Trends in corporate investigations:
“Ephemeral Messaging Applications”
There are many considerations to take into account when conducting a corporate investigation. In more recent times “ephemeral messaging applications” (i.e. disappearing messages) have become a key talking point, particularly in relation to the use of those applications and messages in a corporate environment.
An overview
While it may seem like a new concept or some unknown terminology, in reality there is a high probability you have come across these applications, or applications with ephemeral messaging features, before; for example WhatsApp or Signal.
“Ephemeral messages” are “disappearing messages” – once you open and view the message, it will disappear… that’s right, the contents of the message are seemingly gone without a trace, as if it never existed (bar some limited exceptions which we will not consider now). The message usually disappears or “self-destructs” automatically after viewing, either immediately or shortly thereafter.
It may seem unusual in a corporate context, but as digital communications and applications have evolved, it has become more likely that ephemeral messaging is being used in corporate environments for business-related communications, possibly with or without an employer’s approval, on business-supplied devices.
The good, the bad and…?
As with all technology, there are benefits and risks. These applications are often cost-efficient, offer a convenient way to communicate confidentially and encourage data privacy. However, they affect data retention, raise risks as to whether business communications have been improperly deleted and potentially impact compliance with certain regulatory obligations.
There is also the glaring difficulty of lawfully accessing and then analysing business communications that have been sent or destroyed using this messaging feature, and there will nearly always be “something missing” from an initial data set collected for the purposes of a corporate investigation.
Often during the course of a corporate investigation, it becomes apparent that a company policy does not address the use of ephemeral messaging applications and messages. While it is not unusual for internal policies not to be updated timeously, ephemeral messages have come to the attention of regulators in various sectors around the world. In circumstances where ephemeral messages have been identified as an emerging risk, it is important to consider whether there are appropriate controls within a company to address this.
What factors should be considered?
A company’s policy framework and controls tend to be informed by the company’s risk profile but there are also various other factors that will impact a company’s approach. For example:
- The jurisdictions a company operates within, and the norms in those jurisdictions, are relevant.
- The type of industry or business sector. In respect of the latter, it is arguable that there might be a benefit of ephemeral messaging, for example where there are risks to intellectual property.
- For some, the preferred solution to the risks that ephemeral messages pose may be to have a company policy that prohibits these messages and applications entirely. This is likely easier to do if a company issues employees with business-only devices (laptops and mobiles) and limits what applications can be downloaded or utilised. Indeed, this practice of “prohibition” was the position adopted by the Department of Justice (DOJ) in 2017 and so companies, understandably, followed. The DOJ, however, has moved away from that position and now appears to acknowledge the corporate use of these applications and messages; the focus now appears to be risk control and safeguarding measures.
- It is also possible to tailor a company’s approach to ensure that there are appropriate controls that are implemented and maintained to secure and preserve business communications. For example, a company policy could address: what communication channels are permitted and within that – what preservation or deletion settings are applicable or disabled; what devices can be used for business communications (solely company issued or can personal devices be used?) and therefore the manner in which those devices are monitored; and there could be a policy that seeks to ensure that electronic communications from certain applications are recorded and/or exported from devices to a centralised company platform.
- In addition, there could be an agreement with counter-parties that any business communications must be preserved and not sent via disappearing messages. For example, a term in a contract with suppliers that they offer assurance to preserve business communication records and not allow for communications on platforms where ephemeral messaging is enabled.
What next?
As mentioned above, while ephemeral messages have caught the attention of various regulators, there are no clearly defined criteria against which a regulator will assess a company. While some regulators have offered helpful guidance, a lot remains unknown.
Therefore, while it is unlikely that company policies will ensure perfect retention of all business communications or eradicate the use of ephemeral messages, the focus in the first instance ought to be on the steps taken by a company to comply with its relevant obligations and mitigate risk.
However, policies alone will not be sufficient and a company ought to be able to demonstrate that its controls and policies are being enforced and followed in practice. We consider that ongoing fraud, ethics and risk training for employees should engage with the subject of ephemeral messaging so that employees can understand the risk these messages pose to the organisation and the employee, especially in circumstances where an employee’s use of such messaging creates the impression of wrongdoing when they are entirely innocent.
Authors Kirthi Kalyan