Six Tips for Navigating Legal & Regulatory Risk in the App Age


Many corporations in Brazil are grappling with the implications of increased mobile phone app use for business communications and collaboration. Tools like WhatsApp are growing rapidly in enterprise user adoption and providing significant advantages for employee productivity and collaboration. Yet IT, legal and compliance leaders continue to worry over the impact these tools have on regulatory compliance, IT security, data protection and investigations.


Some organizations may choose simply to prohibit the use of these types of tools. At first glance, this may seem the safest choice. But considering the widespread use of such tools and the increasing migration to mobile data in Brazil—more than 146 million people here now use WhatsApp, largely in response to changes in our country’s mobile charging system—that position is becoming more and more difficult to enforce.

For some businesses, especially those that depend on agile and dynamic sales teams operating in the field, the more realistic stance is to accept that some employees are likely to use mobile apps, collaboration platforms and other cloud-based tools whether or not they are sanctioned by the enterprise. They therefore must determine a path forward and policies that support conscious, compliant app use. Teams can begin to mitigate the risks these new tools bring by understanding the pitfalls and establishing balanced yet strong controls. Tips for getting started include the following.

  1. Understand the nuances, limitations and risks inherent within popular communication apps. First and foremost is the fact that many messaging applications encrypt the messages in transit, which makes it very difficult to detect suspicious behavior or recover information that has been sent between two users. Even when this is taking place among employees, the organization has essentially lost control over the information and the lines between personal and corporate use have been blurred. Furthermore, activities are not logged within many messaging apps, and therefore cannot be retrieved. This becomes a particularly significant concern if an employee commits an illegal act or transaction using a messaging app, and the organization must access the messages as evidence in an investigation. Unless the organization has direct access to the device and the messages have not been deleted, the investigative team will have no way to obtain the information.
  2. Company policies. One important step towards gaining control over the use of apps is to establish strong, enforceable company policies that govern the conditions under which such apps may be used, and whether, how and what company information may be shared through them. Policies should specifically delineate appropriate corporate use of mobile phones and of the apps running on them, as well as account for sanctions and the protocols that will be used if an investigation or forensic audit occurs. Acceptable use policies should also include requirements that employees must provide access to their devices, including passwords, in the event that the organization must access them for legal or regulatory reasons.
  3. Mobile device management. This is a category of technology-enabled capabilities that allow organizations to establish control and policy enforcement over decentralized devices. Ideally, employees are only permitted to use company-issued devices that are equipped with mobile device management (MDM) software. If personal devices are allowed, employees should be required to install the MDM tool and submit to the acceptable use policy that acknowledges the organization may have control over the device if/when it is used for company business or to store company information.
  4. Employee training. Ultimately, compliance is about shaping behavior and managing a change in culture. Even with strong policies, firewalls, monitoring tools and MDM, there will always be a risk of employees installing apps and taking shortcuts that make their work more efficient. This is why it’s critical to address the human element in this issue by raising awareness about the risks. Most employees want to do the right thing and simply need the education and training to understand how the organization may become exposed through improper app use, information sharing and mixing of personal and corporate data. Organizations can establish trainings around policies and compliance. This can include providing instructions for how, when and why employees should transfer information and documents shared via messaging apps to a records repository for proper storage.
  5. Enable a multi-channel approach. This is a concept through which an employee can begin a conversation or a relationship in one channel, such as a messaging application, but shift that to another channel, such as company email, when confidential or sensitive information comes into play. Using this approach, employees will have the flexibility to communicate using convenient tools such as WhatsApp, but ensure compliance by formalizing communications in follow-up emails, or capturing documentation by creating and storing a screenshot or report of conversations so that the organization has access to it. While this may create extra steps for some employees, it is a worthwhile task to help maintain a strong corporate posture in terms of information governance, data protection and compliance.
  6. Define parameters and standards ahead of regulatory guidance. In addition to addressing internal disruption, organizations must also prepare for how external factors and regulations may impact their ability to innovate and embrace or govern technological advances. Working across the industry to set standards may help reduce exposure to surprise regulations, sudden enforcement actions or penalties arising from a lack of regulation. More specifically, when innovation is moving quickly, regulations that arrive late may no longer be relevant to how the technology is actually used. When key industry players take joint action to self-regulate, they can provide timely and useful guidance to define the environment and guide discussions in the development of new laws.

Businesses are undergoing unprecedented and rapid digital transformation. This shift is creating a landscape in which the use of apps in the workplace is becoming mostly unavoidable. Legal and compliance teams must acknowledge these new risks, accept them and establish ways to mitigate them. With a mindset that prioritizes healthy balance, teams can support agility within their business as well as establish meaningful and necessary control over sensitive information.

Co-Authors:

Douglas Leite, Partner, Licks Advogados
Maíra Ayres Torres, Compliance Officer, Chiesi
Antônio Gesteira, Senior Managing Director, FTI Technology

Author

  • Antonio Gesteira

    Antonio Gesteira is a Senior Managing Director within the Technology segment at FTI Consulting, and a seasoned e-discovery and forensic technology expert with more than 20 years of experience in supporting complex investigations and litigations. He has delivered more than 300 projects spanning emerging technology, data services, information security, internal and external audit support and electronic tax consulting across a variety of industries. He has led large investigations and risk management efforts in Brazil and internationally. As the Technology segment’s leader for the Brazilian market, Antonio works with clients to address a broad range of corporate risk and respond to high-stakes legal and regulatory matters.