The Role of Artificial Intelligence in Ephemeral Messaging

American Conference Institute (ACI)

In recent months, U.S. regulators and enforcement authorities alike have signaled through enforcement actions and pronouncements that they are paying closer attention to companies’ oversight practices regarding employees’ permitted use of third-party messaging applications, including ephemeral messaging.

Ephemeral messaging has increasingly become a bane to legal and compliance teams, because by the very nature of its functionality, chat messages expire after a short period of time or can be self-destructed immediately by the individual users, after which time such communications are deleted permanently.

“Clearly, it’s very problematic if companies are allowing employees to use them for business communications, because then you don’t have any record retained either for litigation holds or any type of regulatory oversight,” said April Goff, a partner at Perkins Coie.

Despite the challenges posed by ephemeral messaging, the U.S. Securities and Exchange Commission and the Department of Justice have warned companies they must make efforts to preserve such communications, nonetheless.

In public remarks, Assistant Attorney General Kenneth Polite said companies should be prepared to demonstrate to prosecutors their “preservation and deletion settings” regarding business-related electronic data and communications, as well as their policies around any bring-your-own-device (BYOD) program they might have in place.

“If people are using these tools to communicate on behalf of your business, and you don’t have the ability to preserve or produce a historical record of what was discussed, you’re limiting your defense if something goes wrong,” said Robert Cruz, vice president of information governance at Smarsh.

Indeed, Polite warned that prosecutors will not accept at face value a company’s failure to produce such communications. “A company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability. So, when crisis hits, let this be top of mind,” he said.

BYOD Policy

Given the increasing regulatory attention being placed on oversight practices of ephemeral messaging for business purposes, those in heavily regulated industries “should first consider their information-governance policies and protocols with regards to data retention and deletion,” said Al Park, senior managing director at FTI Technology.

Goff similarly stressed that an acceptable use policy is a company’s first level of defense, and the primary way of managing the challenges posed by ephemeral messaging. However, just having an ephemeral messaging policy on its own is not enough, she said. “It has to be practical, enforced, and have some teeth behind it.”

Polite stressed this point further in his remarks: “Our prosecutors will also consider how companies communicate the policies to employees, and whether they enforce them on a consistent basis.”

Technology Considerations

BYOD policies should be complemented by robust data preservation controls—for example, “data archiving and storage settings that cannot be altered by the employee or the end user,” Park said. “If organizations have implemented centrally administrated messaging applications such as Slack or Microsoft Teams, those platforms offer built-in governance and compliance controls that can be aligned to specific data retention parameters.”

Furthermore, Park added, companies should make clear through a BYOD program that they have the right “to enforce the use of company-wide messaging applications over which IT and legal have administrative control for the purposes of communications monitoring and data preservation.”

The following are some additional measures to consider:

Choose the right tool. From an investigative and e-discovery standpoint, capturing and storing data is easier said than done, as each of these various applications provides a different set of information-sharing features and different ways for users to interact with one another, creating oceans of unstructured data—social media posts, documents, videos, audio files, and more.

“You need a system that enables the business to preserve all the unique metadata elements,” Cruz added. “Other third-party messaging applications—WhatsApp, WeChat, Telegram, Signal, and Discord, for example—all include a unique set of features, methods of access, and a variety of technologies to encrypt data.”

For these types of technologies, there are third-party tools that enable businesses to capture communications and data for preservation purposes. “Many ephemeral messaging platforms allow users to disable the auto-delete function within the application,” Park said. This, too, can be enforced by a BYOD policy.

Similarly, when messages are encrypted, a BYOD policy can require that employees provide the organization with their encryption keys, “so those messages can be recovered and accessed if the need arises for compliance or legal purposes,” Park added.

But, again, each organization must first decide what data it needs to capture in order to meet its regulatory or compliance obligations, after which time it can then figure out what technology has the capabilities to “talk to” the company’s API software in order to provide a complete and accurate record of business communications, Cruz said. “Question number one is, ‘Are you comfortable as a business that if you let your employees use a [third-party messaging application] that you have the appropriate technologies to know how it is being used?’” he said.

Make sense of the data. Ultimately, during an internal investigation or e-discovery, it’s critical to understand the context of the conversation. The key question there is, “What activity took place on that platform?” Cruz said.

“It’s important to segment and render these messages in a meaningful way, so they can be reviewed in context,” said Tim Anderson, senior managing director at FTI Technology. “Our teams use contextual and density analysis to group related and relevant chat messages together into a single view so that they can be understood in the broader context of a conversation, but not muddled with irrelevant noise. Similarly, we are working to standardize the rendering of emojis and reactions across platforms so they can be searched and analyzed for additional context and nuance in conversations of interest.”

A cross-platform analysis can also be conducted “to maximize efficiency in gaining insight from the available data and connect the dots between messages and users that have hopped across multiple channels,” Anderson added. Granular historical user activity can also be leveraged “to understand when participants joined, left, posted or reacted to messages, all of which can be used to enrich the known facts of a matter.”

Consider enlisting a digital forensic expert. Particularly during a corruption investigation, the company may want to enlist the help of a digital forensics expert with the expertise to know where to look for pertinent data, what to look for, and how to retrieve it. “There are some digital forensics methods that make it possible to recover deleted data in some instances,” Anderson said.

“In other cases, digital forensics experts can, at times, find evidence of deleted messages, use of prohibited applications or channel-hopping, which helps tell a story about a user’s activity, or offer new clues to follow, even when data has been deleted,” Anderson added.

If a company chooses to work with a digital forensic expert, however, Goff stressed the importance of having a non-disclosure agreement or contractual procedures in place as it relates to the disclosure of any sensitive or confidential information.

BYOD Program Elements

The DoJ’s newly revised “Evaluation of Corporate Compliance Programs” (ECCP), issued in March 2023, provides further guidance for companies on how prosecutors will evaluate a BYOD program. The ECCP directs prosecutors to consider the following specific questions—which means companies should be thinking about such questions too:

  • What relevant code of conduct, privacy, security, and employment laws or policies govern the organization’s ability to ensure security or monitor/access business-related communications?
  • What are the company’s BYOD policies governing preservation of and access to corporate data and communications stored on personal devices, including data contained within messaging platforms, and what is the rationale behind those policies?
  • Do the organization’s policies permit the company to review business communications on BYOD and/or messaging applications?
  • How does the company apply and enforce data retention and business conduct policies concerning personal devices and messaging applications?
  • If employees are required by policy to transfer messages, data, and other communication from their personal devices or messaging applications onto the company’s record-keeping system to preserve and retain them, how is it enforced?

Goff advised working with the IT or procurement team before permitting the use of any messaging application. A BYOD program also needs a cross-functional team behind it—human resources, legal, compliance, and technology need to work hand-in-hand, she said.

“We encourage clients to limit the type of applications until they are fully vetted to ensure they have the capability to work with the company’s API or to retain information as needed for document retention litigation purposes or with respect to regulatory oversight,” Goff added. “And, again, it still needs to be consistent with the company’s acceptable use policy.”
