Archive & Data Protection

    The Complete Guide to eDiscovery in Slack

    Safeguard your organization against Slack legal and compliance risks

    by Emily Schwenke

    Key Points

    • This blog was originally posted on the Aware website, but with the acquisition of Aware by Mimecast, we are ensuring it is also available to visitors to the Mimecast website.
    • Courts now view Slack messages as potential "smoking guns" in liability cases, making effective eDiscovery essential.
    • Third-party tools with real-time ingestion are crucial for capturing edited or deleted messages, preserving a complete record for investigations.

    Every organization using Slack as part of its collaboration technology stack should have a plan in place to handle legal, compliance, and HR investigations within its complex, sprawling dataset. This post explores what business leaders need to know about conducting eDiscovery in Slack data, the challenges it presents, and how to proactively secure their entire digital workplace.

    What is Slack?

    Slack is a messaging application that helps coworkers to collaborate in real time from any location. Its simple interface and customizable features make it an attractive choice for businesses and employees alike, and it has enjoyed widespread adoption in recent years.

    What is eDiscovery?

    eDiscovery, or electronic discovery, involves searching electronically stored information (ESI) to find relevant content in response to legal, compliance, and other investigatory need. ESI includes Slack data, meaning at any moment a business could be obliged to produce specific Slack content from within the vast dataset of daily messages generated by employees.

    In recent months, courts and regulators have begun to focus more intently on collaboration data. In a court filing, the FTC noted that “In some cases, Slack messages have been found to contain the 'smoking gun' regarding liability.” To date, several courts have ruled that the technical difficulty of performing eDiscovery in these datasets is no excuse for failing to meet legal obligations to do so.

    Why is collaboration data so difficult to search?

    The datasets generated by collaboration tools like Slack differ from traditional business communications in several key ways. Firstly, these datasets are truly massive—the average employee sends around 30 Slack messages per day, which adds up to tens of millions each month for even modest sized businesses. Furthermore, these messages lack the formal structure of letters, emails, or memos. They are short, conversational, and filled with acronyms and emojis whose meaning can change in a moment.

    Traditional eDiscovery software may lack the ability to assess if a case of sexual harassment in the workplace boils down to the inappropriate use of an emoji. Worse, a traditional eDiscovery tool might not capture emojis at all.

    Another challenge faced by legal officers performing eDiscovery in Slack datasets is the nonlinear, fragmented nature of their messages. What begins as a conversation in a public group can shift seamlessly to direct messages, viewable only by the immediate participants. Understanding the complete context of Slack messages is therefore more challenging than, for example, email, with its clear structure and linear format.

    Finally, businesses may face challenges even viewing their Slack data to begin with. Free Slack accounts can only view 90 days of message history and administrators have to apply to Slack to access direct and private messages sent by users within their Slack environment. This can present difficulties if the business cannot satisfy Slack as to its need to view the messages in question—and the end users can edit or delete those messages at any point before they are exported for review, potentially deleting forever any evidence they contained.

    Is eDiscovery possible in Slack?

    Despite these difficulties, eDiscovery in Slack is possible. However, it requires the use of the right plan and, potentially, third-party eDiscovery tools to search Slack datasets efficiently and effectively.

    Which Slack plans support eDiscovery?

    FeatureFree PlanPro PlanBusiness+ PlanEnterprise Grid
    Message & file history90 daysUnlimitedUnlimitedUnlimited
    Data encryptionYesYesYesYes
    Custom retention PoliciesNoYesYesYes
    Export for all messagesNoNo

    Yes

     

    Yes
    Discovery API integrationNoNoNoYes

     

    Only Slack Enterprise Grid supports Slack’s Discovery API, which connects the Slack workspace with third-party eDiscovery, data loss prevention (DLP), and offline backup vendors. Users with Business+ plans can export all messages, including direct messages and private group conversations, and upload them into external eDiscovery applications for review, giving them the ability to perform eDiscovery within their Slack dataset.

    However, this method of performing eDiscovery does not capture message revisions or deletions, meaning a custodian can potentially remove evidence without being detected. For this reason, selecting a third-party vendor authorized through Slack’s Discovery API is the most effective way for an organization to secure a Slack workspace and fulfill discovery and compliance obligations.

    Must-have features for a Slack eDiscovery vendor

    When considering an eDiscovery vendor for Slack, ensure they offer the following:

    • Approved integration with Slack: The vendor should have seamless integration capabilities with Slack to efficiently access and extract relevant data. Check the Slack App Directory for a comprehensive list of approved Security & Compliance vendors.
    • Real-time data ingestion: Because Slack users can edit and delete messages at will, an effective eDiscovery vendor must use real-time data ingestion to capture a complete record of all messages sent within the workspace. A delay of even a few minutes is more than enough time for a malicious actor to exfiltrate a file or send a harassing message and delete the evidence.
    • Federated search capabilities: The huge scale of Slack datasets makes eDiscovery a challenge for any investigator. The ability to search and refine results by multiple parameters, such as keyword, regular expression (regex), timeframe, message type, and custodian, simplifies eDiscovery by reducing false positive results.
    • Bidirectional data retention: The ability to preserve Slack data in place, or remove unauthorized content automatically, is essential to securing the digital workplace. Look for vendors that can impose bidirectional data retention policies on both the data they hold and its original counterpart in Slack to prevent data loss during the eDiscovery process.
    • Data security and compliance: The data collected during eDiscovery must be legally defensible. Therefore, the vendor must adhere to stringent security measures and comply with legal and regulatory requirements to protect sensitive information.

    How Aware supports eDiscovery in Slack

    Aware data platform for employee listening makes complex Slack datasets fully accessible to forensic search and investigation through an immutable archive accessed by AI-powered federated search capabilities. Using Aware, organizations can uncover a complete record of fully contextualized Slack conversations, including edits and deletions, in response to legal, compliance, and regulatory demand.

    Sophisticated filtering minimizes false positives and reduces time to discovery for faster, more cost-effective internal investigations. In addition, Aware can implement at-a-click bidirectional data holds, securing all relevant content and context during early case assessment (ECA) and beyond.

    Aware provides business leaders with a complete, holistic overview of collaboration datasets, and works seamlessly with Slack, plus Teams, Zoom, Webex, and more to enhance security and mitigate risks across the digital workplace. As a trusted security and compliance vendor for both Slack and GovSlack, the secure digital HQ for government work, Aware provides the world’s leading companies with the capabilities they need to perform eDiscovery securely and effectively in Slack.

    Final thoughts

    eDiscovery in Slack is a vital process that empowers organizations to meet legal and compliance obligations. By leveraging Slack's built-in features and partnering with a reliable eDiscovery vendor like Aware, businesses can efficiently navigate the challenges associated with data retrieval, ensuring a secure and compliant workplace environment.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top