Add to the fallout from the Mueller report: questions among lawyers about whether clients should use disappearing or encrypted data, or make it accessible, maybe forever.
Special Counsel Robert Mueller III noted that subjects of the probe, including some tied to President Donald Trump’s campaign, communicated through apps that encrypt data or don’t store it long term, limiting his ability to investigate.
He hit on a quandary for attorneys working with companies: how to meet requirements for secure, encrypted data while facing demands from prosecutors and litigation opponents that this information be accessible.
When communications important to an investigation can’t be read, or have vanished, “it becomes an obstacle—in some cases a significant obstacle—to the search for facts, and for the truth,” said Ed McAndrew, a DLA Piper partner who handles cybersecurity and data protection cases.
To prosecutors—and also to regulators and opposing civil litigants—ephemeral and encrypted data “just makes it harder to prove who communicated with whom,” when, and what they said, said McAndrew, a former federal cybercrime prosecutor.
At the same time, regulatory compliance often necessitates that companies encrypt sensitive communications, said McAndrew.
Organizations are increasingly being caught in cross currents between regulatory compliance, he said, and the threat of investigators demanding that communications be preserved “until the end of time.”
Most of the time, corporations “certainly” are allowed to use ephemeral communications like instant messaging apps, and encryption tools, said Andrea D’Ambra, head of Norton Rose Fulbright’s e-discovery and information governance practice.
But they cannot use these types of apps when they can “reasonably anticipate” litigation or investigation, she said.
In those instances, D’Ambra said corporations have some choices. They can tell employees to stop using such apps, at least while discussing the matter in question. They can also start “logging it” through tools that track what was said on these apps.
Ephemeral and encrypted chats aren’t just issues for clients. E-discovery attorneys at law firms also are obliged to de-encrypt hidden chats when clients present them during the discovery process by finding encryption keys, said D’Ambra.
Popular apps like Snapchat and Wickr use messages that disappear. Facebook recently signaled it would be focusing more on ephemeral messaging.
As these apps grow more popular, enforcers are catching up, including the Justice Department.
Up until last month, the DOJ demanded that to get cooperation credit in Foreign Corrupt Practices Act cases, companies must prohibit employees from using apps that don’t properly retain messages. But the DOJ has loosened its rules, instead ordering that cooperators use “appropriate guidance and controls” regarding ephemeral messaging platforms.
Law research groups also have become intrigued by the notion of disappearing data, and how firms should be handling it.
A panel of The Sedona Conference, a think tank that deals with major issues in the legal system, is attempting to develop best practices on ephemeral data issues in cross-border legal actions and investigations. The group is looking at how “capture and preservation of ephemeral data to meet legal obligations presents unique challenges.”