How to Create and Edit Legal Holds for Slack
Retaining data in Slack is essential for responding to legal actions or performing early case assessment
Key Points
- This blog was originally posted on the Aware website, but with the acquisition of Aware by Mimecast, we are ensuring it is also available to visitors to the Mimecast website.
- Review how to perform legal holds in Slack and how to create policies that support search and eDiscovery in this complex data set.
What is a legal hold?
Legal holds, sometimes called preservation orders or litigation holds, are directives to preserve potentially important electronically stored information (ESI) for legal or compliance purposes. They’re used in litigation or in response to investigations or regulatory inquiries. Organizations use them to retain relevant data, prevent alteration or destruction of evidence, and comply with discovery obligations for court proceedings.
What is a Slack legal hold?
Over three-quarters of the Fortune 100 use Slack and need the ability to collect data and perform legal holds in the platform. The legal hold process may require legal officers to preserve Slack data, export data from a channel, or open an investigation on shared channels. Data preservation is also essential for compliance purposes, especially in highly regulated industries. Companies performing internal investigations of employee conduct may also find legal holds valuable.
Legal holds in Slack preserve messages between users in an immutable way to secure evidence. Legal holds retain many attributes of Slack messages, including:
- Participants in conversations
- Timestamps
- Contents of conversations
- Any edits or deletions that have been performed
- File sharing between custodians
- Sensitive data sharing
- Employee conduct through messaging
Failure to implement and comply with legal hold requirements can mean serious consequences, including spoliation, evidentiary and financial sanctions, and even adverse judgments.
The legal hold feature is available to Slack Enterprise Grid customers, allowing administrators and legal teams to place legal holds on select Slack channels, messages, users, and files to ensure data preservation that custodians cannot alter or delete. Through Slack legal holds, organizations develop and maintain a defensible process for protecting ESI in the event of litigation, audits, or regulatory compliance procedures.
What happens when you create a legal hold for Slack?
Messages, files, or other data from Slack associated with legal holds are preserved in an immutable archive—including edits and deletions—and become available as JSON files for litigation procedures, audits, and investigations.
Once the legal hold is placed, it overrides active data retention and deletion policies. Only if and when the hold is released will that data be repositioned for deletion.
Organizations that use Slack plans below the Enterprise Grid level, or that need legal holds preserving file data beyond Slack and from other collaboration tools, will need to use a third-party eDiscovery solution.
How do you create a legal hold for Slack?
To create a legal hold from Slack data, perform the following steps:
- Legal Hold Settings—Log in to your Slack workspace and click on your name in the sidebar. Select “Tools & Settings” and navigate to “Organization Settings.”
- Security—In the left sidebar, click “Security,” and then select, “Legal Holds.”
- Create the Legal Hold—Click the “Create Legal Hold” button to begin. Name the hold to match your organization’s naming conventions and provide an optional description.
- Choose Conversations—Select the messages and files from all conversations the custodians are part of, or just the direct messages. This is also where you’d opt for a date range if you have one.
- Add Custodians—Click “Add Custodians” to choose specific Slack users for the exact data you’d like to preserve according to your legal hold’s parameters. Each legal hold is limited to 1,000 custodians. If necessary, create multiple legal holds.
- Save the Legal Hold—After configuring the settings to your parameters, click “Save” and the new legal hold is in place.
How do you create a canvas retention or file retention policy in Slack?
In addition to text, images, and gifs, Slack users can also share files or work directly in Slack using canvas, a tool that provides a central location to store content within each channel and message set. Both files and canvas documents may also need to be retained during legal holds, although the capabilities of doing so vary depending on account tier.
To perform file or canvas retention in Slack:
- Click on the workspace name in the top left of the Slack homepage.
- Select “Settings & Administration” or “Organization Settings” in the menu.
- Choose “Messages and Files” or “File Retention and Deletion.”
Once in the file retention section, there are differing options based on your Slack subscription level.
Slack Free Users can:
- Keep files for up to one year, after which they are purged by Slack.
- Keep all files for 90 days, after which Slack will permanently delete them, including those shared from third-party apps.
Slack Pro, Business+, and Enterprise Grid subscribers can:
- Keep all files indefinitely, including deleted files, for the lifetime of the workspace.
- Keep all files for a specified number of days, after which they are permanently deleted.
- Customized file retention settings. Enterprise Grid subscribers can custom file retention policies at the organization-wide or workspace-wide level.
No matter the file retention settings, deleted files and canvas documents may still be accessible directly from Slack even if they’re removed completely from the workspace.
How do you edit or release a Slack legal hold?
There are limitations to how a legal hold can be edited. Certain edits may be performed, such as adding custodians to an existing hold, but in some cases, you may need to create a new hold.
To edit a legal hold:
- Click your workspace name in the sidebar on the home screen.
- Under “Tools & Settings,” click on “Organization Settings.”
- Click “Security,” and then select “Legal Holds.”
- Click the three dots icon next to the legal hold you’d like to edit.
- Select “Edit details” to make changes, such as the name of the hold, description, or custodians.
What you may not change are the date range or conversations or channels included in the hold. For those edits, you’d need a new legal hold.
To release an existing legal hold:
- Click your workspace name in the sidebar.
- Under “Tools & Settings” click on “Organization Settings.”
- Click “Security” and then select “Legal Holds.”
- Select the three dots icon beside the legal hold you’d like to release.
- Select “Release” to stop preserving data under that legal hold.
Once the legal hold is released, normal retention policies resume.
To reactivate a legal hold, simply return to the three dots icon beside a released legal hold and select “Activate.” The legal hold will resume.
What are the drawbacks of using legal holds in Slack?
Slack users may run into challenges with legal holds and the eDiscovery process.
First, legal holds are only an option for Enterprise Grid customers, the most expensive paid plan. Lower tiers only have file retention policy options.
Data volume is the next big challenge. As of 2019, Slack had 12 million active users. When 100 employees send more than 34,000 messages a month, you can imagine how much data volume that creates. Storing data at this level can be a costly undertaking.
Despite the mandate that legal holds preserve data in its entirety, there are gaps. Slack’s legal holds do not include Slack Connect channels or from direct messages with external users, meaning Legal officers may miss important information and conversations.
Slack’s legal holds preserve data in place, but analyzing the data is not so simple. The data is exported into complex JSON file formats, which are difficult to parse and understand.
Legal holds are meant to preserve evidence during eDiscovery and litigation proceedings, but even with a hold in place, there’s the potential for data spoliation. Slack users, depending on their admin settings, can still delete entire channels, which can mean data loss. Additionally, with Slack Connect, where two organizations collaborate through the platform, there’s a question of data ownership. If one organization places the legal hold, and the other’s data retention policies select some of the files for deletion, the legal hold will only preserve the first organization’s data. The conversation will appear one-sided. Both org owners must place legal holds over the data to properly preserve it.
How to create a companywide Slack policy that aids eDiscovery
To avoid employees using Slack in an ad-hoc way that creates data silos or otherwise makes data preservation difficult, establish clear Slack usage policies. This will make eDiscovery, legal holds, and compliance audit logs much easier to set up.
Guidelines for creating a Slack acceptable use policy
First, lay out your ground rules for when to use Slack versus other communication platforms. It’s also a good idea to specify when communications are better as DMs and when public channels are preferred.
Consider data access, permissions, and preservation wherever possible. Be clear where the organization can and will oversee Slack conversations and content for legal, compliance, and investigative purposes. Also, outline data retention and deletion schedules and how they’ll affect Slack usage.
When it comes to compliance and governance, include guidelines on sharing sensitive and confidential information. If your organization is highly regulated, be sure your employees have the tools necessary to perform their duties without jeopardizing sensitive data by sharing it inappropriately in Slack. For those overseeing Slack, specify their roles and responsibilities, including who can configure settings and manage members.
With training and enforcement in mind, give all employees thorough and proper training on Slack acceptable use policies. Ensure your Slack environment remains aligned with company policies through training updates and policy enforcement.
These measures allow organizations to fulfill data preservation needs for eDiscovery and compliance regulations with fewer pain points.
Streamline data preservation for Slack with Aware
For those areas where Slack’s eDiscovery is still difficult or less user-friendly, Aware can help. Aware is the only Slack vendor approved for eDiscovery and data loss prevention, and a GovSlack trusted partner capable of delivering on legal, compliance, and regulatory requirements.
Aware provides federated search, archiving, compliance monitoring, and people insights using proprietary natural language processing (NLP) and machine learning models that analyze Slack messages in real time. With Aware, your organization can:
- Place one-click legal holds and preserve data for eDiscovery and investigations.
- Prevent data spoliation thanks to real-time data ingestion that collects a complete record of all data, retaining context as well as preventing editing/deletion.
- Save time—searches take minutes, not hours or days, thanks to real-time data and custodian-based batch collection.
- Search the data more accurately and thoroughly with filters that make the information easily discoverable.
- Maintain complete control over privileged data with features like audit trails, role-based access, and message visibility controls.
- Integrate with your existing Slack platform and other legal workflows using Aware’s user-friendly and compatible interface and centralized dashboard.
- Set Aware’s customizable and granular retention policies for different platforms and data types as well as different sets of people and channels specific to legal or compliance as needed.
Aware makes file retention for compliance easier without making highly regulated employees feel excluded.
With Aware, legal officers can perform faster, more effective eDiscovery and legal holds in Slack. Contact us today to learn more.
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!