Use of Electronic Messaging by Employees
16th April 2019
Helping you to reduce risk and stay compliant is always our first priority. The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has released an examination on the use of electronic messaging by approved persons and employees. Acknowledging the potential risks of using personally owned devices that may be used for business purposes is important.
With increased regulatory requirements, there is recognition of the potential risks posed by electronic communication and data sharing. In line with industry best practice, we believe it is prudent to remind individuals of potential implications with respect to the use of electronic messaging by their employees.
When personal devices are used for business purposes, firms should acknowledge that electronic communication presents challenges in security and, more recently, in the potential for fraudulent actions using personal information for illegal purposes. Under GDPR, which came into effect in May 2018, firms cannot use the data they hold in relation to customers for other purposes that aren’t compatible with the original principle of collection. Therefore, firms have to consider the risks and legal requirements involved with the use of personal devices such as laptops, phones and tablets to conduct business.
The implications of using personal devices to communicate with clients are crucial. Electronic messages are hard to stop once they have been sent and can easily be copied, resent or forwarded. With sophisticated cyber attacks occurring on networks, sending a business-related message from a personal device can involve a huge risk because personal information could get into the wrong hands and adversely impact the business. Using a mobile device for work-related tasks unavoidably allows applications to access the available data and collect user information. Also, integrating professional data on a personal device can make the business fully vulnerable because devices can be easily lost or stolen.
Your firm should be aware of the following:
- Employers will assume legal, security, reputational and other business-related risks when they permit employees to use their devices for work-related purposes.
- Only permit forms of electronic communication for business purposes if the message can be monitored and retained in compliance with record keeping requirements.
- Prohibit the use of “apps or other technology” that give employees the ability to communicate anonymously, automatically destroy messages, or prevent third parties from properly monitoring and reviewing such communication.
We encourage firms to review the risks, practices and procedures regarding electronic messaging and to reflect on any improvements that might help you stay compliant.