Compliance considerations for ephemeral messaging
Ever since the DOJ updated its Evaluation of Corporate Compliance Programs guidance in March of 2023, ephemeral messaging has become a potent concern for compliance officers, corporate leadership and boards of directors. New sections within the guidance focus squarely on the topic.
It’s no wonder the DOJ is concerned with this issue. The trove of information and potential evidence being deleted can cause serious problems in corporate prosecutions. However, trying to manage ephemeral messaging across corporations can lead to enormous headaches.
What are ephemeral messaging apps?
Ephemeral messaging apps (EMAs), also known as self-destructing messaging, are a type of messaging software that automatically erases conversation history between users. They offer users the ability to send self-destructing messages that automatically disappear from recipients’ conversation histories.
Messages are permanently deleted and can no longer be accessed, read, or otherwise preserved, screenshot, or shared by the sender or the recipient. In some messaging applications, particularly those integrated with social media platforms (such as Facebook Messenger, Instagram, WhatsApp, and WeChat), individual users can opt into functionality that makes their messages automatically disappear after a set period or after the message is read.
These applications are rapidly proliferating and are helping to reshape the landscape of digital communications. Users love them and are flocking to them in droves. By design, both the consumer and business versions of EMAs generally provide (among many other features) end-to-end encryption, screenshot protection and automatic content deletion from all devices.
Challenges for companies
There are some implications for enterprises as they attempt to balance the use of these applications by their staff and the need to appropriately preserve business records to meet applicable regulatory requirements.
Companies would serve themselves and their stakeholders well by making inquiries into how their employees and customers communicate. They can use this information to develop records retention and communications capabilities that take those realities into account to facilitate compliance.
Regulatory responses to EMAs
The SEC, DOJ and other agencies have all made it clear in the past that whatever form business communications take, companies have an obligation to monitor and preserve them.
In 2017, as ephemeral messaging applications grew in popularity, the DOJ revised its Foreign Corrupt Practices Act (“FCPA”) Corporate Enforcement Policy so that companies seeking “full credit for timely and appropriate remediation” would need to “prohibit employees from using software that generates but does not appropriately retain business records or communications.”
The DOJ’s 2019 revisions to its Justice Manual indicated that companies should “implement appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms.”
In March 2023, the Assistant Attorney General issued new guidance regarding DOJ’s Corporate Enforcement Policy, as set forth in Evaluation of Corporate Compliance Programs (ECCP). This guidance outlined how the DOJ will consider a corporation’s approach to the use of personal devices, as well as various communications platforms and messaging applications. It also highlighted the importance of monitoring and managing the use of personal devices, and associated messaging applications, by their staff:
“Under the revised ECCP, we will consider how policies governing these messaging applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate, business-related electronic data and communications can be preserved and accessed. Our prosecutors will also consider how companies communicate the policies to employees, and whether they enforce them on a consistent basis.”
Under this new guidance, employee use of ephemeral messaging for business purposes is not an absolute bar to declination. But the spirit of the policy remains that companies should counsel their employees to avoid use of ephemeral messaging in the business context, and that business discussions should fundamentally occur via traditional platforms that archive communications for compliance purposes in accessible and searchable formats.
Questions for corporate compliance officers
There are several questions that corporate compliance teams should be asking when assessing their current risk posture regarding employee use of these applications — the first of which should be whether any existing policies and procedures address the use of these applications. Companies that have existing Bring Your Own Device (BYOD) and records management policies in place should review those to ensure that the use of EMAs is clearly documented.
Another key question is whether there is any existing corporate IT infrastructure in place to provide similar capabilities, with the appropriate surveillance capabilities that would be required to respond to regulatory or litigation requests for communications.
Corporate applications like Microsoft Teams and Cisco Jabber are examples of technologies that provide the necessary audit trails and ability to monitor the communications traffic. If applications like these are available, does the company communicate both the policy content and the need to leverage the corporate communications infrastructure, rather than those that are generally available to the employees but not authorized by the company?
Best practices for policies and procedures
To best ensure that a company has minimal risk regarding ephemeral communications, the best practice is for a company to have clear guidance and technologies in place that:
- Clearly define acceptable business communications in policies and procedures
- Ensure that the policy and associated procedures are understood by employees
- Provide authorized and supported capabilities that will allow employees to effectively conduct business communications with external parties
- Prohibit employees from using unauthorized EMAs to conduct such communications
- Have IT capabilities in place that ensure all business-related conversations are retained in a secure and retrievable format and for the required timeframe (and then securely deleted when the retention period has elapsed, with a defined process to manage exceptions for legal holds) in the event of a regulatory inquiry or litigation
Corporations with robust compliance programs should have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, provide clear training to employees about such policies, and enforce such policies when violations are identified. These policies and procedures should be put in place now, not when the DOJ is at the door.
Want to regain control of your policies? Visit our Diligent Policy Management page to learn more about simplified policy management.
