The expansion and diversification of work communication on personal devices has expanded companies’ reach regarding when and where employees can conduct business and how quickly work can be done. It has also created new data governance and compliance challenges.
In March, the U.S. Department of Justice issued new guidance for owning and governing company data on personal devices. Organizations are now responsible for all company data on personal devices, including ones that fall under bring your own device (BYOD) policies and all company data on all messaging apps.
The biggest challenge of collecting such data lies in the diversity of data types from messaging apps. Companies must determine how to sort through, monitor, store and analyze exceptional amounts of mobile data and data types. Further, the list of data types is not static. New work efficiency and messaging applications emerge every year, multiplying the data companies need to assess and support, thereby multiplying risk.
Failure to properly preserve data from the required platforms in response to an investigation can result in legal trouble and hefty fines. To remain compliant, companies need to devise a plan for collecting and analyzing mobile data and establish how they will treat specific messages. As a result, mobile data governance has become more resource-intensive, complex and sensitive than ever before.
The key to a rigorous collection strategy is to get clear about what is in scope: the dates, parties and applications. That information helps companies determine which collection tools to use, which policies to enforce and how to communicate with employees most effectively to cut costs, save time and uphold ethical standards around privacy.
Pitfalls of Treating All Messages the Same
Successful mobile data collection and analysis is about finding ways to ingest all of the different file formats and centralizing them into a single form of metadata. Without that kind of synthesis, patterns and key signals in the data will be missed. However, that does not mean that organizations should treat every application the same.
For example, emojis vary depending on the application and operating system. For many years, sending a water gun emoji from an iPhone would appear as a real pistol on an Android. From a collection standpoint, companies must ensure they have customized extraction strategies, including updated emoji libraries, to pull and contextualize data types appropriately.
Additionally, messaging platforms have various security mechanisms, further complicating extraction and governance. Unencrypted SMS is the easiest to pull, as an employer can retrieve the information from the cell carrier. iMessage is the next level up, and third-party messaging applications present the biggest extraction obstacle. For example, WhatsApp boasts end-to-end encryption and Signal was built so data cannot be collected, monitored or stored.
Messaging platforms also have different data retention mechanisms. Some applications can be ephemeral, meaning messages disappear after a certain period to drive security; some platforms delete chat application data over time to reduce their technical load; and others allow messages to be unsent or edited. Retention times also vary among different platforms. For example, the free version of Slack deletes messages after 90 days, while paid Slack allows businesses to customize data disposal times.
Companies need to address each variation through technology or a policy tailored to each application to ensure they have access to the company data needed to remain compliant. This work requires procuring a variety of digital forensic tools that target required chat application data and creating policies that restrict and monitor usage of encrypted applications where data collection is not possible.
Data Overcollection Risks
Increasing regulatory requirements, the rapid adoption of mobile messaging by employees, and the growing list of chat applications and related data types means companies are responsible for collecting and storing unprecedented amounts of data from personal devices.
Typical workflows for mobile data collection have included scraping the entire device to get access to the data needed. With today’s smartphones, however, a single device can store a terabyte of data. For companies, storing that data means paying hefty server and cloud costs, spending considerable time and resources necessary to go through phones, and forcing employees to experience downtime without their devices.
Mass-scraping data from personal devices also opens companies to major privacy and security risks because they hold private data alongside corporate data. Organizations that overcollect get access to personal, sensitive data such as texts to a spouse or medical information. From an ethical perspective, employers should not treat employees like criminals, seizing and reading all of their communications. Logistically, data overcollection can also lead to security breaches that harm employee well-being (e.g., identity theft) and open the door to new lawsuits, regulatory scrutiny or even reputation risk, depending on the information found.
Creating an Effective Data Collection Policy
Digital forensics and eDiscovery tools can access and pull a narrow subset of data to reduce collection times and storage loads, which can help companies improve data security, reduce privacy concerns and keep productivity high.
Organizations must procure the right tech stack to address all relevant messaging applications and data types to ensure they are covered. Companies should also consider developing policies to further reduce risk. For example, some organizations ban Signal from their approved messaging application list and use mobile device management tools to scan for illicit application usage on company devices.
All successful mobile data governance programs include clear ownership policies around what data the company owns and the limits to extraction. In addition to these policies, employers should clearly and transparently communicate how they access data while upholding employee privacy standards. By being straightforward about data collection, companies can build trust with employees, which may also make them more likely to cooperate during critical investigations and compliance activities.
More states are expected to adopt privacy laws that bridge legal and ethical considerations. California (via the CCPA) and 18 other states have enacted privacy laws around custodial privacy with varying degrees of strictness. Regardless of the local regulatory environment, rising storage costs offer further incentive to make data collection more precise.
The key to a rigorous collection strategy is to get clear about what is in scope, including dates, parties and applications. That information helps companies determine which collection tools to use, which policies to enforce and how to communicate with employees most effectively to cut costs, save time and uphold ethical standards around privacy. Most importantly, companies need to be diligent about revisiting their data governance policies and mobile data collection strategies regularly to ensure they are assessing and supporting all relevant messaging applications and to reduce risk over time.