Week 3 WSJ Assignment – Do Messaging Apps Fit into the Workplace?
Question: Are employees being given adequate training on the use of messaging “apps” in the workplace?
Are there any cyber-security or privacy implications?
Do Messaging Apps Fit Into the
Workplace? Not Always Comfortably
Ephemeral messages raise questions about data security
and compliance with rules concerning corporate
communications
Kassel, Matthew. Wall Street Journal (Online)
New York, N.Y. [New York, N.Y]18 Sep 2019.
Messaging apps that can make their messages disappear, such as WhatsApp, Signal and
Telegram, have become more widespread in the workplace. The services, which allow users to
delete content within a short period, are used both for casual conversations and sensitive
conversations. But their presence in the workplace is creating tension, particularly for companies
that have to log communications and maintain records.
While some companies, including Deutsche Bank, have banned their use, those that haven't must
figure out how to strike a balance between appropriate business-related communications and
protecting employees' privacy rights.
With different options available, and the appropriateness of some under scrutiny, The Wall Street
Journal hosted a conversation by email with four experts on digital communication in the
workplace: Jules Polonetsky, chief executive of the Future of Privacy Forum, a nonprofit in
Washington, D.C.; Ifeoma Ajunwa, an assistant professor of labor and employment law at
Cornell University's Industrial and Labor Relations School and the author of a soon-to-be-
released book on technology in the workplace; Allen Chiu, chief compliance officer and global
head of litigation at Genesys, a contact-center software company; and Jacqueline Cooney,
senior director of privacy and cybersecurity at the law firm Paul Hastings in Washington, D.C.
Edited excerpts follow.
WSJ: What should companies think about when designing policies that cover these apps?
How far can they go in limiting their use by employees?
MS. COONEY: We have heard, anecdotally, that one of the issues companies are facing is that
their younger employees like to use these apps. They are a trendy and popular way of
communicating. The apps are often easier to use and offer more features than traditional email or
even texting provides. Therefore, companies should take into consideration the demographic of
their employees and their employee preferences when considering whether to allow ephemeral
messaging apps.
MR. POLONETSKY: Young people are certainly more comfortable messaging than using email
for quick communication. But a company compliance lead I was working with was most
concerned about her senior-executive team, all of whom texted each other on urgent confidential
matters on the weekends. An important solution is making sure there are available messaging
apps that are easy to use, and using the compliant enterprise versions.
Email initially entered the workplace with personal AOL and Hotmail accounts. Eventually
enterprise versions that had retention policies and controls came out and were adopted. With
enterprise Slack, Atlassian and others, the market is moving in the same direction, leaning to
allowing use of the popular tools, but with employer-customized options.
DR. AJUNWA: It is also important for employers to understand that this type of messaging
raises their liability risks. For example, employees may use such communication channels to
harass other employees, and the employer's tacit approval [of such apps] or lack of enforcement
of rules against using those types of communication channels would make the employer bear
some of the legal blame for the harassment.
WSJ: Doesn't setting a policy around how employees use apps like Snapchat invade their
privacy?
MR. CHIU: Employee privacy is important—but it should not be the only consideration when
considering the use of these types of messaging applications. There is a balance that needs to be
struck between the need for employees to retain their privacy interests in personal discussions
and for companies to maintain adequate controls over legitimate business records. Without a
policy around the use of disappearing-message applications, that balance does not give enough
weight to the fact that companies need to be able to document and understand transactions,
investigate corporate misconduct and defend themselves against claims in litigation.
MS. COONEY: In the U.S., there is no clear right to employee privacy. Employers can and
should create clear, thoughtful rules around use of their devices, software and applications, and
how employees will be monitored on employer equipment and in employer facilities. Employees
should be familiar with the rules of their organization and the communications channels they are
allowed to use and for what purposes.
MR. POLONETSKY: Employees should be able to use confidential channels for their personal
communications. But their employer needs to ensure they don't do so on a device that may also
hold sensitive data—patient records, financial records or other sensitive information—unless that
data is segregated and protected. The employee's individual right to privacy needs to be balanced
with the risk to the privacy or safety of others, and the requirements to maintain confidential
employer data.
WSJ: What about when employees text or use other apps to communicate on personal
phones? How does a company retain business communications that employees have had on
messaging apps using a personal phone?
MR. POLONETSKY: In general, mobile-device-management software can be a key solution
here, compartmentalizing the employer's apps and information on a personal phone, and
separating the personal information of employees. It's a good idea to use mobile-device-
management software that shows employees what data is being monitored to ensure employees
understand the scope of the monitoring.
A key challenge for employers is that messaging apps may upload business contacts and other
business information stored in mobile-phone contacts to their own servers or transfer data across
countries, in ways that violate employer privacy policies or data-protection agreements. The
newest versions of mobile operating systems can be set to control this, when combined with
mobile-device-management software.
DR. AJUNWA: I do not think a company should try to retain communications that an employee
has had on a personal phone. While in the U.S. workers generally do not have privacy
protections when it comes to using employer-provided devices, the use of a personal device is
generally considered outside the purview of the employer. The issue with imposing any kind of
data-retention regime, however, is that this might also be seen as tacit permission from the
employer for the employee to use ephemeral messaging apps.
MS. COONEY: If a company has data-retention requirements, ephemeral messaging apps, by
definition, cannot comply with them. There are messaging apps that are more appropriate in
business settings that allow information to be retained and recalled if necessary. However, if
messages are truly meant to "disappear," then the information relayed in those communications
should be restricted to include nonsubstantive topics, such as arranging times and places to meet,
or for personal messaging not related to any business.
WSJ: Are there any benefits to using these types of apps for work? Aren't they more secure
from hackers?
MR. POLONETSKY: For certain professions or certain high-security situations, encrypted apps
and even ephemeral apps are a key tool for employees. Domestic-violence counselors
communicating with a vulnerable victim, journalists with high-risk sources, those traveling in
countries where government surveillance is a risk should all look to encrypted services. In those
situations, confidentiality will outweigh other issues. Employers should make sure the employees
are trained on the limitations of these apps so they can use them wisely.
DR. AJUNWA: I concur, but it's important to note that there is a very limited number of
professions in which ephemeral-messaging apps could be useful. Even then, it's important to
recognize that many ephemeral-messaging apps are still vulnerable to de-encryption as security
flaws have been discovered in apps like WhatsApp, Signal, etc.
WSJ: So when and how should employees use disappearing-message apps?
MR. POLONETSKY: Organizations should make it clear to employees that they should not use
private-communications channels for work-related purposes. Companies handling financial data,
health data or other sensitive data have obligations to ensure employees don't send private files to
unauthorized parties. They also have obligations to hand over information that is the subject of
litigation, and they need to have internal governance rules about employee communications.
Third-party apps that operate completely outside the employer's governance make it impossible
to protect sensitive company data.
MR. CHIU: The expectations regarding employees' use of ephemeral or disappearing-message
apps have been an area of focus for the Justice Department, particularly in the context of
corruption investigations. In 2017, the Justice Department provided initial guidance regarding
the extent to which companies were expected to have adequate data-retention
policies—suggesting that companies should prohibit employees from using messaging apps that
did not adequately retain business communications or records altogether. Since then, the Justice
Department has revised its stance. [Such apps are no longer banned. But] companies need to
have clearly identified policies that address the use of these types of messaging apps, and in turn,
those policies should be communicated broadly to employees.
WSJ: Rather than limiting their use to nonwork matters, is there an argument that
companies should ban disappearing-message apps from the workforce?
DR. AJUNWA: My answer is yes. Employers should have an official policy banning employees
from using ephemeral messaging apps for specifically business-related communications.
Employers don't have the purview to control personal communications, but they can set rules for
business communications. Allowing employees to use disappearing-message apps for business
communications opens the employer to unnecessary liability. I don't think it's a good argument to
say that because younger workers are using these apps that makes them acceptable or appropriate
in the workplace. Rather, I think that employers should just take the hard line of banning these
apps in the context of work. Trying to create rules for their use in the workplace makes the
employer ultimately responsible for when such use contravenes the law or creates a hostile work
environment.
MR. POLONETSKY: I think employers need to be realistic and pragmatic. In some sense, the
issue of employees acting inappropriately outside the reach of the company isn't new. Business
conversations happen in restaurants and in bars. Ephemeral conversations happen in hallways.
Conversations take place without being recorded on telephones. Email and computers brought
much more communication to the workplace, but also brought it into view for the first time,
along with opportunities and obligations for compliance and tracking.
Now, some communications are moving back out of reach, as technology catches up to the
expectations of people. We don't expect everything we say to be documented for posterity.
Ephemeral communications initially caught on with teens not because of privacy, but because
they were a more casual way to communicate, a better reflection of many of our trivial
exchanges. Yes, we need policies to ensure businesses can protect against data breaches and
abuse, but it's not a terrible thing to recognize that we need some room for casual chatter that
doesn't linger.
WSJ: If employees are allowed to use such apps, is there a risk that using these apps will
create the impression of trying to hide something?
MS. COONEY: I doubt that most employees use these apps specifically for the purposes of
having secret conversations that can't be recorded. The apps are as much about functionality as
they are about confidentiality. Companies that want to allow these apps would be well positioned
to understand the potential risks if they evaluated several different options and chose one that
they believe fits their needs and risk appetite.
MR. POLONETSKY: These apps have become so commonplace that there really shouldn't be a
perception that an employee at most companies is hiding something by using a popular
messaging app. It may indeed be the case in some government agencies, where it is clear some
may be improperly moving communications that are subject to the Freedom of Information Act
or congressional scrutiny into messaging that evades review.