Proceed With Caution: Understanding 2023 DOJ Guidance on Ephemeral Messaging
- 4 Mins
The corporate world has once again been forced to adapt as communication trends change. When ephemeral messaging first gained popularity, it was merely a fun way to send disappearing pictures or messages to friends over apps like Snapchat. Using tools with these capabilities for business communications was unthinkable. Views have shifted as more deploy platforms such as WeChat or WhatsApp for business. This has forced organisations to ponder embracing this new technology, reconsider policies, and explore potential workplace benefits. It is crucial to follow emerging guidance in this area to stay compliant.
Prior Guidance – Sedona
Ephemeral messaging is still a developing topic when it comes to business functions. The Sedona Conference weighed in on the benefits in a 2021 commentary to help regulators, the courts, and organisations navigate ephemeral messaging in business. The conclusion was that it is an acceptable tool but requires caution. For example, it could help with privacy initiatives by safeguarding sensitive data and communications or be useful in a limited fashion with retention management and data minimisation.
However, organisations must understand that these tools can bring more risk to the table and therefore should not be used for everyday communications or be central to goal achievement. Using these platforms introduces more risk to govern, such as the failure to preserve information relevant to litigation or an investigation. Information governance updates will also be necessary to notify employees of what data is allowed to be transmitted over these apps.
Several agencies have also expressed that the ability to facilitate criminal activity like fraud or hide relevant information to a case is a serious concern. For years, email has been the preferred method in business. With the rise in chat adoption, the scale of chat usage is now higher than email in most instances. This generally refers to apps like Teams, but some are adding ephemeral messaging platforms to the list of approved communication channels. In this setting, the reduced formality heightens the concern of fraudulent or malicious actions occurring in the workplace.
As such, organisations using ephemeral messaging need to be conscious of how the apps are programmed to delete, what data gets stored, and the types of communications that employees are engaging in on various platforms.
Prior Guidance – The Courts
Ephemeral messaging has started to come up in the courts which will help best practices develop further. For example, judges have concluded that once litigation is on the horizon parties should cease communication over ephemeral messaging platforms. This hinges on when the duty to preserve arises, even if that duty is triggered well before filing suit. In Fast v. GoDaddy.com LLC, No. CV-20-01448-PHX-DGC (D. Ariz. Feb. 3, 2022), the court deemed gathering of information and retaining counsel for severance negotiations two years prior to filing suit still triggered the duty to preserve and avoid communications over ephemeral messaging applications.
Organisations should continue to monitor court decisions and utilize these tools in a limited capacity. What is acceptable will look different for everyone and require strategic deployment and clear communications to the entire enterprise about if, when, and how this technology is acceptable in the workplace. The U.S. Department of Justice (DOJ) offered some insight earlier this year that could jumpstart more dialogue on the benefits, risks, and best practices related to ephemeral messaging.
Recent DOJ Guidance
The DOJ initially supported a prohibition on ephemeral messaging. Since 2019, the agency has taken a lighter stance indicating that organisations should place appropriate guidance and controls on personal devices and ephemeral messaging in the workplace. All efforts taken to preserve data would be instructive, even when ephemeral messaging platforms were involved. Over the past four years, the DOJ had not provided firm guidance on what this means, which has left organisations unsure of how to remain compliant.
In March, the DOJ finally released long-awaited parameters on how it would evaluate corporate compliance. Key areas highlighted were ephemeral messaging, personal devices, and communication platforms in the workplace.
Here are important takeaways from the updates to the DOJ Criminal Division’s Evaluation of Corporate Compliance Programmes.
- The DOJ outwardly recognised that it needs to adapt to modern communication preferences and understands that all types of platforms can help organisations grow and communicate more effectively. This includes the use of ephemeral messaging platforms.
- While there are proscribed factors to steer evaluation, the review should be unique to each organisation. This provides flexibility to consider business needs, risk appetite, and prior mitigation efforts.
- Prosecutors now have three categories to use for identifying, reporting, investigating, and remediating misconduct and noncompliance with the law. This includes reviewing an organisation’s electronic communication channels, policy environment, and risk management.
- When evaluating the use of electronic communication channels, examples of what the DOJ will consider include the types of platforms used, what they are used for, limitation imposed on messaging applications and personal devices, efforts deployed to preserve information over each channel, and deletion settings.
- When evaluating the policy environment, examples of what the DOJ will consider include preservation policies, security controls, monitoring efforts, personal device policies, messaging application policies, and governing laws applicable to the conduct at issue.
- When evaluating risk management, examples of what the DOJ will consider include an organisation’s disciplinary procedures for employee non-compliance, past instances of handing employee non-compliance, and how policies interact with the particular organisation’s risk appetite.
While the new DOJ guidance provides flexibility for organisations to use ephemeral messaging platforms if they deem it beneficial, it is crucial to keep in mind that communication over such channels may still be subject to disclosure in the event of an investigation. Now that a few months have passed, organisations should be familiar with these updates and continue to assess controls to data retention and preservation.
Based on the guidance to date, what can be done to limit potential fallout? Organisations must think strategically about which communication channels are necessary to conduct business. If ephemeral messaging or personal device usage are on the table, determine which limitations to set in order to alleviate preservation concerns. Have policies in place that are updated as needs change, monitor employee compliance, provide regular trainings, and follow through with consequences in the event of noncompliant behaviour. Explore partnerships with providers that can help create robust compliance programs and deploy data-driven assessments to ensure everything is operating as desired. Above all, continue to monitor guidance and enforcement trends from the DOJ, courts, and other agencies as this area of law continues to develop.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.