High-Profile Investigations by SEC, CFTC & Congress Target Mismanagement of Text Messages
This week, two high-profile investigations have highlighted the enormous financial and legal risks created by lax management of employees’ text messages, apps, and personal mobile devices in the workplace.
First was the announcement of a months-long probe by the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) of several Wall Street banks, which concluded that the banks had failed to comply with fundamental recordkeeping laws and regulations dating back to the 1930s and 1940s. The widespread non-compliance, which occurred at all levels within the organizations, stemmed from employees’ routine use of personal devices, email accounts, and text messaging apps for regulated financial transactions and related communications. The targeted institutions failed to maintain records of these communications and transactions as required by law. As a result, the two federal agencies imposed fines on them totaling one billion dollars to punish the recordkeeping violations.
At the same time, the U.S. House Select Committee investigating the January 6 attack on the Capitol has learned that the U.S. Secret Service purged critical text messages sent and received by agents protecting the President, White House, and Congress on January 5 and 6, after the Department of Homeland Security (DHS) Office of Inspector General (OIG) had requested those messages. The Secret Service explained that the destruction of critical evidence of events surrounding the attack on the Capitol occurred as part of a routine tech refresh that had been in the works for months. Without taking a position on the wisdom or timing of that effort, one thing is clear from both the Secret Service texting debacle and the banks’ regulatory lapses: in both cases, there apparently were no effective workplace policies in place to ensure that important organizational communications were kept separate from personal data and preserved for recordkeeping purposes; and if such policies were in place, they were not enforced.
Several lessons come out of these unfortunate revelations: First, as we’ve been saying for years, a Bring Your Own Device (BYOD) policy can be a bit of a Trojan Horse. The modest savings an organization might realize by shifting mobile device and service costs to its employees is more than offset by the potential legal and financial risks of lessened control over employees’ use of mobile devices to transact business.
By removing or diminishing enterprise oversight and control over mobile devices used for work, an enterprise is tempting fate. For example, what happens when a disgruntled employee leaves the company with their personal device and all the data on it? What happens if an employee who has access to corporate computing systems from their personal device downloads an app containing spyware, which works its way into your corporate network? And how does a regulated business or a governmental entity honor its obligations to maintain records in the ordinary course of business when employees are using their own devices to communicate with vendors, customers, and business partners?
Any organization that permits its employees to conduct business via text messaging or other mobile apps must have effective automated procedures in place to regularly archive and retain such electronic records for compliance, accounting, regulatory, and other reasons. Automatic archiving of text messages is widely available. Yet employees who use their own personal devices for business will almost surely resist it if it means that their personal communications saved on those devices will also be preserved for posterity.
There are applications and procedures aplenty to address these issues, and it is rather surprising that, at such high levels of business and government, these relatively simple and affordable measures have not been implemented. Don’t make the same mistakes.
Employees need to use mobile devices and services to work efficiently, but they should not use the same device for both personal and business use. All electronic business communications, regardless of the device on which they originate, should be retained for at least one year in a format that prohibits alteration or destruction. Any employee who is permitted to access enterprise data, including email, from a mobile device should be required to use a device that is controlled by enterprise IT and can be wiped clean, updated, scanned for malware, etc., by the organization at any time. Moreover, a Mobile Device Management (MDM) solution should be installed to ensure that each employee with a company-issued device is not using that device for unauthorized purposes, such as copyright infringement, personal social media interactions, or harassment. Enterprises should prohibit the downloading of any unvetted, unauthorized apps, and this prohibition should be enforced through the MDM solution.
As a condition of receiving an enterprise-subsidized mobile device, each employee should be required to agree in writing to the enterprise’s terms and conditions of mobile use. Those terms and conditions should address information security, good citizenship (e.g., silencing the ringer in meetings), risk avoidance (e.g., not using the device while driving), and cost control (e.g., using Wi-Fi wherever available). Finally, every enterprise should consistently enforce its policies to send employees a clear message that it takes those policies seriously. Laissez-faire management of mobile devices can have real consequences, as recent developments remind us.
You may also enjoy Kevin’s related podcast, where he discusses this matter with TC2’s Joe Schmidt. If you would like more information or have questions about this matter, please feel free to contact this article’s author, Kevin DiLallo.