Messaging Apps Used for Workplace Collaboration Could Open Companies to Legal Risks

GDPR Regulatory Framework

By Ashley Heilprin and Ebony Morris, of Phelps Dunbar LLP

With much of today’s workforce operating in hybrid and remote settings, employers are encouraging the use of various software as a service (SaaS) apps to promote worker communication and virtual collaboration.

The pandemic spawned a new way of working that involved less reliance on being physically in an office and rather leaned more heavily on technology and apps as means of collaboration in lieu of face-to-face interaction.

But while apps have made communicating across the office environment much easier and faster, utilizing these platforms can also leave companies open to potential risks from a data collection and storage perspective that should be considered.

Collecting information is key

Think of all of the apps and different ways that we communicate and document things in our different organizations. These are all part of the information ecosystem that have potential to bring up issues. The number of people who are using messaging apps have now surpassed social networks. Messenger apps are rapidly increasing and there’s no indication that those are going away.  If your company finds itself faced with a potential lawsuit, figuring out where all of the information and data is housed within all platforms will be critical to your case. It can also be extremely difficult to track all of the necessary data and information needed without best practices in place.

Best Practices to minimize litigation, cyber and data security risks

If you are working with confidential information, you need to think about “where are you accessing that?” Organizations should have a program of security and privacy awareness and training, including periodic reminders and updates.

  • Topics should include the protection of electronic information, computer systems, preventing malicious software, social media practices, the protection of paper records and not discussing client matters in public places.
  • There should be procedures for security incident reporting and handling and there should be a designated incident response team to handle security incidents.
  • Also, internal and client information should be backed up regularly.

Legal Hold & Preservation

If an employer finds itself in a situation where data needs to be collected for a legal matter, a legal hold should be implemented as soon as possible – there is a duty to preserve all data that is potentially relevant.

  • Consult with legal counsel as soon as possible and engage with IT personnel at early stages.
  • Notification is not necessarily sufficient, acknowledgement recommended.
  • Consider follow up acknowledgements.
  • Consider non-enterprise sanctioned data sources when notifying custodians.

Ways to preserve data from former employees

While the best course of action may be to collect all ESI in advance of termination or transition, this is not always possible. To counterbalance this, having best practices in place can help to mitigate risk.

  • Institute a waiting period before reintroducing previously used electronic equipment back into the current workforce.
  • Develop standard operating procedures around the management of ESI of departing employees.
  • Alert new employees that a legal hold is in place.
  • Keep the legal hold current.
  • Investigate ESI issues through exit interviews – ask whether the employee used personal email or personal storage devices to store company ESI that may be subject to a legal hold.

By Ashley Heilprin and Ebony Morris, of Phelps Dunbar LLP