Written by mark helmkamp, senior consultant at Spark Compliance
Follow mark on LinkedIn
Big news from key regulators on ephemeral messaging!
On January 26, 2024, the Justice Department’s Antitrust Division and the Federal Trade Commission (FTC) updated its guidance that reinforces a company’s preservation obligations for collaboration tools and ephemeral messaging.
The Department of Justice (DOJ) and FTC announced that they are “updating language in their standard preservation letters and specifications for all second requests, voluntary access letters and compulsory legal process, including grand jury subpoenas, to address the increased use of collaboration tools and ephemeral messaging platforms in the modern workplace.”
Why now? According to the press release, “companies have not always properly retained these types of documents during government investigations and litigation.” This is another warning shot across the bow for all businesses. The time is now to be proactive and mitigate the risks associated with ephemeral messaging and collaboration tools in the workplace.
This announcement is a huge reinforcement of what the regulators consider a “longstanding obligation requiring companies to preserve materials during the pendency of government investigations and litigation.”
When did this start?
Just because the obligation is long-standing doesn’t mean it isn’t incredibly resonant now. What’s the history? Back in 2017, as ephemeral messaging applications grew in popularity, the DOJ revised its FCPA Corporate Enforcement Policy so that companies seeking “full credit for timely and appropriate remediation” would need to “prohibit employees from using software that generates but does not appropriately retain business records or communications.” Then there was revised DOJ guidance in 2019 and new DOJ guidance in 2023. Clearly, the regulators’ focus on ephemeral messaging is increasing with each passing year.
What is ephemeral messaging?
In short, ephemeral messaging apps allow for the automatic deletion of conversations between parties immediately or after a short amount of time. Broad consumer adoption of apps such as Snapchat, WhatsApp and Telegram over the years as well as the evolving nature of people’s communications preferences has led to the increasingly widespread use ephemeral messaging in the workplace.
The opportunities and risks for businesses
There are many reasons why companies are adopting platforms with ephemeral messaging capabilities such as Slack, Microsoft Teams and Signal, including:
Safeguarding confidential information
Lowering the costs of data storage
Reducing exposure to data breaches
Complying data minimization requirements under various data protection laws.
However, ephemeral messaging poses several risks for businesses, including:
The use – or perception of use – for impropriety
Failure to preserve data relevant to an investigation, litigation or other disputes
Scrutiny from government regulators such as the DOJ and Securities and Exchange Commission (SEC).
Considerations for Compliance Officers
Before the duty to preserve arises, Compliance Officers should be assessing and taking steps to enhance their governance on the use of ephemeral messaging tools and the corresponding proper data retention and destruction practices. A risk-based approach should include:
Integrating ephemeral messaging platforms into the company’s information governance program.
Assessing the company’s use of ephemeral messaging platforms both domestically and abroad
Assessing the compliance functionality of the ephemeral messing technology implemented
What types of data are stored?
What are the preservation limitations?
Does it have a legal hold functionality?
Adopting written policies that clearly define:
The company’s rationale for ephemeral messaging tools
Acceptable use of ephemeral messaging tools
Individual use versus enterprise use of ephemeral messaging tools
Records retention guidelines
Bring Your Own Device guidelines that address ephemeral messaging tools for personal or corporate use on personal devices
Training and awareness campaigns of the ephemeral messaging policies and SOPs that are clearly understood by employees
Continuous monitoring to ensure employees are complying with ephemeral messaging policies
Conducting periodic audits of devices.
You know the regulators are paying attention. Before they knock on the door, shouldn’t you?
PS: this post will (not) be automatically erased.