Archive & Data Protection

    How to do Slack eDiscovery Without Enterprise Grid

    Streamlining eDiscovery: Proactive exports, retention policies, and employee education.

    by Emily Schwenke

    Key Points

    • This blog was originally posted on the Aware website, but with the acquisition of Aware by Mimecast, we are ensuring it is also available to visitors to the Mimecast website.
    • Higher-tier plans (Business+ and Enterprise Grid) offer better control over data, making eDiscovery easier, while Free and Pro plans limit access to message history.
    • Exporting data can be complex due to a lack of granular controls, high data volume, and issues with retention and attachments.

    Slack is an integral part of many workplaces, making it essential that legal and internal investigations teams have the capacity to perform eDiscovery in its complex network of channels and chats. However, users of Slack Free, Pro, and Business+ plans may find eDiscovery more challenging than expected. Read on to learn what you need to know about performing successful eDiscovery in Slack without Enterprise Grid.


    What is Slack Enterprise Grid?

    The Slack app is available in a range of plans and tiers to suit different users’ needs. Enterprise Grid is Slack’s premium tier, designed for use by large companies and/or those in regulated industries such as healthcare and finance. Enterprise Grid provides the scalability and security required for large enterprises with diverse teams and extensive collaboration needs.

    An important aspect of Enterprise Grid is the availability of a wide range of third-party applications and plugins that connect natively and provide additional security, governance, compliance, and data loss prevention controls for Slack. These tools connect Slack data with existing workflows to enhance and accelerate information management, supporting internal investigation and protecting valuable company data from unauthorized access or exfiltration.

     

    What other Slack tiers are available?

    In addition to Enterprise Grid, Slack offers four other plans to meet the needs of different organizations.

    • Slack Free — Slack’s entry level plan, which gives users full access to Slack features like public and private channels and DMs, with 90-day message and file access
    • Slack Pro — Slack’s entry paid tier, with workflow automations, two-factor authentication and SSO, and custom retention policies for messages and files
    • Slack Business+ — All the features of Pro plans, plus the ability to export all messages and take more granular control of channel management
    • GovSlack — A secure Slack suite designed for the unique needs of government agencies and contractors

     

    How does Slack plan tier impact eDiscovery?

    The Slack plan your organization uses can have a significant impact on message visibility and discovery. Free plans, for example, only enable workspace admins and owners to view message and file history from the past 90 days. Pro plans unlock the full history of workspace Slack messages, but admins don’t have automatic access to private channels or direct messages.

    To export a complete record of all messages from either Free or Pro plans requires petitioning Slack, who will grant requests only as needed and permitted by law. Users can work around this issue in some instances by exporting available messages from their live Slack workspace, but these messages will not be a complete record of all content.

    These limitations can make it almost impossible for Free and Pro plan owners to access historical data, or messages from private channels or DMs, in a timely fashion, or even at all. This can complicate situations where there is an urgent need to perform eDiscovery in Slack.

    Further complicating matters, the flexibility enjoyed by Slack users presents more problems when it comes to discovery and early case assessment. At any point, a user can edit or delete any message they’ve previously sent, changing the context or hiding their activity from investigators. The only way to prevent this is by archiving Slack channels, which can stop users from editing or deleting past messages. However, depending on the workspace settings, users may still be able to un-archive channels to edit past messages, making spoliation an ever-present concern.


    How does eDiscovery work in Slack Enterprise Grid?

    Workspace owners and admins of Enterprise Grid accounts have more control over their Slack data than admins of Free or Pro accounts, including the ability to export all message types. Slack offers these workspace owners a self-service tool to facilitate data exports, although they must apply to use it. Exports include all messages from public and private channels and DMs as necessary.

    In addition, Slack Enterprise Grid users can connect their workspace to data retention and discovery tools such as Aware. Aware captures a complete record of Slack messages, including revisions and deletions, in a real-time archive supported by AI-powered federated search for faster, more effective eDiscovery.
     

    How to export Slack data without Enterprise Grid

    Slack Business+ users can apply to use the same self-service export tool as Enterprise Grid account owners. However, simply exporting Slack messages is only the start. Slack exports messages as JSON files, typically opened in text viewers such as Notepad. JSON files are notoriously complex and difficult to read, making it a slow and complicated process to understand what happened during an investigation.

     

    Code snippet slack.webp


     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    5 challenges of eDiscovery in Slack Business Plus

    Lack of granular exports

    Slack’s self-service export tool makes it easier for Business Plus admins to access data from across their Slack workspace, but the lack of granular controls within the tool can add complexity. Most exports are limited only by date range, meaning for an investigation that spans several weeks or months, the results may produce tens of thousands of irrelevant messages—Aware research shows that just 100 employees will send over 34,000 messages a month.

     

    Data volume

    Manually searching thousands of messages for just a few relevant communications is a slow process, complicated by the fact that JSON exports make it extremely difficult to understand at-a-glance what is happening. This can obscure the surrounding context, making it harder for investigators to understand what is and is not relevant to their search.

     

    Lack of continuous data

    When exporting messages from Slack Business Plus, the results represent the workspace at a single moment in time. This isn’t a problem for investigations into past actions, but for discovery into an ongoing situation, additional exports may be required.

     

    Data retention settings

    Admins and owners of Slack Pro, Business+, and Enterprise Grid accounts can set custom data retention settings that purge messages from both the live Slack workspace and the Slack-held archive. Before adjusting these settings, workspace admins should carefully consider the evidentiary value of that data to future investigations, as well as any legal or regulatory obligations they may have to retain data for a specific period of time.

    Equally, a lack of retention policies can make all Slack messages discoverable during legal action, vastly increasing the work required during eDiscovery. This should also be considered when deciding how long to retain Slack data.

     

    Images, files, and modern attachments

    Slack datasets don’t just contain written messages, they’re also filled with emojis, gifs, reaction, and files. Rather than including those attachments within data downloads, Slack exports instead contain links that redirect to the files within the Slack workspace. If the file is later deleted, the link will stop working and that data will be lost.

     

    5 ways to simplify eDiscovery in Slack Business Plus

    Be proactive about exports

    At some point, most businesses will face a legal or regulatory need to review their Slack data. Something as simple as a direct subject access report (DSAR) can create hours of work for a company that doesn’t have an easy way to extract Slack messages from or about a single user. Addressing this need proactively, before it arises, is critical to responding in a timely fashion when it does.

     

    Establish data retention policies

    Data retention policies are an important part of any company’s data compliance and security posture, and Slack data is no exception. Slack Pro plans and higher all enable workspace administrators to set custom retention policies and while these can add complexity to internal investigations, they can also be used to demonstrate regulatory compliance or provide evidence of routine data purging.

     

    Educate and regularly train employees

    Your people are the first line of defense against misuse of company data in Slack and should be educated and trained accordingly. Let employees know what is an is not acceptable to share, and which channels are appropriate for linking to or distributing restricted content such as company documents. Aware research shows that without guidance, employees will share any work-related information in Slack. In the average workplace, 1:17 messages contain 3+ pieces of sensitive information.


    Enforce acceptable use policies

    In addition to training employees on acceptable use in Slack, it’s essential to deploy content moderation solutions to enforce policies and coach employees about violations in real time. Real-time moderation can reduce risk and therefore the need for internal investigations and eDiscovery by preventing the proliferation of sensitive data, noncompliance, toxicity, or harassment within the workspace.

    Centralize workspace administration

    The many tools and applications introduced by the digital transformation have added countless layers of complexity to eDiscovery processes and ESI protocols. Centralizing the administration of these tools whenever possible is an effective way of reducing this burden and simplifying eDiscovery in Slack.
     

    How Mimecast enables eDiscovery in Slack Business Plus

    Slack data uploads from Aware are the latest tool in Aware’s eDiscovery offering, designed to meet the unique needs of Slack Business Plus users. Using Aware, legal and investigations teams can import Slack backups into Aware, where JSON data is normalized, indexed, and enriched using Aware’s proprietary, best-in-class natural language processing (NLP) AI.

    Our technology, designed and built for the unique complexities of this dataset, enables users to search Slack quickly and efficiently by multiple parameters, including user and keyword, and produces results in an intuitive format that restructures conversations as they appear in Slack.

    From Aware, you can implement data holds as necessary, or export results directly into eDiscovery workflow tools like Relativity for faster, more effective eDiscovery—without Slack Enterprise Grid.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top