Instant messengers have become very popular in the workplace, not just for chatting with friends but also for conducting business and connecting with colleagues. A recent study estimated that nearly 70% of employees use instant messaging applications installed on their phones to handle official duties.
That instant messaging applications are the most commonly used communication tool for work may not be surprising, but fewer people know that although some mainstream communication applications provide end-to-end encryption, some other popular communication apps do not.
From the perspective of the law, professional ethics, and security, the popularity of instant messaging applications has indeed brought major new challenges that cannot be ignored for lawyers and law firms.
Confidentiality is undoubtedly an important rule that all lawyers must follow. However, instant messaging can easily lead lawyers to inadvertently disclose confidential and/or legally privileged information to third parties. For example, while being installed on a mobile phone, an instant messaging app may request access to the contact list stored on the phone so that it can upload the entire list to its server.
Therefore, lawyers who use these applications may share their clients’ personal data with third parties without their knowledge. If the mobile phone is provided by a law firm and contains a list of clients and individual lawyers, the risk posed by this problem will be even greater.
Legal privilege risk
In this fast-paced digital age, clients increasingly expect to be able to contact lawyers through the communication channel of their choice no matter when and where. For example, Mainland Chinese clients usually want to communicate with lawyers through one of the most popular communication apps in the Mainland. However, lawyers should note that this application does not provide end-to-end encryption for communication content.
What’s more, all conversations and posts conducted on the social media platform can be used as evidence in court in the Mainland. Therefore, if the client insists on discussing matters (including potential or current litigation matters) through the application, it may mean giving up the legal privilege of such conversations.
To prudently maintain confidentiality and legal privilege, law firms can consider adopting strict rules, such as prohibiting lawyers from discussing cases with clients through instant messaging programs, so that lawyers can communicate with clients in a confidential manner and their ability to formulate relevant strategies is not affected.
Data retention risk (for records)
Law firms should review their internal policies to determine the best way to deal with lawyers leaving their jobs, and pay particular attention to issues such as mobile devices and data management. It is important to note that when a lawyer resigns, the conversations and working documents stored in his mobile device may be taken away.
Therefore, law firms must consider establishing a backup system to archive work-related information stored on personal communication devices, including chat histories; otherwise these documents and conversations may be lost when the lawyer resigns. If the departing lawyer moves to a law firm that is a business competitor, the problem becomes more serious.
Document disclosure risk
Lawyers should also note that they have a responsibility to inform clients of what information they must provide during the document disclosure process in litigation. Although some of the more popular communication applications do not store the user’s information on their servers (so service providers can only hand over metadata to the court or the police), clients can still choose to back up the information in the cloud.
However, it is actually quite difficult or almost impossible to determine the location of the cloud server and the degree of data protection obtained by the backed up messages.
For many (especially smaller) law firms, it can be a major challenge to supervise and/or monitor business communications for all lawyers who use third-party communications applications.
Instant messaging management technology allows management to monitor the use of instant messaging and block content that does not comply with policy requirements. It also provides retention and storage of messages, and virus detection functions.
This technology allows law firms to monitor their usage while allowing legal and non-legal employees to communicate with the outside world through instant messaging applications. If the law firm has not yet adopted the technology, it should consider whether it is cost-effective.
Second, law firms should review their internal IT policies. If the current policy does not clearly specify the risks involved in the use of instant messaging, the firm should update its related policies. Some suggested measures include:
- Restrict (or go so far as to prohibit outright) the types of documents that employees can send through instant messaging applications
- Define the appropriate way to use instant messaging in the workplace and during client communication
- Install location tracking devices in all technical equipment
- Make specific settings on the device to remotely erase the stored data when the device is lost or stolen
- Confirm the scope and type of instant messaging application monitoring that the law firm should adopt
Depending on its size, a law firm may also consider setting up its own enterprise-level communication application. The benefits of this move are numerous, including encrypting each device with its own independent key so that messages and data can be protected during transmission, setting up secure cloud storage, and giving the firm complete control over and management of all data permissions to ensure that no outsider can obtain such information.