Companies keep business records for regulatory and legal reasons, with IT departments and records managers typically holding the keys to the records kingdom, sometimes assisted by outside vendors. In financial services, records are frequently examined for compliance purposes, and comprehensive record keeping is a specialty of its own. In addition, protecting proprietary and business IP is vital, as is safeguarding confidential customer information.
But when employees use their mobile devices for personal and business communications, danger lurks. Text messages are a fast-growing source of business record risk.
Nearly all employees text, and many mix business and personal messages. A business record may be created every time an employee taps out a text, and the records can quickly multiply when the text is answered, shared, forwarded, revised, or deleted.
What happens to all these texts?
It’s hard to say because text message record keeping policies and procedures are in their infancy.
However, companies that don’t incorporate text messages into their business record archiving systems are squarely in harm’s way.
Text message archiving sounds daunting, and with good reason. Most messaging systems lack functions for message capture, search and retrieval, identification and preservation. And there are many different devices, service providers, and text messaging systems (some promising disappearing messages, anonymity or encryption), with unique features and operations. Adding to the challenge, record keeping rules aren’t uniform — their applicability depends on the type of record, type of business, regulatory agency involved and other factors. User privacy is also a thorny records management issue.
How do you know if texts are business records?
Rule of thumb: If a text message includes information about business activities or functions, it’s usually an official business record. A 2015 court case involving government employees’ text messages provides a good example of this rule. The Washington Supreme Court said business-related texts on private cell phones were public records under the Washington Public Records Act: “Records can qualify as public records if they contain any information that refers to or impacts the actions, processes, and functions of government.”
If a company can’t produce its business records, it can’t defend legal claims against the organization, or prove lawful conduct in a supervisory exam. Inability to produce text message records can undermine corporate claims and defenses. In some courtrooms, judges reject claims of “lost” mobile device records, and allow negative inferences to be drawn about what incriminating evidence may have been in the missing electronic communications.
There are other risks, too. Experts say most mobile-based security breaches are caused by employees. Compounding this, employees using their own mobile devices don’t feel particularly responsible for loss of company data on those devices. Some employees disable company-required security on their phones. The 2016 Verizon Data Breach Investigations Report also notes that few organizations prioritize securing mobile devices.
Companies can no longer pretend they don’t know their employees use text messaging for business communications. However, they can reduce the risks by adopting text message policies and enforcement guidelines. Here are some first steps that companies can take to begin the process:
- Train employees on business record keeping responsibilities, so they understand what business records are and why they must be kept.
- Establish business texting policies and guidelines. May business be done by texting to or from an employee’s personal accounts? What restrictions apply? Examples: No deleting business text messages from devices without permission; no encryption apps or burner phones may be used to hide business messages.
- Establish and communicate consequences for employee text message violations.
- Implement the policies, audit for compliance, and apply sanctions when necessary.