Chats, texts and other messages: US authorities expand expectations on data collection of business-related communications

February 2023  |  SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION

Financier Worldwide Magazine

February 2023 Issue

The widespread use of email for business communication has been a boon to enforcement authorities in white-collar enforcement cases. Email provides a record of communications that has allowed Department of Justice (DOJ) prosecutors, state attorneys general, and civil enforcement lawyers to develop evidence in complex cases for more than two decades. It is also straightforward for enforcement authorities to collect business emails: just send a subpoena to the employer to access all the messages in their employees’ accounts.

For a long time, chat messages ran a pretty distant second to email in the evidentiary hierarchy in enforcement cases. Email was good enough and accessing chat messages was a hassle. It often required difficult conversations between employers and employees, involved laborious imaging of phones and yielded information that was not simple to process or understand. But as communication patterns have continued to evolve, the hierarchy has changed.

Employees have gotten used to the idea that employers can monitor work emails and easily turn over that information to authorities. At the same time, more informal communication has shifted to chat platforms. Remaining reservations that might have existed about discussing work in chat messages fell away during the pandemic. Some chat platforms like Microsoft Teams are provided by employers and officially sanctioned for business communications, but others like Apple’s Messages and WhatsApp are not.

This evolution has not been lost on enforcement authorities at the DOJ and the US Securities and Exchange Commission (SEC). The authorities now believe that the most probative evidence is likely to be found not only in emails but in chat messages as well. And they have begun to change enforcement policies to incentivise employers to access and produce chat messages as a top priority.

Lisa Monaco, the deputy attorney general, recently announced that the DOJ will consider companies’ “policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved” in evaluating companies’ compliance programmes. She also noted that companies seeking cooperation credit in investigations should have policies and systems that ensure they will be able to collect all work-related communications, including texts and chat messages.

Days after that policy change, the SEC publicly announced record-breaking penalties against regulated entities based on employees’ use of personal text messaging apps for business communications. The entities involved were broker-dealers and investment advisers subject to legal record-keeping obligations that may not apply to other entities. A total of 16 entities agreed to pay combined penalties of $1.1bn for failing to keep records of their employees’ work communications on text message applications on personal devices.

The technological challenges involved in collecting chat messages are only becoming more acute. Messages are no longer necessarily static. Unlike an email that exists in its canonical form – possessed by both sender and receiver – when the sender presses ‘send’, some chat apps now allow for disappearing or ephemeral messages that are not recoverable after they appear for a brief moment. An increasing number of apps also allow the sender to edit a message after pressing ‘send’. Apple recently updated its iOS software to allow editing of messages sent through its Messages app for the first time.

It is also becoming easier to encrypt messages to prevent their disclosure even when employers have the right to access the devices used to send the messages. Dedicated apps like Signal have offered encrypted communication for a while, but employees no longer need to use a purpose-built messaging app to ensure the privacy of encryption. For the first time with the release of iOS 16.2 in December 2022, Apple has allowed users to enable an encryption option that will prevent recovery of encrypted messages sent on its Messages platform.

So as pressure from the government to access chat messages ramps up, accessing them is becoming more complicated technically. Employers cannot be expected to accomplish what cannot be done technologically, to crack encryption that even the National Security Agency (NSA) cannot. But that should not be an excuse to do nothing in response to the revised incentive structure set out by enforcement authorities.

Employers should take steps now that will allow them to access business communications later when they are needed, whether for business purposes or to respond to a government investigation. By acting to ensure that the company has access to work-related communications, companies put themselves in a position to argue that they lived up to the expectations the DOJ recently articulated. As importantly, they undercut any potential impression that they deliberately avoided learning about potential misconduct by allowing entire categories of work-related messages to be inaccessible to them.

Some companies issue company-owned mobile devices to employees, but many others have taken a hands-off approach to employees’ devices by allowing employees to access company information like email on employees’ own devices. Companies should require employees who use personal devices for work to sign a bring your own device (BYOD) policy that gives the company the contractual right to access business communications on those devices, even though employees own them. Revisions to BYOD policies that allow employers to access employees’ personal devices must comply with data privacy laws of relevant jurisdictions.

Today, it may be considered unrealistic to prohibit employees from using chat messages to communicate about work. Instead, companies must recognise employees’ desire to communicate through more informal channels like chats and designate an official chat platform like Microsoft Teams or Slack for work discussions. Pick a platform that allows the company to access chat messages employees send through it. When the platform has been installed, establish a policy requiring work-related chats to occur on the official platform and not on other platforms. Train employees on the new policy, and act in response to information indicating employees are using other platforms for business communications. If the company learns that employees use other messaging apps to communicate about work, it should take disciplinary action to emphasise the importance of keeping work communications on approved channels.

Taking steps like these now can prevent work-related communications from being unavailable, insulate the company against criticism that it did not do enough to secure business information, and allow the company to remain eligible to claim credit for cooperating with enforcement authorities in the event of a government investigation. By providing clear guidance to employees about how and where to communicate, companies guard against potential legal liability and they can avoid costs that may be associated with preserving and collecting business-related data across a growing number of applications in the event of a government investigation.

 

Brandt Leibe and Grant Nichols are partners at King & Spalding LLP. Mr Leibe can be contacted on +1 (713) 751 3235 or by email: bleibe@kslaw.com. Mr Nichols can be contacted on +1 (512) 457 2006 or by email: gnichols@kslaw.com.

© Financier Worldwide

BY

Brandt Leibe and Grant Nichols

King & Spalding LLP

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.