Honestly, I have been avoiding this topic since it presents a real morass of risks and potential traps for the unwary company and Chief Compliance and Chief Legal Officers.
When I first examined the issue, I understood DOJ’s frustration. If bad actors can escape detection and subsequent punishment (internal or external) by using ephemeral messaging applications to delete illegal or improper communications, companies should simply ban the use of such electronic communications channels. Let’s be frank, that was DOJ’s real position before it bent under pressure. But I do not think that DOJ’s March 2023 update guidance on this topic reflects a real change of heart. Indeed, the very use of of ephemeral messaging may lead to the appearance of impropriety – the perception that the technology is being used for nefarious purposes or to hide evidence of wrongdoing.
Companies may choose to allow the use of ephemeral messaging applications, but they must understand the attendant risks and tailor appropriate controls, policies, and procedures to avoid potential damage.
So, let’s take a moment to examine the relevant considerations and outline a step-by-step approach to this important area. Companies have a vested interest in preserving internal communications for a variety of reasons — to document deals, hold actors accountable, and to protect the organization from potential private and government claims or investigations, reduce the risk of spoliation sanctions, and to receive cooperation credit or leniency in the event employees have engaged in wrongdoing that may have serious direct or collateral consequences to the company and the individuals involved.
First, what precisely does “ephemeral messaging” cover?
Initially, ephemeral messaging was simply a way to send disappearing pictures or messages over applications like Snapchat. But this initial use has since expanded to other applications like WeChat or WhatsApp for businesses. Depending on the specific settings applied to these applications, messages can automatically disappear forever and be sent via encrypted technology thereby reducing the ability of hackers to access such communications.
Just to complicate the issue, ephemeral messaging can include a “quasi” approach that permits some deletion of messages depending on specific settings. Such modifications to a messaging system may impact the encrypted protections of communications as well. And, of course, even ephemeral massages may become permanent if a recipient is able to preserve the message in some way, with or without the sender’s knowledge or permission.
Second, what specific benefits does use of “ephemeral messaging” provide?
In response to data privacy and security concerns, it is evident that these technologies do have certain benefits. DOJ and policy advocates, such as The Sedona Conference, have acknowledged that ephemeral messaging benefits include:
- Reduction of data storage and records preservation costs, along with reduced e-discovery burdens and cost;
- Encryption and automatic deletion reduces exposure to potential data breaches and resulting damages and collateral consequences;
- Automatic deletion can reduce potential access by hackers to company data.
These benefits are nothing to ignore. There are lot of internal communications that are of little to no importance — e.g. a reminder to attend a retirement party, and ministerial messages that have no real relevance to any ongoing business activities. Chat histories can clog up a company’s communications data and there may be benefits to isolating such communications for immediate or rapid destruction.
The reduction of data storage and preservation costs can be significant as well, when you consider the rising amount of data preserved and the attendant costs. Companies that are under government investigation or involved in litigation can incur significant e-discovery costs. By reducing some of the extraneous data, the costs of e-discovery can be reduced. The cost to review 1 GB of data costs approximately $18,000 on average. An effective data deletion and management strategy can reduce future e-discovery costs.
Further, by offering its own ephemeral messaging service, a business can reduce the risks that employees may use personal devices with such applications outside the company’s electronics communications system. Millennials and Gen-z employees are comfortable with such messaging applications and comfortable using them; indeed in many ways they have simply replaced the telephone call of my generation. If your employees are comfortable using these applications, keeping such communications within the business complement of communications channels might promote employee use of a business system that is stable, secure, and subject to business controls.
Companies that employ ephemeral messaging systems may reduce their exposure from a potential data breach. If the personal identifying information is not stored on devices, the severity and consequences of a hack may be reduced. In addition, ephemeral messaging systems operate with end-to-end encryption thereby reducing that hackers could access messages in transit.
Companies may also use ephemeral messaging systems as a way to prioritize internal communications and focus on retaining communications that are more “important” or relevant to the business. In addition, many ephemeral messaging systems allow an IT department to store all of the communications in a fire-walled location while employee devices have no record of such communications.
Third, what legal risks does use of “ephemeral messaging” applications create?
There are a number of legal risks created by use of ephemeral messaging technologies.
From a governance and compliance risk management perspective, a company’s internal investigation function, i.e. its ability to police itself and detect and prevent misconduct, may suffer from the loss of critical communications data. It is easy to imagine that bad actors executing a bribery scheme may deliberately choose to use ephemeral messaging as a way to plan and execute an illegal scheme to avoid potential detection.
Chief compliance and legal officers have to acknowledge that many companies already have suffered from this blinding effect by employees who use WhatsApp and the lack of access to relevant data that resides solely on an employee’s phone. The company’s access to such data may be complicated by the absence of an Acceptable Use or stated policy covering Bring Your Own Device to Work Policy or applicable data privacy protection laws and regulations in the country in which the employee or the company operates.
DOJ’s initial concerns that lead it to ban the use of ephemeral technologies in 2019 was the direct result of company reporting to DOJ that it did not have access to all of its employees communications data. This omission and corporate blinding to important communications data is a significant risk for every company’s corporate governance and compliance program. An essential part of every company’s corporate compliance program is its internal investigation capabilities and its ability to unearth potential misconduct that may threaten the organization and its culture.
Beyond this overarching and significant concern, companies that authorize ephemeral messaging face several significant legal risks from failing to preserve communications data that may be required to comply with a legal subpoena and a legal duty to preserve data when litigation is “reasonably anticipated.”
If the government issues a grand jury subpoena as part of a criminal investigation, and the company fails to preserve data generated by use of an ephemeral messaging system, a company could be held liable for failing to preserve data relevant to the criminal investigation. Such consequences can be significant, resulting in an independent liability for obstruction of justice.
Companies may face legal liability in civil litigation and responses to government regulators. As an example, in the recent Google multi-district litigation case In re Google Play Store Antitrust Litigation, U.S. District Court, Northern District of California, No. 3:21-md-02981-JD, the District Judge James Donato sanctioned Google for failing to preserve employee “chat” evidence relevant to the antitrust litigation. Specifically, Judge Donato ruled that Google “fell strikingly short” in its duties to preserve records in the case.
In another case, Federal Trade Commission v. Noland, et al., Case No. CV-20-00047-PHX-DWL (D. Ariz. 2021), the District Court sanctioned the defendants for using ephemeral messaging after learning that they were the targets of a government investigation.
In yet another case, Fast v. GoDaddy.com LLC, No. CV-20-01448-PHX-DGC (D. Ariz. Feb. 3, 2022), the District Court deemed gathering of information and retaining counsel for severance negotiations two years prior to filing suit still triggered the duty to preserve and avoid communications over ephemeral messaging applications.
If you are a regulated entity, the potential legal risks from use of ephemeral messaging can be compounded. For example, in 2018, the Securities and Exchange Commission issued guidance prohibiting business from use of communications applications that permit automatic destruction of messages.
Since issuing that guidance, the SEC has racked up millions of dollars in fines and penalties against a laundry list of significant actors in the industry.
