DOJ and FTC Update Guidance on Preservation Obligations regarding Ephemeral Messages - What Steps Should You Be Taking?

On January 26, 2024, the DOJ and FTC announced that they were updating the language in their "standard preservation letters and specifications for all second requests, voluntary access letters, and compulsory legal process, including grand jury subpoenas, to address the increased use of collaboration tools and ephemeral messaging platforms."1

This official update is intended to reinforce existing preservation obligations as they relate to modern collaboration tools, including those with ephemeral messaging capabilities, i.e., that allow, or default to, the deletion of messages. In the announcement, Manish Kumar, Deputy Assistant Attorney General of the DOJ Antitrust Division, emphasized that failing to preserve and produce relevant data from "ephemeral messaging applications designed to hide evidence" could lead to "obstruction of justice charges."2

This update follows the DOJ Criminal Division's March 2023 updates to its Evaluation of Corporate Compliance Programs document, which included additional guidance regarding employee use of off-network messaging apps, including ephemeral messaging apps. In assessing a company's corporate compliance program, DOJ prosecutors will consider a variety of factors, including what communication channels a company allows employees to use to conduct business and its rationale for any permitted use of off-network messaging apps for such communications; whether a company has a written policy governing employee use of off-network messaging apps, trains employees on that policy, and enforces the policy uniformly; and what mechanisms a company has put in place to preserve business communications via off-network messaging apps if their use is permitted.

At last year's National Institute on White Collar Crime, then-Assistant Attorney General Kenneth A. Polite, Jr. explained that the DOJ would not accept at "face value" a company's unexplained failure to produce communications from off-network messaging apps.3

The SEC and CFTC have also shown an interest in this area, settling with multiple financial institutions whose employees were using off-network messaging apps, including ephemeral messaging apps, in violation of their recordkeeping obligations. Combined, the penalties exceeded $1.8 billion.

In light of U.S. enforcement authorities' continuing focus on the use and preservation of off-network business communications, companies may wish to consider taking the following steps:

  • Conduct a risk assessment to understand whether employees are using off-network messaging apps to conduct business and, if so, in what countries, for what purpose, and with what kind of parties. The results of such an assessment should inform the creation or revision of a risk-based policy governing employee use of off-network messaging apps for business communications. The policy should address what types of off-network messaging apps are approved and for what purpose (e.g., for communications regarding scheduling and logistics, but not for substantive communications), and which are prohibited for business use. It should also make clear that business communications belong to the company wherever they may be located, and require employees to preserve business communications stored on off-network messaging apps and, at the company's request, to provide access to them.
  • Consider alternative ways to preserve off-network messages, e.g., whether it is possible to move off-network messaging on-network via a business subscription to the messaging app.
  • Assess your retention settings for on-network collaboration tools, including those with chat functions.
  • Ensure that litigation holds and other document retention notices direct employees to preserve all relevant business communications, including those stored in off-network apps.
  • Train employees on the policy requirements governing the use and preservation of off-network messaging apps for business communications.
  • Ensure there are consistent consequences for violations of the policy. Certainty and consistency of disciplinary consequences for policy violations have an important deterrent effect and align with best compliance practices and the expectations of enforcement authorities.

2 Id.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP