Five insights into mobile messaging and chat surveillance

Focus on Five

Easy-to-use and widely adopted messaging apps are a popular way for billions of people to stay in touch and share information with family, friends, colleagues, clients, vendors, and other people or organizations with whom they have relationships. Appealing as they may be, messaging and chat apps can create issues when used for business communications, including headaches for compliance and legal functions. Organizations that face or anticipate the use of these tools within their ranks can benefit from five insights into why they are popular and potentially problematic.

Mobile data is increasingly important in both litigation and regulatory matters

Companies in certain industries operate under regulatory requirements to archive, monitor, and surveil employee and customer communications. US Financial Industry Regulatory Authority (FINRA) rules dictate the handling of electronic communications involving securities broker-dealers and commodity traders.

The Health Insurance Portability and Accountability Act (HIPAA) includes procedures to safeguard patient information and the types of messages that can be sent between providers and patients. These regulations challenge the client’s or patient’s desire to communicate with their providers with the same messaging platforms they use day to day for general purposes.

Employees are using chat apps more often to perform their work

Organizational concerns about the use of messaging and chat apps are not necessarily motivated by fear of bad actors. Instead, leadership can simply feel unprepared because they are not aware of the apps that are restricted or those that are in use. The organization wants to give employees the leeway to use apps they know and enjoy, helping keep them happy and productive.

At the same time, many apps are not designed with enterprise monitoring in mind, leaving leaders to find novel ways to meet the associated compliance, discovery, and investigative requirements.


Popular apps are designed for ease of use, not compliance and litigation

The term is not intended as a slight, but many mobile messaging and chat apps may aptly be described as "consumer-grade." They are typically not built for enterprise communications and employee collaboration. They often lack controls essential to meeting compliance requirements and critical features such as legal-hold and surveillance functionality.

A plan for third-party applications is essential to legal and regulatory readiness and it may include white/blacklisting

A well-researched list of apps to use and apps to avoid, together with clear policies and direction for usage, is an essential tool for guiding employees at organizations operating in regulated industries. Either contractual terms or technical restrictions can be used as a framework for the development and maintenance of a list.

If an organization wants to provide the functionality to certain employees, the establishment of use policies can clarify access and restrictions, particularly when technology constraints limit monitoring capabilities.


Surveillance and collection methods exist for some messaging apps, but capabilities can change with updates

Monitoring of app capabilities is essential to help prevent a situation where an app that is used today becomes a potential problem with the introduction of a new feature, such as video chat. Along with policy and white/blacklisting, third-party monitoring applications can add support to strengthen surveillance capabilities and activities.

When facing the need to comply with regulations or litigation, organizations may need to look beyond the collectible message application data and consider various analyses to better understand an employee’s usage.


Our take

The spread of messaging and chat apps creates an imperative for organizations to understand and create appropriate policies for the use of these applications. And, while they open doors to new methods of communication, apps can also create risks. Mitigating those risks through effective management of messaging and chat activity is complicated by the speed at which applications can change.

For regulated companies especially, but also for any company that allows its employees to use these apps, exploring the art of the possible—identifying effective risk management avenues—can equip organizations to better address the proliferation of messaging and chat.

Get in touch

Michael Weil

Managing Director

Mike is a managing director and the Digital Forensics leader in the Discovery practice of Deloitte Financial Advisory Services LLP. He has more than 16 years of computer forensic examination experienc...