In today’s digital age, communicating between colleagues in the workplace is easier than ever before. Instant Messaging (IM) tools such as Slack, Microsoft Teams, and Google Hangouts allow employees to quickly chat, share documents, and create meetings efficiently. While IM and traditional email platforms have similar operations, IM streamlines the process by showcasing message threads directly on the user’s screen rather than going through an inbox. For this reason, companies are increasingly choosing IM over email to perform daily tasks and improve productivity. Companies are now quickly scrambling to understand the risks associated with these tools and how to implement solutions to mitigate these risks.

Common Risks

Because these IM applications are so easy to use, it can be easy to ignore the legal and cyber threats they pose. A few of the most common risks include eDiscovery difficulties, vulnerability to hackers, sharing of confidential or sensitive information, and noncompliance with workplace policies.

  1. Electronic Discovery

In the event of litigation, companies without IM retention policies may have to search through a large amount of information that isn’t easily searchable. If companies can’t separate these messages, they might be required to produce everything, including non-relevant or non-discoverable information, presenting the organization with many unknowns and potential exposure to additional risk. Fortunately, many of these IM tools allow companies to customize their eDiscovery settings to define what data should be stored and extracted.

  2. Workplace Conduct and Compliance

Because the IM interface is visually similar to text messaging interfaces with scrolling message threads, users tend to associate the two and use them interchangeably. This can lead to employees sharing personal conversations, inappropriate content, and sometimes hostile language through IM. Not only does this decrease productivity, but it can also result in harassment and misconduct lawsuits. Companies can create strict content policies and provide training in order to prevent these workplace liabilities. Great memes and GIFs come with great responsibility.

  3. Security Threats

IM software is easily susceptible to malware, viruses, and hackers. Employees will often use IM to share documents, client data, or other sensitive company information that then becomes susceptible to these hackers. This could lead to information falling into competitors’ hands or even personal data breaches affecting employees and clients. Fortunately, companies can increase IM security by installing anti-malware software, encrypting any data sent via IM, and creating policies for information transactions.

One example of an IM security breach occurred in March 2015 when Slack was hacked. They were quick to reset the passwords of the impacted users and all went back to business as usual. Four years later, in July 2019, Slack discovered that a number of user accounts linked to the 2015 hack had been compromised by a keylogging code that hackers used to read passwords as users entered them. Slack has addressed the situation and said that just around 1% of users fell into this category.[1] Although this breach was relatively small, it shows just how long security breaches can go unnoticed.

The information shared via IM applications is not just vulnerable to hackers but also to anyone on outside networks. IM is available to users on mobile devices and personal computers that fall outside of company firewalls and protections. If an employee accesses the IM mobile application on a public network, the information becomes overwhelmingly vulnerable. Companies should create workplace-only policies and remind employees that IM should be used for business purposes only and nothing personal. If an employee needs to communicate with the workplace while they are out of the office, they should use email, not IM.

IM Management to Mitigate Risks

There is no doubt that IM applications have many benefits. Companies just need to make sure that they are taking reasonable precautions and are prepared in the event of legal and cyber issues. Two of the most important defenses are record retention policies and training.

As a matter of policy, companies can restrict the information that may be shared or communicated on these tools. For example, they may create a prohibition on conducting business, communicating with clients, and sharing proprietary or confidential information via IM. This will force users to keep most records outside of the IM system. The remaining content in IM should then be evaluated to determine what can be categorized as a record. Once the record content has been defined, companies can alter their eDiscovery and retention settings within the IM tool. These records should be kept in accordance with the company’s records retention schedule. This will help decrease the amount of secure information stored in the application, reduce the message clutter that results from message threads, and prevent workplace litigation by improving the eDiscovery process. Most IM applications have general settings for retention policies that allow you to purge all information after a specified amount of time. This specified period should be kept as short as possible. If companies require a more detailed retention policy, they should consider incorporating specific provisions as part of their electronic records management policy.

However, none of these practices will be beneficial unless the company trains its employees. Companies should implement IM policy training upon hire, as well as annually or semi-annually to ensure that it sticks. Employees need to understand how to use IM appropriately, where to use it, and why it matters. They must understand that in today’s digital age, workplace gossip has moved from the water cooler to IM and this can be dangerous for everyone. When in doubt, don’t send it out. Utilizing all of these practices and precautions could save the company money, time, and stress. Never underestimate the power of an IM record retention schedule.

For assistance with IM record retention schedules, contact Zasio today.


[1] Whittaker, Z. (July 18, 2019). Slack resets user passwords after 2015 data breach. TechCrunch. Retrieved from


Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.