Here Today, Gone Today: Managing Third-Party Messaging Apps in a New Regulatory Environment

When the Federal Rules of Civil Procedure were amended in December of 2006 to include “electronically-stored information” as an information category subject to discovery, even the most visionary eDiscovery practitioners could not have anticipated what this would mean in the years to come.

Although the tech-savvy among them may have anticipated the future challenge of increasing data volumes, who could have foreseen the impact of the Cloud and the exponential growth of data types and communication applications? No one in 2006 could have anticipated the explosion of third-party messaging apps (think WhatsApp, Signal, Snapchat, Telegram, WeChat, etc.) proliferated by a worldwide pandemic. Some of these applications allow users to send encrypted messages or ephemeral messages (messages that disappear after sending) and usually exist outside of native Apple or Android apps. Therefore, they raise uniquely challenging data governance and eDiscovery issues.

Unfortunately, for a variety of reasons, organizations have had trouble implementing compliance policies that directly address those downstream eDiscovery and data governance implications. Mobile device policies tend to focus heavily on security considerations, with little attention given to how corporate communications can be preserved, collected, and/or produced should the need arise.

Information use policies that require employees to use certain systems for work-related communications and collaboration do not always account for the realities of the business. Additional complexities include the proliferation of chat applications in the market, practical challenges collecting mobile device data (including forensic imaging in some cases), the co-mingling of personal and work data, and privacy implications.

But while organizations have struggled to implement policies that address the full breadth of these challenges, eDiscovery obligations remain constant. Given the rise in the use of third-party applications for work communications (in some cases to potentially evade recordkeeping policies for more traditional tools like email), government agencies and regulators have increased scrutiny of how these systems are being used and managed. In doing so, they increasingly consider company policies that manage records and whether adequate controls are in place to ensure compliance.

Both in-house and outside counsel have a responsibility to their clients to stay abreast of this increased scrutiny in order to advise them. In light of this responsibility, we are providing an overview of recent regulatory changes, as well as best practices for companies to survive within this new regulatory era.

Focus on messaging apps by government agencies and regulators

Until very recently, government agencies and regulators investigating companies have focused their attention on communications contained in traditional ”workplace” messaging applications, i.e., systems designed purely for business purposes. Regulated entities have recordkeeping requirements that mandate the retention of specific categories of records for a designated period of time, including communications, with penalties for record-keeping violations. Financial institutions have paid billions in SEC and Commodity Future Trading Commission penalties to settle related allegations. Private equity firms have been in the crosshairs as well.

In an ironic twist, the SEC itself has been under scrutiny for similar behavior as members of the House Financial Services Committee and other House panels question whether the agency has suffered similar recordkeeping lapses, illustrating how widespread these apps are and how difficult it is to curtail their use.    

The 2022 Monaco Memo and subsequent sanctions

Amidst this backdrop, the Department of Justice ("DOJ") stepped up significantly with new directives and corporate compliance guidelines for personal mobile devices and third-party chat applications. In September 2022, Deputy Attorney General Lisa Monaco issued a memo to the DOJ Criminal Division to provide "best corporate practices regarding use of personal devices and third-party messaging platforms" in what has become known as the "Monaco Memo." Monaco stated, "[t]he ubiquity of personal smartphones, tablets, laptops, and other devices poses significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation. The rise in use of third-party messaging platforms, including the use of ephemeral and encrypted messaging applications, poses a similar challenge."

2023 DOJ best practice guidelines and DOJ sanctions  

In February of 2023, the DOJ filed a memorandum in support of sanctions against a large technology company for alleged "intentional and repeated destruction of company chat logs" that the U.S. government sought to use in an antitrust case against the company. The DOJ filing indicated that the company set chats to delete after 24 hours. The Federal Rules of Civil Procedure required the company to suspend its standard retention upon notice of the government's legal action in 2019, which it did not do until it received notice of the 2023 motion for sanctions.

In March of 2023, after those sanctions, the DOJ updated its Evaluation of Corporate Compliance Programs ("ECCP") to emphasize the importance of preserving business communications on personal devices, various communications platforms, and messaging applications, including those offering ephemeral messaging. In subsequent remarks announcing the 2023 ECCP best-practice guidelines, Assistant Attorney General Kenneth A. Polite, Jr. pointedly noted that when companies fail to produce communications for DOJ investigations, "a company's answers—or lack of answers—may very well affect the offer it receives to resolve criminal liability. So when crisis hits, let this be top of mind."

The 2023 DOJ guidelines state that prosecutors will consider three factors when evaluating the adequacy of corporate policies governing the use of personal devices, communication platforms, and messaging applications:

1.    Existing communication channels
2.   Policies governing the existing communication channels
3.   Whether the corporation is adequately communicating and consistently enforcing the policies

These new DOJ guidelines significantly expand the scope of an organization's duty to preserve corporate communications. They create a new preservation duty targeted at business-wide compliance operations. Where internal legal departments may have struggled in the past to implement culture-changing mobile device policies, compliance teams may succeed in garnering the requisite executive buy-in.

A path forward for organizations

As law enforcement agencies and regulators continue to take a more rigorous stance towards messaging applications, companies will need to explore more expansive policies to comply with various obligations to retain and preserve data. But it’s a sticky problem for both sides to address, given the different capabilities of each system, incompatibility of certain tools with regulatory recordkeeping requirements, and the hard realities of today’s workplace.

For some organizations, the risks of using certain third-party applications (including the inability of the organization to comply with certain regulatory requirements) simply does not outweigh the benefit to the business, and in these circumstances, companies might choose to not permit them. There may be legitimate business reasons for employees to use these apps—they are readily available, convenient, and provide certain security and data reduction benefits. However, organizations will need to weigh whether those benefits are worth the risk of possibly losing relevant data or enabling potentially nefarious behavior.

Policies, procedures, and information governance—again  

“Guidance” and “controls” are the operative words here. For most businesses—and certainly for those in regulated industries or frequently subject to litigation—information governance and compliance functions only increase in importance as the datasphere continues to become more complex.

Guidance: To reduce exposure and risk, businesses first need to consider the requirements they are subject to and clearly define their stance on the use of ephemeral data apps. It helps to have in place a solid information governance framework, with applicable written policies and procedures that reflect that stance.  

As with all data-related responsibilities, employees should be provided explicit guidance regarding personal devices and messaging tools during onboarding with continual reinforcement during routine training on policies and procedures that should be a part of any robust compliance program. Evidence of rigor in communicating to employees the appropriate use of these messaging platforms vis à vis data retention obligations can only be a benefit in case of an investigation or litigation.

Controls: In addition, appropriate controls should be in place to monitor compliance and ensure required preservation, with effective means to handle non-compliance. If personal devices are approved for use, they should be subject to mobile device management (MDM), as well as policies and procedures that address their use to help ensure data safety and security.

Realistically, whether or not a company allows the use of third-party apps doesn’t mean employees are sticking with the plan. It is the responsibility of the business to know what their employees are doing. Periodic testing and auditing of messaging applications is well-advised, and any employee misconduct in violation of company policies related to ephemeral messaging should be addressed and documented. Voluntarily self-disclosed misconduct can go a long way in mitigating potential damage and fines.

Due consideration should also be given to whether there is the necessary IT infrastructure, resources, and budget to undertake surveillance of employee behavior and to respond to regulatory or legal requests for information, including proper implementation of a legal hold. If ephemeral messaging is allowed, can it be disabled in the event of potential litigation so that potentially relevant material is preserved? If not, there could be a problem.

Conclusion

The datasphere is only going to become increasingly complex as more data-creation (and deletion) tools emerge. With regulatory recordkeeping and data retention mandates likely to remain in place, government agencies will continue to scrutinize third-party messaging applications.

A robust information governance approach, as usual, is key. Companies with a defensible and effective electronic records retention policy that covers the legitimate use of messaging apps—with employees that are trained in related policies and procedures and how best to use them—will have the best chance of avoiding trouble and/or defending themselves against potential wrongdoing.