In Part 1 of our off-channel messaging communications series, Bill Belt detailed the evolving SEC and DOJ enforcement stance on off-channel messaging for business. In Part 2, we will discuss how companies can address their workforce needs and embrace the productivity benefits of modern communication platforms, while ensuring proper compliance.
Acknowledgement: Identify the Problem
Managing off-channel communications can be summed up in two words: acknowledgement and adjustment. First, companies and government agencies must acknowledge that current compliance policies and solutions may not be effective in addressing the unique set of retention and preservation challenges posed by modern messaging platforms. Acknowledgement starts with a clear understanding of where off-channel messaging apps are being used within an organization, and by whom. Many companies looking internally at these items are quickly coming to terms with three realities:
- The business use of off-channel, unregulated communication apps by employees is much more widespread than previously thought.
- Application and device usage policies have not kept up with either the rapid advance of communication technologies or the breadth and velocity of regulatory enforcement.
- Existing, in-place compliance technology solutions have not evolved to cover the rapid technical evolution of modern digital communication platforms.
Each of these areas requires a company-wide acceptance of what risks are now in play, followed by quick attention to the next phase: adjustment.
Adjustment: Modifying Device and Usage Policies
Part of this assessment requires modification of an organization’s device and usage policy. Existing device/application policies (BYOD or not) could not possibly have anticipated a global pandemic or predicted the remote shift of the workforce and the massive proliferation of messaging applications for corporate communication. But if an assessment confirms that at least one internal group is using off-channel communication apps to send or receive business information subject to archiving requirements, monitoring and archiving controls must be quickly adjusted. The technical challenges associated with expanding policies to cover modern communications must also be addressed. While the general approach may be similar, the technical complexities are much more significant.
Enhanced messaging compliance requires an application solution that can capture all critical communications to and from employee users, regardless of whether the app is user controlled (WhatsApp) or managed by the business (Slack). Not surprisingly, off-channel message monitoring and archiving is an evolving industry with a variety of competitive solutions, often with different deployment configurations.
Message Archiving Essentials
Regardless of the provider or technical approach, any solid message archiving solution should include the following:
- Robust security – Off-channel messaging can be a mix of personal and business content and can be extremely sensitive. Encryption and secure access controls for any archiving solution are critical.
- Comprehensive message retention – Ensure all data is captured across all monitored channels.
- Data retrieval and export functionality – Search and retrieval tools, including AI-driven features and seamless integrations with other compliance archiving and eDiscovery tools, should be included.
- Automation – Look for solutions that can enhance your compliance team’s workflow efficiencies and process improvements.
- Reporting and audit functionality – Track, track, track. Who accessed these records, when, where, and how? This information is critical and often required in tightly regulated environments.
- Data intelligence and threat response optimization – Leverage technologies that can use monitoring and retention capabilities to respond quickly and protect the company against threats, e.g. IP theft, data loss, data exfiltration.
- Scalability – The volume of off-channel messaging data can be immense. Choose a solution that is proven to scale and handle that level of volume.
Regulatory agencies have taken notice of lackluster message record keeping and are taking action. Companies need to adjust to this reality and take measures to fully manage both risk and exposure. While there are many policy and technical challenges to consider, an effective off-channel compliance solution is possible, and is essential to an organization’s data governance plan.