As of a decade ago, virtually all private and public organizations had instituted email as a universal method of business communication. More recently, however, the medium of email finds itself being increasingly replaced or at least supplemented by an unstable messaging universe, with none of the relative permanence and searchability of emails residing on network servers and archives controlled by organizations themselves. Ephemeral messaging applications, many of which effectively function as “disappearing messaging apps,” are rapidly disrupting the traditional electronic communications regime, raising numerous recordkeeping, e-discovery, and information security considerations along the way. To meet this challenge, today’s organizations need to implement an effective, timely, and consistent electronic records retention policy that includes addressing the use of ephemeral messaging applications as part of an overall information governance program.
Ephemeral Messaging Applications, Explained
The proliferation of self-destructing messaging services, such as SnapChat, Telegram, Hash, Cover Me, Confide, Signal, Wickr and a host of others, enable the users to share and then delete content immediately or within a particular time after the message is received. Critically, because the messages are typically encrypted and typically stored on personal rather than company devices, this automatic deletion often renders later forensic retrieval of the communication much more difficult if not impossible.
It comes as no surprise that we are seeing the increased use of various unstable messaging apps in the business world. Companies therefore face a potential threat to record keeping as we know it, to the extent that business-related communications are increasingly conducted by employees of enterprises via these types of messaging channels, either on company-owned or employee-owned devices.
There are many legitimate reasons for a company to allow its employees to use ephemeral messaging apps. Today’s businesses generate so much data that any effort to reduce duplicative or unnecessary data is a compelling benefit. Moreover, it has been said that the best way to keep your data safe is not to keep it in the first place. One cannot forget that cyber-criminals are increasingly targeting corporations, and email is often the most vulnerable point of entry for data breaches. Therefore, the use of a secure ephemeral messaging app can significantly minimize the cost of e-discovery, reduce the organizations overall data storage costs, and possibly improve information security.
Obviously, there are some major concerns for any organization to allow its employees to use ephemeral messaging apps for business purposes. Such applications can significantly complicate corporate compliance, document preservation, and self-reporting efforts. The ephemeral or self-destructing message apps enable users to share and then delete content within a range of times depending upon the app, thus reducing a fair amount of digital clutter. But, because the content disappears, the users of these message apps may circumvent regulatory retention requirements and corporate information governance programs. After all, a company cannot preserve a communication that no longer exists.
Ephemeral Messaging in Civil Litigation and Federal Investigations
Recently, this inherent tension played out in the matter of Waymo v. Uber.1
Waymo (Google’s autonomous vehicle unit) claimed that Uber stole its self-driving vehicle technology in order to develop its own fleet of autonomous vehicles. The contentious discovery in part concerned the allegation that Uber destroyed information relating to the alleged trade secret theft by utilizing ephemeral messaging apps (Wickr and Telegram, specifically) to eliminate relevant evidence. Waymo successfully convinced the trial judge to issue an order allowing evidence and argument to the jury that Uber used self-destructing messages to deliberately conceal evidence that it had stolen trade secrets. Uber, which acknowledged its use of the apps, was permitted to present evidence and argument regarding the legitimate business uses of ephemeral messaging.2 We will never know which argument prevailed because the parties settled four days into the trial, with Uber giving up a percentage of its ownership to Waymo. (For those interested, the equity share was valued at approximately $245 million.) Regardless, this case raised serious issues regarding a company’s duty to preserve messages in ephemeral apps during or in anticipation of litigation.
The U.S. Department of Justice (DOJ) has focused on ephemeral messaging in connection with its Corporate Enforcement Policy, pursuant to the Foreign Corrupt Practices Act (FCPA). U.S. Deputy Attorney General Rod Rosenstein recently stated, “The government should provide incentives for companies to engage in ethical corporate behavior. That means notifying law enforcement about wrongdoing, cooperating with government investigations, remedying past misconduct, and preventing future misconduct by implementing a robust compliance program.”3
To that end, under its November 2017 Corporate Enforcement policy (USAM 9-47.120), DOJ put into place a presumption that companies will receive a ‘declination,’ i.e. full remediation credit towards what otherwise would be a substantial monetary sanction, only if the company satisfies certain conditions, including for our purposes here, “appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications.”4 This phrasing clearly was intended to include ephemeral messaging in the referenced prohibition.
In March 2019, DOJ removed this outright prohibition against ephemeral messaging. The revised policy now reads, “[a]ppropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.”5 Thus, the new guidance does not interpret employee use of ephemeral messaging for business-related communications as an absolute bar to declination. Yet, despite this relaxed DOJ policy stance, companies nonetheless must carefully consider the effectiveness of their corporate compliance programs as they relate to such messaging apps prior to any FCPA investigation.
In response to these developments, companies should practice good business sense and adopt the following best practices to minimize risk(s) while meeting their e-discovery and compliance obligations:
Create and implement an effective electronic records–retention policy that covers use of ephemeral messaging applications. An effective policy should consider any legitimate business reasons for using these apps; allowable communications and messaging platforms; and data generation, retention, and destruction. The written guidance and controls should be appropriate to the regulatory and legal obligations of the company’s particular industry and circumstances.
Train employees regarding the proper usage of ephemeral messaging for business-related communications.
Monitor the use of new forms of ephemeral messages to appropriately document and preserve business communications.
Once on reasonable notice of potential litigation, disable the automatic deletion of ephemeral communications and institute a “litigation hold” to preserve relevant documents and evidence.6
As described above, the use of ephemeral messaging applications is wrought with potential legal implications pertaining to litigation and investigations. While the use of such applications is expected to increase, a company must prudently assess how (if at all) such messaging tools can both facilitate business-related communications and fit comfortably within its information governance program. In doing so, a company should consider the guidelines offered above in order to avoid the long-lasting consequences that may arise from ephemeral messaging misuse.
The authors would like to thank Lauren Olmsted for her assistance in preparing this article.
1 Waymo LLC v. Uber Techs., Inc., 252 F. Supp. 3d 934 (N.D. Cal. 2017).
2 See, e.g., Aarian Marshall, “The Uber-Waymo Lawsuit Gets A New Star—And Takes a Wild Turn,” Wired (Nov. 30, 2017), https://www.wired.com/story/uber-waymo-richard-jacobs-lawsuit/.
3 Deputy Attorney General Rod J. Rosenstein Delivers Keynote Address on FCPA Enforcement Developments, DOJ (Mar. 7, 2019), https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-keynote-address-fcpa-enforcement.
4 Dep’t of Justice, U.S. Attorney’s Manual § 9-47.120 (Nov. 2017).
5 Dep’t of Justice, U.S. Attorney’s Manual § 9-47.120(3)(c) (Mar. 2019), https://www.justice.gov/usam/usam-9-47000-foreign-corrupt-practices-act-1977 (emphasis added).
6 The Sedona Conference Commentary on Legal Holds, Second Edition: The Trigger & The Process (Public Comment Version, Dec. 2018), available at https://thesedonaconference.org/publications