cyber investigation, discovery response, and regulatory response engagements. These engagements include forensic data acquisition and data analysis for all types of digital storage including PC and Mac laptops and desktops, servers and enterprise application sources, structured databases, cloud data sources, social media sources, and mobile devices and mobile device applications sources.

01 May 2024

7th Annual Putting Insights into Practice Forum

Navigate a virtual journey through today’s biggest legal data management challenges at PIIP 2024: ADVENTURES ON THE DATA CONTINUUM

Find out more

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
oktgid	1 year	This cookie is used for storing the visitor ID of the user who clicked on an okt.to link.
oktsid		This cookie is used for storing the session ID of the user who clicked on an okt.to link.
pardot	past	The cookie is set when the visitor is logged in as a Pardot user.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_dc_gtm_UA-109542572-2	1 minute	No description
_hjAbsoluteSessionInProgress	30 minutes	No description
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description
_hjTLDTest	session	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 8 months 26 days 9 hours 2 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Our Insights

Thought Leadership and Industry Trends

Off-Channel Communications Compliance: Steps to Secure Business Messaging

Acknowledgement: Identify the Problem

Adjustment: Modifying Device and Usage Policies

Message Archiving Essentials

Brad Berkshire

7th Annual Putting Insights into Practice Forum

Our Blog

Sign Up for Our Newsletter

About CDS

Contact Us