Perspective in Practice: The Risks of Free-To-Use Messaging Apps
By chance, I was contacted yesterday with a query about the use of apps (like WhatsApp) and ‘basic’ text messaging as a form of general communication between clients and service providers. I had intended to produce an article on this very subject in any case, but yesterday’s enquiry accelerated the process!
Appreciably, communication by text message or other proprietary app is commonplace. Indeed, I’ve lost count of the number of times that taxis and carriers/courier services have dropped me a line using this technology to let me know that they are on their way. The same can be said for utilities providers and others who interact with us as private individuals, and businesses, on a daily basis.
Some organisations take the process of communication by text message/app one stage further, by making it part of an authentication process. However, as we know, at least one bank found out recently that such methodologies can be far from perfect.
But, the context of the query I received yesterday was in respect of legal organisations making use of text messages and WhatsApp as one of the main sources of communication with their clients. Clearly, this is an area where the confidentiality of information is critical to the point that it is legally privileged and regulated.
At this point, I must emphasise that I have never had a bad experience or as far as I know, had my data rights breached through the use of such messaging systems or by their proprietors. I’m a WhatsApp user myself, under certain conditions, and 95% of the time I find such services to be very useful.
But, would I use such services for the exchange of important client documents? That’s an entirely different proposition.
Bearing in mind also, that it's not just documents, but personal data too, that is in play here.
There are arguments relating to the benefits of the use of systems like these and their prevalence in everyday life can't be ignored.
But, where extensive or confidential documentation is regularly and repeatedly transferred through such media, there is a smorgasbord of risk management aspects to consider, about which I would offer 4 words of caution: “handle with (great) care”.
First of all, we have to consider the journey of our data when we use such apps. Do we have sufficient understanding of the organisations involved? WhatsApp for instance, is linked with Facebook and also has links with the US, which has data protection regulation outside of the EU’s GDPR.
Of course, some messaging services have licensing agreements that state they will comply with the requirements of the GDPR. Other messaging services will tell you that they are highly encrypted and therefore ‘safe’. Hmmmmm...
However, even if we lived in a make-believe world where encryption methods are infallible, and technology never malfunctions and passwords are never revealed/broken, there are other weak links and risks that can creep in.
What follows is a checklist of sorts; points for consideration that will affect many organisations that use messaging services to communicate with their clients, but legal practices in particular, might find this thought-provoking.
Organisations need to map their data so that they clearly understand at least a baseline of critical aspects about the data they hold, including: what they’ve got, why they’ve got it and what they're going to do with it, the legal basis for processing it (see Article 6 of the GDPR), where they got it from (see Articles 13 and 14 of the GDPR), how it is kept (e.g. on paper, electronically, emails, notebooks, etc.), the location (e.g. servers in the UK, filing cabinets in the office, on a consultant’s laptop, in a case management system which is backed up in Australia), who has access to it (and why), how long it will be kept, when its status will be reviewed, and what its risk level is (also considering Articles 9 and 10 of the GDPR).
At PDA, we’ve mapped the data for dozens of organisations and have yet to leave an organisation unsurprised as to the extent of the data they actually hold. Take for example ‘simple, old fashioned’ HR data; not many people are aware that most organisations hold at least a dozen tranches of data about their employees alone, and each of those also has separate laws and regulations in addition to the GDPR to consider. You can swiftly appreciate how this quickly unfolds into a complex task.
At PDA, we like to summarise the mapping of data (and more besides) on an Information Asset Register, usually in the form of a dashboard (an Excel file). Mapping data is going to be especially important in the face of uncertainty over Brexit; but that’s a story in its own right, for another article.
So, having understood what data an organisation holds and how it is used, it becomes possible to put in place controls to manage and protect it. In considering the true extent of this, the implications are enormous.
Some points to consider:
If the data is being transferred to or through a 3rd country (outside of the EU GDPR area) there should be a policy reflecting the risks and controls for this. Are you clear as to the conduits for the transfer of the data you send using messaging services?
Apps like these are, for all intents and purposes, ‘software’. So, have you recorded the software that you are using in a register? Threat Actors (‘hackers’) exploit vulnerabilities in old versions of software to mount attacks; you need to be sure that your version is the most up-to-date.
That goes for all of the software in your network. One of my colleagues has the expertise to shut down an office network simply by accessing the office printer; all he needs to do so is to be presented with access to the 'guest wifi' at the office.
And, don’t forget the operating systems (desktop, tablets, mobile devices, etc). The security features of the latest version of an app can be rendered useless if the underpinning operating system is out of date.
Who does the device belong to? It’s irrelevant whether the device is owned by your business, is an ‘own device’ of a member of staff, or belongs to a contractor/consultant/agent; it is still data that YOU are responsible for (as the ‘Data Controller’) that is being transmitted.
With that in mind, what level of control do you actually have?
Do you have procedures to manage how long the information will be held on the device(s) and how it is shared and how it is deleted?
If used by staff on their own devices or by consultants/agents, this really should also be recorded on the firm's software asset register; otherwise, how can you be sure that the software is up to date?
And, what happens if that member of staff (or consultant) leaves the employment/service of the firm; how is the data removed and destroyed then?
If the case/client management system will not automatically integrate with the messaging system being used, what methodology do you have for recording the content of the messages so that they appear in the case management system?
Perhaps one of the biggest challenges is that because this kind of technology is so widely used, many individuals (and especially clients) could assume that it's ‘OK/safe’ to communicate in this way. For all of the above reasons, ‘safe’ is not an appropriate term to use; there is significant inherent risk communicating in this way and this needs to be communicated to clients.
In the event that a messaging system is used even only to briefly respond to a prospective client, they still need to be told about their rights as data subjects (because the organisation now has, at least, their telephone number).
Appreciably, some clients might insist upon using such services. Perhaps in matrimonial matters (where post could be intercepted by the other side) or where clients do not have a fixed postal address, or where clients want fast news for conveyancing matters. For these reasons, if such messaging services are deemed appropriate, the risks need to be clearly set out for the benefit of both the firm and the client at the outset of the matter. And, it would be sensible for a record to be kept on file as to the client’s instruction to the firm that they wish for the firm to use this type of communication with them.
It would be well to ensure that the use of such systems is considered/recorded (in addition to the documents listed above) in your:
- Risk register;
- Strategic plan, as part of the consideration is 'how client groups are going to be served' and, if the use of messaging is becoming widespread in your firm, you might need to conduct a Data Protection Impact Assessment and link it to the strategic considerations;
- Appropriate training for staff (and I would suggest the inclusion of consultants and agents in this) in data protection, information security and appropriate training in general. SRA Mandatory Outcome 7.6 is clear on this aspect;
- Procedures for identifying and managing Data Subject Access Requests (which, under the new regulations, no longer have to be in writing; they could come via a messaging app). This is a substantial area of risk; see my other article here.
- The business continuity plan (in the event that a messaging system ‘goes down’ or devices are lost/damaged/stolen and communication with the client is therefore ineffectual or interrupted).
- The list and communication of generic risks pertaining to certain types of matter/law;
- Policies and procedures for client care and communication with clients and standing terms of business;
- File review checklists; as a procedural check of client consent to use the messaging system and that copies of the messages are being stored on the case management system.
Where messaging apps are used to communicate with outsourced providers, this should be appropriately (not ‘reasonably’) managed and protected pursuant to compliance with Article 28 of the GDPR (for all organisations) and additionally for legal organisations, Indicative Behaviour 4.3 of the SRA's 2011 code of conduct.
Where such systems are used to communicate with experts and counsel, this should be appropriately documented and controlled in the procedures for use of counsel and experts. And, if your firm uses such services, what checks/assessments have you documented as to the effectiveness of the controls that the counsel/experts/Chambers have in place themselves?
Where you are offering the use of such systems, even simply as a first point of contact advertised on your website, this should be set out in your client care policy and the associated data subject rights set out in your privacy/data protection policy on your website.
All this; simply for using a messaging app?
Many vulnerabilities arise through the use of everyday items which are so familiar to us that we find it easy to overlook the risk. We put on a seatbelt, without thinking twice, before we set off in a car, because we understand the benefit to mitigate the risk. The same should apply to messaging apps, but whereas most of us appreciate the dangers associated with car travel, we don’t always recognise the risks involved with messaging.
You might like to consider the ‘checklist’ above. And, critically, be sure to document your planning and activity. In the face of a regulator’s query, some evidence of having tried to prevent or mitigate the risk is better than none at all.
And, check licensing agreements for the apps you use. Be prepared to challenge service providers and app developers and perhaps, even to make some tough decisions about the extent of permitted use of messaging services.