Slack Connect allows multiple organizations to work more synchronously. This is especially true within finance, insurance and healthcare organizations. However, a side effect of this increased interaction is the risk of unnecessarily exposing sensitive HIPAA, PII/PHI data to external parties over Slack. In this article we delve into the following:
Slack Connect enables Slack users to connect with up to 20 organizations. Slack Connect allows you to create a channel and allow another organization to collaborate with you. Both parties stay in their respective Slack workspaces and communicate without having to switch between multiple workspaces.
Slack Shared Channels allows 1 and only 1 organization to become part of your channel. Slack Connect essentially expands this use case to allow for multiple organizations to join a single channel.
The concept of a ‘host’ stays the same: there is always only 1 host per channel, for both Shared Channels and Connect.
Under most regulatory frameworks, data ownership defines who is responsible for data. As a Slack host for a Slack Shared or Connect channel, you are responsible for ensuring proper handling of sensitive data by all the participants.
Elaborate data management policies can be written in a document and signed by all participants, but that generally does not work in real life. The high-velocity communication that Slack encourages among members makes it very cumbersome to apply best practices without adding friction.
A compelling solution to protect sensitive data within Slack Connect without creating undue friction for users is to use Polymer DLP.
Polymer DLP allows you to stay in Slack shared channels and seamlessly share sensitive data with any or all participants. Anything considered ‘sensitive’ by the host of the channel will be automatically redacted while leaving the rest of the document intact. A good example of this is to imagine sharing the Mueller Report where the ‘confidential’ information within the document is redacted based on organization-level policies. If any of the participants or members require access to this secure content, they can click a button within the message to dynamically unlock sensitive data elements for the authorized user only.
To get started, install the Polymer DLP app for Slack here. The basic version is free and can get your organization’s Slack channels to be HIPAA, PII, PHI, SOC2 or GDPR compliant in a minute. The paid plans allow for full flexibility in only paying for elements found without having to sign up for expensive long-term contracts.
Slack Connect is a true game changer in inter-company collaboration. Seamless data sharing and information flow reduce friction between organizations in getting the work done, especially in a post-COVID remote-first work environment.
Addressing security, compliance and privacy over shared channels or Slack Connect is of paramount importance, especially for companies that could have customer, banking, health or insurance information flowing across their Slack platforms. Click below to get started:
https://www.polymerhq.io/apps/slack
Polymer protects against data loss (DLP) on modern collaboration tools like Slack, Dropbox, Zoom, GitHub and more with alerting & real-time redaction of sensitive and regulated information such as PII, PHI, financial and security data.
Yasir Ali | yali@polymerhq.io | www.polymerhq.io | https://blog.polymerhq.io/