Ephemeral Messages Muddy the Compliance Waters for Cos.

Law360
June 20, 2023

Authored by Matthew Krengel, Luke Cadigan, Ruth Hauswirth and Andrew Goldstein, this article was originally published in Law360.

In today's fast-paced business world, the use of messaging apps has become ubiquitous, allowing for quick and efficient communication among employees, executives and directors.

However, the rise in popularity of ephemeral messaging has raised significant regulatory concerns.

Recent warnings from the U.S. Department of Justice and the U.S. Securities and Exchange Commission have highlighted the potential dangers and compliance issues associated with these communication platforms — and businesses should take note.

In today's business world, employees, executives and directors often don't think twice about what communication platform they're using — and how those choices might be viewed by regulators. 

Scenarios like these are common: From a boardroom on the 22nd floor, a CEO sends a message to a member of her board of directors regarding an upcoming product launch using Telegram Messenger, her board's preferred means of communication. At an industry conference, a vice president of sales, eager to tell a customer about newly unveiled software, fires off a text over Signal using the customer's desired means of communication, as part of a companywide effort to meet the customer where they're at.

Regulators want companies to start paying attention.

Through public statements and recent enforcement actions, the DOJ and the SEC have become increasingly vocal in warning organizations about the dangers inherent in some communication applications — in particular, ephemeral messaging platforms — and have not hesitated to act when they perceive wrongdoing, as recently evidenced in charges and penalties imposed upon financial firms HSBC Securities (USA) Inc. and Scotia Capital (USA) Inc. for failing to preserve information required of broker-dealers.

What Is Ephemeral Messaging?

Ephemeral messaging apps are communication platforms offering features that, when enabled, allow users to automatically delete messages after they have been read or after a short amount of time.

While ephemeral messaging has several real-world benefits, including privacy and security, it can be problematic for businesses that need to preserve information for regulatory compliance, litigation or legal holds, or other reasons.

Similar communication mediums and features — such as text messages, in-application chats, end-to-end encryption and direct messages in social media accounts — also raise compliance issues for companies due to their decentralized and inaccessible nature, with the messages often residing on users' devices or accounts beyond the reach of company controls.

Courts and regulatory agencies such as the DOJ have taken notice, cautioning organizations on the potential hazards of using messaging apps for business activities without sufficient policies and procedures in place to monitor compliance and preserve communications when necessary.

Warnings From Regulators

At the American Bar Association's 38th White Collar Crime National Institute in March, senior DOJ officials offered their most expansive guidance yet about the dangers of using ephemeral messaging for company communications.[1]

Officials noted that when evaluating a company's conduct, DOJ prosecutors will consider a company's use of ephemeral and encrypted applications, whether the company preserved those communications and whether those messages are accessible for the investigation, as well as company policies governing such apps. They also warned in no uncertain terms that if a company does not turn over these types of communications, "prosecutors will not accept that at face value."[2]

Where a company fails to produce such communications, prosecutors will further scrutinize the company's ability to access those communications and how they are stored, among other things. Officials made clear that "[a] company's answers — or lack of answers — may very well affect the offer it receives to resolve criminal liability."

The DOJ's most recent comments follow a memorandum from September 2022, recommending that companies institute compensation clawback measures to ensure employees adhere to corporate compliance policies, including policies governing employee use of personal devices and third-party messaging apps, such as Signal, Telegram, Confide and others.[3]

The memo noted that corporations with robust compliance programs should have these types of policies governing use of devices and messaging apps, provide training to employees on the policies and enforce the policies when violations are identified. It also cautioned that "[h]ow companies address the use of personal devices and third-party messaging platforms can impact a prosecutor's evaluation of the effectiveness of a corporation's compliance program, as well as the assessment of a corporation's cooperation during a criminal investigation."

Additional DOJ guidance provided in December 2022 zeroed in on encrypted and ephemeral messaging apps, observing that while there may be legitimate uses for those tools for company business, they can present significant challenges to a company's ability to ensure it has a well-functioning compliance program and, more importantly, the ability to access those communications when required.[4]

The DOJ's guidance on messaging apps comes against the backdrop of a renewed focus on corporate enforcement and vigilance against corporate malfeasance.

This is not the first time the DOJ has focused on use of ephemeral messaging apps.

As early as 2017, the DOJ published guidance that organizations being investigated for Foreign Corrupt Practices Act violations could obtain a cooperation credit only if they disallowed the use of ephemeral messaging by employees.[5] However, noting that many organizations use ephemeral messaging for legitimate business reasons, the DOJ later softened its stance, instead requiring organizations using ephemeral apps to have safeguards in place to ensure information is properly retained.[6]

Actions Against Broker-Dealers and Investment Advisers

In May, the SEC announced resolutions with registered broker-dealers HSBC Securities and Scotia Capital "for widespread and longstanding failures by both firms and their employees to maintain and preserve electronic communications."[7]

The failures stemmed from employees' use of what the SEC called "off-channel" communications, discussing securities matters on their personal devices using messaging applications such as Signal.

According to the SEC, a substantial majority of these communications — some from supervisors and senior executives — were neither maintained nor preserved. The SEC found that the conduct violated Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-4(b)(4) thereunder, which require broker-dealers to preserve for at least three years originals of all communications received and copies of all communications sent "relating to its business as such."[8]

As a result of the violations, the firms were ordered to pay penalties of $15 million and $7.5 million, respectively. The penalties were significantly reduced due to the firms' voluntary disclosure of violations and cooperation with the investigation.

Under similar circumstances in September 2022, the SEC and the U.S. Commodity Futures Trading Commission reached settlements totaling $1.8 billion with 15 broker-dealers and an investment adviser related to a failure to preserve electronic communications.[9]

Regulators again focused on the widespread use of off-channel messaging communications — in particular, text messages and messaging apps — that were not preserved as required of broker-dealers and investment advisers by SEC and CFTC recordkeeping regulations.

In December 2021, the SEC announced a $125 million fine against another large financial institution related to failures to preserve staff communications on personal mobile devices and messaging applications.

The SEC previously highlighted concerns related to ephemeral messaging in a risk alert issued in December 2018[10] reminding registered investment advisers of their retention obligations pursuant to SEC rules.[11] Noting an increase in the use of text messaging and chat apps to communicate, the SEC recommended that advisers review their policies and processes related to electronic messaging to ensure compliance with retention rules.

In October 2021, SEC Division of Enforcement Director Gurbir Grewal indicated that companies "need to be actively thinking about and addressing the many compliance issues raised by the increased use of personal devices, new communications channels, and other technological developments like ephemeral apps."[12]

Litigation Pitfalls

Messaging apps — particularly those with ephemeral features — and text messages also have created problems for parties in litigation, particularly in the context of preservation obligations in discovery.

In 2019's Herzig v. Arkansas Foundation for Medical Care Inc., in the U.S. District Court for the Western District of Arkansas,[13] the defendant alleged that the plaintiffs decided to install and use the ephemeral messaging application Signal to intentionally destroy discoverable evidence, despite the fact that they were subject to legal holds. The court found that the Signal communications were most likely responsive and that the plaintiffs' decision to use Signal was done in bad faith.

Organizations that do not have controls or effective legal hold policies in place also run the risk of increased costs, as the focus of the case shifts away from the merits to expensive discovery disputes that could result in case-ending sanctions.

Because ephemeral messaging apps are so popular, it is imperative that companies have enforceable policies and controls in place to minimize legal and compliance risks from employee use of them.

Below are some actions that companies can take:

  • Create and implement practical retention policies for electronic messaging applications that are authorized by the company and ensure compliance with applicable rules and regulations. This includes monitoring compliance and addressing noncompliant use of prohibited applications for business purposes. These policies also need to harmonize with the organization's acceptable use policies for technology and clearly define business communications and messaging guidelines.
  • Design functional mobile device policies and administer mobile device management software to manage applications on devices used for business purposes, including personal devices that are used under a bring-your-own-device policy. Personal devices, in particular, introduce additional challenges when it comes to preservation and collection of information needed in an investigation and litigation. Even if a company does not approve use of a certain application, be wary of the popularity of such messaging applications and address usage in a policy.
  • Establish proactive legal hold response procedures to prepare for potential litigation or regulatory activity.
  • Develop training programs to educate employees regarding company policies and permissible communication applications, as well as prohibited applications for business purposes. Empower employees to understand their role in helping the company manage risk.

Conclusion

Given the increased attention being paid by regulators, opposing parties and judges, organizations must take great care in navigating these increasingly challenging waters with vigilance, education and well-conceived and executed policies and processes.

[1] American Bar Association 2023 White Collar Crime National Institute, March 1 – 3, 2023.

[2] Assistant Attorney General Kenneth A. Polite, Jr., Keynote at the ABA's 38th White Collar Crime National Institute, March 3, 2023; see also DOJ, Criminal Division, Evaluation of Corporate Compliance Programs, updated March 2023.

[3] DOJ memorandum, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group, September 15, 2022.

[4] Acting Principal Deputy Assistant Attorney General Nicole M. Argentieri, Remarks at the 39th International Conference on the Foreign Corrupt Practices Act, December 1, 2022.

[5] DOJ, Justice Manual 9-47.120 – FCPA Corporate Enforcement Policy, December 2017.

[6] DOJ, Justice Manual 9-47.120(3)(c) – FCPA Corporate Enforcement Policy.

[7] SEC press release, SEC Charges HSBC and Scotia Capital with Widespread Recordkeeping Failures, SEC Release No. 2023-91, May 11, 2023.

[8] 15 USC § 78q(a); 17 CFR § 240.17a-4. The SEC also found that the firms had failed reasonably to supervise their employees with a view to preventing or detecting certain of their employees' aiding and abetting violations of Section 17(a) of the Exchange Act and Rule 17a-4(b)(4) thereunder in violation of Section 15(b)(4)(E) of the Exchange Act (15 USC § 78o(b)(4)(E)).

[9] SEC press release, SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures, SEC Release No. 2022-174, September 27, 2022; CFTC press release, CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods, CFTC Release No. 8599-22, September 27, 2022.

[10] SEC Office of Compliance Inspections and Examinations, Observations from Investment Adviser Examinations Relating to Electronic Messaging, December 14, 2018.

[11] Advisers Act Rule 204-2 ("Books and Records Rule") requires advisers to make and keep certain books and records relating to their investment advisory business, including typical accounting and other business records as required by the commission.

[12] See SEC Division of Enforcement Director Gurbir S. Grewal, PLI Broker/Dealer Regulation and Enforcement 2021, October 6, 2021.

[13] Herzig v. Arkansas Foundation for Medical Care, Inc., No. 2:18-CV-02101, 2019 WL 2870106 (W.D. Ark. July 3, 2019).
