In a recent report from Thomson Reuters, legal department leaders named regulatory compliance a top strategic priority. The emphasis on compliance has increased significantly since 2019, when it was rated the fifth-most important priority on the same survey.
This shift is likely due to evolving regulations related to environmental, social and governance (ESG), data privacy and cybersecurity, and more decentralized teams in the past three years. As a result, legal teams have a broader range of information to consider, which makes compliance increasingly complex.
The 21st century update would be “data is money.” Organizations spend significant time, effort, and investment in building systems to facilitate the movement of information. That can be as complex as large-scale contract management and as simple as sending a Slack message to your coworker.
The collective of each ping, folder, and cloud-based system represents an organization’s data footprint. And those footprints are big. For example, the American Bar Association shared this dizzying statistic, “[o]rganizations are generating as much as 7.5 septillion [emphasis added] gigabytes of data per day… To put that in context, we create roughly the data equivalent of 50,000 years of continuous movies every few hours, all day, every day.”
The ABA shares that corporate information grows by 23% each year. Therefore, it is more important than ever to address information governance policies and practices thoroughly.
Records management? We do that.
While they seemingly perform similar functions at the surface, records management and information governance are different activities. Records management policies focus on the handling and retention of official records like contracts or personnel files that are preserved for a period of time required by laws and regulations. On the other hand, information governance covers all information created or received by the organization, whether official records or not.
You can’t ghost the Feds.
As the ABA points out, ephemeral messaging apps (EMAs) and other messaging applications (e.g., Signal, Facebook Messenger) have grown in popularity, fundamentally changing how we communicate. Organizations must have a plan and standard operating procedures for employees using these communication methods. However, while these messaging apps boast several attractive features for users when discussing sensitive information, the government isn’t as enthusiastic about the technology.
The communication app Signal has recently been at the center of this conversation during Sam Bankman-Fried’s FTX fraud case. In an effort to safeguard communications, counsel agreed to include restrictions on Bankman-Fried’s use of Signal as part of a multi-million dollar bail package.
But Bankman-Fried’s case or use of Signal isn’t the only example. The Securities and Exchange Commission and the Commodity Futures Trading Commission have levied $2 billion in fines on banks for their use of WhatsApp and Signal.
The Department of Justice reinforced the importance of preserving communications via messaging apps in recent remarks from Assistant Attorney General Kenneth Polite Jr. Polite noted that the DoJ expects that management of these communications be covered by compliance programs and that organizations should be able to preserve and produce communications from them in the case of an investigation.
The more things change…
While counsel, courts and regulatory agencies continue to refine messaging apps’ role in information governance, we can look to existing discovery practices for guidance. For example, when an organization faces the reasonable anticipation of litigation, it must place a litigation hold that overrides its typical document retention policy.
During discovery, a party can seek production of Electronically Stored Information (ESI) that is relevant to the claim, proportional to the case’s needs and reasonably usable. The “reasonably usable” aspect is the sticky wicket for messaging apps that delete or encrypt communications. According to the 7th Circuit, “ephemeral” information is included in the categories of ESI that “generally are not discoverable in most cases.” However, as we’ve seen in the FTX case and with the banks, courts can include this information in discovery if the requestor can show reasonable cause, particularly if relevant information can only be found in these communications and may not exist in more readily-available sources of communication like e-mail.
For in-house legal teams, now is a good time to check up on how your organization is communicating, how that information is maintained, and what to do in the case of a legal hold. Courts and regulatory agencies alike are focusing on these evolving methods. It’s best to understand what that means for you in the case of potential litigation.
If you have concerns about what messaging apps mean for your eDiscovery policies and processes, reach out to a trusted eDiscovery partner for assistance.