The original version of this blog was posted on the Association of Certified E-Discovery Specialists (ACEDS) blog
A 2017 survey of business professionals worldwide found that the average business professional uses 9.4 software apps for work purposes. Nearly half of the respondents said they use apps that are not sanctioned by their company’s IT department, ranging from cloud storage and project-tracking apps to the increasingly ubiquitous chat apps that facilitate instant communication.
Chat apps are useful tools that enable workers to communicate in real-time, which increases workplace efficiency. This is especially valuable in companies with a global presence as colleagues spread across multiple time zones can connect with much greater ease and at much less expense.
However, as the use of chat apps by employees for business purposes has proliferated, we have begun to see the dangers that come along with these benefits. Within the last few years, a series of high-profile litigation disputes and government investigations have been fueled by the disclosure of key information via chat apps. In 2015, the EU was rocked by a sweeping investigation into the alleged manipulation of interest rates by banks, with key evidence uncovered from instant messaging conversations harvested off enterprise chat platforms. In November 2017, litigation between Uber and Google’s Waymo unit was suddenly upended when evidence emerged that top executives at Uber used an encrypted chat app to hold secret conversations, set for automatic deletion after as little as a few seconds.
In fact, the mere use of chat apps known to auto-delete messages has itself raised concerns, because it can carry the unintended implication that the company knew the information being exchanged was sensitive. Even evidence that employees discussed the auto-delete functionality of a chat app can create a cloud of suspicion in the event of a litigation dispute or government investigation.
Whether it’s Wickr (the app used in the Waymo-Uber dispute), Slack, Google Hangouts, Signal, WhatsApp, Skype — or any one of the dozens of newer apps available — the growing business use of desktop-based chat apps poses a serious legal and information risk to corporations, as evidenced by the rising number of digital forensics investigations and e-discovery projects we’re now seeing that involve data from chat apps.
Moreover, although our thoughts in this article are focused on desktop versions of chat apps, the problem is exacerbated by the mobile versions of those apps installed on employees’ phones. Companies typically have no visibility into employee use of chat apps on personal devices they do not manage.
If you know or have reason to believe your employees are using chat apps, here are five information risks associated with their use for business purposes, which corporate legal departments and their business colleagues ought to be monitoring:
1. Failure to preserve. In Waymo v. Uber, Judge Alsup admonished attorneys that counsel in future cases could be “found in malpractice” if they do not turn over evidence from such specialized tools, potentially setting a precedent for the expectation that data from these new communication platforms will be preserved. Furthermore, Rule 37(e) of the Federal Rules of Civil Procedure provides that if electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court may order measures to cure the resulting prejudice; under Rule 37(e)(2)(B), upon a finding that the party acted with the intent to deprive the other side of the information, the court may instruct the jury that it may or must presume the information was unfavorable to that party. Many chat apps offer a wide array of options for ephemeral message history, some allowing the user to set messages to auto-delete after as little as five seconds. If those settings are left in a state that conflicts with your data retention standards and a litigation hold has been issued on communications related to a matter, your organization will be unable to produce the data and will face a serious e-discovery problem.
2. Access controls that are either too lax or unworkable. In some companies, the data security protocols that govern chat apps are so lax that we have been startled to discover the trove of company information exposed through these apps. In other cases, the protocols are so stringent that it’s difficult to extract any data from the apps at all. It’s important to be able to access relevant data without making the organization vulnerable to easy data theft.
3. Encryption. The end-to-end encryption built into certain chat apps means message content is not recoverable from the provider or from a network capture; recovering it depends on getting at the local message store and its keys on the endpoint, which can require intensive and potentially costly digital forensics work. This can also create a legal problem for the company if the data cannot be decrypted at all, leaving a litigant out of compliance with its discovery obligation to produce potentially relevant data.
4. A channel for attackers. Some chat apps have been criticized for possibly opening a back door into the company’s IT systems for bad actors. Hackers may see the business use of chat apps as a vehicle for reaching the company’s network or other devices so they can steal valuable corporate data. Worse, they may use the platform itself as command-and-control (C&C) infrastructure for malware on the victim’s system. According to research conducted by Trend Micro, attackers simply sign up to these platforms like a normal user and use the platform’s API to send commands to malware that has infected the system and to receive its results. Because the traffic is ordinary HTTPS to a service the business already trusts, it blends in with legitimate use and is unlikely to be flagged by anti-malware or network security controls.
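One practical way to surface the abuse described above is to look for the beaconing pattern it leaves in web-proxy logs: a person using a chat client produces irregular traffic, whereas malware polling a platform’s bot API for commands tends to call it at a fixed interval. The script below is an added example written for this article; it is not code from the original post or from Trend Micro’s research. The API host names, the thresholds, the log format and the sample log lines are all assumptions constructed for the example.

```python
"""Detect periodic ("beaconing") requests to chat-platform APIs in proxy logs.

Added example, not from the original article or Trend Micro. Groups proxy
log lines by (client, destination host), computes the gaps between
consecutive requests to assumed chat-API hosts, and flags pairs whose gaps
are nearly constant. Host names, thresholds and log format are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed API host names of chat platforms that expose a bot/HTTP API.
CHAT_API_HOSTS = {"api.telegram.org", "slack.com", "discord.com"}

MIN_REQUESTS = 5   # fewer requests than this is too little to judge periodicity
MAX_CV = 0.2       # coefficient of variation of the gaps; lower = more regular

# Constructed sample log, one request per line:
# "<ISO-8601 timestamp> <client ip> <destination host> <HTTP status>"
# 10.0.0.5 polls every ~60 s (beacon); 10.0.0.7 looks like a human on Slack.
SAMPLE_LOG = """\
2017-11-20T09:00:00 10.0.0.5 api.telegram.org 200
2017-11-20T09:01:00 10.0.0.5 api.telegram.org 200
2017-11-20T09:02:01 10.0.0.5 api.telegram.org 200
2017-11-20T09:03:00 10.0.0.5 api.telegram.org 200
2017-11-20T09:04:00 10.0.0.5 api.telegram.org 200
2017-11-20T09:05:01 10.0.0.5 api.telegram.org 200
2017-11-20T09:00:12 10.0.0.7 slack.com 200
2017-11-20T09:07:45 10.0.0.7 slack.com 200
2017-11-20T09:08:03 10.0.0.7 slack.com 200
2017-11-20T09:31:10 10.0.0.7 slack.com 200
2017-11-20T09:52:30 10.0.0.7 slack.com 200
2017-11-20T10:14:00 10.0.0.7 slack.com 200
2017-11-20T09:00:00 10.0.0.9 www.example.com 200
"""


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed log line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines instead of crashing
        ts, client, host, _status = fields
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, hosts=CHAT_API_HOSTS, min_requests=MIN_REQUESTS, max_cv=MAX_CV):
    """Return {(client, host): stats} for pairs whose request gaps are near-constant."""
    per_pair = defaultdict(list)
    for ts, client, host in parse_log(text):
        if host in hosts:
            per_pair[(client, host)].append(ts)

    flagged = {}
    for pair, stamps in per_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()  # proxy logs are not guaranteed to be in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # everything in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"requests": len(stamps), "mean_gap_s": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {stats['requests']} requests, "
              f"every {stats['mean_gap_s']:.1f}s (cv={stats['cv']:.3f})")
```

Run against the constructed log, only the 10.0.0.5 to api.telegram.org pair is reported. This is a first-pass heuristic: malware that adds random jitter to its polling interval will push the coefficient of variation above a tight threshold, so in practice the check is paired with an inventory of which chat platforms and accounts are actually sanctioned, so that any regular API traffic from a host with no approved client installed is worth a look regardless of how regular it is.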
5. Personal devices and accounts. The emergence of Bring Your Own Device (BYOD) policies has ushered in a wave of IT challenges for corporations, including the risks created by employee use of chat apps on personal devices or personal email accounts. This is even more difficult for corporate legal departments to monitor because the risk lies outside the company’s official IT infrastructure.
The good news for companies that wish to rein in these risks is that there are new software tools available that can help you proactively monitor for the use of unauthorized apps for business purposes. The best of these tools will locate potential information risks — such as unauthorized apps or data residing in unauthorized locations — so organizations can take inventory of software on connected computers and data repositories across the enterprise.
Those findings can then be shared across InfoSec, legal, compliance and audit teams to determine the appropriate next steps. This may involve confronting the employee about the use of the apps or executing targeted, automated removal of any non-compliant apps in use, which allows you to get ahead of issues and address them quickly. Of course, if a mobile phone needs to be collected and data from an employee’s mobile app use brought into an investigation, you will need access to specialized forensics software tools that can locate and analyze that type of data.
Meanwhile, if you choose to allow the use of chat apps for business purposes, make sure that your information governance policies are updated frequently in response to emerging technologies and carefully outline approved communication tools. Also make sure to instruct employees on the required settings they must use and privacy protections they must have in place.
Regardless of how you choose to proceed, it’s always a good idea to consult the experts in the field before you actually have to deal with a legal or investigatory problem related to the use of chat apps for business purposes. Consultants can evaluate your policies and systems, and provide recommendations on how to address a potential problem before it’s too late.
# # #
About the Authors
Richard Hickman is digital forensics and e-discovery manager at Eide Bailly LLP, a nationwide provider of audit, tax, accounting and business advisory services. Tod Ewasko is director of product management at AccessData, a leading provider of integrated digital forensics and e-discovery software.