Are Your Slack Messages a Liability? Legal Discovery in the Age of Internal Chat Tools

By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering

Looking for a security engineer? Visit SecurityEngineer.com


Disclaimer: This article is for educational purposes only and does not constitute legal advice.

Introduction

Internal messaging platforms such as Slack and Microsoft Teams have made organizational communication more convenient. However, this convenience comes with substantial legal exposure. Informal messages are increasingly central to investigations, litigation, and regulatory enforcement actions.

Slack messages are considered discoverable electronically stored information (ESI). Courts, regulators, and litigants are treating these messages as they would emails, documents, or text messages. As a result, legal and compliance professionals must assess how internal chat tools are governed.


1. Slack Is Discoverable Under Federal and State Law

Under the Federal Rules of Civil Procedure, particularly Rule 34, any party in a civil lawsuit can request the production of ESI - including Slack messages - if it is relevant to any party’s claim or defense. The same principle is mirrored in many state procedural codes.

In Red Wolf Energy Trading, LLC v. Bia Capital Management, LLC, No. 19-10119-ADB (D. Mass. May 25, 2022), the court sanctioned the defendant for failing to preserve Slack communications after a litigation hold was issued. The defendant claimed Slack was not in regular use and did not preserve messages until long after the duty to preserve had arisen. The court found this behavior to be a failure to take reasonable steps to preserve discoverable information and issued evidentiary sanctions under Rule 37(e)(1).

The ruling makes clear: once a party reasonably anticipates litigation, it must take affirmative steps to preserve Slack data.


Employees often treat Slack like hallway conversation—informal, fast, and unfiltered. However, these records are timestamped, searchable, and, in litigation, subject to interpretation without context.

Slack threads have been used in:

  • Employment discrimination claims to demonstrate hostile work environments
  • Trade secret disputes to show intent to misappropriate or conceal proprietary data
  • Securities fraud cases to establish internal knowledge of regulatory violations
  • Contract disputes to show that parties had contemporaneous awareness of risks

In one employment litigation matter, Wang v. Hearst Corp., No. 21-cv-03734 (S.D.N.Y.), internal Slack messages were submitted to support a claim that the company had retaliated against a whistleblower. The plaintiffs argued that informal internal discussions confirmed that executives had awareness of the protected activity and still moved forward with termination.

Slack does not insulate parties from liability simply because the messages were written in a casual tone or were never intended to serve as a permanent record.


3. Misconfigured Retention Settings Increase Risk

Slack provides control over message retention and deletion. However, this flexibility can create legal and regulatory risk if not managed properly.

Slack Enterprise Grid and Business+ plans allow workspace administrators to:

  • Set message and file retention policies globally or per channel
  • Control whether users can edit or delete messages
  • Set policies for direct messages and private channels
  • Export data via Slack’s Discovery API or through third-party eDiscovery integrations

Problems arise when:

  • Retention settings are too short (for example, 7 or 30 days) and result in deletion of relevant messages
  • Organizations fail to implement legal holds when litigation is reasonably anticipated
  • No audit log or export history exists to show what was deleted and when

In Nicholas v. Noom, Inc., No. 20-cv-3677 (S.D.N.Y. 2021), the court held that Noom’s Slack retention policy, which deleted most messages after a short period, was not inherently improper. However, the burden fell on Noom to demonstrate that no relevant information was lost. The court warned that short retention periods must be paired with documented policies and the ability to preserve data upon notice of litigation.


4. Regulatory Expectations Have Changed

Internal communications, including Slack and Microsoft Teams, are increasingly the subject of regulatory inquiries.

In September 2022, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) fined 16 financial institutions over $1.8 billion for widespread failures to retain and monitor employee communications conducted via unauthorized platforms, including personal WhatsApp and Slack accounts. Firms such as JPMorgan, Goldman Sachs, and Morgan Stanley were penalized for failing to ensure that off-channel messaging was captured in accordance with recordkeeping requirements.

Similarly, in FTC v. BetterHelp, Inc., the Federal Trade Commission scrutinized internal communications, including Slack data, to establish that senior executives were aware of the company's data-sharing practices with advertising platforms despite public statements suggesting otherwise. The case settled in 2023 for $7.8 million in redress and injunctive relief, with internal chat logs playing a significant role in the investigation.

This trend underscores that regulatory bodies now expect internal messaging data to be governed, retained, and searchable during enforcement actions.


To mitigate discovery and enforcement risks, legal and security teams should develop a robust Slack governance program. Key practices include:

Policy Design and Documentation

  • Define acceptable use of Slack, including guidance on sensitive topics
  • Document retention policies, deletion schedules, and any exceptions
  • Ensure Slack is connected to your organization’s litigation hold system
  • Use enterprise tools (Onna, Logikcull, Relativity) to index and export Slack messages

Employee Education

  • Train employees to treat Slack with the same formality as email
  • Include Slack compliance in new hire onboarding and annual trainings

Administrative Controls

  • Enable logging and audit trails for message edits and deletions
  • Configure retention based on regulatory needs and anticipated litigation risk

Periodic Audits

  • Conduct internal reviews of retention settings and access controls
  • Audit high-risk channels for compliance violations or improper data sharing

Conclusion

Slack has become a core business platform - but it is also a legal record. Failure to manage Slack communications as discoverable ESI exposes organizations to serious litigation and regulatory consequences. Legal, compliance, and cybersecurity teams must align their policies, tools, and training to ensure that internal messaging platforms are properly governed.
