Now you see it, now you don’t – How to overcome the compliance risks of ephemeral messages to meet DOJ guidance

The Department of Justice (DOJ) has made it clear that it expects organizations to have plans in place to manage the increased use of disappearing messages. We explore the compliance implications of ephemeral messaging and set out five key steps to both mitigate risk and meet DOJ obligations.

05 August 2024
By Jennie Clarke
Written by humans

In brief:

  • The use of disappearing or ‘ephemeral’ messages is on the rise across industries – from government departments and healthcare, to financial organizations
  • In March 2023, the Department of Justice (DOJ) released amendments to its Evaluation of Corporate Compliance Program setting out new retention guidelines around personal devices and ephemeral messaging
  • In January 2024, the DOJ and Federal Trade Commission (FTC) doubled down on this messaging, noting that they will no longer accept a company’s failure to provide ephemeral communications in investigations

Business communication is no longer limited to ‘traditional’ channels like email, fax, or telephone. Increasingly, organizations permit the use of myriad channels for business, from Microsoft Teams or Slack, to WhatsApp or Signal. As long as these channels of communication are approved and, in the case of financial services in particular, captured and preserved, there is relatively little at stake.

Problems arise, however, when organizations are not able to capture, record, and monitor the communications that employees are conducting for business purposes. This is especially true in the event of regulatory or legal investigation. In financial services, this has become abundantly clear, with record-breaking fines for so-called ‘off-channel comms’ totaling almost $3 billion in the past five years.

More recently, a new risk has come to the fore: disappearing or ‘ephemeral’ messages. Regulatory and governmental bodies are taking a hard-line approach, especially in the U.S., which is unsurprising given that it was U.S. regulators leading the charge in the original wave of off-channel comms enforcements.

What is ephemeral messaging?

Ephemeral messaging is the term used for communications that disappear. Increasingly, communication channels, including WhatsApp, Telegram, and even Zoom, have introduced features that allow messages to be deleted once opened by the recipient, or after a pre-set amount of time. WhatsApp, for example, allows users to set a disappearing message timer where messages will be automatically deleted within 24 hours, seven days, or 90 days.

What risks do ephemeral messages pose to organizations?

Disappearing messages present multiple risks to organizations:

  • They may be used by bad actors as a means of concealing misconduct or unauthorized communications
  • They may cause organizations to fall outside of regulatory recordkeeping requirements that oblige firms to capture and retain business communications for set periods of time
  • They break consistency in a firm’s audit trail, so in the event of regulatory or criminal investigation, a firm is unable to present investigators with a full picture of events

Disappearing messages present an easy and almost untraceable way for individuals to conceal valuable data, which may in time become valuable evidence. This was clearly seen in the U.K.’s COVID-19 inquiry, where critical evidence could not be assessed because the WhatsApp disappearing message function was used by multiple government officials and departments.

What does DOJ and FTC guidance say about ephemeral messages?

U.S. governmental bodies are increasingly aware of the risks of ephemeral messages, especially with regard to regulatory and criminal investigations. We’ve seen particular focus from the DOJ and the FTC, who have issued a series of messages around this topic.

Initially, in March 2023, the DOJ released amendments to its Evaluation of Corporate Compliance Program, in which it set out new data retention expectations for personal devices and, specifically, ephemeral messages. In a keynote related to the published amendments, Assistant Attorney General, Kenneth A. Polite, Jr., commented that:

“During an investigation, if a company has not produced communications from these third-party messaging applications [including ephemeral messages], our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws.”

In January 2024, the FTC and DOJ updated this guidance; the update “reinforces parties’ preservation obligations for collaboration tools and ephemeral messaging”. It reviewed the language around the preservation of communication “to address the increased use of collaboration tools and ephemeral messaging platforms in the modern workplace.”

Commenting on the update, the FTC’s Bureau of Competition Director, Henry Liu, said:

“Companies and individuals have a legal responsibility to preserve documents when involved in government investigations or litigation in order to promote efficient and effective enforcement that protects the American public. Today’s update reinforces that this preservation responsibility applies to new methods of collaboration and information sharing tools, even including tools that allow for messages to disappear via ephemeral messaging capabilities.”

Deputy Assistant Attorney General of the Justice Department’s Antitrust Division, Manish Kumar, added:

“The Antitrust Division and the Federal Trade Commission expect that opposing counsel will preserve and produce any and all responsive documents, including data from ephemeral messaging applications.”

What does the DOJ and FTC guidance mean for organizations?

In short, the latest guidance from the DOJ and FTC obliges firms to have robust, clear policies around the use of ephemeral messaging channels, to capture communications made through such channels and – if firms have not been able to capture such communications – to have a good reason why. “A company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability,” said Polite.

How can organizations manage the risks of ephemeral messaging?

  • Develop clear, robust policies that directly tackle the use of ephemeral messaging

Although seemingly simplistic, the DOJ has made it clear that it will be looking to see that firms have robust policies in place that set out their expectations around disappearing messages. These policies should be clear, easy to follow, readily accessible, and proactively communicated to all affected staff.

  • Deliver engaging training that sets out the expectations and consequences of failure

Once policies have been established, training must be delivered to explain to employees what the policy means for them. Training should be engaging, offering real-life examples and context as to why the policy exists. Training should explain what the consequences may be in the event that an employee fails to adhere to the policies – in this instance, criminal liability is at stake. This should be clearly emphasized to employees to encourage adherence.

  • Implement technology solutions that limit access to ephemeral messaging options

Aside from manual policies and training, technological solutions exist that can aid in the mitigation of compliance risks. Mobile Device Management (MDM) solutions offer the ability to switch ephemeral messaging options on or off remotely, within in-app settings. Similarly, compliant communication apps, such as Global Relay App, allow employees to communicate via WhatsApp or text, but remove the option to use disappearing messages – so all communications are captured and archived by default, and available in the event of investigation.

  • Implement solutions that enable you to capture communications made through ephemeral messaging applications

Another technological consideration is data Connectors, which seamlessly connect communication data from any source and deliver that data into a compliant archive for comprehensive, complete data retention. Connectors capture data at source, so, depending on the communication channel you’re looking to retain, they may facilitate the capture of ephemeral messages before they disappear.

If you’re concerned about meeting the DOJ and FTC’s guidance on ephemeral messaging, Global Relay has both a compliant App and a suite of data Connectors that allow you to either restrict or capture communications.

 
