Messaging Apps And Government Scrutiny: What CEOs Should Know

Given the explosion in third-party messaging apps and their use for business purposes, it is unsurprising that companies’ data preservation practices are coming under increased scrutiny. Despite their convenience, privacy and security benefits, third-party apps pose particular compliance risks for companies and their employees, particularly where communications occur through encrypted or “ephemeral” messaging apps that delete messages after sending—where, by design or by user setting, messages will not be retained. Enforcement risks are most acute where such apps are suspected to have been used in furtherance of corporate misconduct—whether involving bribery, fraud, or otherwise. Senior executives have a strong interest in tracking enforcement trends—both to anticipate scrutiny of their own communications practices, and to support efforts by legal and compliance teams to develop policies that mitigate risk and account for the evolving expectations of regulatory authorities.

Enforcement Spotlight on Messaging Apps

On multiple occasions during the last year alone, U.S. authorities have highlighted their focus on instant messaging and preservation of business communications. To this end, in March 2023, the Department of Justice (DOJ) announced significant changes to its “Evaluation of Corporate Compliance Programs” (ECCP), the criteria it uses to evaluate a corporate compliance program and to determine appropriate consequences for violations of law. Under the revised ECCP, when evaluating a corporate policy for detecting and investigating potential misconduct and violations of the law, DOJ prosecutors will consider:

• The corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging apps, including ephemeral messaging apps;

• Whether such policies are tailored to the corporation’s risk profile and specific business needs;

• Whether the policy insures that to the greatest extent possible, business-related data and communications are accessible and amenable to preservation by the company;

• How such policies have been communicated to employees; and

• Whether the corporation enforces the policies and procedures on a regular and consistent basis.

More recent developments underscore DOJ’s focus not only on messaging apps, but also other collaboration tools. On January 26, 2024, DOJ’s Antitrust Division and the United States Federal Trade Commission (FTC) announced new guidance reinforcing companies’ obligations to preserve data from messaging and collaboration platforms, the latter of which have become for many organizations an indispensable tool in an era of remote work and cross-office collaboration. Deputy Assistant General Manish Kumar of the Antitrust Division described these updates as necessary to ensure “neither opposing counsel nor their clients can feign ignorance when their clients or companies choose to conduct business through ephemeral messages.” Taking this a step further, DOJ and FTC made clear that the “failure to produce such documents may result in obstruction of justice charges.”

Other U.S. regulators have similarly taken interest in how companies preserve electronic communications—with a focus to date on the financial services sector. In 2022, the Securities and Exchange Commission (SEC) assessed significant penalties, totaling over $1.1 billion, on companies that failed to maintain and preserve what the SEC refers to as “off-channel” electronic communications. Even more recently, on February 9, 2024, the SEC announced that 16 more companies were subject to $81 million in civil penalties for failing to preserve business-related text messages sent via personal devices. 

Practical and Legal Challenges

There is no shortage of examples of the challenges associated with data preservation. For one, although bring-your-own-device policies can offer practical and financial benefits for companies and employees alike, such policies can complicate a company’s efforts to preserve and collect business-related communications. Where business-related communications are intermingled with personal messages on the same device, and within the same app, targeted collection of business-related communications may be challenging at best—particularly where local privacy law is protective of personal communications. Additionally, app- and device-specific obstacles to data retention are numerous, and range from autodeletion settings to limited storage capacity, to name a few.

Often, use of instant messaging applications is driven not by a company’s employees themselves, but rather by third parties—customers, clients, or other business partners—who prefer or who insist on communicating through such informal but convenient channels. That reality only underscores the need for companies to develop policies that fully account for the practical scenarios that its personnel will encounter, while remaining mindful of the expectations of regulators.

Looking Ahead

Notwithstanding these challenges, enforcement authorities will continue to scrutinize corporate policies and practices around third-party messaging apps and, increasingly, other collaboration platforms. Companies are well-advised to review, with assistance of experienced legal counsel, both the letter and—just as important—the application of their policies governing instant messaging and other platforms, with a keen eye toward how those policies account for reality.

In undertaking such an assessment, companies must first identify what devices and/or apps are currently being used within the organization for business purposes and by which employees. Companies should then consider whether it makes sense to either limit or prohibit entirely the use of certain apps where sufficient data preservation cannot occur. Companies may also consider providing alternative communication platforms—such as enterprise versions of relevant messaging apps—to help ensure the preservation of data. For their part, executives should consider both the expectations of regulators and the benefits and limitations of available communications platforms, when engaging in their own business-related communications.

To help mitigate risk, companies should then review and update their data retention policies and procedures, as well as their legal hold protocols. Once a company implements robust retention policies that align with the actual communications and collaboration practices of its employees, employees must be informed and trained about these policies in a way that provides meaningful guidance. Moreover, when individual employees fail to abide by these standards, companies must hold those individuals accountable in a fair and consistent way.  However complex and arcane the area of data preservation may be, the risks of compliance failures in this area warrant serious attention by companies and their senior leadership.