Information management and instant messaging - is your data inventory representative of a modern data flow?
In the last several years, many businesses adopted and relied on business instant messaging software to sustain their workforce communication, as part of a wider rethinking of how work was conducted amongst geographically distributed workforces.
As a result, Microsoft Teams adoption rates had a significant uptick in users, rising from 20 million users in 2019 to 270 million in 2022. Other workplace instant messaging platforms also gained large user bases, with Slack reporting 12 million-plus users worldwide.
With this expanded footprint of instant messaging, actions and decisions are now increasingly being made in messaging apps. This unstructured information is an area of significant unmanaged risk for organizations. There have been recent cases of companies incurring heavy fines for using messaging apps not appropriately handled from a records management perspective. In 2022 the US Securities and Exchange Commission (SEC) has fined big-name banks and brokerages a collective $1.8 billion for using private messaging apps with clients without recording the communications as required.
It's clear that the average organization needs help to overcome the challenges raised by unmanaged instant messaging data.
How does instant messaging differ from other electronic communications?
Firstly, let's get clear on exactly what instant messaging is, how it differs from other electronic communications such as email, and the challenges it brings.
Instant messaging is a synchronous communication method and can be described as live one-to-one or one-to-many electronic conversations. Email is asynchronous, whereas instant messaging is real time.
Instant messaging is proprietary. You can’t chat via Teams or Slack if you don’t have a Microsoft Teams or Slack account, and the two platforms do not talk to each other. Email is interoperable and based on a standard protocol meaning people using different email providers can still exchange emails.
Because instant messaging is proprietary, there is no uniformity regarding message transmission and structure and there can be unique features across different instant messaging services.
When it comes to Microsoft Teams, it is key to note that Teams is an instant messaging platform first and foremost with a document management component (provided by SharePoint) as a secondary element.
Does instant messaging content qualify as records?
The short answer is yes. Most jurisdictions definition of records includes all electronic or machine-readable materials and therefore instant messaging.
In the United States, the statutory definition of records as per the Presidential and Federal Records Act Amendments of 2014 (44 U.S.C. 3301) includes all machine-readable materials made or received by an agency of the United States Government under federal law or in connection with the transaction of public business.
According to The U.S. National Archives and Records Administration, agencies that allow IM traffic on their networks must recognize that such content may be a record under the definition and must manage the records accordingly.
Users need to be aware that they may be creating records using IM applications, and that they need to properly manage this content in line with regulations.
Key challenges in managing instant messaging content
Instant messaging brings with it several challenges for information, privacy and security professionals with how they manage these ever-increasing unstructured data sets. It’s because we saw customers facing these challenges that the RecordPoint Data Trust Platform now includes a Microsoft Teams Connector to help organizations overcome them.
A higher risk sensitive data will be handled inappropriately
With the increasing use of instant messaging in the workplace, the likelihood of these message threads housing sensitive information also increases. In the example below, a team member has shared an employee's Social Security Number (SSN) within a Microsoft Teams thread. This kind of behavior is common when teams are trying to complete tasks quickly or shortcut a cumbersome internal process, but it increases the potential impact of a data breach, and risks breaching privacy regulations.
Being able to identify this sensitive information that may have been shared on IM application like Teams can help with operational governance. Once identified appropriate actions can be taken to rectify and also strengthen internal policies if required.
Connecting your Microsoft Teams or other instant messaging services to the RecordPoint platform means these message threads can also be crawled for privacy signals, both Personally Identifiable Information (PII) and Payment Card Industry (PCI) data.
Following on from the example above, you can see if the organization had connected Teams to RecordPoint, that sensitive information would have been identified and correctly tagged as containing PII.
Data discovery requires a complete and continuously updated data inventory
If you are relying on instant messages to conduct business tasks that have a high level of risk, for example, authorizing someone to proceed with a significant decision, you need to take a rigorous approach to ensure that records are discoverable and can stand up to any audit or legal proceeding.
To know if instant messages exist on any given subject, you must have visibility of these messages as part of your overall data inventory. You can export Teams messages directly from Microsoft Teams, although that creates a single ‘point in time’ copy and additional content could be added to threads at any time.
RecordPoint's Microsoft Teams Connector allows organizations to manage their Teams data in-place and maintain a reliable and continuous data inventory of channel threads. Any attachments shared are connected to the corresponding Teams Channel thread text creating a more holistic record.
Poor metadata from IM platforms puts limits on data categorization
Instant messaging platforms are often metadata-poor, which can make accurate data categorization a challenge. Accurate data categorization is essential as it not only aids in discoverability for audits, legal proceedings, or data subject requests but it also helps assign retention schedules for records and data, so your organization can comply with privacy and data regulation and reduce the impact of a potential security breach. Attackers can’t access what your organization has legally disposed of, and accurately categorizing your data–including IM data–will allow your organization to remove data defensibly when it reaches the end of its retention period.Using a federated records management solution like RecordPoint allows you to enrich the metadata on a Teams Channel threads with metadata from third party systems such as a project management or HR system. For example, when a Project Manager sets a project close date in the organization’s project management system, metadata enrichment can ensure the corresponding Teams thread records have the same close date applied in the metadata.
Solving these challenges is critical for organizations
As instant messaging tools are playing a significant role in the exponential growth of data within organizations, data categorization of these records must be scalable. RecordPoint allows for automated classification at scale through metadata-based rules classification and classification using Machine Learning models.
Instant messaging is not going anywhere, so organizations must account for these new ways of working and ensure their data inventories are representative of a modern data flow. Speak to the RecordPoint team today about how our Microsoft Teams Connector can help you manage instant messaging ‘in place’ as records.
Solving the challenges of data sprawl
The pandemic has accelerated the adoption of data sources, particularly structured data, and organizations need to invest in tools to manage the sprawl.
Bringing consistency to your data management, no matter where the data is
Connectors provide the same high-value inventory and sensitive data identification to more and more data sources without the ongoing headache of integration maintenance and code-based customization