Ensuring collaboration tool compliance and governance

Collaboration tool compliance and governance have grown increasingly complex as organizations adopt cloud-based tools that generate different types of content and data.

The growth of collaboration tools means employees are communicating beyond voice, email and chat. They are also creating and using a variety of collaboration content, including meeting recordings, whiteboard content and even emoji. All that content can become unwieldy if organizations don't have a strategy for proper storage, search and archival.

Organizations without a proactive collaboration tool compliance and governance strategy risk losing control over content, incurring regulatory fines and suffering data leaks. They must be able to capture collaboration content in a compliant manner, especially when the use of nontext media can affect the context of a conversation.

"We've seen legal cases where a rocket ship [emoji] has been deemed to be investment advice that's encouraging to invest," said Stacey English, director of regulatory intelligence at Theta Lake, a collaboration compliance and security management platform.

Email, video meetings and screen sharing are the most commonly captured communications for compliance, according to a Theta Lake study of 600 IT and compliance professionals. Whiteboard content and emojis are the least captured communication content. For some organizations, data capture is a matter of priority.

"Do you worry more about the emojis being used in IM, or do you worry about your system not being compliant because it's leaking PII [personally identifiable information] left and right," said Christophe Bertrand, practice director for data protection, data management and analytics at TechTarget's Enterprise Strategy Group (ESG).

Challenges facing collaboration governance and compliance

Many compliance tools haven't caught up to collaboration feature advancements and the different modes of communication. The infrastructure behind most compliance tools is built to record and capture email or voice communications, English said. This can lead to compliance gaps if organizations don't have a way to record and capture video or whiteboard content.

Collaboration tools themselves can also create their own governance and compliance headaches. Most collaboration tools are SaaS-based, which means vendors are constantly pushing out new features.

Compliance teams that may have initially approved a tool may not know when a new feature is rolled out to end users, said Brian Mannion, chief legal officer at Aware, a collaboration governance, compliance and monitoring platform.

For example, many collaboration vendors are adding new AI features. But vendors aren't always clear about how user data is training their AI models and how they store that data. Even though a compliance team may have reviewed and approved a collaboration tool, that team may not have had the chance to review whether the data generated by the AI features meets governance and compliance standards, Mannion said.

"[Tools are] updated daily and not in your data center," he said. "I think new features and video [are] probably the place where legal teams are the most uncomfortable."

Managing PII in public cloud services is also a challenge for organizations, Bertrand said. About 44% of organizations said the public cloud has made managing data governance more difficult, according to an ESG data governance study of 376 organizations. One-third of respondents said they could not search, discover or manage personal data stored in the public cloud.

"That's a big issue," Bertrand said. The objective of compliance strategies should be that all personal data can be searched, discovered and managed, regardless of whether the data is stored on premises or in the cloud, he said.

The risks of not having a proactive strategy

External compliance and governance audits have become normal practice. In the last three years, organizations have had an average of seven audits by outside regulatory agencies and failed an average of two, according to the ESG study.

While failing an internal audit can provide an opportunity to improve compliance and governance, failing an external audit has consequences, Bertrand said. These consequences could include fines, increased costs to fix compliance gaps and loss of reputation.

Some organizations may think that turning off certain collaboration features addresses governance and compliance gaps. According to the Theta Lake study, more than two-thirds of organizations reported disabling collaboration features, including in-meeting chat, comments on files and screen sharing.

But disabling access may push employees to unsanctioned apps where organizations have no control or visibility.

"You're creating this unmonitored environment, and you have no idea what your staff are doing," English said.

Several large enterprises have paid fines after employees used consumer communication apps, like WhatsApp and Signal. Wells Fargo, for example, paid $125 million to the Securities and Exchange Commission after an investigation found the financial services firm used WhatsApp to conduct business communications. The firm also violated regulatory requirements by failing to retain or archive WhatsApp messages.

Creating a user agreement that's clear and concise is one way to prevent employees from using unsanctioned tools, Mannion said. These user agreements should explain how to use a collaboration tool and what employees can and can't do.

But organizations aren't just risking fines if employees move to unsanctioned apps. They're also risking not achieving ROI on their tools, Mannion said. Collaboration tool deployments can be costly. If they're not managed properly, employees might look for other apps that make their jobs easier. That lack of user adoption translates to not seeing desired ROI, he said.

IT and compliance teams must work together

A key feature of a proactive collaboration tool compliance and governance strategy is a strong partnership between IT and compliance teams.

Many organizations use multiple collaboration tools to serve different communication needs. The IT team responsible for managing collaboration deployments has the best knowledge of how tools are used by employees. IT is also responsible for managing app data collection, storage and access, which is key for compliance teams when data must be pulled and presented for compliance needs, Mannion said.

High-level executives are also getting more involved in compliance and governance strategies, Bertrand said. This benefits cross-functional teams because executive-level visibility often means more funding for compliance and governance projects, he said.

Katherine Finnell is senior site editor for TechTarget's Unified Communications site. She writes and edits articles on a variety of business communications technology topics, including unified communications as a service, video conferencing and collaboration.