The Compliance Risks Facing Companies That Use Chat Apps

By William Semins, Daniel Miller and Hugh McKeegan



Law360 (June 16, 2020, 4:38 PM EDT) --
With the onset of the COVID-19 pandemic, many companies dramatically expanded remote work practices in response to stay-at-home orders.

This rapid shift in operations accelerated adoption of new software solutions, including videoconference tools (such as Zoom, Cisco Webex and Google Meet), enterprise collaboration tools (such as Microsoft Teams, Slack, and Workplace from Facebook), and ephemeral messaging applications (such as Snapchat, WhatsApp, Telegram and Signal).[1]

Further, lessons learned during the pandemic about a company's ability to continue operations remotely will likely lead many businesses to reevaluate their past practices, needs and costs (such as physical office space), with some implementing expanded remote work practices even after the current crisis passes.

This transition to expanded remote working, paired with the ubiquity of "bring your own device" work culture, may, in addition to creating added security risks,[2] also lead to increased liability or scrutiny, especially as this technology (including ephemeral messaging applications) may be used to facilitate unlawful or inappropriate conduct (such as receiving and trading on insider tips,[3] rate rigging,[4] employment discrimination,[5] or spoliation of evidence[6]) and to provide the means to cover it up.[7]

Indeed, while developers tout ephemeral messages as the functional equivalent of off-the-record phone calls, courts and law enforcement often do not share this view. Instead, they often adopt the position that, like email, ephemeral messages are business records that, depending on content, should be subject to retention and preservation requirements.[8]

Thus, it is now more important than ever for companies to implement data retention policies that address ephemeral messaging platforms, their functionalities, their approved uses and their attendant risks.

Overview of Ephemeral Messaging Applications

First popularized in social media applications such as Snapchat and WhatsApp, ephemeral messaging applications (or ephemeral messaging features) are now widely available on a host of platforms, including enterprise software such as Slack or DingTalk. Although each application is slightly different, they all incorporate some type of trigger that automatically deletes messages shortly after viewing and prevents users from editing, copying, forwarding or printing the messages.

Ephemeral messages, in effect, create the digital facsimile of an in-person meeting or a telephone call by deleting or otherwise destroying a message shortly after it has been read or opened by its recipient(s). Many of these applications — in addition to being ephemeral in nature — are end-to-end encrypted. Further, the applications are often peer-to-peer, which eliminates servers in between the sender and recipient that could potentially be used to capture the communication. These layers of security make retrieval or reproduction of such messages nearly impossible.

The Risks of Ephemeral Messaging Applications

Ephemeral messaging applications have a number of legitimate features, among them the promise of enhanced data protection (e.g. encryption) by keeping sensitive communications out of the hands of competitors or hackers. In addition, when used appropriately, ephemeral messaging can offer cost savings.

By automatically disposing of messages that contain personal information and which are no longer needed for business or legal purposes, these tools can assist in achieving compliance with data privacy laws (such as the European Union's General Data Protection Regulation, which favors data minimization with regard to unnecessary personal data). Likewise, eliminating such data can reduce the risks and potential costs associated with data breaches.

That said, in choosing to adopt or allow the use of ephemeral messaging applications, a company should also consider certain risk points, such as the ability to conceal misconduct and, less obviously, the potential for litigation sanctions or loss of cooperation or remediation credit stemming from a failure to retain necessary data appropriately.

In the context of litigation, ephemeral messaging can complicate a company's ability to comply with discovery requests, especially if such messaging applications continue to be used to discuss relevant topics after a litigation hold is issued and the company fails to take steps to limit (or even promotes) such use.

In that situation, discovery sanctions could be imposed under a theory that the company was willfully blind to,[9] or actively engaged in,[10] the destruction of records and evidence by allowing messages to be deleted wholesale in near real time. Indeed, although severe sanctions require finding an intent to deprive another party of the information in the litigation, courts have indicated a willingness to infer such intent based on a party's use of specific messaging tools and retention practices.[11]

Recently, the U.S. District Court for the Northern District of California in WeRide Corp. v. Kun Huang imposed drastic "terminating sanctions" (i.e., the court struck defendants' answers to the complaint and entered a default against them) on defendants for rampant spoliation, which, in addition to a data retention policy that only preserved email for 90 days and the deletion of key email accounts, included its employees' use of DingTalk's ephemeral messaging features after litigation had commenced.[12]

Although the sanctions in WeRide were especially severe due to the egregiousness and willfulness of the defendants' conduct, it is reasonable to expect that lesser sanctions for a company's failure to regulate the use of ephemeral messaging tools adequately may be on the horizon.

Even if sanctions are not imposed, the loss of important data resulting from the use of ephemeral messaging could handicap a company's ability to successfully pursue its claims or defend itself in litigation. For example, although stopping short of issuing sanctions, in 2018 the Northern District of California in Waymo v. Uber ruled that Waymo would be allowed to introduce evidence about Uber's use of ephemeral messaging to explain gaps in Waymo's proof, but that such evidence should not be used to invite improper speculation or detract from the merits of the case.[13]

Use of ephemeral messaging could also create similar issues in the context of investigations of corporate misconduct, including situations where a company is seeking to obtain cooperation or remediation credit by self-disclosing and fully responding to and remediating allegations of misconduct, but where key data has been lost.

Indeed, the 2019 update to the U.S. Department of Justice's Foreign Corrupt Practices Act Corporate Enforcement Policy requires "[d]isclosure on a timely basis of all facts relevant to the wrongdoing at issue" and "[t]imely preservation, collection, and disclosure of relevant documents and information relating to their provenance" to obtain full cooperation credit.[14] Likewise, the 2019 FCPA policy ties a company's ability to receive full remediation credit in part to the adequacy of its policies and procedures related to the use of ephemeral messaging applications.[15]

Specifically, the FCPA policy requires that companies "prohibit[] the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of … ephemeral messaging platforms."[16] Although the 2019 policy seems to have softened the DOJ's prior stance on ephemeral messaging,[17] prosecutors and regulators appear to expect companies to implement policies and controls to manage use of ephemeral messaging applications.[18]

Indeed, the DOJ's update this month to its Evaluation of Corporate Compliance Programs places an emphasis on data analytics and whether "compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions."[19] The DOJ's assessment of the adequacy and effectiveness of compliance programs going forward will also assess whether "any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments."[20]

Recent comments from senior federal law enforcement officials at a virtual town hall hosted by the American Conference Institute further support this view. Robert Zink, chief of the DOJ's Fraud Section, commented that the DOJ expects companies to undertake some diligence to capture and retain ephemeral communications.

Likewise, Daniel Kahn, senior deputy chief of the DOJ's Fraud Section, indicated that the COVID-19 crisis is no excuse to not comply with requests for documents and information. If a company cannot comply with such requests, authorities will need to understand the reasoning behind the company's policies and practices that make compliance impossible, including good faith efforts to overcome obstacles to data preservation and collection.

Thus, the risk of sanctions or potential loss of cooperation or remediation credit underscores the need for a company to have clear policies and procedures for dealing with the use of ephemeral messaging applications and enterprise collaboration tools that incorporate chat functions that approximate ephemeral messaging. In light of the DOJ's June 2 update to its Evaluation of Corporate Compliance Programs,[21] such policies should, for instance, proscribe certain uses, set commercially reasonable and manageable limits on retention of messages, and provide for periodic testing to ensure that proscribed uses are not occurring.

If a company adopts a short retention period for certain platforms (to the extent possible to control) or adopts an ephemeral messaging tool, a thoughtful, advance business justification statement is advisable because it would (1) show how the company weighed the risks when setting its policy and (2) serve as a record that could later be used to explain why the company took this approach.

Designing an Effective Data Retention Policy for Ephemeral Messaging Applications

Records management and information governance best practices provide, and court opinion and government agency guidance strongly suggest, that companies should develop policies to manage their data and records in compliance with relevant legally mandated retention requirements, which are usually based on a record's content, rather than its format. In that regard, ephemeral messages are no different and companies should evaluate the appropriateness of ephemeral messaging in light of these broader records management considerations.

Ultimately, where the use of ephemeral messaging is found to be appropriate, the use of such applications — and the mitigation of associated risks — are internal controls issues that should be carefully addressed by legal counsel and compliance departments before any litigation or investigation occurs. An effective data retention policy can help protect a company from liability arising out of litigation or an investigation by retaining and preserving necessary data and providing for the defensible disposal of unnecessary and extraneous data. 

First, a retention policy that effectively addresses ephemeral messaging should be based on a comprehensive understanding of the applications at issue and their functionalities. Key points central to this understanding include how and where data is stored, the length of time for which the data is stored, and whether any aspects of the data can be retrieved or reconstructed following deletion. Another vital point to understand is the process by which any data maintained by the tool could be preserved, collected, searched, de-duplicated, reviewed and produced in the event of a relevant litigation or investigation.

Next, an effective data retention policy for ephemeral messaging applications should consider and address certain key points, such as: (1) data that cannot be transmitted and subject matter that cannot be discussed while using the application, (2) situations in which use of the application must be suspended, (3) the individuals granted rights to use the application, and (4) training to be completed before such use can begin.

As part of their broader records management and information governance policies, companies should identify applicable laws mandating storage of certain types of information for a defined length of time and then explicitly specify that ephemeral messaging applications must not be used for such information.[22] Additionally, companies can potentially avoid losing credit with law enforcement if their records management policies incorporate appropriate, risk-based guidance and controls on the use of ephemeral messaging applications.

Finally, companies may want to keep some types of communications and documents for a longer period to prevent the loss of valuable corporate knowledge or a record of certain decisions, which might otherwise be difficult or inefficient to document again in other formats. 

Companies must also take care to suspend uses of ephemeral messaging in any context where the communications could serve as evidence that must be preserved. The duty to preserve evidence arises when a party reasonably should know that evidence might be relevant to anticipated litigation.[23] This duty can arise before a lawsuit is even filed and requires a party to act affirmatively to prevent the destruction of evidence.[24] 

A litigation hold is an effective step to demonstrate such affirmative action. In the context of ephemeral messaging applications, however, a standard litigation hold notice on its own may not be sufficient, and companies should consider requiring employees affected by the hold to cease using the application altogether, followed by periodic spot-checking and documentation to ensure compliance.

Companies should define with specificity who is permitted — and how they are permitted — to use ephemeral messaging applications, with such determinations based on a risk assessment that considers factors such as job function and need, access to proprietary information and trade secrets, or relevant position or title.

It may also be appropriate to restrict use of the application only to people within the company rather than allowing them to communicate with individuals outside of the company. It may not be appropriate, for example, for a salesperson who does business with politically exposed persons in foreign countries to use the application because such use may constitute a corruption red flag or risk factor in the context of a future inquiry or internal investigation.

Similarly, it may also be appropriate to restrict use of the application to internal communications only among select personnel within the company, rather than permitting ephemeral messaging with individuals outside of the company, due to heightened risks related to insider trading, price fixing, or other conspiratorial or cartel offenses.

Finally, training on the relevant data retention policy and ephemeral messaging software is essential. Employees using the software should understand when it is appropriate to use an ephemeral messaging application in light of routine record retention concerns and litigation holds.

Information technology staff should also understand the application, who is allowed to install and use the application, how monitoring (if any) may be conducted, and how to suspend the application for litigation holds. Such staff must also stay informed about software updates and changes that can affect how these tools operate, how they maintain data, and how their functionalities and controls work.

Conclusion

As with the introduction and widespread adoption of new technologies in the past (e.g., email), the growing use of ephemeral messaging tools presents new benefits and risks to business. The use of applications capable of ephemeral messaging is likely to grow in the wake of the COVID-19 pandemic as in-person work practices evolve further toward broader reliance on new digital modes of interaction. Companies should carefully consider how best to implement and regulate the use of tools like ephemeral messaging — through adequate, risk-based policies and procedures, training, and monitoring — to avoid exposing themselves to undue risk.



William D. Semins and Daniel R. Miller are partners, and Hugh T. McKeegan is an associate, at K&L Gates LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.


[1] See Amanda R. Cashman et al., COVID-19: There's No Place Like Home: What GCs Need You to Remember While Working Remotely, Mar. 25, 2020, http://www.klgates.com/covid-19-theres-no-place-like-home-best-practices-while-working-remotely-03-23-2020/.

[2] See Tara C. Clancy and Joseph D. McClendon, COVID-19: System Security With a Remote Workforce, Mar. 26, 2020, http://www.klgates.com/covid-19-system-security-with-a-remote-workforce-03-26-2020/.

[3] See, e.g., Jennifer Van Grove, CNBC's Jim Cramer implies Snapchat is used for insider trading, CNET, July 13, 2013, https://www.cnet.com/news/cnbcs-jim-cramer-implies-snapchat-is-used-for-insider-trading/.

[4] See U.S. Dep't of Justice, Five Major Banks Agree to Parent-Level Guilty Pleas (May 20, 2015), https://www.justice.gov/opa/pr/five-major-banks-agree-parent-level-guilty-pleas. Five banks agreed to pay more than $2.5 billion in criminal fines for manipulating the London Interbank Offered Rate. According to the plea agreement, traders at these banks "used an exclusive electronic chat room and coded language to manipulate benchmark exchange rates." See also Ben Protess et al., U.S. Investigates Currency Trades by Major Banks, N.Y. Times, Nov. 14, 2013, http://dealbook.nytimes.com/2013/11/14/u-s-investigates-currency-trades-by-major-banks/?_r=1.

[5] Zubulake v. UBS Warburg, LLC, 229 F.R.D. 422 (S.D.N.Y. 2004); Pension Committee of the Univ. of Montreal Pension Plan, et al., v. Banc of America Securities, LLC, et al., 685 F. Supp. 2d 456 (S.D.N.Y. 2010).

[6] See, e.g., WeRide v. Kun Huang, No. 5:18-cv-07233-EJD, 2020 WL 1967209 (N.D. Cal., April 24, 2020) (imposing "terminating sanctions," in part, for employee use of ephemeral messaging after litigation began); Herzig v. Arkansas Foundation for Medical Care, Inc., No. 2:18-CV-02101, 2019 WL 2870106 (W.D. Ark., July 3, 2019) (finding plaintiffs' use of ephemeral messaging after litigation began to be "intentional, bad-faith spoliation of evidence" and granting defendant's motion for summary judgment).

[7] To be sure, while cases like Zubulake and Pension Committee (involving deleted e-mails and other electronic documents) long predate the broad adoption of ephemeral messaging tools, these cases indicate how ephemeral messaging could be misused to effect spoliation of evidence, which could lead to litigation sanctions and other penalties for failing to adequately preserve communications.

[8] See, e.g., Nate Lankford and Dawn E. Murphy-Johnson, DOJ refines stance on ephemeral messaging apps, FCPA Blog (March 18, 2019, 12:18 p.m.), https://fcpablog.com/2019/03/18/doj-refines-stance-on-ephemeral-messaging-apps/.

[9] See Brookshire Bros., Ltd. v. Aldridge, 438 S.W.3d 9, 24 (Tex. 2014) (defining "intentional spoliation" to "include[] the concept of 'willful blindness,' which encompasses the scenario in which a party does not directly destroy evidence … but nonetheless 'allows for its destruction.'").

[10] See WeRide, 2020 WL 1967209 ("terminating sanctions" for apparent willful destruction of evidence, including ongoing use of 90-day automatic e-mail deletion and ephemeral messaging after litigation commenced).

[11] See, e.g., WeRide, 2020 WL 1967209; Herzig, 2019 WL 2870106. See also Alabama Aircraft Industries, Inc., 319 F.R.D. 730, 746–47 (N.D. Al. 2017) (granting adverse inference where "unexplained, blatantly irresponsible behavior" led to loss of ESI); Decker v. Target Corp., No. 1:16-cv-00171-JNP=BCW, 2018 WL 4921534 (D. Utah Oct. 10, 2018) (granting adverse inference where store employees failed to preserve relevant video-surveillance footage).

[12] See WeRide v. Kun Huang, No. 5:18-cv-07233-EJD, 2020 WL 1967209 (N.D. Cal., April 24, 2020); see also Herzig, 2019 WL 2870106, supra.

[13] Waymo LLC v. Uber Techs, Inc., No C17-00939 WHA, 2018 WL 646701, at *3 (N.D. Cal. 2018) ("Of course, evidence of Uber's litigation misconduct or other bad behavior may be relevant and admissible insofar as it reasonably bears on actual claims and defenses in this case. For example, facts like Uber's use of ephemeral messaging may be used to explain gaps in Waymo's proof that Uber misappropriated trade secrets.").

[14] See FCPA Corporate Enforcement Policy, U.S. Dep't of Justice, https://www.justice.gov/criminal-fraud/file/838416/download. See also, Brian F. Saulnier et al., DOJ Revises Corporate Compliance Guidance Calling Attention to Three Areas Where Most Companies Fall Short: Risk Assessments, Compliance Culture, and Continuous Compliance Program Improvement, May 16, 2019, http://www.klgates.com/doj-revises-corporate-compliance-guidance-calling-attention-to-three-areas-where-most-companies-fall-short-risk-assessments-compliance-culture-and-continuous-compliance-program-improvement-05-16-2019/.

[15] Id.

[16] Id.

[17] The 2017 update to the policy declared that corporations would not receive a "presumption of declination" for government cooperation unless the corporation prohibits "employees from using software that generates but does not appropriately retain business records or communications."

[18] Highlighting the need for attention to when use of ephemeral messaging applications is compliant with legal requirements, the Securities and Exchange Commission has taken the position that there can be no valid business case for the use of ephemeral messaging applications under certain circumstances, such as where, under the Investment Advisers Act of 1940, registered broker-dealers and investment advisors are required to retain certain business communications. See, e.g., Observations from Investment Adviser Examinations Relating to Electronic Messaging, U.S. Securities and Exchange Commission (SEC), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Electronic%20Messaging.pdf.

[19] Evaluation of Corporate Compliance Programs (Updated June 2020), U.S. Dep't of Justice, https://www.justice.gov/criminal-fraud/page/file/937501/download.

[20] Id.

[21] See id. Although not addressing ephemeral messaging or chat apps directly, DOJ's evaluation of a corporate compliance program emphasizes taking a dynamic, risk-based approach to the compliance function. Accordingly, companies should seek to apply these principles to their policies and procedures relating to ephemeral messaging and chat apps.  

[22] For example, Rule 17a-4 of the Securities and Exchange Act specifies that communications relating to a broker-dealer's business must be retained for three years. See SEC Interpretation: Electronic Storage of Broker-Dealer Records, SEC, (May 7, 2003), https://www.sec.gov/rules/interp/34-47806.htm.

[23] Kronisch v. United States, 150 F.3d 112, 126 (2nd Cir. 1998).

[24] Micron Tech., Inc. v. Rambus Inc., 645 F.3d 1311, 1320-321 (Fed. Cir. 2011) ("When litigation is 'reasonably foreseeable' is a flexible fact-specific standard that allows a district court to exercise the discretion necessary to confront the myriad factual situations inherent in the spoliation inquiry.")
