Sedona Commentary Provides Ephemeral Messaging Usage Guidelines
In January, the Sedona Conference published commentary on ephemeral messaging and is open to public input until March 28, 2021. Ephemeral messaging is a dynamic technology that allows people to send secure, end-to-end encrypted messages that auto-delete after a brief period. With the rise of ephemeral messaging applications (like WhatsApp or Clubhouse), it is important for organizations to ponder the benefits and risks in order to update employee communication policies accordingly.
Benefits and Risks
Sedona emphasized the advantages of using this technology for business functions. For example, it diminishes privacy concerns by safeguarding sensitive data and communications. It is also good for information governance, as unnecessary data can be deleted instead of retained and becoming stale or dark. Data minimization and deletion also helps with compliance under privacy laws like the General Data Protection Regulation (GDPR) and lessens the risk of exposure from data breaches.
While this technology provides several advantages, ephemeral messaging can present obstacles. Some challenges include failing to preserve data for eDiscovery, running afoul of regulatory requirements, and requiring information governance updates to notify employees of what data is allowed to be transmitted over these apps. As such, organizations using ephemeral messaging need to be conscious of how the apps are programmed to delete, what data gets stored, and the types of communications that employees are engaging in on various platforms.
Here are the five guidelines Sedona created to help organizations and their counsel make strategic decisions about using ephemeral messaging applications, along with some key takeaways from each:
Regulators and courts should recognize that ephemeral messaging may advance key business objectives. The thinking that people only use ephemeral messaging to conceal information and ensure deletion is outdated. These applications can significantly help organizations reach information governance goals like reducing unnecessary data and promoting privacy by design. Many of these applications allow users to choose a timeframe for message deletion and offer added user control. To meet data retention and deletion goals, organizations can create a detailed policy on what types of communication should be conducted with ephemeral messaging, what to delete, and what to preserve.
Organizations should take affirmative steps to manage ephemeral messaging risks. Due to the volatile nature of ephemeral messaging and potential for misuse, organizations need to proactively prepare for risks and monitor employee use of these applications. Probably the most important takeaway from this guideline is the importance of carefully choosing the type of ephemeral messaging that best aligns with business goals and will ensure protection over data that needs to be preserved. This could include choosing an application where users cannot alter the settings or placing prohibitions on ephemeral messaging usage where necessary.
Organizations should make informed choices and develop comprehensive use policies for ephemeral messaging applications. Informed decisions about this technology is crucial. Certain factors like risk appetite, global presence, and data types managed by an organization are all components of a successful decision regarding ephemeral messaging. The process should have stakeholders make the final decisions about appropriate messaging features, but also tap into other departments for input. Policies are how organizations can control, monitor, and enforce ephemeral messaging usage. These will not be one-size-fits all. One important point Sedona made is what steps to take after creating policies to ensure employees are using these applications correctly. This could include employee education, training, auditing, and data mapping exercises.
Regulators, courts, and organizations should consider practical approaches, including comity and interest balancing, to resolve cross-jurisdictional conflicts over ephemeral messaging. Dealing with cross-border legal conflicts is always tricky, and ephemeral messaging just adds another layer. One helpful tip from the guidelines can be applied to organizations with a global presence. To limit fallout, it may be best to approach ephemeral messaging usage differently, whether by placing more limitations or outright banning usage, when dealing with certain company divisions located in areas with stricter preservation obligations. This could also include only investing in ephemeral messaging applications that allow programming where data is saved instead of deleted, in certain situations.
Reasonableness and proportionality should govern discovery obligations relating to ephemeral messaging data in U.S. litigation. Following directive can really help guide eDiscovery disputes surrounding the failure to preserve data transmitted through ephemeral messaging. In the context of preservation, only good faith is required as opposed to perfection. Courts and regulators will need to avoid automatically labeling ephemeral messaging as a shady communication mechanism and recognize the ways organizations use these applications for business objectives like security and data minimization. Viewing ephemeral messaging like a telephone call, where there will generally not be a transcript of the conversation, could be a better option. However, organizations need to be ready for hesitancy by courts and regulators until this technology becomes more widely accepted.
The main point that the Sedona Conference is trying to advance is that ephemeral messaging should be an acceptable practice, but organizations need to be extra cautious in their implementation of this technology. This type of communication should not be as commonplace as sending an email or joining a Teams call. Instead, organizations should limit the role of ephemeral messaging to help achieve information governance, privacy, and compliance goals. Also, expect some pushback from courts and regulators until the benefits of this technology is more understood and accepted in the legal industry. Interested parties should watch for the final version of the Sedona Commentary after public comment ends in March to see if there are any major revisions to these guidelines.
For more information on how to handle new and emerging technologies, please download our whitepaper Five Ways to Overcome eDiscovery Challenges in a Chat-Happy World.