Federal Authorities Continue to Focus on Preserving Collaboration Tools and Ephemeral Messages
Federal authorities have once again emphasized the importance of preserving chats, data from collaboration tools, and so-called “ephemeral” messages relevant to investigations or litigation. On January 26, the Federal Trade Commission and the Antitrust Division of the Department of Justice announced that they are updating language in their standard preservation letters, subpoenas, and second requests to explicitly clarify that a party’s legal responsibility to preserve evidence “applies to new methods of collaboration and information sharing tools, even including tools that allow for messages to disappear via ephemeral messaging capabilities.”
“The Antitrust Division and the Federal Trade Commission expect that opposing counsel will preserve and produce any and all responsive documents, including data from ephemeral messaging applications designed to hide evidence. Failure to produce such documents may result in obstruction of justice charges,” said Manish Kumar, Deputy Assistant Attorney General of the Justice Department’s Antitrust Division.
This recent announcement is the latest in a series of agency statements that the obligation to preserve and produce evidence extends beyond traditional emails and electronic documents. Agencies — and increasingly, courts — have explained that the duty to preserve, once triggered, extends to all communications, including those on non-traditional messaging platforms like Slack, Microsoft Teams, Google Chat, Zoom, Snapchat, Signal, Telegram, WhatsApp, WeChat, Clubhouse, Wickr, etc.
This agency interest is not new. As early as 2017, the Department of Justice required cooperating parties to maintain controls over employees’ ephemeral messaging to receive cooperation credit. The DOJ Criminal Division’s current policy on Evaluating Corporate Compliance Programs instructs prosecutors to consider whether a corporation has effective policies and procedures governing the use of personal devices and messaging applications, ensuring that data is accessible and preservable to the company. In 2023, Assistant Attorney General Kenneth Polite explained that the department expects production of chat and ephemeral messaging data and will not take its absence “at face value.” A company’s ability to account for chat and personal device data “may very well affect the offer it receives to resolve criminal liability.”
The Securities and Exchange Commission has also increased its scrutiny. In an October 2021 speech, the SEC’s Division of Enforcement Director Gurbir Grewal advised companies: “You need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps.” In later remarks at SEC Speaks 2021, Director Grewal again focused on ephemeral messaging, stating that the SEC would consider “all of [its] options when” violation of record-keeping obligations and obfuscation of evidence “occurs prior to or during [its] investigations.” Indeed, the SEC and Commodity Futures Trading Commission have fined corporations over US$2 billion for failure to preserve so-called “off-channel communications.”
New Technologies
These agencies recognize the reality of how business is conducted today. Important communications are increasingly sent via modern messaging and collaboration tools rather than email. Due to generational shifts, technological innovation, and remote work, today’s business communications often occur outside the traditional Office 365 environment. Accordingly, authorities expect these important communications to be preserved and produced when relevant to an investigation or legal claim.
The DOJ and SEC have been particularly focused on “ephemeral” messaging applications, reflecting their concern that these applications are used to hide evidence. Ephemeral messaging platforms provide secure written communications that are dynamic and short-lived. Typically, these messaging platforms automatically delete or dispose of messages on both the sender’s and recipient’s devices after a short time. For example, the messaging platform Signal does not store any data. Texts sent via Signal exist on Signal’s servers only while in transit and they are end-to-end encrypted. The only way to access Signal messages on any device is for individual users to enable chat backups.
The use of Signal and other ephemeral platforms presents a challenge for a company obligated to “take reasonable steps” to preserve evidence once legal proceedings are anticipated. The good news is that some of these platforms have settings allowing them to be “semi-ephemeral,” providing the ability to backup chats and suspend autodelete functions. Once a duty to preserve is triggered, time is of the essence in locating any relevant ephemeral messaging applications in use, suspending deletions, and enabling backups. Courts are increasingly likely to find that failure to turn off an auto-delete function is sufficient to establish that preservation efforts were not reasonable.1
How Can Companies Respond?
Because communications via chat may contain potentially discoverable information, agencies are requiring companies to evaluate this data in the same way they analyze email and other documents in the context of preservation — and preferably long before any litigation. The agencies have not announced a new preservation obligation, but rather clarified an already existing duty to preserve potentially discoverable information, which simply exists in a different — albeit more challenging — form. If company counsel determines that chats (including ephemeral messaging) or collaboration tool data contain potentially discoverable information, the agencies expect that data to be preserved when faced with a government investigation or litigation.
To the extent they have not already done so, companies should consider taking the following practical steps in line with the recent agency announcement:
- Evaluate whether, and how, the business uses chat (including ephemeral) and collaboration tool data.
Companies should consider analyzing, and periodically re-evaluating, how company employees communicate in their day-to-day work, with a particular focus on the chat and collaboration data platforms they use. Counsel would be well-advised to work with in-house IT resources to thoroughly catalog and understand all chat platforms and any other sources, along with the volume of such data.
During their evaluation, company counsel may learn that some employees circumvented formal IT processes and procedures to install or use unapproved chat platforms. The authorities are looking for companies to review and revise their IT policies and procedures to specifically address permitted chat and other platforms, educate employees on proper use of permitted platforms, and periodically evaluate or audit compliance. Companies may also consider disciplinary actions for use of unauthorized platforms to steer employees away from unauthorized usage. And companies may want to proactively evaluate their BYOD policies considering the unique problems of potentially discoverable ephemeral and other data on personal devices. Finally, if necessary, IT may need to remove unpermitted chat and collaboration platforms from company-owned computer resources.
- Review licenses of platforms.
Companies should consider reviewing the licenses they have with providers of chat and collaboration tools used in the business to ensure they can be preserved. If data cannot be preserved, then licenses can be renegotiated to provide for a preservation feature if one exists before litigation or a government investigation commences. If ephemeral data cannot be preserved, then a company should consider restricting the use of the chat platform in the face of threatened litigation or government investigation.
- Update legal holds and related preservation procedures.
Given the ubiquity of chat usage for everyday company activities, companies should consider updating their litigation holds to specifically address chat, collaboration, and ephemeral messaging platforms. As with email and all other potentially discoverable data, company counsel should ensure that in-house IT personnel are well-versed in changing preservation settings on all chat platforms such that the company can disable auto-delete functions and enable backup functions when a legal hold issues. Further, it is prudent to ensure that the processes and procedures for preserving chat, collaboration, and ephemeral data are well-documented along with the company’s existing preservation procedures.
- Consider changing custodian questionnaires and interviews.
Companies should also consider including questions in their custodian questionnaires and interviews about the usage of chat, collaboration, and ephemeral message platforms on both company-owned and personal devices to ensure they affirmatively inquire about such potentially discoverable data. This would present an opportunity for custodians to identify any previously unknown sources of potentially discoverable data and may give counsel a final opportunity to address such a data source.
- Pay particular attention to the issues surrounding employees’ use of personal cell phones for work.
It is common for employees to use their personal cell phones and other electronic devices for work. Both companies and employees enjoy the flexibility and freedom that BYOD permits, but the use of personal devices for work has blurred the line between business and personal communication. The informality of communicating by personal device, especially via chat (ephemeral or otherwise), creates the impression that data from personal devices is not discoverable. But if potentially relevant, this data is indeed discoverable, and the agencies expect that a company will produce the relevant mobile data to government agencies. Further, if a company does not produce that data (because, for example, it does not have control of the device), then the agency could issue a civil investigative demand directly to the employee to obtain the device data. It is thus advisable for companies to structure their BYOD policies to ensure that business communications on personal devices are subject to the same retention rules as those on company-owned devices, inclusive of chat. They may also wish to take steps to educate employees on how BYOD policies work and why they are so crucial.
Information Governance Considerations
Considering the ever-increasing amount of data companies are creating, companies should be thoughtful in their information governance policies to ensure the retention of information necessary for the business or required by law, while also permitting disposal of unnecessary data. The recent announcement does not mean that a company must always preserve all chat, collaboration, and ephemeral data across its organization. Communications via ephemeral message are attractive to businesses for well-founded reasons, including increasing efficiencies and minimizing data, thus reducing breach exposure, addressing privacy concerns, and decreasing data available for retention and the associated burdens. Still, government agencies are aware that, more frequently than ever, potentially discoverable business information exists in ephemeral and other modern forms. Information governance policies that balance these competing interests should satisfy the authorities.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.