“Text Messaging Can Expose Your Company to Significant Risks”: In this article, Mike Pagani explains that texting is quick, easy, reliable and efficient — but if it’s used for official business communications, it can create tremendous risk for a company. Organizations of all sizes need to put the right policies in place, and implement automated text archiving and supervision systems as soon as possible—before it’s too late.

Texting is simple, concise and supported by virtually every mobile device, operating system and wireless carrier. This makes it the go-to preference employees need to communicate with their colleagues, customers, or prospects in a time-crunched, always-connected society.

Ungoverned Text Messaging is a Growing Concern

Even though texting is quick, easy, reliable and efficient — if it’s used for official business communications, it can create tremendous risk for a company. When you consider the countless regulatory, legal and general risk and brand management challenges that companies must manage today, you might think email and other “official” communications using social media accounts and corporate websites are the only content types that need to be archived or actively supervised. Although its use by employees for official company business is often prohibited by organizations, the reality is text messaging does get used and therefore should be governed the same way as all other channels. Sending text messages between mobile devices is now one of the key ways that employees connect with each other and customers, and these records need to be maintained for completeness.

Compliance, legal, IT and risk and reputation professionals across a variety of litigious and regulated industries are now realizing that proactively automating the archiving and supervising of text messages is necessary to mitigate the myriad of potential risks arising from their records retention and oversight practices not keeping pace as employee use increases. Text messaging without proper governance is a major gap that can no longer be ignored.

The following considerations have organizations of all sizes concerned about meeting the recordkeeping challenges related to text messaging:

  1. Text messages must be kept in a searchable format that cannot be tampered with, destroyed, or otherwise disposed of by anyone deliberately, or accidentally. Text messages must also be produced in a timely manner for e-discovery, public records requests, and regulatory examinations or audits to meet firm deadlines.
  2. A company may operate a tremendous number of mobile devices through contracts with one or more carriers, and erroneously assume text records are being retained by the carriers. Carriers typically only keep text messages long enough to ensure delivery to all parties before deleting them from their systems, and they aren’t obliged to provide records of them, either. The responsibility for retaining and producing requested text messages lies with the organization that creates the records.
  3. Organizations can no longer say “we didn’t know” as an excuse to avoid archiving and performing proper oversight of text messages. Several well-publicized cases involving text business messages that have been lost, altered, or mishandled in the public sector, financial services, and other industries have alerted us all to the fact that these types of messages must have proper oversight. The good news is organizations that aren’t yet retaining text messages will find they now have many technology options to take care of the issue.

Following email and social media, SMS/text messaging is perceived as the next biggest source of compliance risks by compliance professionals in the financial services industry. The Smarsh 2017 Electronic Communications Compliance Survey Report revealed that when SMS/text messaging is allowed for business communications, nearly half (48%) of firms said they still do not have an archiving/supervision solution in place. In addition, over two thirds (67%) of respondents said they are not confident that they could prove the prohibition of text messaging for business purposes is working.

In highly regulated industries, text communications need to be retained and supervised. For instance, financial services firms are required by the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) to archive and supervise electronic communications used for business purposes, including text messages—and recent surveys show firms are not confident that they can adequately meet those requirements.

Not Just Compliance Risks – Legal Risks Too

Text messages can also be requested as part of an e-discovery or litigation event, since texts are often considered relevant electronically stored information (ESI) within an organization. Many courts compel the production of texts in civil litigation, if a mobile device is believed to be the source of relevant text messages – regardless of whether the device and account used is owned by the individual or the business entity.

While other forms of electronic communication, including email, are relatively straightforward to collect, archive, and extract, text is different. Companies must now figure out how to collect and preserve data from numerous devices, operating systems, and device ownership scenarios. It does not matter if an employee uses a corporate-issued device, a personally owned device, or a combination of the two for business-related texts. All devices and messages they produce are fair game for discovery in litigation if they contain relevant business communications.

If a company’s legal team cannot find, preserve and produce text data in real-time, and respond quickly and completely when asked to search and produce specific text messages for discovery events and litigation, the organization may face legal consequences related to data spoliation, missing records, or failure to produce requested data—not to mention high legal fees.

Be Proactive with Text Message Compliance and Risk Mitigation

Archiving, monitoring and producing text message data needs to become a core part of your overall electronic communications risk-based surveillance preparedness. Organizations of all sizes need to put the right policies in place, and implement automated text archiving and supervision systems as soon as possible—before it’s too late.

An important component of the chosen solution is the ability to archive the text messages directly from mobile carriers for employer-issued devices or using a device-resident BYOD containerization application for personally owned devices alongside all your other electronic communications content. Text messages should be governed the same way as email, social media, websites, instant messaging and collaboration platforms — to give compliance, legal, and risk and reputation professionals the ability to supervise and produce these records in one place, with a common user and administration interface. Implementing point products and systems for specific content types leaves gaps and creates separate silos of information. This greatly complicates the process of searching for, and producing, a complete set of records when the need arises.

When a company has access to these content types with a single comprehensive archiving solution, conversations can be monitored from a broader and more holistic perspective. For instance, conversation threads can be followed easily when a discussion starts on social media, moves to email, and concludes in text messages.

Businesses that recognize the benefits of comprehensive archiving will reap the rewards almost immediately when they implement it by allowing their employees to take full advantage of the productivity that text messaging provides while staying compliant and managing the risk out of it. Others that leave text messages out of their electronic communications compliance strategy, or implement multiple point products to try and address it, will lag and be playing the odds — at a time when compliance examinations, litigation procedures and the importance of brand reputation and risk management are more central than ever to business success. It’s time to stop ignoring the issue and take the proper measures to enable your employees to get the full business benefits of using text messaging while making its usage compliant and safe in the process.


Mike Pagani

Mike Pagani is the Senior Director of Product Marketing and Chief Evangelist for Smarsh. Mike is a seasoned IT professional and recognized subject matter expert in the areas of mobility, identity and access management, network security and virtualization. Prior to joining Smarsh in November 2014, Mike held executive-level corporate and technology leadership/spokesperson roles for Stay-Linked, Quest Software, NComputing, Dell Software and others.

Related Post

Got Compliance News?

We do!  Sign up for CCI’s free weekly eBlast to get GRC news, views, jobs & events delivered to your inbox once a week.  Cancel anytime.

Click to Subscribe.