By Ryan Bosselman, Chief Operating Officer, ModeOne
The New Rules of Mobile Data Collection: Privacy, Security, and Encrypted Messages
Last year, U.S. companies faced a critical challenge as new DOJ guidelines assigned them full responsibility of corporate data stored on personal devices. The task: extracting company data from employees’ mobile phones for investigations, litigation, and compliance without overstepping privacy boundaries, creating undue operational burdens, or introducing other unnecessary risks. In 2025, refining data governance policies and extraction strategies will remain a top priority, but emerging trends are entering the chat that will reshape the way organizations approach this delicate balance––particularly the rise of encrypted messages.
Over-Collection and Overexposure: Lessons Learned
In 2024, organizations—particularly those in regulated industries or facing frequent litigation—struggled to balance collecting enough data for compliance and legal hold with the risks of over-collection. Many companies extracted more data than necessary, unintentionally sweeping up sensitive personal information such as medical records, private messages, and photos in the process. In doing so, they open themselves up to:
- Privacy and Security Problems. Such invasive data collection risks damaging employee relations, decentering privacy and fostering a “Big Brother” culture. It also exposes employees to identity theft, fraud, and emotional harm if a breach occurs.
- Legal and Reputational Risks. Accidentally disclosing unrelated sensitive information during an investigation can lead to additional lawsuits, regulatory scrutiny, or public scandal (i.e. if an executive’s messages reveal something nefarious).
- Inflated Costs. Collecting, storing, and analyzing vast amounts of unnecessary data requires expensive infrastructure and tools. It also results in operational inefficiencies, such as delays in legal investigations and disruptions to workflows when devices are confiscated.
These lessons underscore the critical need for precise, scalable data extraction strategies––a priority that will persist in the months ahead, particularly as corporate litigation increases across the board in both regulated and unregulated industries. However, new trends and regulations will add additional layers of complexity to this ongoing challenge.
2025 Challenge #1: Evolving State Privacy Regulations
For global companies, navigating the privacy risks associated with mobile data collection is set to get even more complicated. Privacy and ownership laws vary widely across jurisdictions, and corporations are required to handle mobile device data collection based on the local laws and regulations governing each individual employee to stay compliant and avoid expensive legal action.
Governments around the world are frequently introducing tougher laws to protect personal data, like the EU’s well-known GDPR. While the United States is unlikely to see national regulation in 2025, more and more states are enacting comprehensive privacy laws––following in the footsteps of California, Colorado, Utah, and Oregon. These state-level regulations are becoming more demanding, pushing for stricter timelines for data deletion, consent requirements for data storage, and clearer guidelines for data usage (among other things).
For U.S. companies, these evolving regulations heighten the need for precise data management and data collection. In 2025, businesses must adopt more refined strategies to prevent overcollection and comply with stricter privacy standards.
2025 Challenge #2: Increasing Cyber Breaches
Adding more urgency to the overcollection problem is the proliferation of data breaches––compounded by the tightening of state-level data privacy regulations. Breaches will be more frequent and more expensive in 2025, putting immense pressure on organizations to safeguard sensitive information, particularly when extracting company data from employee mobile devices.
To mitigate cyber risk, companies must establish robust security protocols and leverage tools and solutions with powerful safety features, such as industry-standard encryption, advanced access controls, and certifications like ISO27001. These measures will not only ensure adherence to stringent data privacy laws during mobile data collection for legal hold or compliance, but also foster employee trust, reinforcing a committed stance on data protection.
2025 Challenge #3: The Rise of Encrypted Messaging
On the topic of cyber breaches, in 2025, encrypted messaging platforms will dominate workplace communication, with traditional SMS/MMS text messaging falling out of favor. This shift is driven by growing concerns about data interception and hacking by foreign entities such as China, emphasized by the FBI’s recent warning to avoid unencrypted text messages. It’s also a result of the enduring encryption gaps between Apple and Android messaging.
Though Apple added ground-breaking RCS support to its latest operating system release, improving the messaging experience between Apple and Android users, cross-platform RCS messages remain vulnerable. While Apple’s iMessage and Android’s RCS provide end-to-end encryption for same-platform communications, encryption must be manually enabled by both users in Apple-Android RCS communications––an unlikely scenario at scale. Comparatively, end-to-end encryption is turned on by default for platforms like WhatsApp, Signal, and WeChat.
The mass-adoption of encrypted messaging services will create new challenges for companies in 2025, which typically rely on mobile device management (MDM) and third-party tools like Smarsh or Global Relay to monitor and archive SMS and MMS communications. These tools, however, cannot access encrypted platforms, leaving significant gaps in compliance and legal hold efforts.
To get ahead of the oncoming trend, companies must adopt scalable technologies that can capture encrypted data or establish Mobile Device Management (MDM) policies requiring employees to use approved, secure platforms for business communication––or both. Without these adjustments, organizations risk non-compliance, legal penalties, and operational blind spots in critical investigations.
Preparing for 2025: A Smarter Path Forward
In 2025, stricter state privacy laws protecting employee data, heightened cybersecurity threats, and the rise of encrypted messaging will be the cornerstone of corporate compliance efforts. To adapt to this evolving landscape, compliance officers should focus on the following strategies:
- Continue to Prioritize Targeted Data Collection
Avoid the pitfalls of over-collection by implementing targeted data collection programs that preserve only what’s necessary for legal and regulatory purposes. Streamlined collection reduces costs, minimizes risks, and helps maintain employee trust. - Standardize Messaging Platforms
Encourage employees to use only approved messaging platforms for all business communication through a clear and stringent MDM policy. Standardization reduces fragmentation and limits the use of unauthorized channels, ensuring compliance teams can monitor and archive messages quickly and effectively. - Invest in Advanced Collection Solutions
Leverage emerging technologies capable of capturing encrypted data while preserving its security and privacy. Many of these advanced tools incorporate AI to enhance precision and streamline mobile data collection processes, making compliance more efficient and further reducing risk. - Leverage Privacy as a Competitive Advantage
As individual privacy becomes a central concern in the U.S., strong data protection policies can enhance both employee relations and brand reputation. Companies should promote their commitment to privacy internally to build trust and externally to attract talent and customers.
By getting ahead of the oncoming 2025 mobile data collection challenges, organizations can stay compliant, protect their brand, and build operational resilience in an increasingly privacy-focused world.
