Unsupervised communication platforms in spotlight after US editor added to group chat of top US officials
After a news outlet in the United States claimed their editor-in-chief was accidentally added to a group chat of top US officials discussing sensitive war plans, an Australian lawyer weighed in with HRD about the implications of using unsupervised communication platforms to discuss work.
“There are two main legal risks employees can come up against. The first would be misuse of confidential information because the employer may well be holding that information on behalf of somebody else. So, the employer might not necessarily own the confidential information. It might belong to a client, customer, or supplier,” Partner at Tompkins Wake, Daniel Erickson, told HRD.
“The second one is probably privacy law breaches. The employer will hold personal information under the Privacy Act about certain individuals and if that's misused or disclosed inappropriately, there's potential breaches of the Privacy Act. Arising out of both of them is reputational damage.”
Earlier this year, US-based magazine The Atlantic broke the story, in which sensitive war plans were discussed on Signal, an app that isn’t approved for sharing classified information.
In the article, the magazine’s editor-in-chief, Jeffrey Goldberg, revealed that US officials such as Vice President JD Vance and National Security Advisor Michael Waltz were discussing plans to bomb Houthi targets across Yemen.
"I have never seen a breach quite like this," Goldberg said in his article. "It is not uncommon for national-security officials to communicate on Signal. But the app is used primarily for meeting planning and other logistical matters - not for detailed and highly confidential discussions of a pending military action."
Ultimately, breaches such as this within an organisation would likely lead to disciplinary action, Erickson said.
“If employees aren’t following the mandated processes around using certain apps and circumstances under which information can be shared, ultimately, that can be a disciplinary issue, including potential summary dismissal if there is a deliberate breaching of company policy. The employee can be dismissed for that.”
Goldberg noted that messages in the chat group were also set to disappear after at least a week, raising a potential violation of federal law, which states that text messages about official acts are considered records that should be preserved.
The breach is an example of how employees may be inclined to use applications or systems that are not approved by the organisation's IT department, opening the company to cybersecurity leaks and breaches.
In fact, data from Microsoft last year revealed that 78% of users of artificial intelligence are using their own AI tools to work, with some doing so without clear guidance or clearance in place.
To ensure policies are adhered to across the board, Erickson noted that “education is key.”
“It’s so important that employees are firstly made aware of the risks – so they know what can go wrong if stuff is shared inappropriately. They might simply not know what the risk is of texting something, or using WhatsApp, or whatever they might be doing.”
“The great thing about these is the ease of use. You've got a group of people you need to communicate at once, so you set up a WhatsApp group. But I guess it comes back again to that education piece. And you know, WhatsApp is great. But, in terms of sharing stuff that might be commercially sensitive, you do want rules defining what is and isn't appropriate for that kind of information,” he added.
Meta has done just this – and has issued a stern warning over leaking company information, with leakers risking “termination”, according to a memo issued by the company’s Chief Information Security Officer, Guy Rosen.
To further remedy the situation and reduce the chance of issues like this happening again, Erickson emphasised the importance of compliance and of making sure expectations are clearly laid out, with no exceptions.
“There are IT safeguards in place, like monitoring devices, that are owned by the employer and that’s an option to keep people and data safe. It’s also about consequences – because both the worker and employer could be liable for damages under the Employment Relations Act. It’s $10,000 per breach.”
“The other thing to note is that this applies to everyone. It’s important to ask the question: ‘Am I being compliant?’ If not, something needs to change no matter who you are in the organisation,” he added.