Employees are using communication modes other than company e-mail to communicate for business—including texts and ephemeral messaging apps like WhatsApp or Telegram—which creates challenges for companies investigating potential wrongdoing within their ranks and for government investigators conducting parallel or follow-on inquiries.
When business communications occur on platforms that companies do not control, there can sometimes be no way for the company or the government to access the information necessary to understand and remediate compliance failures.
And when important pieces of the factual puzzle are missing, investigators may infer that the unavailable messages contained evidence of wrongdoing. Instead of producing key, potentially exculpatory information, the company risks losing out on cooperation credit with the government or incurring discovery sanctions for spoliation.
This problem is particularly acute when employees use ephemeral messaging apps that dispose of messages within a short time. As such apps have risen in popularity, particularly overseas, companies are grappling with how to handle their use in the workplace, and with little guidance from government agencies or courts on when such use is appropriate.
Most recently, companies were left to unravel the DOJ’s March update to its FCPA Corporate Enforcement Policy, which provided that companies can allow the use of “personal communications and ephemeral messaging platforms” and still receive full credit for remediation if “appropriate guidance and controls” are implemented. What’s “appropriate” here is anyone’s guess.
Companies are thus left to navigate a complex landscape that includes varying technological offerings, the use of a mixture of personal and business-owned devices, international cultural norms and regulatory regimes, and the inherent practical difficulties in accessing business messages on platforms not controlled by the company.
Below are some thoughts on best practices.
Choose Your App(s) Wisely
Companies should first decide which messaging app(s) are company-approved (if any) and which are not. For definitional clarity, although many platforms are lumped together as “ephemeral” messaging apps, only some—such as Snapchat, Telegram, Viber, Wickr, and Signal—include a “true” ephemerality feature that deletes a message after a set period of time.
Some of these, as well as apps like WhatsApp and WeChat, encrypt users’ messages and store them entirely on the phone (versus in the cloud) once opened by the receiving user—rendering the message unrecoverable if the user, for example, uninstalls the app or switches phones without backing up their data, or if the company is not permitted access to the device.
Not all messaging platforms are equally compliance-friendly. For example, Slack and Microsoft Teams present the fewest compliance-related headaches by providing their own compliance and e-discovery tools to archive and search messages, and because they store messages on the platforms’ servers, neither is truly “ephemeral.”
From a compliance perspective, they are sensible options for most companies seeking to use non-email communications for business.
Companies could stop here, formally adopting Slack or Teams along with a zero-tolerance policy towards ephemeral messaging apps. But companies that wish to permit use of an ephemeral messaging app—based on a need for additional information security, or in recognition that employees will be using such apps anyway, to say nothing of ubiquitous use of SMS text messaging in business—should explore whether the app is compatible with workarounds for message retention.
For example, Wickr promotes an enterprise-level product that allows company administrators to set the amount of time before a message is deleted from an employee’s device, while also being compatible with third-party archiving tools that upload employees’ messages to a company database. Third parties advertise similar tools for WhatsApp, WeChat, and Telegram.
Of those platforms, WhatsApp and Wickr use arguably the most stringent encryption protocols for companies that most prize information security—for example, those operating in foreign jurisdictions with potentially compromised networks.
Implement Appropriate Policies and Training
Any company allowing the use of non-email communication methods should provide clear guidance as to what apps are appropriate to use and when. For example, the policy could state that all “business communications” must be transmitted via email or an approved messaging platform that is equipped for message retention.
Meanwhile, only “non-business communications”—such as administrative or personal messages—may be shared through channels like non-company-approved messaging platforms, texts, or voicemail.
The policy should require employees who receive a business communication through an inappropriate channel to take steps to ensure that it’s properly retained, such as copying it to email. The company must also ensure that these policies are actually enforced, through formal and recurring training and periodic audits, and should discipline employees for noncompliance.
Companies that permit sending business communications through an ephemeral messaging platform without any archiving should be prepared to articulate to the government a legitimate need for doing so.
Companies should also take steps to obtain prior consent from employees to access business-related messages on their devices under appropriate circumstances and should make the retention settings for such platforms consistent with existing company document retention policies, including for litigation holds.
BYOD: A Digital Minefield
Companies that adopt a “bring your own device,” or BYOD, approach to employee devices are at a heightened risk for compliance failures involving non-e-mail business communications.
Even if a company reasonably knows that an employee has sent business communications through an unapproved app on a personal device, due to the employee’s reasonable expectation of privacy as to data resident on personal phones, the company cannot expect to retrieve such data without overcoming additional barriers.
And if the company is asking the employee to surrender the phone in response to a government inquiry, the employee may have legitimate concerns about infringement of his or her Fourth and Fifth Amendment rights. Ideally, the company will pay for and provide the employees’ phones or at least pay the costs of their data to minimize employees’ expectation of privacy as to business communications sent from their phone.
While apps and other technologies come and go, there is no immediate indication that ephemeral messaging apps will soon decline in popularity—indeed, signs point to the opposite. While courts, regulators, and law enforcement have yet to provide clear guidelines regarding their use, well-defined and implemented corporate policies governing their use in the workplace are essential to managing risk in today’s climate.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Jessica K. Nall leads Farella Braun + Martel’s White Collar Defense and Corporate Investigations practice group. She has extensive experience in conducting internal corporate investigations for entities public and private, large and small, in the technology, financial services, energy, and health care industries.
Joshua W. Malone is an associate at Farella Braun + Martel and has represented both large companies and individuals in both criminal and civil matters, from the initiation of cases through trial. His clients have spanned a wide range of organizations, in industries ranging from financial services to pharmaceuticals, with a particular focus on technology companies.