What is Slack Legal Hold?
In the context of e-discovery for corporations, a legal hold — sometimes referred to as a litigation hold — is a process by which companies preserve electronically stored information (ESI) when they are subject to litigation or anticipate litigation. Once a legal hold has been issued, ESI must be retained in its original format, even if at some point it might have been automatically deleted under the company’s regular business procedures.
Similar to e-discovery holds, the purpose of a Slack legal hold is to prevent the deletion and modification of relevant ESI, in this case, from the communications platform Slack . As corporate legal teams know, in civil investigations and lawsuits, failure to comply with hold directives has led to significant financial consequences, whether because of fines or spoliation.
In recent years, many businesses have adopted the popular messaging app Slack as a primary business tool, and with its increasing adoption comes the need for companies to stay vigilant with their data preservation practices so that they can comply with legal obligations.
In civil investigations and lawsuits, the failure to comply with hold directives has led to significant financial consequences for companies, whether those are in the form of monetary sanctions or adverse inference instructions.
The Implications of Legal Hold in Slack Communication
To set the stage for a comprehensive understanding of foolproof legal hold management for Slack, we focus first on why legal holds matter in this popular communication platform. It’s easy to treat Slack conversations as ephemeral data, but the federal rules and a slew of ediscovery decisions make it clear: Slack communications can be broadly discoverable. And when they are, there is no question that relevant data must be preserved.
The risks of non-compliance are too high to take a chance on not being proactive; the consequences range from sanctions to spoliation of evidence claims, both of which can be damaging to an organization. Commencing a lawsuit or government investigation where there may be some exposure means fitting at least 8 rounds of donuts on your checklist of pre-trial best practices. That list must include a legal hold notification policy for relevant custodians of Slack communication. And you need to make sure that policy is enforced.
What will trigger preservation obligations on Slack? The answer depends on the unique set of facts and circumstances in each case, but some common scenarios when legal holds are necessary include:
Ransomware
Client dispute
Simple tort claim
FMLA claim
Business tort
Patent infringement
Trade secret violation
Shareholder suit
Regulatory investigation
Government allegations
Generally, when the preservation duty is triggered for litigation, it spans relevant content on Slack as well as ancillary data you generally retain such as metadata, source code, etc.
Implementing Legal Hold in Slack
To implement legal holds in Slack, it is important to have a clear understanding of the steps involved and the resources needed to set them up effectively. Below is a step-by-step guide to configuring legal holds in Slack:
Establish your legal requirements: Before you can set up a legal hold in Slack, it’s essential to determine the legal requirements for preserving your data. This could be a result of an ongoing litigation, an audit, or a regulatory investigation. Understanding the scope of your legal obligations is crucial to determining who needs to be placed on legal hold and which data should be preserved.
Identify custodians: After establishing the legal process, the next step is to identify the custodians who should be placed on legal hold. A custodian is a person or entity that possesses information relevant to the matter at hand. Once the custodians are determined, you can create a range of holds to be applied to the appropriate individuals.
Creating hold roles: When creating a hold, you will need to work with your administrators to set up the hold roles directly in Slack. To do this: a. Access your workspace settings either from the header bar or by clicking on your workspace name. b. Select "Settings & administration," and then click on "Manage apps." c. Choose a direct message app and create a hold role.
Assigning actions: Slack allows administrators to take several actions during the creation process, such as: a. Create a notification list: Specify which legal holds will be used for a legal hold manager. b. Assign a hold expiration date: Set rules for holding information.
Putting a user on hold: Once you have created the legal hold policies and the corresponding roles, the next step is to put a user on hold. To do this: a) Input the user(s) required to place on hold b) Enable notification settings if necessary c) Add custom properties if needed.
Preserve the data: If feasible, preserving the data is advisable as you begin collecting it. For example, some preservation options include exporting the data from Slack or using a third-party eDiscovery tool to export or preserve the information.
Visualize the data and start the collection: Once the custodians and dates are specified, you can start the collection process.
Generate a legal report: This is typically generated once the collection starts.
Best Practices in Managing Slack Legal Holds
Considerations for Maintaining Legal Holds
When a legal hold is issued, there are several best practices to follow to ensure that no electronically stored information (ESI) is deleted before it is saved.
First, an administrator for Slack must ensure that the hold notification is sent to all custodians through the Usage page of the Slack web interface:
Ensure custodians understand their obligations by providing them with clear instructions on actions they should take using Slackbot and chat messages:
Best practices for managing legal holds extend beyond simply notifying custodians that a hold is in place.
Slack administrators are also responsible for managing conversation data during the hold period. Best practices for keeping organization data as long as custodians are required to maintain that data include:
Additionally, even if data is no longer required to be kept by the organization, it may still be subject to export, so it is good practice to review data before releasing the holds.
Slack administrators will want to consider how to maintain legal holds based on the size of the organization, the number of custodians, the number of workspaces, and the quantity of data as well as any other relevant facts.
Legal and Compliance Implications
Legal and compliance considerations are essential components of establishing an effective legal hold. Slack legal hold is no different. Knowing the legal framework that regulates Slack legal hold is crucial to ensuring you effectively communicate the organization’s preservation obligations. For example, the Federal Rules of Civil Procedure (FRCP) require litigants to preserve potentially relevant information, including information on third-party applications that store and share information like Slack. Other federal and state legislation requires organizations to preserve potentially relevant communications when there is a reason to believe a litigation hold may be necessary. E-Discovery laws and practices differ between federal and state courts. In some instances, preservation obligations may extend to the organization’s third-party vendors.
At the federal level, one of the most relevant statutes is the Federal Rules of Civil Procedure, Rule 37(e). The rule provides details and guidelines with respect to the following:
States also have their own rules and statutes regarding eDiscovery and preservation requirements.
Below are just a few examples of states that have enacted state-level eDiscovery preservation rules, statutes, and guidelines:
Compared with the complex regulatory environment of GDPR, regulations surrounding conservation in the United States are more straightforward. However, given the increasingly inter-connected business world and the growing number of cross-border transactions, compliance monitoring is essential. The evolving regulatory landscape is risky. The fines associated with not complying can be steep. For example, if your company is involved in an investigation as to whether it has violated specific European Union (EU) competition laws, the EU can request the preservation of evidence related to the investigation. Non-compliance can result in fines of up to 1% of a company’s annual revenue. Or consider another example , the Digital Millennium Copyright Act (DMCA) is a copyright law that includes provisions designed to protect online service providers from liability for copyright infringement committed by those who use their services. As a service provider, if you receive a proper DMCA takedown notice and you do not comply, it can cost you big-time. If you have business in the U.S., you are not immune to DMCA liability. Beyond federal e-Discovery-related regulations, there are compliance considerations for regulated industries like healthcare, financial services, and energy:
Bottom line: Compliance considerations are always evolving. Staying up-to-date is crucial. An effective legal hold should take these laws, regulations, and standards into account. Comprehensive understanding of the relevant laws is paramount to the effective use of a legal hold in a litigation matter. Failure to preserve information in accordance with applicable laws, standards, and regulations is a costly mistake to make. Beyond legal and compliance considerations, there is an additional consideration for companies subject to industry regulations. Organizations that are subject to industry compliance standards must consider the consequences of failing to preserve necessary communications on a staff member’s personal accounts or workplace-arranged messaging platforms. In some cases, employees may view the platform as less formal and private than other forms of communication. Slack legal hold helps you overcome challenges related to educating employees on the need to include preservation language in non-work-related communications avenues when necessary. In another likely scenario, employees see no difference between their work and non-work related work and may resist efforts to use more formal and regulated systems.
Pitfalls, Challenges, and Solutions in Managing Legal Holds in Slack
There are a number of challenges businesses may face when attempting to implement and maintain legal holds from Slack. Some of these challenges include: problematic notifications to custodians, difficulty understanding the legal hold status of individual custodians, many custodians managing multiple channels, retrievability and accessibility challenges, and understanding retention periods for non-HIPAA data.
Traditionally, businesses were able to send notices and reminders for legal holds through interoffice memos and emails. These typically had a high success rate in that custodians could not deny receiving them. Also, custodians usually do not have many different sources of potentially relevant data. In contrast, with Slack, the problems begin at the notice stage itself. Slack does not allow non-admins to create single direct message chats with anyone else. Because of this, some custodians may claim to have never received a message if none of their messages are showing up. However, there is a solution to this.
When the system admin sends the notice to custodians, they should also copy themselves on the notice. They can then check their Slack messages after 72 hours. If none have been sent out or no non-admin user has sent a message back, then the custodians were never notified, and it is recommended that a different form of notice be used.
Knowing whether a custodian is on legal hold and where that designated channel is located is vital. A business can make this simpler through the use of automation tools, such as Python/Google Sheets. Through this method, a system admin could take a screenshot of a Google sheet containing the names, status, and notes of each custodian on legal hold. Then, a Python automated task could find the names of active Slack users on the Google Sheet, and send them a DM at the same time as notifying the system admin in a designated channel.
This problem is more common than most people think. With the "closed/private" nature of Slack channels, custodians may need to be added or removed for channels that are no longer public. If the custodian doesn’t actively check their messages, they may not notice that they have been removed until they try to access the channel again. The solution to this is for a system admin to generate an updated list of all the active channels on a quarterly basis and remove any out-of-date information.
Like a traditional email inbox, all messages in a Slack channel are retrievable and accessible, with the caveat that they were not deleted from Slack. However, as a non-HIPAA-compliant product, Slack may contain PHI items which, while not required to be removed, need to be scrubbed in order for the account to be HIPAA-compliant. If the organization is not HIPAA-compliant though, scrubbing may not be necessary.
Since the retention period of non-HIPAA data is much longer than HIPAA data, custodians may want to save relevant data from 2013, even if that information is not HIPAA-related, so that they may be in full compliance. That would work perfectly for a single device; however, many custodians have multiple devices. What happens then? The solution is that if an individual wants to preserve information on other devices, such as their computers or tablets, they can do so by exporting channels to .CSV files that they can export to their own devices.
Case Examples and Practical Uses
Real-life examples and case studies offer invaluable insights into the application of Slack legal hold. In recent class action litigation involving a major financial institution, the court ordered a company-wide Slack legal hold as part of its discovery protocol. By the time the case settled, months later, well over 80% of users—nearly 10,000 employees—had been placed under the order. Although only a few key custodians were named, the sheer size of the legal hold saved the company from committing a significant spoliation blunder in a case in which the stakes were extraordinarily high.
In another case, an energy company faced a set of complex OSHA occupational hazard complaints. The investigation threatened to explode into a class action lawsuit because of the dynamic nature of the workforce, which was based in remote locations. Given the large number of warehouses and production facilities spread across several states and the array of employee roles being addressed, it was important to issue a broad Slack legal hold covering an estimated 2,500 workers to ensure that all relevant data was preserved.
A global aerospace company faced a government investigation related to a merger affecting multiple divisions. Span-of-time restrictions proved difficult to manage, particularly when an agency required access to deleted Slack data from an affected division, which turned out to be crucial in making certain legal determinations.
A private equity firm learned a hard lesson in 2018 when it missed the chance to preserve relevant evidence in a lawsuit related to a health care investment. Although the asset manager was not a lead investor, it sought and received routine reports from the portfolio company. However, the investor never sought Slack user information or other data related to those reports after the suit was filed. Despite remedial efforts, the investment firm could not reproduce the audit trail of its own reporting. The company ultimately settled the case, but not before making it clear that when managing a large portfolio of investments, a comprehensive Slack hold can prevent the burden of later piecing together missing information.
Future Considerations for Digital Communication and Legal Holds
In the context of digital discovery, there are certainly a few innovative areas, but arguably none have been more disruptive than the impact of Slack and Slack-like products and collaborative tools on legal holds. With these new tools, the importance of proactive and defensible legal hold processes has never been more critical. Organizations need to understand how this ever evolving landscape may impact their legal hold obligations . A few things to keep an eye on as this is a rapidly changing area:
- How will legal hold products evolve to keep pace with new tools like Slack?
- How will the courts deal with issues such as Slack discovery?
- Searchability of data in any electronic format is addressed in the FRCP – will these collaborative platforms fall into this category?
- Will the FRCP evolve to address any further electronic format issues such as cloud environments or collaborative platforms?
- Will alternative dispute resolution forums provide guidance for collaborative platform coined discovery issues?
- What are the anticipated issues in the future and how can organizations proactively prepare now?
- What guidance do the courts provide now for future applicability?