Bloomberg Law
Oct. 14, 2022, 9:00 AM

Smartphone Policing at Work Poses Risks, Fallout if Done Wrong

Kaustuv Basu

Unauthorized messaging by employees is a growing headache for public companies who face legal and regulatory risks if communications fall outside official channels.

Companies are struggling to stay abreast of messaging among employees equipped with pocket-sized personal computers in their smartphones. Besides having to contend with encrypted apps such as WhatsApp, they face challenges around establishing clear policies and educating their employees about potential risks.

A Department of Justice crackdown on corporate control over employees’ smartphone messages, an SEC probe into use of outside messaging by asset managers and recent settlements totaling $1.8 billion affecting 11 Wall Street banks all point to a heightened regulatory focus on unsupervised employee use of messaging apps.

“We’ve seen it with banks, but every single company has this issue,” said Ian McGinley, a former assistant U.S. attorney in the Southern District of New York. “The SEC and regulators will be looking at other industries and questioning their practices.”

It likely won’t be enough to just have policies and procedures, McGinley, now with Akin Gump, said. “We’re heading towards a regime where you need a technological solution or at least have tried one.”

Burner Phones

Policies on employee communications vary. Some companies ask employees to conduct work on official devices, while others allow personal device use but specify which apps are permissible.

Unauthorized messaging could mean that companies lose control of their data, Ryan Rohlfsen, a former DOJ prosecutor who co-chairs the global anti-corruption and international risk practice at Ropes & Gray, said.

“It’s the old-school equivalent of employees taking paper files and taking them home, and never bringing them back to the office,” Rohlfsen said.

Companies can suffer litigation setbacks if they’re unable to fully satisfy discovery demands for internal communications. A defense against certain allegations might suffer if a corporate defendant can’t access relevant messages.

“You can’t disprove them or you can’t muster a defense so to speak,” Rohlfsen said. “If there was wrongdoing it is difficult to discern who was involved, the extent of it.”

Companies sometimes focus too much on individual policy violations, rather than weighing whether they need to adjust their policies and procedures, according to Veronica Martinez, a law professor at Duke University who specializes in professional and organizational ethics.

“How do we deter them from not engaging in this conduct again, that is the broader question,” Martinez said. “A lot of times when there is a compliance failure, folks narrow in on the very specific thing in front of them instead of thinking more broadly about what the more systemic issue might be.”

Company culture is an important factor, said Rodgin Cohen, a senior chair at Sullivan & Cromwell.

It “consists of trying to instill in you that the rules are the rules. And acting swiftly and decisively when there are violations,” Cohen said.

Still, there are limitations. “There are so many ways to communicate, you can’t watch them all,” Cohen said. “If two people want to break or violate a company’s mandate, each can get a burner phone and call each other on the burner phone.”

The SEC has queried money managers for information on who oversees electronic communication retention as part of their ongoing probe.

Evolving Tech

Encrypted messaging that puts communications out of reach is a tough challenge for companies more accustomed to monitoring more traditional messaging, such as unencrypted email.

“When you think about some of the more popular messaging apps like WhatsApp or Signal, they are by design meant to be encrypted, point-to-point communication,” Rohlfsen said.

If a company has no ability to monitor messages as it would, for example, with an employee’s email, it may need to physically inspect phones, Rohlfsen said. And trying to do audits by taking physical custody of a phone could be cumbersome and require more resources.

“It’s very intrusive on people. And you obviously can’t do that to every employee around the world. You have to be targeted,” Rohlfsen said.

Companies that issue phones to employees can specify that employees must hand over devices for review upon request, Rohlfsen said.

The recent SEC fines were not the first time that employers have gotten into trouble for talking about sensitive or confidential information outside a company platform, Martinez said.

“WhatsApp is the newest iteration of what has been going on for years,” she said.

To contact the reporter on this story: Kaustuv Basu in Washington at

To contact the editors responsible for this story: Keith Perine at; Jeff Harrington at