Prior to the pandemic, the move away from email to modern collaboration platforms seemed like another empty promise. From the perspective of a technology lawyer, the enticement of solutions like Microsoft Teams, Slack, or Workplace as replacements for email felt like another risk to manage due to all the data going across them—a concern shared by other risk professionals.
Then the pandemic hit, forcing instantaneous staff relocations to home offices. This drove an unprecedented and radical shift in internal business communications. Seemingly overnight, companies went from email to collaboration platforms, creating yet another level of risk requiring legal oversight and advanced, updated controls. And these platforms remain popular as employees and others return to the office. For example, daily usage of Microsoft Teams increased 260% in 2020, paid Slack membership increased 42% from 2020 to 2021, and messages sent across collaborative platforms increased 184% in 2020.
What Are Collaboration Tools?
As with any risk evaluation involving technology, it is critical to understand how the collaboration platforms work and how they are to be used—and how to address risks.
Collaboration platforms are a conglomeration of several technologies such as group chat, direct messaging, file storage, and video, as well as the ability to add any number of third-party applications (e.g., Slack alone has over 2500 apps just one click away from integration).
Employees use them differently than email. Communications over Slack, Teams, Yammer, etc., tend to be quick, unstructured, and informal, utilizing short-form conversations. They are filled with business communication data in the form of screenshots, links, and emojis. We refer to these as business content objects (BCOs).
In addition, these collaboration platforms get updated regularly, so it’s important to stay on top of new features and to develop a great working relationship with your IT team and/or technology partners.
Controls that mitigate the risks associated with the unstructured data within collaboration platforms fall into three familiar areas:
- Intelligent record retention;
- eDiscovery; and
- Data loss prevention (DLP).
Intelligent Record Retention
Collaboration platforms are more than just standard business communications like emails and memos. They often serve as repositories for project teams, M&A activity, policy development, or code repositories.
These efforts often last for several years, so simply applying the 30-day retention policy used for emails, while logical from a risk standpoint, will destroy the underlying value of the collaboration platform. Intelligent record retention deletes risky data while allowing other data to remain as long as the business finds sufficient value in the information.
The daily use of these collaboration platforms by employees and the creation of BCOs require companies to actively manage this data as records and not informal transmissions.
Case in point: In February 2021, a federal court in California concluded that a company had to search its Slack messages because business communications relevant to the case existed within the tool. (Benebone LLC v. Pet Qwerks Inc.) The fact that the company used a modern collaboration tool like Slack rather than email was immaterial. It is the relevant business communications that are critical, not the technology platform. From my perspective, the court concluded the company’s business messages must be included in eDiscovery.
The eDiscovery Process
BCOs that have not been deleted as part of the intelligent record retention process must be included in the eDiscovery process. Collaboration platforms do not always have this requirement baked in, so it is important to test the “out of the box” search functionality to see how the tool presents the results natively. The tool’s search results are critically important because they show counsel the type of metadata and other information available in response to a litigation request. The search results should group BCOs together, not in a jumbled, chronological list of every communication across the platform, but organized by conversation just as the user commonly sees it.
Search results should also yield insights into unique collaboration tool data such as group participants. This allows the identification of additional custodians and determines if user data needs to be captured before it can be deleted. Since companies typically have more than one collaboration platform implemented, these types of tasks can get even more complex and tedious.
Data Loss Prevention
Another important risk to address is securing the data in your collaboration platform. DLP gives companies an understanding of the data in their collaboration platforms. Some companies attempt to accomplish this with a written user agreement prohibiting employees from entering certain data types (e.g., credit cards, passwords, Social Security numbers).
A sounder practice is to use DLP tools that constantly monitor, scan, and classify the data types that exist across the entire collaboration ecosystem. This way, companies can create appropriate controls commensurate with the data stored in the collaboration platform.
For example, a DLP scan may identify that a business unit uses Workplace to create “electronic notes” containing sensitive data. The business would need to implement appropriate access controls to the collaboration platform data or identify another technology solution that has appropriate controls.
But simply enforcing a written policy that no sensitive data should be in the collaboration platform does not actually address the identified business need and will drive the sensitive data into other non-approved tools that are less secure or managed.
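As an added illustration (not from the article or any vendor's product), the sketch below shows the kind of scan-and-classify pass described above: it checks messages for the data types the article names and totals the findings per platform and channel, so controls can be set where the sensitive data actually lives. The message fields, sample messages, and detection patterns are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Heuristic detectors for the data types the article names (assumed patterns).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*(?:is|[:=])\s*\S+")

def luhn_valid(digits):
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Return the set of sensitive data types detected in one message."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.add("credit_card")
    if SSN_RE.search(text):
        found.add("ssn")
    if PASSWORD_RE.search(text):
        found.add("password")
    return found

def scan(messages):
    """Count findings per (platform, channel) so controls can match the data."""
    report = defaultdict(Counter)
    for msg in messages:
        for kind in classify(msg["text"]):
            report[(msg["platform"], msg["channel"])][kind] += 1
    return {where: dict(kinds) for where, kinds in report.items()}

# Constructed sample export; field names and values are illustrative only.
SAMPLE = [
    {"platform": "Workplace", "channel": "billing-notes",
     "text": "Customer card 4111 1111 1111 1111 exp 12/30"},
    {"platform": "Workplace", "channel": "billing-notes",
     "text": "Applicant SSN 123-45-6789 for the file"},
    {"platform": "Slack", "channel": "dev-ops",
     "text": "staging password: S3cret!example"},
    {"platform": "Slack", "channel": "dev-ops",
     "text": "order ref 4111 1111 1111 1112 shipped"},  # fails Luhn
    {"platform": "Teams", "channel": "general", "text": "Lunch at noon?"},
]

if __name__ == "__main__":
    for where, kinds in scan(SAMPLE).items():
        print(where, kinds)
```

The password pattern is deliberately loose and will flag phrases such as "password is required"; a production DLP tool would pair such patterns with context and review.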
Firms are making significant investments in these technologies to increase employee communication, modernize the tech stack, and create more effective knowledge management. It is important that the necessary and balanced controls are implemented along with regular compliance monitoring.
Just as email controls took several decades to implement and tune, this will not happen overnight. Resist the urge to implement controls that mitigate every possible risk at the expense of causing your collaboration tool(s) to be less effective. It may be counterintuitive, but creating a low-risk tool that no one wants to use poses a greater overall risk in that it will drive employees to any number of non-approved technologies.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Brian L. Mannion is chief legal officer of AwareHQ where he manages all legal and privacy functions and works closely with legal, risk, and IT teams at leading global organizations to manage the implications of collaboration data for legal and compliance.