Off-channel communications are here to stay and so are the rules regarding their retention and monitoring. In a 2022 sweep that included five of Wall Street’s largest banks, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) fined the firms a combined total of over $1 billion for allowing business to be conducted on personal devices.
Back in December 2021, JPMorgan Chase agreed to pay $200 million to regulators after its employees used WhatsApp and other chat platforms to communicate in ways that flouted federal record-keeping protocols.
“Since the 1930s, record-keeping and books-and-records obligations have been an essential part of market integrity,” said SEC Chair Gary Gensler, in the agency’s announcement. “Unfortunately, in the past we’ve seen violations in the financial markets that were committed using unofficial communications channels.”
The Evolution of Chat
Pre-mobile phone, employee and customer communications mostly took place on recorded telephone lines, Bloomberg chats, and the occasional email.
As technology developed, the mobile phone made it easier than ever to put groups of people together, and clients began to enjoy the ease with which they could use personal devices to communicate, pushing activity further away from company-owned channels.
Fast forward and, over the last few years, the pandemic has been a boon to anyone who hates doing business over the phone. The ease with which teams can use SMS, iMessage, and chat applications like WhatsApp, Telegram, Signal, and WeChat to communicate with each other and their clients has subverted much of the oversight and control in-house legal, IT, and investigations teams need to ensure proper conduct and data preservation.
While it makes sense to point to COVID-19 as the catalyst, the pandemic only crystallized an issue that had been bubbling away for a while. Regulators have been zeroing in on these newer forms of communication and how companies manage this data for some time. Indeed, the record-keeping violations admitted by JPMorgan in its CFTC agreement dated back to July 2015.
Don’t Get Too Personal
The lines between work and home become blurred when communications are all running through one mobile phone, and this is something each organization will have to contend with when drafting new device and data guidelines.
There are a few ways to mitigate the issue of gaps in data governance, but no solution is perfect if personal devices are still in use.
Companies have tried blanket bans, with policies that prohibit the use of unapproved communication methods able to duck corporate retention policies. Prohibition is the first and most draconian defense a company can employ. Often this comes with strict adherence requirements and severe consequences for employees caught flouting the rules.
Dip sampling is another method, whereby people voluntarily offer their phones up for periodic checking. This is rarely a controlled or consistent approach, and for most people it may be a gross intrusion to have their phones, with personal photos and messages and pictures from loved ones, pored over by a stranger.
Historically, some companies would install programs on work mobiles that would track communications to aid dip sampling. But in today’s landscape, with privacy laws as stringent as ever, legal teams wisely want to avoid getting into tussles with employees over their individual rights.
The other option is incurring the cost of issuing work devices; but, of course, purchasing an $800 iPhone for every employee, and covering their monthly bills, adds up quickly.
Take Back Control of Your Data
Accommodating effective, flexible communications for employees and defensible data governance practices requires balancing privacy, convenience, and awareness.
With regard to privacy, being up to date on legal obligations to protect employees’ (and, when applicable, customers’) private data is essential. Modern organizations must respect modern employees’ desire for separation of personal and business data, and come up with ways to protect that separation. This can come into play with restrictions on which devices employees should use to conduct business communications, but applications that silo business data on personal phones may also be helpful options.
Convenience, of course, means embracing modern communications platforms when possible. The ability to collaborate via short message is now expected and even preferred by many employees; offering company-owned outlets for this type of communication, such as Microsoft Teams or Slack, can help encourage teams to keep in-scope conversations on company channels while offering the convenience they’re hoping to achieve by real-time chatting rather than sending a long-winded email and waiting for a response.
Awareness, however, is the most essential component of this trio. Respecting data privacy and responsibly leveraging convenient communications options requires an employee, and their company, to be aware of the related obligations, consequences, and actions needed in the event of e-discovery or an investigation.
That awareness can be fostered in several ways:
- Establishing and communicating processes and policies that relate to data governance both upstream and downstream. This includes device usage policies, preservation requirements, legal hold procedures, collection procedures, and data ownership parameters.
- Informing employees that disregarding device usage policies and using unauthorized communications channels can and will compromise their personal data in the event of discovery.
- Incorporating data governance concepts into required cybersecurity trainings for employees. The risk of exposure to bad actors is another reason data protection is so important for modern enterprises.
Actively Think about New Communication Channels
For those dealing with the conundrum of personal device usage among employees, the message from regulators has been clear since 2021. And whether you’re paying regulatory fines or issuing work devices to protect privacy and prevent spoliation, the costs to deal with this issue are nothing to sneeze at.
Additionally, in an October 6, 2021 speech, PLI Broker/Dealer Regulation and Enforcement 2021, the SEC’s incoming Division of Enforcement Director Gurbir Grewal stated explicitly: “You need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.”
From an internal investigations and litigation perspective, more and more matters hinge on short message data in building a case. These conversations are often a backbone of internal chatter at an organization, which means their context and content can provide crucial insights into a matter’s timeline of events—and the case strategy that could best be leveraged in response to those events.
For this reason, the ability to collect, analyze, and review short message data during discovery is as important as offering it to employees in the first place. In-house teams should ensure their technology stack is prepared for it.