By Jason R. Baron – Of Counsel in the Information Governance and eDiscovery Group at Drinker, Biddle & Reath LLP
Every month more than four billion people send 560 billion SMS text messages worldwide – a 7,700 per cent monthly increase over the past decade.
Instant message traffic on apps such as Facebook Messenger, WeChat, WhatsApp, Viber and Line tops 60 billion texts daily. As of 2018, Slack says it has eight million daily active users and three million paid users.
According to one recent survey, nearly 78 per cent of people would like to have a text conversation with a business and 80 per cent of professionals currently use SMS for business purposes. More than half of professionals claim that they cannot stand even 10 minutes without responding to a text.
Coupled with the emergence of messaging generally are self-destructing messaging services, such as Snapchat, Telegram, Confide, Signal, Wickr, Hash, Cover Me, SpeakOn, Bleep, and a host of others. Unadorned use of these messaging apps means there may, in fact, be no ‘record’ in any sense that can be captured by any actor or institution subject to regulatory oversight or compliance obligations. Although, admittedly, such applications are less prevalent among business people than they are with the under-18 set, they nevertheless are available to any potential interested party as a means of conducting business – for time-saving efficiency by many, and for less salutary, ‘off-the-books’ uses by some.
In 2017, a Washington DC-based public interest group filed a lawsuit against the current White House, alleging that presidential staff were using communications platforms, such as WhatsApp, Confide, and Signal, that allow for self-deletion, while failing to put into place an adequate archiving scheme for the capture of such messages (either by automated means or by staff copying messages manually). The lawsuit was dismissed on the grounds that under existing precedent the court did not consider itself to have jurisdiction to interfere with presidential records management practices. But on its merits, the allegations in the complaint painted a picture of potential widespread noncompliance with recordkeeping policies that simply are not keeping up with the pace of technological change.
And so, at the end of the second decade of the 21st Century, we face what might be considered an existential threat to ‘recordkeeping’ as we know it, to the extent that business-related communications are increasingly conducted by employees of enterprises via these types of messaging channels, either on company-owned or employee-owned devices. Shall we give up? Shall we try to rigidly enforce prohibitions on the use of these services? Or, as an intermediate position, shall we ask what data controls are reasonable to contemplate as a matter of governance, compliance and oversight? The question is of an urgent nature, given the accelerating proliferation and use of such applications.
Taking a step back, it may first be best to review how we got here, including key milestones and earlier warning signals along the way. Armed with that knowledge, we can take a stab at sketching out a path to better compliance from both the perspective of technology and information governance policy.
In 1986, employees of the US National Security Council were informed in a White House guidance manual that email should not be used to convey official records information. That written policy prohibition went unheeded by Lt. Col. Oliver North, John Poindexter and others, who sent each other thousands of emails (in the form of ‘PROFS notes’) about high-level, sensitive matters of government, including matters pertaining to the infamous Iran-Contra affair. Such messages were seized as part of an Independent Counsel investigation and subsequently were caught up in decade-long litigation over the record status of email messages residing on backup tapes. The government eventually lost the argument that only email communications that had been printed out were true government records. Subsequently, the Clinton White House agreed to restore emails from backup tapes, including with certain metadata, for placement in government archives and also agreed to put into place a system for email archiving going forward.
In the intervening decades, email became the lingua franca of office communications, whereby virtually all public and private organisations comprising more than a few employees have instituted email as a communications channel at least in-house.
As history repeatedly has shown, however, institutional policies that enable end-users with access to new types of communications technologies (as email was in the 1980s), coupled at the same time with policy guidance informing those users that they should not use the technology for ‘official’ or ‘business’ communications, have proven to be a recipe for failure from a compliance perspective.
In 1995, the introduction of the Netscape browser led to a period of information inflation, in which the number of websites grew from less than a hundred to more than 100,000 in very short order. This, in turn, heralded an era where end users could, in theory, access a world of online connections from their workplace desktops. That said, it was only in the post-2000 era that the world of communications technologies really started to take off, with the introduction of the Google search engine, coupled with platforms represented by Gmail, Yahoo and other providers. For the first time, employees had realistic, easy-to-use alternatives to sole reliance on corporate email networks – which in many cases have been subject to slow-downs, connection issues and glitches of all types. In this same time period, there was an explosion of laptops, mobile devices, personal digital assistants and, most of all, smart phones with the capability not only of accessing email networks (corporate and private), but also downloading a wide variety of apps.
It was therefore entirely foreseeable that employees – including some of the most senior level officials – would gravitate to using alternative means to communicate in the course of carrying out various types of business activities. Just as inevitably, in the last half decade or so, controversies over the use of commercial networks and apps to communicate about official business have blossomed. The controversy over US Secretary of State Hillary Clinton’s use of a private email server is the most prominent example of this phenomenon, but she by no means has been alone: a number of controversies have sprung up in countries around the globe, including in Australia and Canada, where in addition to many high-level state and federal officials in the US, leaders of all stripes have used private communications channels – mostly to date involving some form of email messaging – to discuss government business.
From a law-making perspective, the US federal government has been out in front by enacting into law in 2014 provisions that require officials who conduct government business by means of ‘electronic messaging’ on a private commercial network to take reasonable steps to forward or copy the messages into an official recordkeeping system (with a ‘.gov’ address). Notably, the statute does not prohibit the use of commercial services, but instead provides conditions on use. The statute also includes a provision for agencies initiating disciplinary measures against employees who fail to adhere to these legal requirements.
More recently, the US Department of Justice (DOJ) has focussed on ephemeral messaging in connection with its corporate enforcement policy, pursuant to the Federal Corrupt Practices Act (FCPA). In announcing the new policy rules in 2017, US Deputy Attorney General Rod Rosenstein stated in a speech: “The government should provide incentives for companies to engage in ethical corporate behaviour. That means fully cooperating with government investigations and doing what is necessary to remediate misconduct – including implementing a robust compliance programme. Good corporate behaviour also means notifying law enforcement about wrongdoing.”
To that end, under its recent Corporate Enforcement policy (USAM 9-47.120), DOJ has put into place a presumption that companies will receive a ‘declination’, i.e. full remediation credit towards what otherwise would be a substantial monetary sanction, only if the company satisfies certain conditions, including for our purposes here: ‘appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications’.
This phrasing clearly was intended to include ephemeral messaging, although in its scope it may potentially also sweep in very short retention times on email messaging as well (where automatic deletion is set to days, rather than months or years).
At a minimum, it is now in the interest of C-suite executives in enterprises that might be affected by FCPA considerations to perform a risk analysis with respect to the pros and cons of continuing allowance of ephemeral messaging as a matter of corporate policy. Arguably, there are substantial financial benefits in mitigating potential exposure to fines, through clear corporate guidance prohibiting the use of ephemeral messaging apps for the conduct of corporate business. On the other hand, ephemeral messaging decreases overall corporate risks in at least three ways: first, by reducing the volume of retained messages that may be subject to cybersecurity threats; second, by controlling over-retention with corresponding litigation exposure due to the inadvertent or default retention of messages with negative consequences; and third, as a matter of compliance with emerging General Data Protection Regulation (GDPR) policies aimed at reducing long-term preservation of records containing personal data on individuals, including sensitive personal data. This same risk factor balancing ideally should be considered by all companies, not just those affected by FCPA policies.
Corporate policies prohibiting employee use of applications are certainly more easily enforceable on company-owned devices, although some kind of software auditing program – automated or manual – would still need to be put into place. However, a substantial portion of the corporate world has adopted some form of BYOD (bring your own device) policies, allowing for employees to opt to carry out corporate business on their personally owned devices. In such cases, although there are ways to embed software auditing for particular devices and apps on a voluntary basis, there would appear to be wide open compliance issues, given the ease with which individual employees may opt to install messaging apps that essentially can go undetected by their employers for some period of time.
It remains unclear how true enforcement measures can be put in place that guarantee compliance with prohibitory policies on messaging, absent implementing potentially near-Orwellian surveillance measures that would otherwise be unacceptable in many corporate settings, including in Europe under the GDPR framework. That said, for companies that encourage the use of newer forms of messaging in the workplace, there do presently exist at least some software apps that essentially include ‘back door’ provisions that allow for corporate monitoring.
For example, Slack’s suite of offerings includes a feature option known as ‘Corporate Export,’ which the company describes as ‘a self-serve export tool that permits a workspace owner to export content from private channels and direct group messages as needed and permitted by law’. This is a tool that essentially allows for corporate monitoring of employee communications in a manner that for all practical purposes remains opaque to end users. The company provides examples on its Help Centre page where a customer (i.e. the company) may need to export content. Best practices in this area therefore suggest that when messaging software is allowed in the workplace, a company provides for some form of notice to its employees with respect to any reservation the company makes of the right for it to monitor messaging conducted on such apps.
Tackling the issue
In view of the fast-changing world of ephemeral and self-destructing messaging, here are some practical steps company officers should consider taking as part of a robust information governance programme.
1. C-suite executives should make every effort to understand the IT environment that exists in their workplace, including on corporate devices as well as on devices owned by employees but used for company business. What kinds of communications apps are being used, by whom and for what purposes? Executives should consider taking reasonable steps to attempt to control communications, via investing in archiving tools for social media that capture communications on designated apps. As necessary or desirable, companies may consider imposing software blocking the use of certain well-known apps to restrain employees from engaging in ephemeral communications. A caveat here is in order, however: such efforts may only encourage users to find less well-known workarounds, especially on their personally owned devices.
2. Corporate record retention policies and device use policies should be updated to explicitly include recognition of the fact that business records may be created on messaging applications, and that such messages need to be managed. While there is no iron-clad, general duty to preserve all business-related communications, under certain circumstances legal holds may need to be put into effect that cover relevant communications on ephemeral apps. Accordingly, encouragement should be given to employees in the first instance to use stable forms of communications (as defined under corporate policies), that reasonably comply with existing record retention practices and which allow for legal holds to be put into effect. Absent an outright prohibition of ephemeral messaging, companies should at a minimum make clear what is permissible and what is expected of employees using either corporate or personal devices, and should provide notice if the company wishes to perform some kind of audit of those devices.
3. As a matter of setting expectations in a given corporate culture, if senior officials show that they are adhering to using more traditional channels for communication, mid-level supervisors and their employees may be readier to toe the line. The counter example of the head of an enterprise being known to use private channels as a means to communicate about company business only incentivises more widespread noncompliance with corporate policies.
The genie is out of the bottle: there is a seemingly endless number of easy ways that we as individuals are all now able to communicate with each other. New forms of technologies pop into existence with each passing year. A corporate strategy that embraces change in acknowledging these new ways of doing business, while providing clear, up-to-date guidance (and notice) to everyone on staff on what is and is not permissible, is a sensible path forward in the brave new workplace of our future.
About the Author:
Jason R. Baron serves as Of Counsel in the Information Governance and eDiscovery Group at Drinker, Biddle & Reath LLP, in Washington, D.C.
4. See Citizens for Responsibility and Ethics in Washington et al. v. The Hon. Donald J. Trump and the Executive Office of the President, 302 F.Supp.3d 127 (D.D.C. 2018).
5. See Armstrong v. Executive Office of the President, 1 F.3d 1274 (D.C. Cir. 1993).
6. G. Paul & J.R. Baron, ‘Information Inflation: Can the Legal System Adapt?,’ http://law.richmond.edu/jolt/v13i3/article10.pdf.
7. See 44 U.S. Code § 2911 (2019).