Uncontrolled text messaging exposes your company to massive risk

Texting is simple, concise, and compatible with virtually every mobile device, operating system, and wireless carrier, which makes it extremely accessible when an employee wants to communicate with their colleagues, customers, or prospects in a time-crunched, connected society.

In fact, according to the Pew Research Center, 97% of Americans who own a smartphone use them to send or receive text messages, demonstrating that mobile messaging is one of the most widely used features. But even though texting is easy, reliable, and intuitive, it can create tremendous risk for a company if it’s used for official business communications.

When considering the countless regulatory, legal, and general risk and brand management challenges that companies must manage today, e-mail and other “official” communications on social media accounts and corporate Websites might register as the only content types that need to be archived or supervised. Nevertheless, text messages must be considered, too—because in many instances they are used to conduct company business. Sending text messages between mobile devices is now one of the key ways that employees connect with each other and customers, and these records need to be maintained for completeness.

In many cases, companies don’t give text messages the same level of recordkeeping attention as other forms of digital records. They often lack an archiving solution for the retention and oversight of text messages, moreover, which can cause significant problems when facing a regulatory examination, open records request, an investigation, e-discovery event, or litigation.

Compliance, legal, IT, risk, and reputation professionals across a variety of industries are now realizing that proactively archiving text messages is necessary to alleviate anxiousness about risks arising from their records retention and oversight practices not keeping up as employee use increases. They need to meet the challenge of accurately identifying specific sources of additional risk with this form of communication as it gets leveraged by employees within their business. Text messaging without proper governance is a major gap that can no longer be ignored.

Companies must now figure out how to collect and preserve data from numerous devices, operating systems, and device ownership scenarios. It does not matter if an employee uses a corporate-issued device, a personally owned device, or a combination of the two for business-related texts. All devices are fair game for discovery in litigation if they contain relevant business communications.

Text messages must be kept in a searchable format that cannot be tampered with, destroyed, or otherwise disposed of by anyone on purpose, or accidentally. Text messages must also be produced quickly for e-discovery, public records requests, and regulatory examinations. A company may operate a tremendous number of phones through contracts with one or more carriers and erroneously assume text records are kept by carriers. Carriers don’t keep text messages for very long, however, and they aren’t obliged to provide records of them either. The responsibility for retaining and producing requested text messages lies with the organization that creates the records.

Organizations can no longer say “we didn’t know” as an excuse to avoid archiving and oversight of text messages. Several well-publicized cases involving text business messages that have been lost, altered, or mishandled in the public sector, financial services, and other industries have alerted us all to the fact that these types of messages must have oversight. Companies that aren’t yet retaining text messages will find they have plenty of technology options to help them start.

Following e-mail and social media, SMS/text messaging is perceived as the next source of the most compliance risk by compliance professionals in the financial services industry. Banning its use, however, will not work. The Smarsh 2017 Electronic Communications Compliance Survey Report reinforces that policies of prohibition of SMS/text messaging are a barrier to growing business and workforce productivity. They do not deliver compliance confidence, and they simply don’t work. Early 2017 examples of text-related firm penalties all have one thing in common: All prohibited its use for business communication. More than two thirds (67 percent) of respondents have no, or minimal, confidence that they could prove their prohibition of text messaging is actually working.

In the public sector, citizens’ expectations have changed in relation to government records. Community members and watchdog groups want to be able to readily access information from government organizations to hold public officials accountable for their decisions. Text-related public records requests are now way more common, and people routinely ask for text messages from agencies alongside e-mails and social media content. Maintaining text records to comply with open records laws means that an organization must be able to easily secure, search, and retrieve those records. Government offices have increasingly faced lawsuits over text messages if they fail to retain and manage them properly.

Now that we have discussed the circumstances that have organizations worried about text message recordkeeping challenges, let’s take a closer look at risks and the potential impact they can have on a business:

Legal risk. Text messages can also be requested as part of an e-discovery or litigation event, since texts are often considered relevant electronically stored information (ESI) within an organization. Many courts compel the production of texts in civil litigation, if a mobile device is believed to possess relevant text messages.

While other forms of electronic communication, including e-mail, are relatively straightforward to collect, archive, and extract, text is different. Companies must now figure out how to collect and preserve data from numerous devices, operating systems, and device ownership scenarios. It does not matter if an employee uses a corporate-issued device, a personally owned device, or a combination of the two for business-related texts. All devices are fair game for discovery in litigation if they contain relevant business communications.

If a company’s legal team cannot find, preserve, and produce text data in real-time and respond quickly and completely when asked to search and produce specific text messages for discovery events and litigation, the organization may face legal consequences related to data spoliation, missing records, or failure to produce requested data—not to mention high legal fees.

Reputational risk. The use of text messaging without the proper monitoring protections in place can also leave a company susceptible to brand problems. Most businesses know the importance of brand reputation, since those with a strong track record tend to attract the best employee talent and are perceived as providing more value to customers. Customers may also be more loyal and likely to recommend a company if it has a trusted reputation.

The supervision of electronic communications is critical for companies that want to find and mitigate any potential reputation risks, even if they aren’t directly related to compliance or legal issues. E-mails, social media accounts, and corporate Websites are often monitored, but text messages must be brought into this perimeter to further reduce risk. Currently, most companies do not monitor business text messages sent and received by their employees.

When a company manages its brand by monitoring text messages and other electronic communications on a regular basis, steps can be taken to quickly assess potential threats and mitigate actual problems when they occur.

Regulatory risk. In highly regulated industries, text communications need to be retained and supervised. For instance, financial services firms are required by the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) to archive and supervise electronic communications used for business purposes, including text messages—and recent surveys show firms lack confidence that they can meet those requirements.

Similarly, state governments have seen recent rulings that reinforce how text messages are classified as business records. Essentially, any highly regulated industry that has recordkeeping requirements for business communication must archive electronic messages, no matter what platform they are on—and that includes mobile devices.

Don’t get left behind

An important component of the chosen solution is the ability to archive text messages alongside other electronic communications content, including e-mail, social media, Websites, instant messaging, and collaboration platforms—to give compliance, legal, and risk and reputation professionals the ability to supervise and produce these records in one place, with a common user and administration interface. Implementing point products for specific content types leaves gaps and creates separate silos of information. This greatly complicates the process of searching for, and producing, a complete set of records when the need arises.

When a company has access to these content types with a single comprehensive archiving solution, conversations can be monitored from a broader and more holistic perspective. For instance, conversation threads can be followed easily when a discussion starts on social media, moves to e-mail, and concludes in text messages.

Businesses that recognize the benefits of comprehensive archiving will reap the rewards almost immediately when they implement it by allowing their employees to take full advantage of the productivity that text messaging provides while staying compliant and managing the risk out of it. Others that leave text messages out of their electronic communications compliance strategy, or implement multiple point products to try and address it, will lag and be playing the odds—at a time when compliance examinations, litigation procedures, and the importance of brand reputation and risk management are more central than ever to business success.

About the AuthorMike Pagani is a seasoned IT professional and recognized subject matter expert in the areas of mobility, identity and access management, network security and virtualization. Prior to joining Smarsh in November 2014, Pagani held executive-level corporate and technology leadership/spokesperson roles for Stay-Linked, Quest Software, NComputing, Dell Software and others.