Encrypted Messaging Apps Create New Data Privacy Headaches for Employers
Businesses have largely benefitted from the proliferation of mobile devices and text messaging apps that facilitate quick, round-the-clock communications. However, such technologies also make it increasingly difficult to monitor and control the unauthorized distribution of confidential data. On March 30, UK regulators fined a former managing director of Jefferies Group for divulging confidential client information. The banker, Christopher Niehaus, shared confidential information with two friends using WhatsApp, a popular text messaging app. The exposed information included the identity of a Jefferies Group client, the details of a deal involving the client, and the bank’s fee for the transaction. Perhaps the most surprising aspect of this story is that the leak was discovered at all. Because data sent on WhatsApp are encrypted and Mr. Niehaus used his personal mobile phone to send the messages, Jefferies Group only viewed the communications—and subsequently informed regulators—after Mr. Niehaus turned his device over to the bank in connection with an unrelated investigation.
Many employers use tools to monitor data sent to and from company-owned devices and e-mail accounts. However, companies cannot read messages delivered on programs offering end-to-end encryption, like WhatsApp or Apple’s iMessage, even if the information is sent on a company-owned device or network. Therefore, policies and tools intended to protect confidential information can be circumvented by employees using common texting apps. These technologies, which are typically free and easy to obtain, are causing headaches for employers across the country. For instance, recent media reports suggested that employees at the Environmental Protection Agency used Signal, an encrypted texting app, to surreptitiously strategize to undermine the current administration. According to other reports, White House press secretary Sean Spicer suspected his aides of using encrypted texting apps to leak information to the media.
Companies utilizing “bring your own device” practices face even greater risks. Even though end-to-end encryption may safeguard data from hackers, confidential information is often exposed when a device is lost or stolen. In fact, more data breaches are caused by lost devices and employee errors than third-party attacks. Employers can crack down on unauthorized communications by taking steps like disabling the installation of third-party texting apps on mobile devices. However, such measures may be extremely unpopular with employees who use their phones and tablets for both work-related and personal communications.
Given the growing popularity of encrypted texting apps, employers need to accept that they are not able to monitor each and every one of their employees’ electronic communications. Businesses should not over-rely on data monitoring tools to secure sensitive information. Instead, it is more important than ever to enact and enforce up-to-date confidentiality policies. Employees may not understand that workplace confidentiality policies extend to communications on personal devices. Employees should be reminded to treat text messages like public in-person conversations and refrain from discussing confidential information on text message apps—even when conversing with clients or business associates. Employees should also be informed of the extensive damage a data breach can cause. Additionally, while employees may prefer using encrypted texting apps like WhatsApp and iMessage, businesses should consider offering internal messaging programs and encouraging their use for all work-related communications. Now more than ever, training employees to maintain confidentiality and make smart decisions is the most effective method of preventing leaks.