The Dark Side of Instant Messaging for Business

By Kevin J. Stanfield

How do companies balance the efficiencies of instant messaging with potential legal risks? Instant messaging applications are increasingly present in today’s corporate world and a popular form of communications both internally, between company employees, and externally with clients and partner organizations. The days of face-to-face meetings between managers and employees in conference rooms or popping into someone’s office to discuss a project are no longer the norm. Today, many modern employees are using instant messaging (“IM”) as a “virtual water cooler” or “virtual conference room” to collaborate and share information and files with co-workers and customers in real time, using platforms such as Skype for Business, Microsoft Teams, Slack and Google’s Hangouts.

IM platforms in the work place have increased in popularity in recent years as the single-office model is less common, and more often employees are spread across multiple time zones and locations or are simply working remotely. IM applications are often free, come imbedded with Office 365, and are accessible on employees’ computers and smartphones making access possible from wherever your employees happen to be. Employees leverage the speed and flexibility of IM as an alternative to more traditional methods, such as phone and email, to get their work done. IM increases workplace efficiency, allowing colleagues to communicate through rapid back-and-forth discussions and on-demand file-sharing. IM conversations tend to be candid and free flowing, without a lot of structure. When an IM conversation is over, the participants “end” the conversation by closing the IM session. Unlike a phone call or in-person conversation, however, IM sessions can be easily recorded.

The benefits of IM for businesses, however, do not come without dangers and unintended consequences, especially in situations that have led the company into litigation. Take Skype for Business, as an example. Skype is Microsoft’s business solution for IM, conferencing and file sharing, interfacing with both Outlook and Office 365. Skype’s default setting captures all of your IM sessions as a transcript and automatically stores them as items in your Outlook conversations folder.

Here are my current Skype default settings.

 

Since I have not changed the default Skype settings, Outlook keeps a searchable electronic transcript of what was “said” by all participants in my Skype conversations, the names of the participants, along with helpful time and date stamps. You can easily find specific conversations by navigating to my Outlook Conversation History Folder and entering search terms that would have come up in the conversation. Skype preserves these conversations in Outlook for months or even years after they took place.

 

Here is a recent example of a preserved conversation.

Seems like a great business feature for your company, right? Well, maybe not, especially if your employees are discussing sensitive business issues in Skype that may wind up in litigation. Just like traditional emails, conversations on Skype and similar IM platforms can be used as evidence in Court against the company, if properly authenticated and relevant. While most employees understand that what they say in an email can come back to haunt them, many employees are less restrained when it comes to what they say in IM conversations. In-house counsel and outside counsel need to assume employees are using instant messaging and be aware of the legal risks.

Real World Example of Skype Messages Used At Trial

A recent real-world example of the dark side of Skype involved a company who had received a demand letter from a dissatisfied customer threatening a lawsuit over services performed. Instead of meeting in person to discuss the customer’s problems, the company’s executive team and employees initiated a group Skype conversation to discuss what happened and the company’s position. The company’s executive team used Skype IM sessions with various subordinates to gather information about the customer. In turn, the subordinates did the same with their team members. Word quickly spread across the company about the possibility of litigation, and employees began speculating with each other via Skype, leaving a virtual conversation history the entire time. The company, unfortunately, had never changed the default Skype settings, which stored these conversations in each employee’s Outlook folder. After the customer commenced litigation, these conversations were ultimately turned over to the lawyers for the customer during discovery, and were highly damaging to the company at trial.

This real-world example illustrates the hidden danger of Skype. The informal, free flow of thought that attracts many employees to use Skype for collaboration in the first place, can document conversations in a searchable transcript that could be used by civil or criminal litigators as evidence against the company. Both State and Federal Rules of Civil Procedure and Evidence allow for the discovery and use of electronic documents in litigation, including emails, and instant messages. In the event of litigation, your employees may have inadvertently created a virtual treasure trove of damaging electronic evidence that your company may have to turn over to your opponents’ lawyers.

So, what’s the answer? Do away with Skype and all similar IM platforms in your workplace? No, but a good start is for companies to know what IM platforms are being used by their employees and establish communication protocols and retention policies for all electronic data, Skype and other IM platforms.

Suggestions from a Chief Information Officer

Mark Burke, a Chief Information Officer for a small software company and longtime user of IM platforms, suggests that CIO’s set global acceptable use policies for their companies that balance the value of the information exchanged via IM against the potential risk to the company. On one side, allowing employees to have free form, recorded discussions that can be shared with others later on can improve efficiency and often leads to better products and services. However, on the other hand, Skype’s ability to capture every free form chat session in an unmoderated manner, where employees may speculate about topics that they are not directly involved in or lack full information, can be a trap for the unwary. Skype’s capture of these conversations can be harmful to the organization and can be used against the organization in the event of legal action, as we saw in our real-word example.

The balance is to allow free form conversation, but limit company exposure by setting retention policies that delete this information after a given retention time period. In our real-world example, the company responded to its IM challenge by setting a retention policy that specified that all recorded Skype conversations are purged globally after 30 days.

Mark believes that companies should strive to find a balance between retention and risk. The first step to not being caught in the data trap is to know the trap is there in the first place. Below are some suggestions from Mark to start your conversation rather than turning a blind eye until it potentially bites you.

1. Identify what IM platforms your employees are using (authorized and unauthorized).
2. Educate your executives and employees about appropriate use, and discuss IM benefits and risks at the executive team level.
3. Review or create an Electronic Retention Policy and acceptable use policy for company data.
4. Review IT processes for data retention.
5. Evaluate how your employees use retained IM conversations.
6. Determine what retention period is most appropriate for your organization.
7. Make a plan and take action to address your company’s IM issues.

Following these suggestions will provide better insight into how your organization uses retained data and decides how to address the risks.