Pagefreezer

The Complete Slack Field Guide for Legal & Compliance Teams

How to Effectively Manage the eDiscovery and Compliance Requirements of Slack

Want this guide as a downloadable PDF?

Even before a global pandemic transformed the workplace and made remote work a standard practice across countless companies and industries, team collaboration tools like Slack were already changing how employees communicate and collaborate.

Over the last decade, Slack has greatly reduced the internal use of email within many companies—and in some instances, it has done away with it almost entirely. But it has done even more than that. It has changed the very nature of communications within companies.

Slack is more than a simple instant messaging tool. It is a collaboration hub that, yes, lets employees quickly and easily chat with one another, but it also allows them to share files, effectively collaborate in group channels, launch audio and video calls, receive automated real-time notifications of important events, easily conduct polls across an organization, share GIFs and videos, and much more.

The social media-like nature and varied capabilities of Slack has resulted in a much richer communication platform than traditional email or instant messaging services. With Slack, it’s quicker, easier, and more fun to collaborate.

The role accurate recordkeeping, active monitoring, and good information governance of Slack can play in preventing compliance issues will be discussed in greater length in the subsequent sections. Additionally, we’ll explore tools, including Slack DLP apps and Slack eDiscovery APIs, designed to simplify data discovery and security compliance for large enterprises.

First, however, we’ll look at all the benefits of Slack that have made it so ubiquitous in the modern workplace.

SECTION 1

The Benefits of Slack

While there is some justified concern that a tool like Slack with all its constant messaging and GIF sharing can be disruptive, there is also ample evidence that it improves communication and collaboration. Cal Newport, the author of Deep Work, has even argued that companies should completely replace email with Slack.

Moreover, the COVID-19 pandemic has created an environment in which a tool like Slack is absolutely essential. With countless employees working from home, team collaboration tools have become central repositories that remote teams depend on to communicate and collaborate in real-time.

The ROI of Improved Collaboration

Team collaboration tools can have a very real impact on a company’s bottom line, especially when a large portion of its employees are working remotely. Investigating the economic impact of Workplace from Meta, Forrester found that the tool could offer a 3.9X (400%) return on investment.

Another report by Forrester claims Slack can offer a similar return. Slack’s report, “How to Achieve a 3X Return with Slack” states:

Slack offers a new paradigm for collaboration that’s native to the digital workplace. And the bottom-line benefits can’t be ignored.

A commissioned study conducted by Forrester Consulting on behalf of Slack zeroed in on these benefits for teams who switched to Slack from email and chat. Moving away from these siloed communication methods led to substantial—and measurable—gains in productivity.

In their report, The Total Economic Impact of Slack, Forrester found technical teams that use Slack see a 3X return on investment overall (The Total Economic Impact of Slack, Forrester), as well as more specific benefits on the front lines.

What Better Collaboration Looks Like

Why is a tool like Slack capable of offering such impressive returns? Simply put, because improved communication and collaboration result in a more efficient workforce. According to the Slack report mentioned in the section above, the platform allows companies to:

  • Save time and money by reducing meetings and collaborating in real-time with Slack. Instead of meetings that suck up valuable time, Slack allows coworkers to quickly collaborate in the moment.
  • Reduce the costs and risks of email by leveraging Slack’s platform security. Thanks to sophisticated security features and data loss prevention (DLP) tools, Slack can make it easier to keep sensitive information secure.
  • Empower a workforce with Slack to improve efficiency. Make it easier for employees to connect with other people in the organization and gather the information they need. 
  • Offer premium customer service through Slack. Certain sectors, like financial services, can use Slack to communicate with important customers

SECTION 2

The Legal and Compliance Challenges of Slack

While the use of Slack can be beneficial to the organization as a whole, it does introduce certain challenges—specifically for departments like legal and compliance.

Financial services, which was just mentioned at the end of the previous section, is a perfect example. As great as it is to be able to easily communicate with clients through channels and direct messages, Slack use must also comply with regulations laid out by entities like the Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA), and the Federal Financial Institutions Examination Council (FFIEC). Firms that neglect FINRA compliance when using Slack may face penalties and disciplinary action.

Similarly, when litigation looms, the need to implement a legal hold on Slack data comes into question. Businesses should be aware of the legal processes involved to avoid destruction of Slack data and keep any potential evidence defensible.

Team Collaboration Tools — The New Email

To understand the recordkeeping and compliance challenges of a modern enterprise collaboration platform like Slack, it’s useful to compare it to email. Although it is hard to imagine today, there was a time when organizations were not entirely sure how emails should be stored and managed to meet compliance needs. As the technology evolved, and regulators and courts started to hand down specific rules and guidance, companies slowly understood what was required of them and implemented robust retention systems and processes.

Today, just about every company understands that employee emails have to be retained for a set period (usually somewhere between three and seven years), and subsequently have some sort of email vault or other archiving solution in place. And even if an organization isn’t operating in a highly-regulated industry, the threat of litigation makes it a prudent thing to do.

Broadly speaking, emails need to be archived for the following reasons:

  • Regulatory Compliance: Meeting the requirements of organizations like the FDIC, FFIEC, FINRA, and IRS, and preparing for related regulatory audits.
  • Litigation and eDiscovery: Keeping detailed records of communications in the event of a legal matter, both external lawsuits and internal employee matters. As with any digital file, an email can be altered, so it’s important to have an accurate copy of the original.
  • Data Security and Knowledge Management: With so much digital information being shared, it’s important for companies to monitor the flow of information and keep close track of what is being shared.

Just like with email, Slack content should be archived meet the above requirements.

Simply put, if a recordkeeping rule applies to email, it also applies to an enterprise collaboration tool like Slack. So any organization looking to understand how they should handle the recordkeeping requirements of Slack need only look at how they currently deal with email. Is every employee’s emails being archived for seven years? Then the same should happen with enterprise collaboration records.

The Recordkeeping Challenges of Slack

While the recordkeeping requirements of Slack might be similar to that of email, the practical process of collecting and retaining Slack data looks very different. 

The fact of the matter is, team collaboration tools like Slack are upending traditional approaches to recordkeeping, which is why it is giving records managers, compliance professionals, and legal teams so much trouble. 

Companies are used to dealing with discreet records (like emails and PDFs), but Slack has more in common with a social media platform Facebook. The following characteristics of the platform complicate the recordkeeping process:

  • Real-Time Activity: Unlike with an email or PDF, content in Slack is always evolving. Not only can users chat and share files in real-time, but they can also edit their posts and delete content. This means that as soon as a record is created (by, for example, taking a screenshot) it is already outdated because the content has been altered.
  • Slack’s Multifaceted Nature: Slack channels and direct messages contain far more than text messages. They consist of GIFs, reactions, videos, etc.
  • App Integrations and Linked Content: Not only does Slack allow employees to share just about any file they wish, but many popular applications boast Slack integrations, which means data from sources such as Office 365, G Suite, Zoom, HubSpot, Salesforce, GitHub, and Zendesk can all be fed directly into Slack.

Slack’s Unstructured Data Problem

It’s also worth looking at the difference between structured and unstructured data.

Structured data can best be described as anything that exists within a relational database. In other words, if data resides within a relational database management system (RDBMS)—the basis for SQL (Structured Query Language)—it’s by nature highly structured. A bank account or employee directory are good examples of this. There’s high consistency in terms of fields and values across database entries, so the relational nature of the data is easy to understand and the database is quick to search.

Unstructured data is anything that does not reside in an RDBMS. And as this definition of unstructured data suggests, a lot of the data in modern enterprises would qualify as such, including PDFs, text documents, spreadsheets, presentations, images, videos, and audio files.

A team collaboration tool like Slack exists within the realm of unstructured data. So when you combine this unstructured nature with the always-on real-time activity of the platform, knowing what information is hiding inside Slack can be difficult.

Just consider the very simple Slack interaction below:

Now look at how that interaction appears on the backend:
Making sense of that is virtually impossible. And submitting it to a regulator or court will only result in confusion.

As far as legal and compliance teams are concerned, Slack and other team collaboration tools represent massive data sources that cannot be ignored—yet the information hiding inside them can be difficult to access and interpret.

In the following two sections we’ll examine what the implications of this are for both legal and compliance professionals.

SECTION 3

Slack and the Legal Team

SECTION 4

Slack and the Compliance Department

Although it’s advisable that all companies keep detailed records of Slack data, it’s non-negotiable in highly-regulated sectors (like banking) where firms are expected to archive all communications.

As stated in Section 2 of this document, it’s useful to compare Slack with the recordkeeping requirements of email. If your organization archives all employee emails, it should also be archiving all Slack communications. If a regulator like the SEC or FINRA has laid out recordkeeping requirements that cover email, they also cover Slack communications.

Because of this, the needs of compliance departments are very similar to that of legal teams. Compliance professionals need to:

  • Have easy access to the platform to find relevant records.
  • See edited and deleted content that’s no longer present on the live platform.
  • Quickly search the platform for relevant records.
  • Export these records in a defensible format that will be accepted by regulators during an audit.

All Compliance Starts with Records Management

Apart from the issue of recordkeeping requirements, it’s important to realize that all compliance starts with good records management.

The compliance function of an organization can’t effectively assess a firm’s policies, controls, and procedures without access to reliable records of online data. For example, no compliance team can assess the risks of money laundering and terrorist financing without seeing the relevant records and data related to due diligence processes, transactions, and internal and external reporting.

The same considerations apply when it comes to assessing the risk of misselling or market abuse and insider trading. A review will be flawed if financial promotion records, checklists, and transaction records are incomplete.

In other words, there is a very close link between compliance risk and the integrity of online data. If there are no formal controls in place to manage the vast volumes of electronic data, the compliance function will be of little help when there is a regulatory matter. With so much regulatory focus on responsibility and accountability, it is crucial that the integrity of data is maintained and that everyone understands their own responsibilities.

This obviously has massive implications for the use of Slack, especially when employees are working remotely and depending on the platform to share documents. If compliance professionals don’t have access to reliable records, the potential repercussions extend far beyond fines related to recordkeeping requirements—every aspect of compliance (including those related to very serious allegations like money laundering, terrorist financing, and misselling) can be impacted.

Monitoring Slack for Compliance

Another issue worth discussing is monitoring. While accurate recordkeeping and good information governance of Slack is crucial to regulatory compliance, active monitoring can go a long way towards preventing compliance issues from escalating—and in many cases prevent them from happening altogether.

Monitoring and Data Loss Prevention (DLP) solutions—like those offered by Pagefreezer—can be used to notify compliance professionals and other stakeholders as soon as sensitive information (like credit card numbers, social security numbers, bank account numbers, etc.) is shared over Slack.

These monitoring tools can also be used to ensure that use of Slack complies with internal communication policies. As with sensitive information, text patterns can be used to monitor the platform for profanity and other inappropriate language, thereby making it easier to curb bullying and harassment in the workplace.

SECTION 5

Mitigating the Legal and Compliance Risks of Slack

SECTION 6

Dealing with Slack Data for Compliance and eDiscovery

What does it look like for legal and compliance teams to deal with Slack data in practical terms? Say, for instance, a specific piece of Slack data is needed for a legal matter or regulatory audit. How would teams find that relevant piece of content and export it?

Taking Screenshots of Live Slack Data

The easiest way to tackle this task is to search for the content directly in the platform with the help of Slack’s own search functionality—and once found, to take a screenshot of it.

But this approach has a couple of issues. First, giving various legal and compliance team members admin rights that provide them with access to all private channels can make it easy to find data, but it also runs counter to the principle of least privilege and introduces privacy and security concerns. Moreover, it would not give these investigators access to direct messages between employees, so a significant blindspot would still exist.

Second, taking a screenshot of content directly in the platform doesn’t capture any metadata that would prove its authenticity. The only metadata attached to the screenshot would be that of the JPEG itself, so it would be impossible to prove that the content had not been tampered with in Photoshop or some other image-manipulation tool.

In short, the above is not a scalable or reliable approach to Slack recordkeeping.

Using Slack Data Exports

Given the limitations of the approach discussed above—as well as the clear need for some system that facilitates Slack-related litigation and compliance—Slack allows for export of workspace data.

This allows owners and admins of workspaces to:

  • Export public channels (this can be done on any Slack plan).
  • Generate recurring exports on the Slack Plus plan.
  • Generate exports for all channels and conversations on the Enterprise Grid plan.
  • Generate exports for a single user’s channels and conversations on the Enterprise Grid plan.

As is probably clear from this list, any company expecting to make regular use of Slack data for compliance and litigation needs to be on the Enterprise Grid plan. Without that, legal and compliance professionals simply won’t have access to all relevant data—specifically the private channels and direct conversations of all employees.

But even with an Enterprise Grid subscription in place this approach can still present challenges. That’s because, similar to popular social media platforms like Twitter and Instagram, Slack provides workspace data in a format that can be difficult to work with.

Slack provides data in a JSON (or TXT) file format that strips the content of its original context. In other words, you won’t see channels and conversations as they appeared on the platform. Instead, you’re left with basic files that need to be decoded in order to successfully read the Slack messages.

Every message in a JSON export includes the following:

JSON reaction
Here is what a simple message (“Hello world”) would look like if it has been starred and pinned, and if it has a couple of reactions.
  • “type”, which indicates the type of message you’re dealing with. For example, it could be “bot_message” if it was left by a bot or app, “message_deleted” if a message was deleted, or “file_mention” if a file was mentioned. In short, every single action available in Slack has its own particular message type.
  • “user”, which shows the ID of the user who created the message.
  • “text”, — the actual content of the message.
  • “ts”, — a timestamp indicating when the message was created.

Apart from the above, messages with extra properties can also contain the following:

    • “is_starred”: true if a user has saved the message.
    • “pinned_to” if a message has been pinned.
    • “reactions” if there is an emoji reaction. This will be followed by the kind of reaction, as well as the users who left them.

Based on this single short message, it’s obvious that an active channel with dozens of daily messages can quickly become overwhelming, especially when you add shared files, GIFS, website links, and videos to the mix.

For legal and compliance professionals trying to work effectively with the Slack data of an entire organization with thousands of users, channels, and direct conversations, this approach simply does not work.

While it’s possible for teams to find what they need, conducting an investigation in this way is extremely difficult and time-consuming. With a platform like Slack, so much is dependent on context. Consider emojis in direct conversations. The use of a particular emoji could be perfectly innocent in one context and very inappropriate in another. Without the ability to see that message exactly as it appeared on the live platform, it’s very easy to overlook relevant evidence. The same goes for sensitive information like a credit card number or personal telephone number.

Slack DLP and eDiscovery APIs

The best solution for legal and compliance teams in large enterprises is to adopt a tool that leverages Slack’s APIs.

In order to simplify compliance and eDiscovery, Slack offers APIs that can be used by third-party vendors to offer dedicated solutions. Pagefreezer for Slack is exactly this kind of solution.

With Pagefreezer, legal and compliance teams can get access to Slack data through a dashboard that recreates the native platform exactly. So instead of dealing with confusing JSON exports, content can be viewed in its original context, complete with all the GIFs, videos, emojis, etc.

Teams can add Slack users and channels to the Pagefreezer dashboard and then instantly view a live replay of all content, including content that has been edited or deleted. They can also use advanced search to deliver relevant content across all users, direct messages, and channels.

When it comes to preparing this data for a legal matter or regulatory audit, Pagefreezer users can instantly select relevant content, add it to a case file, leave comments and notes, and then export this data to local servers. Content can be exported to file formats such as PDF, CSV, and WARC. Records are time-stamped and signed with a SHA-256 digital signature, and all associated metadata is included in the export.

SECTION 7

Conclusion

Like other data sources—such as email clients, websites, and text messaging apps—Slack requires the implementation of effective legal and compliance solutions. Given how much communication is taking place over enterprise collaboration platforms these days, ignoring their existence is simply not an option for legal and compliance departments. Their content is guaranteed to become increasingly relevant to legal and regulatory matters. 

That said, Slack and other team collaboration tools should not be seen purely as data sources that need to be corralled. Slack can also be a useful tool for legal and compliance professionals. How so? Well, in an era when the average enterprise uses close to 100 apps (and many use over 200), Slack offers a single repository for all these applications. 

Instead of searching countless apps and platforms for hidden data, Slack can provide legal and compliance teams with a single source for identifying crucial records. Key to this are the app integrations that Slack offers. By plugging file management solutions, calendars, productivity apps, and web conferencing software into Slack, companies can gather disparate remote tools and make the job of legal and compliance professionals much easier.

1-888-916-3999
support@pagefreezer.com

Head Office:
#500-311 Water Street
Vancouver, BC V6B 1B8
Canada

Europe Office:
Van Leeuwenhoekpark 1 - Office 5
2611 DW, Delft
The Netherlands

UK Office:
+44 20 3744 7173

Australia Office:
+61 (07) 3186 2199

Subscribe to our Blog

Get targeted Industry news, great tips and valuable insights

©2024 Pagefreezer Software Inc. All Rights Reserved. Privacy Policy and Acceptable Use Policy. Commercial use and distribution of the contents of this website is not allowed without express and prior written consent of Pagefreezer Software Inc. subject to existing copyright exceptions and limitations.