The Complete Slack Field Guide for Legal & Compliance Teams
How to Effectively Manage the eDiscovery and Compliance Requirements of Slack
Want this guide as a downloadable PDF?
Even before a global pandemic transformed the workplace and made remote work a standard practice across countless companies and industries, team collaboration tools like Slack were already changing how employees communicate and collaborate.
Over the last decade, Slack has greatly reduced the internal use of email within many companies—and in some instances, it has done away with it almost entirely. But it has done even more than that. It has changed the very nature of communications within companies.
Slack is more than a simple instant messaging tool. It is a collaboration hub that, yes, lets employees quickly and easily chat with one another, but it also allows them to share files, effectively collaborate in group channels, launch audio and video calls, receive automated real-time notifications of important events, easily conduct polls across an organization, share GIFs and videos, and much more.
The social media-like nature and varied capabilities of Slack has resulted in a much richer communication platform than traditional email or instant messaging services. With Slack, it’s quicker, easier, and more fun to collaborate.
The role accurate recordkeeping, active monitoring, and good information governance of Slack can play in preventing compliance issues will be discussed in greater length in the subsequent sections. Additionally, we’ll explore tools, including Slack DLP apps and Slack eDiscovery APIs, designed to simplify data discovery and security compliance for large enterprises.
First, however, we’ll look at all the benefits of Slack that have made it so ubiquitous in the modern workplace.
The Benefits of Slack
While there is some justified concern that a tool like Slack with all its constant messaging and GIF sharing can be disruptive, there is also ample evidence that it improves communication and collaboration. Cal Newport, the author of Deep Work, has even argued that companies should completely replace email with Slack.
Moreover, the COVID-19 pandemic has created an environment in which a tool like Slack is absolutely essential. With countless employees working from home, team collaboration tools have become central repositories that remote teams depend on to communicate and collaborate in real-time.
The ROI of Improved Collaboration
Team collaboration tools can have a very real impact on a company’s bottom line, especially when a large portion of its employees are working remotely. Investigating the economic impact of Workplace from Meta, Forrester found that the tool could offer a 3.9X (400%) return on investment.
Another report by Forrester claims Slack can offer a similar return. Slack’s report, “How to Achieve a 3X Return with Slack” states:
Slack offers a new paradigm for collaboration that’s native to the digital workplace. And the bottom-line benefits can’t be ignored.
A commissioned study conducted by Forrester Consulting on behalf of Slack zeroed in on these benefits for teams who switched to Slack from email and chat. Moving away from these siloed communication methods led to substantial—and measurable—gains in productivity.
In their report, The Total Economic Impact of Slack, Forrester found technical teams that use Slack see a 3X return on investment overall (The Total Economic Impact of Slack, Forrester), as well as more specific benefits on the front lines.
What Better Collaboration Looks Like
Why is a tool like Slack capable of offering such impressive returns? Simply put, because improved communication and collaboration result in a more efficient workforce. According to the Slack report mentioned in the section above, the platform allows companies to:
- Save time and money by reducing meetings and collaborating in real-time with Slack. Instead of meetings that suck up valuable time, Slack allows coworkers to quickly collaborate in the moment.
- Reduce the costs and risks of email by leveraging Slack’s platform security. Thanks to sophisticated security features and data loss prevention (DLP) tools, Slack can make it easier to keep sensitive information secure.
- Empower a workforce with Slack to improve efficiency. Make it easier for employees to connect with other people in the organization and gather the information they need.
- Offer premium customer service through Slack. Certain sectors, like financial services, can use Slack to communicate with important customers
The Legal and Compliance Challenges of Slack
While the use of Slack can be beneficial to the organization as a whole, it does introduce certain challenges—specifically for departments like legal and compliance.
Financial services, which was just mentioned at the end of the previous section, is a perfect example. As great as it is to be able to easily communicate with clients through channels and direct messages, Slack use must also comply with regulations laid out by entities like the Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and the Federal Financial Institutions Examination Council (FFIEC). Firms that neglect FINRA compliance when using Slack may face penalties and disciplinary action.
Similarly, when litigation looms, the need to implement a legal hold on Slack data comes into question. Businesses should be aware of the legal processes involved to avoid destruction of Slack data and keep any potential evidence defensible.
Team Collaboration Tools — The New Email
To understand the recordkeeping and compliance challenges of a modern enterprise collaboration platform like Slack, it’s useful to compare it to email. Although it is hard to imagine today, there was a time when organizations were not entirely sure how emails should be stored and managed to meet compliance needs. As the technology evolved, and regulators and courts started to hand down specific rules and guidance, companies slowly understood what was required of them and implemented robust retention systems and processes.
Today, just about every company understands that employee emails have to be retained for a set period (usually somewhere between three and seven years), and subsequently have some sort of email vault or other archiving solution in place. And even if an organization isn’t operating in a highly-regulated industry, the threat of litigation makes it a prudent thing to do.
Broadly speaking, emails need to be archived for the following reasons:
- Regulatory Compliance: Meeting the requirements of organizations like the FDIC, FFIEC, FINRA, and IRS, and preparing for related regulatory audits.
- Litigation and eDiscovery: Keeping detailed records of communications in the event of a legal matter, both external lawsuits and internal employee matters. As with any digital file, an email can be altered, so it’s important to have an accurate copy of the original.
- Data Security and Knowledge Management: With so much digital information being shared, it’s important for companies to monitor the flow of information and keep close track of what is being shared.
Just like with email, Slack content should be archived meet the above requirements.
Simply put, if a recordkeeping rule applies to email, it also applies to an enterprise collaboration tool like Slack. So any organization looking to understand how they should handle the recordkeeping requirements of Slack need only look at how they currently deal with email. Is every employee’s emails being archived for seven years? Then the same should happen with enterprise collaboration records.
The Recordkeeping Challenges of Slack
While the recordkeeping requirements of Slack might be similar to that of email, the practical process of collecting and retaining Slack data looks very different.
The fact of the matter is, team collaboration tools like Slack are upending traditional approaches to recordkeeping, which is why it is giving records managers, compliance professionals, and legal teams so much trouble.
Companies are used to dealing with discreet records (like emails and PDFs), but Slack has more in common with a social media platform Facebook. The following characteristics of the platform complicate the recordkeeping process:
- Real-Time Activity: Unlike with an email or PDF, content in Slack is always evolving. Not only can users chat and share files in real-time, but they can also edit their posts and delete content. This means that as soon as a record is created (by, for example, taking a screenshot) it is already outdated because the content has been altered.
- Slack’s Multifaceted Nature: Slack channels and direct messages contain far more than text messages. They consist of GIFs, reactions, videos, etc.
- App Integrations and Linked Content: Not only does Slack allow employees to share just about any file they wish, but many popular applications boast Slack integrations, which means data from sources such as Office 365, G Suite, Zoom, HubSpot, Salesforce, GitHub, and Zendesk can all be fed directly into Slack.
Slack’s Unstructured Data Problem
It’s also worth looking at the difference between structured and unstructured data.
Structured data can best be described as anything that exists within a relational database. In other words, if data resides within a relational database management system (RDBMS)—the basis for SQL (Structured Query Language)—it’s by nature highly structured. A bank account or employee directory are good examples of this. There’s high consistency in terms of fields and values across database entries, so the relational nature of the data is easy to understand and the database is quick to search.
Unstructured data is anything that does not reside in an RDBMS. And as this definition of unstructured data suggests, a lot of the data in modern enterprises would qualify as such, including PDFs, text documents, spreadsheets, presentations, images, videos, and audio files.
A team collaboration tool like Slack exists within the realm of unstructured data. So when you combine this unstructured nature with the always-on real-time activity of the platform, knowing what information is hiding inside Slack can be difficult.
Just consider the very simple Slack interaction below:
As far as legal and compliance teams are concerned, Slack and other team collaboration tools represent massive data sources that cannot be ignored—yet the information hiding inside them can be difficult to access and interpret.
In the following two sections we’ll examine what the implications of this are for both legal and compliance professionals.
Slack and the Legal Team
As with emails, PDFs, and other electronically stored information (ESI), Slack data needs to be taken into account when it comes to the discovery process.
It’s also best to assume that Slack data is discoverable. As lawyers Jessica Brown and Collin James Vierra write in their Law360 article, Are Your Slack Communications Primed For E-Discovery?, courts have had relatively few opportunities so far to consider the discovery obligations related to enterprise collaboration data. However, given how popular these platforms have become (and how much data they’re likely to contain), it’s safest for organizations to treat this particular form of ESI as discoverable.
“As more advanced e-discovery tools and techniques become available for management of channel-based data, and as use of channel-based platforms becomes more widespread within organizations, it is doubtful that companies will be able to withhold such data from discovery in all circumstances,” argues Brown Vierra.
“Thus, companies should assume that they may be compelled to review and produce channel-based data if they become subject to litigation or investigation. And, accordingly, they should take proactive steps to ensure that such data is preserved and can be collected, reviewed and produced in a manner that satisfies their legal obligations, while avoiding overproducing irrelevant or sensitive information.”
Apart from the issues of discovery, Slack is simply too valuable an evidence source to ignore. Given how much communication takes place on Slack and other collaboration platforms these days, it’s highly likely that important information could be hiding in the platform—and by ignoring Slack, teams are missing this crucial information.
Needless to say, Slack content can be highly relevant to internal employee matters related to behavior like workplace bullying and harassment.
Although the incident did not escalate to a formal legal matter, luggage company Away’s Slack controversy clearly illustrated how team collaboration content could form the foundation of a wrongful termination lawsuit.
While the relevance of Slack data to HR and other internal legal matters is obvious, it’s important to note that Slack content can also be relevant to external legal matters, especially if an organization is using the platform to communicate externally with partners, freelancers, and agencies.
In other words, it’s vital that legal teams include Slack data in its investigations and early case assessments, but how can they do this effectively?
Slack and the eDiscovery Process
Given how much data is being generated within a Slack workspace every single day, it can offer challenges when organizations try to incorporate it into existing eDiscovery workflows.
Enterprise collaboration tools like Slack, Microsoft Teams, and Workplace from Meta require a new approach to eDiscovery. In order to be able to deal with this data effectively, legal teams need to:
- Have easy access to the platform: Legal teams need to be able to access Slack records without the involvement of IT or any other department. If they have to depend on IT backups to access Slack records, the process will simply be too complex and time-consuming.
- See edited and deleted content: A particularly incriminating piece of content is likely to be edited or deleted by the user before the legal department has time to collect and preserve it, which means they should have some way of not only viewing content that is currently live on the platform, but also view data that has since been edited or deleted.
- Quickly search the platform: If relying on simple archives and backups, legal teams will struggle to find the particular content they’re looking for. Instead, they need to be able to quickly and accurately search for users, channels, and keywords that are relevant to the legal matter they’re dealing with.
- Export evidence in defensible format: Once relevant content has been found, it needs to be exported in a defensible format that proves the authenticity of the record. In many instances, legal teams will also want to export Slack data in a format that can be ingested by an eDiscovery platform like Relativity, Exterro, or ZDiscovery.
Meeting all of these needs in an efficient manner can be difficult if Slack data isn’t managed correctly. We’ll look at how companies can handle Slack data to simplify the lives of legal teams in a little while, but first we’ll also examine what the existence of Slack means for compliance departments.
Slack and the Compliance Department
As stated in Section 2 of this document, it’s useful to compare Slack with the recordkeeping requirements of email. If your organization archives all employee emails, it should also be archiving all Slack communications. If a regulator like the SEC or FINRA has laid out recordkeeping requirements that cover email, they also cover Slack communications.
Because of this, the needs of compliance departments are very similar to that of legal teams. Compliance professionals need to:
- Have easy access to the platform to find relevant records.
- See edited and deleted content that’s no longer present on the live platform.
- Quickly search the platform for relevant records.
- Export these records in a defensible format that will be accepted by regulators during an audit.
All Compliance Starts with Records Management
Apart from the issue of recordkeeping requirements, it’s important to realize that all compliance starts with good records management.
The compliance function of an organization can’t effectively assess a firm’s policies, controls, and procedures without access to reliable records of online data. For example, no compliance team can assess the risks of money laundering and terrorist financing without seeing the relevant records and data related to due diligence processes, transactions, and internal and external reporting.
The same considerations apply when it comes to assessing the risk of misselling or market abuse and insider trading. A review will be flawed if financial promotion records, checklists, and transaction records are incomplete.
In other words, there is a very close link between compliance risk and the integrity of online data. If there are no formal controls in place to manage the vast volumes of electronic data, the compliance function will be of little help when there is a regulatory matter. With so much regulatory focus on responsibility and accountability, it is crucial that the integrity of data is maintained and that everyone understands their own responsibilities.
This obviously has massive implications for the use of Slack, especially when employees are working remotely and depending on the platform to share documents. If compliance professionals don’t have access to reliable records, the potential repercussions extend far beyond fines related to recordkeeping requirements—every aspect of compliance (including those related to very serious allegations like money laundering, terrorist financing, and misselling) can be impacted.
Monitoring Slack for Compliance
Another issue worth discussing is monitoring. While accurate recordkeeping and good information governance of Slack is crucial to regulatory compliance, active monitoring can go a long way towards preventing compliance issues from escalating—and in many cases prevent them from happening altogether.
Monitoring and Data Loss Prevention (DLP) solutions—like those offered by Pagefreezer—can be used to notify compliance professionals and other stakeholders as soon as sensitive information (like credit card numbers, social security numbers, bank account numbers, etc.) is shared over Slack.
These monitoring tools can also be used to ensure that use of Slack complies with internal communication policies. As with sensitive information, text patterns can be used to monitor the platform for profanity and other inappropriate language, thereby making it easier to curb bullying and harassment in the workplace.
Mitigating the Legal and Compliance Risks of Slack
Having outlined how Slack data impacts legal and compliance teams, we can now examine how organizations can better manage this data to facilitate legal and compliance requirements.
To help teams deal with Slack data, companies should adopt the following risk-mitigating strategies:
- Set Clear Policies: Companies should have formal policies in place that guide the use of Slack. There should be a communication policy that outlines how employees should communicate on the platform (no profanity, no bullying behavior, etc.), and there should be a security policy that explains how sensitive data is monitored and protected.
- Provide Mandatory Training: Employees need to be given mandatory Slack training that outlines exactly what acceptable use of Slack looks like and discusses company policies in detail—they shouldn’t be expected to read (and sign) these policies on their own, but should instead be walked through them as a regular part of onboarding. Even though this can be time-consuming, it is one of the most effective tools available in combating improper use of a team collaboration tool.
- Carefully Manage Users, Groups, and Roles: Slack allows administrators to manage an incredible number of settings and permissions. Compliance professionals can use these capabilities to greatly reduce the risks associated with the platform. For instance, it’s possible to block file downloads and message copying on Slack’s Enterprise Grid, thereby reducing the risk that employees will download sensitive files onto their local computers. (Slack Enterprise Grid is designed with larger companies in mind. For organizations looking to implement top-level security and compliance solutions, this is the version of Slack that is required).
- Monitor the Platform: As mentioned earlier, companies should ideally monitor Slack to curb data loss but this doesn’t mean that employees need to be under constant surveillance from IT and HR teams. Modern monitoring and data loss prevention tools can automate this process, necessitating human involvement only once suspicious behavior has been flagged. Large keyword libraries of inappropriate language and sensitive data can be used to monitor conversations in real-time without anyone “spying” on employees.
- Collect and Preserve Slack Data: As mentioned earlier, Slack data can easily become central to a legal matter. And if a case finds its way to court, legal teams would need to submit authenticated evidence. This means Slack data needs to be collected and preserved in a format that would be accepted by a court. The best way to do this is to rely on an eDiscovery solution that automatically collects and preserves this data. (More on this in the sections below).
- Manage Retention Settings: Another crucial step in managing the eDiscovery of Slack is setting correct retention settings. Team collaboration tools allow you to set retention periods for channels and conversations — Slack retains all messages for the lifetime of a workspace by default. You want to make sure that these settings align with the retention periods of your larger organization. You might not want to retain messages forever, but you also do not want to delete data too quickly, leaving legal, compliance, and HR teams unable to retrieve these records.
It’s worth diving deeper into the evidence preservation and data retention aspects mentioned above, as these activities often present legal and compliance teams with the biggest challenges. We’ll discuss these in the following section.
Dealing with Slack Data for Compliance and eDiscovery
Taking Screenshots of Live Slack Data
The easiest way to tackle this task is to search for the content directly in the platform with the help of Slack’s own search functionality—and once found, to take a screenshot of it.
But this approach has a couple of issues. First, giving various legal and compliance team members admin rights that provide them with access to all private channels can make it easy to find data, but it also runs counter to the principle of least privilege and introduces privacy and security concerns. Moreover, it would not give these investigators access to direct messages between employees, so a significant blindspot would still exist.
Second, taking a screenshot of content directly in the platform doesn’t capture any metadata that would prove its authenticity. The only metadata attached to the screenshot would be that of the JPEG itself, so it would be impossible to prove that the content had not been tampered with in Photoshop or some other image-manipulation tool.
In short, the above is not a scalable or reliable approach to Slack recordkeeping.
Using Slack Data Exports
Given the limitations of the approach discussed above—as well as the clear need for some system that facilitates Slack-related litigation and compliance—Slack allows for export of workspace data.
This allows owners and admins of workspaces to:
- Export public channels (this can be done on any Slack plan).
- Generate recurring exports on the Slack Plus plan.
- Generate exports for all channels and conversations on the Enterprise Grid plan.
- Generate exports for a single user’s channels and conversations on the Enterprise Grid plan.
As is probably clear from this list, any company expecting to make regular use of Slack data for compliance and litigation needs to be on the Enterprise Grid plan. Without that, legal and compliance professionals simply won’t have access to all relevant data—specifically the private channels and direct conversations of all employees.
But even with an Enterprise Grid subscription in place this approach can still present challenges. That’s because, similar to popular social media platforms like Twitter and Instagram, Slack provides workspace data in a format that can be difficult to work with.
Slack provides data in a JSON (or TXT) file format that strips the content of its original context. In other words, you won’t see channels and conversations as they appeared on the platform. Instead, you’re left with basic files that need to be decoded in order to successfully read the Slack messages.
Every message in a JSON export includes the following:
- “type”, which indicates the type of message you’re dealing with. For example, it could be “bot_message” if it was left by a bot or app, “message_deleted” if a message was deleted, or “file_mention” if a file was mentioned. In short, every single action available in Slack has its own particular message type.
- “user”, which shows the ID of the user who created the message.
- “text”, — the actual content of the message.
- “ts”, — a timestamp indicating when the message was created.
Apart from the above, messages with extra properties can also contain the following:
- “is_starred”: true if a user has saved the message.
- “pinned_to” if a message has been pinned.
- “reactions” if there is an emoji reaction. This will be followed by the kind of reaction, as well as the users who left them.
Based on this single short message, it’s obvious that an active channel with dozens of daily messages can quickly become overwhelming, especially when you add shared files, GIFS, website links, and videos to the mix.
For legal and compliance professionals trying to work effectively with the Slack data of an entire organization with thousands of users, channels, and direct conversations, this approach simply does not work.
While it’s possible for teams to find what they need, conducting an investigation in this way is extremely difficult and time-consuming. With a platform like Slack, so much is dependent on context. Consider emojis in direct conversations. The use of a particular emoji could be perfectly innocent in one context and very inappropriate in another. Without the ability to see that message exactly as it appeared on the live platform, it’s very easy to overlook relevant evidence. The same goes for sensitive information like a credit card number or personal telephone number.
Slack DLP and eDiscovery APIs
The best solution for legal and compliance teams in large enterprises is to adopt a tool that leverages Slack’s APIs.
In order to simplify compliance and eDiscovery, Slack offers APIs that can be used by third-party vendors to offer dedicated solutions. Pagefreezer for Slack is exactly this kind of solution.
With Pagefreezer, legal and compliance teams can get access to Slack data through a dashboard that recreates the native platform exactly. So instead of dealing with confusing JSON exports, content can be viewed in its original context, complete with all the GIFs, videos, emojis, etc.
Teams can add Slack users and channels to the Pagefreezer dashboard and then instantly view a live replay of all content, including content that has been edited or deleted. They can also use advanced search to deliver relevant content across all users, direct messages, and channels.
When it comes to preparing this data for a legal matter or regulatory audit, Pagefreezer users can instantly select relevant content, add it to a case file, leave comments and notes, and then export this data to local servers. Content can be exported to file formats such as PDF, CSV, and WARC. Records are time-stamped and signed with a SHA-256 digital signature, and all associated metadata is included in the export.
Like other data sources—such as email clients, websites, and text messaging apps—Slack requires the implementation of effective legal and compliance solutions. Given how much communication is taking place over enterprise collaboration platforms these days, ignoring their existence is simply not an option for legal and compliance departments. Their content is guaranteed to become increasingly relevant to legal and regulatory matters.
That said, Slack and other team collaboration tools should not be seen purely as data sources that need to be corralled. Slack can also be a useful tool for legal and compliance professionals. How so? Well, in an era when the average enterprise uses close to 100 apps (and many use over 200), Slack offers a single repository for all these applications.
Instead of searching countless apps and platforms for hidden data, Slack can provide legal and compliance teams with a single source for identifying crucial records. Key to this are the app integrations that Slack offers. By plugging file management solutions, calendars, productivity apps, and web conferencing software into Slack, companies can gather disparate remote tools and make the job of legal and compliance professionals much easier.
#500-311 Water Street
Vancouver, BC V6B 1B8
Van Leeuwenhoekpark 1 - Office 5
2611 DW, Delft
+44 20 3744 7173
+61 (07) 3186 2199
Subscribe to our Blog
Get targeted Industry news, great tips and valuable insights