Communication methods and options for enterprises
Have you ever been in a conversation at work where someone says “let’s switch to text”?
Let’s say you switched to text; are you using a Company device?
During COVID, it became increasingly popular to find alternate communication means to connect with employees for a variety of reasons. For a majority of employees, the reasons were far from nefarious, and included things such as ease of connectivity or the lack of immediately available technology to use for calls or texts.
However, we’ve seen recently that some individuals have utilized personal messaging applications on personal devices to draw attention away from monitored devices that can report potential company noncompliance to leadership and HR. United States Regulatory Agencies have made it abundantly clear that this practice needs to come to an end, or companies will face steep penalties as a result.
One pitfall we’ve seen a lot of our clients fall into is discoverability: an audit agency comes knocking to get information on data privacy and cybersecurity practices, the documentation isn’t sufficient, so the agency requires alternate information and communications to supplement its understanding of what’s going on at your company. This can come in the form of a subpoena for company chats, emails, meeting recordings, etc.
We understand that in order to conduct business, you have to have conversations, some of which are tough ones weighing legal requirements with business generation requirements. So what are you allowed to use as means for communication at your enterprise? Below are our recommendations for how to communicate appropriately and effectively, within your rights as an enterprise.
The basics
Be professional
Let’s be honest - we’ve all written something we shouldn’t have before. Whether it be on social media, or in private messages, I’m sure we can all think of something we’ve sent before and then thought “hmm… should I have said that?”.
While it’s easy to fall into patterns of familiarity and informality with coworkers, especially those we work with on a day-to-day basis, our number one recommendation is to keep all your work communications professional.
Here’s an example chat between an Information Security analyst and a technology Product Owner:
PO: Hey! Found something weird in one of our products - some outside, unknown resource keeps trying to gain access to our application.
IS: strange - let’s take a look
PO: sure hope our senior engineer installed the right security features before we pushed to production haha
So what’s wrong with this chat?
A few things stand out immediately - first, the PO’s comment about security features being installed prior to the production push. While this statement probably isn’t meant to suggest this, it implies not only that this team doesn’t take company policy around production changes seriously, but also that a potential security event isn’t a big deal.
Additionally, something we see quite frequently, and usually by accident, is stating a definitive problem before there is one. The tone of this conversation indicates they are very early into researching what the alert they’re getting even means, yet the PO definitively pointed towards a potential issue from a malicious actor from the beginning.
You may find out 10 minutes after looking into the issue that this isn’t what you think it is at all; but it’s been memorialized in writing that there was a potential malicious actor in your system. This information is discoverable, and once provided to any audit body, is completely up to their interpretation.
Keep nonpublic conversations in person
During COVID, it was nearly impossible to get in person time with anyone, especially decision makers at your enterprise. It became much more commonplace to memorialize a lot of enterprise decisions in writing just by utilizing alternative communication means when face-to-face wasn’t available.
Now that many employees are returning back to the office, it’s never a bad idea to encourage them to have conversations in person. We understand the need to memorialize decisions, but the lead-up to those decisions can easily be worked through in a setting that requires less documentation of the efforts leading up to that point.
Individuals working directly with enterprise Legal departments frequently find themselves in situations where they are brainstorming solutions for new compliance programs against existing technology infrastructure - this is an example where there are a lot of conversations, questions, and discussions that can happen in person, and don’t need to be memorialized in writing.
When we rolled out a privacy solution for an enterprise in 2019, we hosted in-person office hours weekly to allow anyone to come ask questions they had about how they were allowed to approach the implementation of privacy rights within their systems, allowing consumers to know, access, and delete the information inside those systems at their request.
There were hundreds of conversations that occurred during those office hours that we wouldn’t necessarily want memorialized; the entire topic was so new, we frequently discussed things like what the company policy was, and what allowable exceptions to policy would be as we marched towards 2020. We also didn’t know 100% ourselves how the new programs would shape up and look. We reached a solution we were incredibly proud of, and documented extensively the process steps taken to ensure compliance with all applicable laws; that being said, we’re also happy that we don’t have hundreds of emails out there phrasing questions the way we got some of them, such as “why should I have to do any of this compliance work when the business work I do is so important?”. As a business, that is a valid question for your technology teams to be asking. It’s just equally important that your compliance teams have the right backing to prioritize and implement effectively in tandem with business objectives.
The short of it: you can get to the same place without everything documented to death, and documenting everything may end up hurting you in the long run if it isn’t done strategically.
Encourage your doers to meet in person, and escalate finalized plans to decision makers the same way. Documentation should exist when it’s final and signed off on by senior leadership, and not widely accessible before that point.
Being careful about definitive statements
We mentioned this above, but this is good practice for anybody communicating in professional or personal settings. It’s far too easy to state things in slightly exaggerated terms, or as fact when they’re largely based on our perception of the event. We can’t help ourselves; it’s something humans will always tend to do.
In professional communications, though, you may run into situations, especially in moments of panic, where individuals use easy communication methods (chat, email, text) to communicate an emergency in very definitive terms: anything that would prompt the recipient to drop what they’re doing. For example, some of the ones we see all the time are:
The entire consent system is down and nobody’s decisions are being processed
We’re losing revenue every minute this system is down
Nobody can log into their computer or do any work for weeks if this happens
We’ll just fix it later, it’s not really a big deal (referencing a data error remediation)
Clients can’t make payments, but we’ll be back online tomorrow
None of these situations ever resulted in a material impact to business revenue - none even escalated further than director-level involvement. But those chats forever indicated that there was definitively an issue, and that it interrupted critical business operations. Since the chats weren’t deleted, they popped up during audits, and there were plenty of questions around the intention behind the wording. It became an uncomfortable situation for everyone involved, and costly for our client, who had to continue litigating concerns raised with enforcement agencies.
Attorney-client privilege and attorney work products
If you’re lucky enough to be working with an attorney, you may qualify in some instances to protect your communications and documentation from discoverability through attorney-client privilege or attorney work product.
Attorney client privilege
Attorney-client privilege may only be used when an individual is directly seeking advice from legal counsel pertaining to a matter they’re representing on behalf of the enterprise.
For example…
A senior leader is responsible for overseeing the project timelines for implementing a new security standard at an enterprise. They email an in-house attorney who has been involved in brainstorming discussions and ask them whether it’s okay to push back an implementation deadline for a week due to unforeseen complications moving from dev to beta environments.
Is this attorney-client privileged?
YES, if…
The senior leader puts “Attorney-Client Privileged” in the email; ideally, at the beginning of the subject line or at the top of the email
The attorney is being directly asked to weigh in on the matter
If a communication is attorney-client privileged, it is not required to be produced unless the privilege is challenged during discovery. A common way to invite such a challenge is putting “attorney-client privileged” on every email an attorney is copied on, hoping the label alone protects the communication.
Situations where attorney-client privilege will not hold up in court:
Communications where the attorney isn’t being asked directly for advice
Communications that have gotten too large; privileged communications should be kept to 10 or fewer recipients at the most for a multi-thousand employee enterprise
Communications to an individual supporting an attorney (such as a paralegal or compliance strategist)
Communication threads where an attorney is added later to the party to privilege the prior messages
Attorney work products
In-house counsel cannot be expected to, and should not necessarily have the expertise to, take all of their legal analyses and turn them into actionable technical or business strategy; that is why a variety of product and compliance management roles exist within organizations.
Attorney work products do not retain their protection from discovery as well as attorney-client privilege does, but they are an effective means to produce documentation that can be distributed to larger groups internally while protecting that information from initial discovery.
Examples of attorney work products:
All of the following types of documents can be labeled as attorney work product, but there should be documented evidence that an attorney gave the directive to produce the document:
Architecture diagrams
Data dictionaries
Process guidebooks
Roadmaps and product strategy deliverables
When attorney work product privilege won’t hold up:
It’s used too frequently or for the wrong audience, for example on every weekly status update to the technology employees on the project
Documents not created at the direction of counsel
Documents not pertaining to legal advice, questions, or strategy
So what now?
You probably read something in this post that made you uneasy; frequently, enterprises have too many employees to closely monitor and ensure 100% compliance with communications policies and professionalism across a multitude of communication channels. The biggest hurdle to overcome is changing the communication culture at your enterprise.
Digital Minion has experience working with many Fortune 500 companies that are growing and evolving quickly and finding an ever-growing need to tighten up communications at their enterprise. Contact us today to learn more about how we can make the change efficiently and effectively for you.