[co-author: Jessica Southwick]*
This article was published in Law360 on September 6, 2018. © Copyright 2018, Portfolio Media, Inc., publisher of Law360. It is republished here with permission.
In December 2017, the Sunshine Project sued Missouri Governor Eric Greitens, alleging violations of the Missouri Open Records and Open Meetings Law because he and his staff used Confide, an “ephemeral” messaging app that automatically deletes text messages after they have been viewed.1 Several organizations have sued President Donald Trump and his executive office, alleging their use of ephemeral communication apps, such as Signal and Confide, violated the Presidential Records Act.2 Further, companies’ growing use of ephemeral communications tools is complicating U.S. Department of Justice investigations of corporate wrongdoing when it comes to uncovering bribery schemes. Last year, the DOJ announced that, in order to receive full credit for self-reporting bribery violations under the new Foreign Corrupt Practices Act Enforcement Policy, companies must prohibit “the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications.”3
The ripples from ephemeral communication tools may extend into civil litigation too, as a company’s use of, or acquiescence of employees’ use of, these tools is inconsistent with the company’s duty to preserve evidence. This may open the door for sanctions for spoliation under Federal Rule of Civil Procedure 37(e).
While few companies explicitly authorize the use of disappearing communication apps, large portions of their workforce are nonetheless using them. In this article, we discuss potential criminal and civil risks posed by these apps and offer the following best practices for employers:
-
Examine your document retention policy, and determine if it addresses the use of ephemeral communication. If it does not, you should seriously consider either prohibiting the use of such apps or restricting them to nonbusiness messages only.
-
In addition, corporate guidelines must provide a systematic way to police this policy through regular training sessions, quality control monitoring systems and certifications of compliance by employees.
-
If there are valid business reasons for using ephemeral communication tools, those reasons must be set forth clearly as well as the circumstances under which the tools will be appropriately used.
-
If ephemeral communication tools are permitted under designated circumstances, or if a company suspects employees may be using these apps, the company must take certain steps if it is on notice of potential litigation. Companies must turn off any automatic deletion tools or be subject to charges of spoliation.
-
Once a hold on all deletions has been issued, and the automatic deletion tool deactivated, a company should have a system to audit and confirm the deletion tool remains inactive and that no other ephemeral communication apps have been employed.
What Are Ephemeral Communications Apps?
Ephemeral communications apps, also called disappearing messaging apps, are reshaping the landscape of digital communication by enabling their users to send messages that are automatically deleted after a specified period of time. Snapchat was an early innovator, providing a platform on which users could share photos and videos for a short period of time before they would be deleted. Dozens of other apps have quickly followed. Apps like Instagram, Cyber Dust, Wickr Me, Burn Note, Confide, Telegram Messenger, TigerText, Sicher, Whisper and others all enable users to send messages, pictures and videos that self-destruct. While these apps were designed for social entertainment, enterprises and their employees have quickly realized the benefits, and app developers have responded. Wickr, for example, now offers fully encrypted enterprise-level communications that are automatically deleted after a specified period of time.
The benefits of such a system are compelling, particularly in the era of the EU’s General Data Protection Regulation and the California Consumer Privacy Act, when the need to be forgotten is strong and when data breach is a constant threat. Companies can greatly reduce the risk of data breach and enhance the security of their most valuable assets if their communications are ephemeral, particularly sensitive internal communications. Further, employees may be more comfortable raising compliance or harassment issues if they know that there will not be a permanent record.
While there is nothing illegal about an enterprise choosing to use such a system, there may be grave implications for legal document preservation. For decades, email has been the primary source of communication and collaboration in companies and thus has been vital evidence in litigation. What will happen when companies no longer retain their communications?
This is not a hypothetical question. At a recent pretrial hearing in a lawsuit between Uber and Waymo, Waymo alleged that Uber employees used Wickr to send ephemeral encrypted messages to discuss trade secrets allegedly stolen from Waymo. The judge reopened discovery and delayed the trial while the parties investigated and conducted discovery related to the allegations. The judge further suggested that he may inform the jury about Uber’s discovery conduct. The case abruptly settled after four days of trial, but the suggestion that Uber had intentionally destroyed evidence was national news.4
Similarly, a recently unsealed filing in litigation between CBS executives and the Redstone family’s National Amusements Inc., or NAI, for control of the broadcaster revealed accusations that CBS executives destroyed evidence by using TigerText, an app that can delete text messages immediately after they are read.5 While the details of the discovery remain redacted, the motion stated that CBS acknowledged that employees used the ephemeral communication app, including its legal department, but the company refused to suspend the app’s use or impound the devices used. NAI argued that CBS was obligated to preserve all evidence relevant to the dispute and intentionally failed to do so. Shortly after the filing was unsealed, CBS said in a public statement that it had adopted TigerText for cybersecurity reasons after the Sony hack and not for any nefarious reason. NAI requested that the court enter an order to prevent further spoliation. NAI has since withdrawn its motion without prejudice in exchange for commitments by CBS to image all devices and conduct forensic searches for deleted messages on previous imaging, thus removing the threat of spoliation of data.
The DOJ Policy
In November 2017, the DOJ implemented new provisions to its FCPA Corporate Enforcement Policy aimed at incentivizing self-disclosure of misconduct. These provisions allow for a presumption that the agency will decline to pursue an enforcement action when the company “voluntarily self-disclose[s] misconduct in an FCPA matter, fully cooperate[s], and timely and appropriately remediate[s], all in accordance with the standards set forth [in the U.S. Attorney’s Manual].”6 When there are aggravating circumstances that warrant a criminal resolution, such as extensive pervasiveness and high-level executive involvement in the criminal misconduct, the DOJ will recommend a 50 percent reduction in the low end of the sentencing guidelines.
“Voluntary disclosure,” under the FCPA Enforcement Policy, means that a company self-discloses before the imminent threat of disclosure by another, or threat of an investigation.7 The disclosure must be prompt, proactive and fully transparent to qualify as “voluntary.”
“Full cooperation” incorporates elements of “voluntary disclosure,” in that it also takes into account the timeliness and transparency of the disclosure. However, the disclosure must be ongoing. The company must provide updates on information gained through internal investigations of the misconduct and alert the DOJ to third-party sources of information or offenders. A company must also engage in the “[t]imely preservation, collection and disclosure of relevant documents and information relating to their provenance.”8
Finally, the company must demonstrate “timely and appropriate remediation.”9 A company does so by conducting a thorough root-cause analysis of the misconduct and by instituting a robust compliance and ethics program that is appropriate for the company’s size and resources. Remediation also includes discipline of culpable employees. Significantly, the policy requires that a company maintain “[a]ppropriate retention of business records, and prohibit[] the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications.”10 Given that the main feature of an ephemeral communication app is the nonretention of communications, a company must choose between permitting its employees to use these apps or complying with the DOJ’s policy and possibly having the DOJ decline an enforcement action if misconduct is discovered and self-reported.
The DOJ’s position on ephemeral communication apps is situational. In Citizens for Responsibility and Ethics in Washington (CREW) v. Trump,11 CREW sued Trump and his executive office for alleged violations of his duty to preserve official records for historical account as required by the Presidential Records Act. CREW sought a declaratory judgment that using the apps violated the act, which obligates the president to classify and take steps to maintain presidential records. Additionally, CREW sought injunctive and mandamus relief to require the president to comply with the Presidential Records Act. The DOJ moved to dismiss on the ground that judicial review of the president’s decision under the Presidential Records Act was not available. While the court opined that using the apps “would almost certainly run afoul of the Presidential Records Act,” it granted the DOJ’s motion to dismiss, holding that the plaintiffs failed to “identify a valid cause of action to enable their case to proceed to the merits.”12
In contrast, in the Missouri challenge to the governor’s use of ephemeral communication apps, the court also noted a clear violation of the Open Records Act and permitted multiple claims set forth in the action to continue. The court wrote:
The argument that the use of the Confide app excuses compliance because nothing is retained holds less water than a policy of using disappearing ink for all official documents. While there seems to be little dispute that records were made, the issue revolves around were they records which should have been retained and/or are retained in the custody of third parties which is adequately pleaded.13
The Missouri case illustrates the unique hurdles the Confide app creates for discovery. In June, the court ordered that discovery proceed sequentially to determine whether messages sent or received through Confide can be recovered, either through Confide Inc. or Confide-affiliated third-party servers, or on cellphones that send or receive messages. The plaintiffs were directed to subpoena Confide for data, and the defendants were ordered to conduct an expert forensic examination to determine what could be recovered from a cellphone using Confide. The court stayed all other discovery until “the court can determine whether or not the messages sent or received using Confide can be recovered which may have a bearing on what records are at issue.”14 At the argument, the court reportedly questioned whether an Open Records Act violation existed if the documents no longer existed, but has not yet addressed that issue.15
These cases indicate the courts’ willingness to view the use of disappearing apps as contrary to a duty to preserve if the appropriate cause of action or mechanism is available, although recoverability of the messages may be a requisite.
Potential Exposure to Civil Sanctions for Spoliation
Federal Rule of Civil Procedure 37(e) provides for sanctions in the event that a party fails to preserve relevant data. Based on the Uber court’s discussion of the potential implications of a company’s using ephemeral communications, as well as analogous case law, it appears that a company that encourages or permits its employees to use ephemeral communications apps runs the risk that a court will find the company failed to preserve relevant data. If the loss is deemed to have been intentional and material, the most severe sanctions pursuant to Rule 37(e)(2) are possible, including adverse inference instructions or termination of the action.
It does not appear that any court has imposed sanctions as a result of ephemeral communications-related spoliation. However, cases involving data-wiping programs like CCleaner, which securely erases data, provide an instructive analogy. In Klipsch v. ePRO e-commerce, where Klipsch alleged that ePRO sold counterfeit Klipsch products, the Second Circuit reviewed the trial court’s imposition of discovery sanctions for intentional destruction of relevant data.16 Klipsch’s electronically stored information, or ESI, consultant found that ePRO custodians manually deleted files and emails using data-wiping software before the court-ordered forensic examination. The court found that ePRO intentionally spoliated relevant ESI, awarded costs associated with bringing the motion, and imposed a $5 million restraint on ePRO’s assets. The Second Circuit affirmed, finding that the amount of sanctions awarded were not impermissibly punitive or disproportional.
Similarly the court in Lexpath Technologies Holdings Inc. v. Welch addressed the allegation that a former employee intentionally deleted files.17 The plaintiff’s consultant testified that Welch ran CCleaner on the laptop, rendering more than 53,000 files unrecoverable, before removing the program from the laptop. Despite Welch’s argument that the program had a legitimate information technology use, the court found that Welch intentionally deleted relevant files once litigation was reasonably foreseeable. Pursuant to Federal Rule of Civil Procedure 37(e), the court determined that the appropriate sanction would be to instruct the jury that it may presume the information was unfavorable to Welch.
The legal implications of ephemeral communication tools are surfacing in various types of litigation and investigations. As the use of these apps increases, a company must constantly evaluate how to reconcile the use of, or acquiescence of employees’ use of, these tools with the company’s duty to preserve evidence. While the courts are just now analyzing the legal implications of these tools, companies should consider following best practices highlighted above.
Endnotes
1 Sansone v. Greitens, No. 17AC-CC00635 (Circuit Court Cole County, MO).
2 Citizens for Responsibility & Ethics in Wash. v. Trump, No. 17-cv-1228 (D.D.C. March 20, 2018).
3 Dep’t of Justice, U.S. Attorney’s Manual § 9-47.120(3)(c) (Nov. 2017), https://www.justice.gov/usam/usam-9-47000-foreign-corrupt-practices-act-1977.
4 See, e.g., Aarian Marshall, The Uber-Waymo Lawsuit Gets A New Star — And Takes a Wild Turn, Wired (Nov. 30, 2017), https://www.wired.com/story/uber-waymo-richard-jacobs-lawsuit/.
5 CBS Corp. v. Nat’l Amusements Inc., 2018 Del. Ch. LEXIS 157.
6 U.S. Attorney’s Manual, supra note 3, § 9-47.120(1) .
7 Id. at § 9-47.120(3)(a).
8 Id. at § 9-47.120(3)(b).
9 Id. at § 9-47.120(3)(c).
10 Id. at § 9-47.120(3)(c).
11 Citizens for Responsibility & Ethics in Wash. v. Trump, 302 F. Supp. 3d 1127, (D.D.C. March 20, 2018).
12 Id. at 1129.
13 Sansone v. Greitens, No. 17AC-CC0063 (Cole Co., 19th Judicial Circuit, Order dated April 30, 2018).
14 Sansone, (Order dated June 29, 2018).
15 Jasmine Ramirez, Court in Confide Case Says Plaintiff Must Prove Records of Messages, ABC 17 News (June 19, 2018), https://www.abc17news.com/news/judge-in-confide-case-says-plaintiff-must-provide-records-of-messages/755504636.
16 880 F.3d 620 (2d Cir. 2018).
17 2016 WL 4544344 (D.N.J. Aug. 30, 2016).
*associate in the Health Sciences Department.
