Five Compliance Tips for Companies Using App-Based Messaging

Aug. 24, 2023, 8:00 AM UTC

App-based messaging is here to stay. These tools cost little or nothing, connect us with a few taps on the phone, and appeal to the digital warrior and remote worker in each of us. At home—and at work—people communicate on platforms such as Slack, Microsoft Teams, Google Chat, and iMessage.

Although these platforms play a vital role in our lives, the very features that make messaging apps so popular also create potential risks for companies whose employees use them to communicate business information.

The Securities and Exchange Commission and the Commodity Futures Trading Commission recently fined 11 financial firms a total of $549 million for practices related to app-based messaging use, including by senior executives.

The SEC cited “widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications.” The CFTC said each of four companies it investigated “failed to stop its employees, including those at senior levels, from communicating both internally and externally using unapproved communication methods, including messages sent via personal text or WhatsApp.”

How can you make sure your colleagues communicate effectively while meeting regulatory and legal obligations? Consider the five tips below.

Assess Messaging Platforms

  • Inventory messaging platforms used at the company and monitor for new platforms. Although iPhones’ iMessage platform is synonymous with text messaging, the technology behind the service is different from traditional SMS- and MMS-based text messaging, and iMessage should be treated as its own app-based platform.
  • Assess security risks associated with each platform. Understand where data is stored—on company servers and devices or on employees’ personal devices?
  • Investigate default data retention settings, whether auto-deletion can be turned off, the length of time messages can otherwise be retained, and whether it’s possible to set a specific retention period for messages by default to ensure unnecessary messages aren’t retained indefinitely while meeting regulatory/compliance obligations.
  • Determine whether it’s possible to quickly begin preserving data in place for a legal hold before the need to do so arises.
  • Research the process and cost to retrieve and produce messaging data.

List Approved Platforms

  • Develop and track the criteria used to approve messaging platforms and whether they can be used on personal devices.
  • Use the criteria to create a list of platforms approved for business use.
  • When selecting platforms, consider legal and business needs to ensure that business-related electronic data is preserved and easily accessible.

Use and Retention Policies

  • Policies should define when the use of messaging platforms is appropriate.
  • Include whether your company will allow employees to communicate business information via messaging platforms.
  • Understand and align messaging preservation policies with similar policies in the legal and IT departments. Cross-link other communications and data retention policies.

Compliance Requirements

  • Understand whether your company is subject to regulatory preservation requirements and if any litigation holds are in place. Evaluate whether these obligations apply to app-based messaging.
  • If you discover potential regulatory compliance issues, consult with counsel to evaluate self-reporting and remedial measures.
  • Promptly issue legal holds and send periodic reminders when the duty to preserve is triggered.

Educate Stakeholders

  • Conduct internal trainings on record retention and app-based messaging policies.
  • Consider instituting clear escalation protocols and procedures for imposing consequences on employees and managers who fail to comply with company policies related to these platforms.
  • Advise employees to generate company information on company-supported systems whenever possible.
  • Ensure third-party partners such as outside counsel and e-discovery vendors are aware of your approach.

App-based messaging services can increase connectivity and employee engagement. They’re not going away anytime soon. The key to reducing risk is to ensure people use them at work in a way that aligns with regulatory and legal obligations.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Jay Williams is an Orrick partner in the firm’s financial and fintech advisory practice.

Wendy Butler Curtis is Orrick’s chief innovation officer.

Jeffrey McKenna is senior e-discovery and privacy attorney at Orrick.
