Search
Close this search box.
Search
Close this search box.

Messaging Apps And Government Scrutiny: What CEOs Should Know

The technology offers significant business advantages, but also poses potentially serious compliance risks.

Given the explosion in third-party messaging apps and their use for business purposes, it is unsurprising that companies’ data preservation practices are coming under increased scrutiny. Despite their convenience, privacy and security benefits, third-party apps pose particular compliance risks for companies and their employees, particularly where communications occur through encrypted or “ephemeral” messaging apps that delete messages after sending—where, by design or by user setting, messages will not be retained. Enforcement risks are most acute where such apps are suspected to have been used in furtherance of corporate misconduct—whether involving bribery, fraud, or otherwise. Senior executives have a strong interest in tracking enforcement trends—both to anticipate scrutiny of their own communications practices, and to support efforts by legal and compliance teams to develop policies that mitigate risk and account for the evolving expectations of regulatory authorities.

Enforcement Spotlight on Messaging Apps

On multiple occasions during the last year alone, U.S. authorities have highlighted their focus on instant messaging and preservation of business communications. To this end, in March 2023, the Department of Justice (DOJ) announced significant changes to its “Evaluation of Corporate Compliance Programs” (ECCP), the criteria it uses to evaluate a corporate compliance program and to determine appropriate consequences for violations of law. Under the revised ECCP, when evaluating a corporate policy for detecting and investigating potential misconduct and violations of the law, DOJ prosecutors will consider:

• The corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging apps, including ephemeral messaging apps;

• Whether such policies are tailored to the corporation’s risk profile and specific business needs;

• Whether the policy insures that to the greatest extent possible, business-related data and communications are accessible and amenable to preservation by the company;

• How such policies have been communicated to employees; and

• Whether the corporation enforces the policies and procedures on a regular and consistent basis.

More recent developments underscore DOJ’s focus not only on messaging apps, but also other collaboration tools. On January 26, 2024, DOJ’s Antitrust Division and the United States Federal Trade Commission (FTC) announced new guidance reinforcing companies’ obligations to preserve data from messaging and collaboration platforms, the latter of which have become for many organizations an indispensable tool in an era of remote work and cross-office collaboration. Deputy Assistant General Manish Kumar of the Antitrust Division described these updates as necessary to ensure “neither opposing counsel nor their clients can feign ignorance when their clients or companies choose to conduct business through ephemeral messages.” Taking this a step further, DOJ and FTC made clear that the “failure to produce such documents may result in obstruction of justice charges.”

Other U.S. regulators have similarly taken interest in how companies preserve electronic communications—with a focus to date on the financial services sector. In 2022, the Securities and Exchange Commission (SEC) assessed significant penalties, totaling over $1.1 billion, on companies that failed to maintain and preserve what the SEC refers to as “off-channel” electronic communications. Even more recently, on February 9, 2024, the SEC announced that 16 more companies were subject to $81 million in civil penalties for failing to preserve business-related text messages sent via personal devices. 

Practical and Legal Challenges

There is no shortage of examples of the challenges associated with data preservation. For one, although bring-your-own-device policies can offer practical and financial benefits for companies and employees alike, such policies can complicate a company’s efforts to preserve and collect business-related communications. Where business-related communications are intermingled with personal messages on the same device, and within the same app, targeted collection of business-related communications may be challenging at best—particularly where local privacy law is protective of personal communications. Additionally, app- and device-specific obstacles to data retention are numerous, and range from autodeletion settings to limited storage capacity, to name a few.

Often, use of instant messaging applications is driven not by a company’s employees themselves, but rather by third parties—customers, clients, or other business partners—who prefer or who insist on communicating through such informal but convenient channels. That reality only underscores the need for companies to develop policies that fully account for the practical scenarios that its personnel will encounter, while remaining mindful of the expectations of regulators.

Looking Ahead

Notwithstanding these challenges, enforcement authorities will continue to scrutinize corporate policies and practices around third-party messaging apps and, increasingly, other collaboration platforms. Companies are well-advised to review, with assistance of experienced legal counsel, both the letter and—just as important—the application of their policies governing instant messaging and other platforms, with a keen eye toward how those policies account for reality.

In undertaking such an assessment, companies must first identify what devices and/or apps are currently being used within the organization for business purposes and by which employees. Companies should then consider whether it makes sense to either limit or prohibit entirely the use of certain apps where sufficient data preservation cannot occur. Companies may also consider providing alternative communication platforms—such as enterprise versions of relevant messaging apps—to help ensure the preservation of data. For their part, executives should consider both the expectations of regulators and the benefits and limitations of available communications platforms, when engaging in their own business-related communications.

To help mitigate risk, companies should then review and update their data retention policies and procedures, as well as their legal hold protocols. Once a company implements robust retention policies that align with the actual communications and collaboration practices of its employees, employees must be informed and trained about these policies in a way that provides meaningful guidance. Moreover, when individual employees fail to abide by these standards, companies must hold those individuals accountable in a fair and consistent way.  However complex and arcane the area of data preservation may be, the risks of compliance failures in this area warrant serious attention by companies and their senior leadership.


MORE LIKE THIS

  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events

    Roundtable

    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)

     

    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.