Now You See Them, Now You Don’t: Regulatory Risks of Ephemeral Messages
Corporate use of ephemeral messaging applications (communications that disappear after a set time) has become increasingly common across the globe in recent years, with companies recognizing its value in decreasing data storage costs and providing employees a convenient method for communicating quickly with customers and clients. However, the prevalence of these messaging applications in the corporate context has caused regulators to grow concerned about how encrypted and ephemeral messaging might affect regulatory obligations related to data preservation, employee monitoring, and compliance.
In the United States, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have increasingly focused on how companies can implement controls around these applications that fit their particular risk profile.1 Similarly, other global regulators — including in the European Union (EU), the United Kingdom (UK), and Hong Kong — have adopted their own policy requirements for corporate use of ephemeral messaging. Companies operating outside the U.S. cannot assume that U.S. compliance will meet the requirements of these diverse jurisdictions and must tailor their approach to the regulations and messaging culture of each jurisdiction.
This Sidley Update considers recent U.S. regulatory developments, canvasses the approach and regulations adopted outside the U.S. around ephemeral messaging, and urges a global assessment of this emerging risk.
Recent Developments in the United States
In 2017, the DOJ took the position that companies under investigation for violations of the U.S. Foreign Corrupt Practices Act were at risk of not receiving full credit for timely and appropriate remediation if they did not prohibit ephemeral messaging. However, by 2019, DOJ policy updates contemplated providing cooperation credit to such companies if they could prove that they had established appropriate safeguards to properly retain and prevent the improper destruction of business records, including implementing guidance and controls on the use of ephemeral messages. More recently, the DOJ and SEC have signaled that ephemeral messaging is a prime focus for regulators, and when making decisions about corporate liability for misconduct and future settlements, their focus will be on whether the controls implemented around these communications are sufficient in light of a company’s unique risk profile.
In September 2022, Deputy Attorney General (DAG) Lisa Monaco issued a directive to study corporate best practices regarding the use of personal devices and third-party messaging platforms, including ephemeral and encrypted messaging. Just days later, the SEC announced the imposition of over US$1.1 billion in penalties on over a dozen financial institutions resulting from their failure to implement and maintain proper controls over business-related communications, including those conducted over such “off-channel” mediums as WhatsApp and Signal. Continuing this trend — and in response to DAG Monaco’s directive — on March 3, 2023, the DOJ issued updated guidance on the evaluation of corporate compliance programs in which employees’ use of ephemeral messaging was specifically highlighted as a factor for consideration by prosecutors.
Global Regulatory Developments
While the scrutiny on employees’ use of ephemeral messaging is generally framed from the U.S. perspective, the implications of ephemeral messaging usage are much more widespread. For instance, WhatsApp has over 2.24 billion users per month. In 2022, WeChat reached 811 million users in China, accounting for over 57% of its population, and KakaoTalk reached 47 million users in South Korea, accounting for over 90% of its population. In its November 23, 2020, resolution on encryption, the EU observed that encrypted communications — which tend to include ephemeral messaging functionality — protect data privacy and confidentiality and are an “important tool” for the protection of data transfers out of the EU.
However, much as in the U.S., global regulators have expressed reservations about the use of ephemeral messaging and its impact on the retention of business information for investigative purposes. In its 2020 resolution on encryption, the EU noted that despite its benefits, encrypted communications make accessing and analyzing communications “extremely challenging or practically impossible” even when such access would be lawful. Similarly, in January 2021, the UK Financial Conduct Authority (FCA) released a newsletter on market conduct and transaction reporting issues that directed businesses to implement “a rigorous monitoring regime” to ensure that business-related telephone conversations and electronic communications are “recorded and auditable,” noting that business-related communications are increasingly conducted outside the office environment. And, in relation to financial institutions’ obligations to retain client orders for two years, the Securities and Futures Commission of Hong Kong released a circular on May 4, 2018, that required intermediaries using instant messaging technology to implement adequate measures and controls, including prohibiting employees from sending to or receiving from clients electronic communications unless the financial institution has full control over the recording and retention of such messages.
Global regulatory authorities have also been active in scrutinizing the record retention obligations of highly regulated financial institutions. In May 2022, the German Federal Financial Supervisory Authority requested that a global financial institution clarify how its employees use private messages for business purposes after suspicions that senior executives and board members of the bank used WhatsApp, other messaging tools, and private email accounts for business communications. And more recently, it was reported in October 2022 that the FCA issued information requests to several global financial institutions regarding the frequency and content of employee communications through texting and applications such as WhatsApp.
In light of the ever-increasing global developments and potential enforcement of ephemeral messaging practices, an immediate reaction may be to err on the side of caution and simply prohibit employee use of ephemeral messaging applications. While this may be an appropriate response for some corporations, it may not be feasible for certain international companies where it is common practice for business partners and customers to communicate using ephemeral messaging applications. And in certain industries, there may be a legitimate need for such usage — for example, to avoid theft of intellectual property or cutting-edge technology when bringing a new product to market.
Given these tensions, many companies will need to conduct a more nuanced review of their employees’ use of ephemeral messaging and consider appropriate next steps given the practical realities of such use. Notably, DOJ’s new guidance specifically directs prosecutors to move beyond merely reviewing a company’s official messaging policy and instead probe more deeply into employees’ actual use of ephemeral messaging applications as well as “the rationale for the company’s approach to determining which communication channels and settings are permitted.” More fundamentally, prosecutors are now expected to understand at a granular level “how does [the use of ephemeral messaging] vary by jurisdiction and business function, and why,” what precise “preservation or deletion settings are available to each employee under each communication channel, and what do the company’s policies require with respect to each.”
If these are not questions that your company is equipped to answer or address to a regulator upon request, it may be time to engage counsel and conduct a more fulsome self-assessment of your corporate policies and employee practices to help limit future liability. Such an effort could include:
- conducting an assessment to understand your company’s risk profile based on DOJ guidance around the evaluation of corporate compliance programs and including in that assessment a review of your company’s use of encrypted and ephemeral messaging both domestically and abroad
- reviewing and revising your corporate policies to satisfy your legal obligations and the varying record retention requirements of the global jurisdictions in which you operate
- for highly regulated companies, ensuring that your policies explicitly address the use of ephemeral messaging and taking into account the common messaging applications employees use to communicate internally or with business partners, including the nature of the ephemeral functionalities in those applications
- adopting clear policies tailored to your business’s needs, conducting trainings, and consistently monitoring to ensure employee compliance with ephemeral messaging policies
Tackling this is no simple task, especially with the myriad considerations to account for (e.g., the differing standards on ephemeral messaging internationally; the practicalities of monitoring employee usage of messaging applications; and avoiding any inadvertent contraventions of local data privacy or labor laws). We invite you to contact us with any questions you may have as you begin the process to evaluate your company’s communication practices.
1 Notably, the use of ephemeral messaging can violate SEC rules, and the SEC has brought significant enforcement actions in this area. This Sidley Update does not address the many developments related to the SEC’s treatment of this topic for companies and investment firms subject to the SEC’s rules and regulations. See https://www.sidley.com/en/insights/newsupdates/2022/01/sec-encourages-self-reporting-recordkeeping-violations-from-employees-use-personal-devices-bus-comms; https://www.sidley.com/en/newslanding/newsannouncements/2022/11/sec-continuing-focus-on-offchannel-communications-what-investment-advisers-need-to-know-and-do-now.