Enforcement appears as messages disappear: The perils of personal and ephemeral messaging

Eversheds Sutherland (US) LLP

On December 17, 2021, a financial institution agreed to pay $200 million in fines to the Securities and Exchange Commission and Commodity Futures Trading Commission for allowing employees to discuss business on their personal devices without preserving those communications. The financial institution was charged with failing to appropriately retain and implement controls on the use of personal communications and messaging platforms in violation of the recordkeeping and supervision requirements of the Securities Exchange Act and Commodity Exchange Act, and related rules and regulations.

Companies should take this enforcement action as an opportunity to assess whether and how their corporate compliance programs ensure appropriate retention of personal communications and ephemeral messaging.

Work from home arrangements have skyrocketed during the pandemic and likely are here to stay. Employee use of personal devices and messaging applications to conduct or discuss business is common—but it can be difficult for companies to preserve employees’ personal emails and messages sent via text, WhatsApp, and other third party messaging platforms. Moreover, some third party messaging platforms, including WhatsApp, permit “ephemeral” messaging, automatically deleting messages after a certain period has passed.[1] Ephemeral messaging can prevent companies from retroactively collecting messages if they receive a subpoena or are cooperating in a government investigation.

Having “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms” in place becomes particularly important if a company uncovers misconduct. The Foreign Corrupt Practices Act Corporate Enforcement Policy (CEP),[2] which now extends to all white-collar matters handled by the US Department of Justice’s Criminal Division, provides guidance on actions companies can take to mitigate criminal penalties if they discover misconduct. The CEP further notes that there is a presumption that a company will receive a declination[3] if, absent aggravating circumstances,[4] it (1) voluntarily self-discloses the misconduct, (2) fully cooperates, and (3) timely and appropriately remediates.

Under the CEP, “timely and appropriate remediation” by the company must include “appropriate retention of business records, and prohibiting the improper destruction or deletion of business records.” As part of this element, the initial version of the CEP, issued in November 2017, required companies to prohibit the use of “software that generates but does not appropriately retain business records or communications.” This effectively operated as a blanket ban on use of ephemeral messaging applications, as retention of these communications was difficult—if not impossible.

In March 2019, the CEP was revised to include softer language, allowing companies to qualify for full remediation credit if they have implemented “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.” In other words, a company seeking to qualify for a declination or fine reduction on the basis of timely and appropriate remediation may still qualify if it allows personal communications and ephemeral messaging, so long as the company’s corporate compliance program has been designed to address and mitigate the risks associated with their use.

Implementing guidance and controls for personal communications and ephemeral messaging platforms also could be key to convincing the government that the company has “fully cooperated.” In evaluating whether a company has fully cooperated in an investigation, prosecutors will consider whether there was “timely preservation, collection, and disclosure of relevant documents and information.” Companies that are unable to produce requested information, causing a delay in the investigation or expenditure of additional resources, are unlikely to qualify for full cooperation credit, thereby disqualifying them from a declination or fine reduction.

As permanent work from home arrangements rise in popularity, the continued use of personal devices and third party messaging applications is inevitable. These settlements should remind companies to ensure their compliance programs include guidance and controls for retaining business records and communications—including text messages, personal emails, and communications on messaging platforms.

Complete bans on the use of personal devices or third party messaging applications are unlikely to be enforceable (or practical). There are certain steps, however, that companies can take to develop and implement appropriate guidance and controls, including the following:

  • Companies should consider implementing enterprise versions of messaging platforms (i.e., versions specifically designed for business use). Enterprise versions may allow companies to customize features, such as security and data retention settings, for users within the organization and may assist companies in maintaining control over communications.
  • Companies should implement policies and guidance detailing prohibitions and/or limitations on using personal devices and messaging platforms.
  • Once a company has solidified its stance on use of personal devices and messaging platforms, the company should clearly communicate expectations to employees (e.g., by incorporating prohibitions and limitations into trainings).

Companies that operate in states that have statutorily established privacy rights for employees using personal digital assistants should carefully navigate potential competing public policy issues when designing and implementing guidance and controls related to personal communications.


[1] In 2020, WhatsApp launched a feature called “Disappearing Messages” that allows users to automatically delete messages after seven days. The feature also deletes messages from the other party’s phone. In December 2021, WhatsApp updated options to allow automatic deletion as soon as 24 hours after messages are sent. By default, the feature is turned off, but all users can enable it.

[2] FCPA Corporate Enforcement Policy, US Department of Justice, available at https://us.eversheds-sutherland.com/portalresource/cep-revised_01.pdf.

[3] A declination is a case that would have been prosecuted or criminally resolved except for the company’s voluntary disclosure, full cooperation, remediation, and payment of disgorgement, forfeiture, and/or restitution.

[4] Examples of aggravating factors that may warrant a criminal resolution include involvement by executive management of the company in the misconduct, pervasiveness of the misconduct, and significant profit to the company from the misconduct.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Eversheds Sutherland (US) LLP | Attorney Advertising
