“Although ephemeral messaging is short-lived, the consequences of failing to comply with data preservation and regulatory obligations may be long lasting.”
– Sheila Raftery Wiggins, Partner, Duane Morris LLP
This week, we consider the long-term compliance, regulatory risk, and information management requirements of using quick communication methods and highlight what companies should do to protect themselves. Next, we explore three considerations for managing communications compliance that allow companies to build trust with clients while mitigating risk. Finally, we learn the importance of establishing effective compliance programs and retention policies and procedures that specifically include ephemeral messaging.
Quick Communication and Long-Term Legal Risk
Legal department leaders have identified regulatory compliance as a top strategic priority due to evolving regulations related to ESG, data privacy, cybersecurity, and more decentralized teams. Legal teams have a broader range of information to consider, making compliance increasingly complex. Information governance policies and practices must be addressed thoroughly as organizations generate as much as 7.5 septillion gigabytes of data per day, growing by 23% each year. Organizations must have a plan and standard operating procedures for employees using messaging apps, which can be subject to discovery in the case of litigation. In-house legal teams should review their organization’s communication methods and information management policies to prepare for potential litigation.
Now You See Them, Now You Don’t: Regulatory Risks of Ephemeral Messages
The use of ephemeral messaging apps by corporations is becoming more widespread globally, offering cost savings and speedy communication. However, concerns have arisen about how this technology affects data preservation, employee monitoring, and compliance obligations. Regulators in the US, EU, UK, and Hong Kong have focused on controls around the use of these apps. The DOJ and SEC have recently announced they will make such messaging a focus of their regulatory efforts. The EU has noted that encryption, typically used in ephemeral messaging, protects data privacy and confidentiality, while global regulators have reservations about the impact of such communications on investigative access. Companies are urged to undertake a global assessment of the risks of ephemeral messaging practices.
3 Considerations for Managing Communications Compliance
The phrase “The customer is always right” has guided businesses to prioritize customer needs, but it can become dangerous when applied to communications compliance. Financial service providers must balance their clients’ desire for quick, easy mobile communication with strict data security and confidentiality regulations. To strike a balance, financial institutions should provide secure and compliant mobile communication options and be transparent about security measures. They can also use compliance technology to prevent non-compliant communications, track and analyze internal and client-facing communications, and conduct a gap analysis to identify blind spots in compliance programs. By doing so, financial service providers can build trust with their clients while protecting themselves from risk.
Preservation of Ephemeral Messaging for Business Purposes
Ephemeral messaging apps, such as WhatsApp and Snapchat, are becoming increasingly popular due to their end-to-end encryption and automatic deletion of messages, making it harder for hackers to access data. However, legal risks are involved despite the benefits of reduced data storage and enhanced privacy. Compliance with subpoenas and data preservation when litigation is “reasonably anticipated” are two areas that must be considered. Regulators such as the SEC advise against using apps that allow the automatic destruction of messages. At the same time, the DOJ updated its Evaluation of Corporate Compliance Programs to consider the adequacy of compliance programs. Establishing effective compliance programs and reviewing document retention policies and procedures, including ephemeral messaging and mobile device data, is essential.