Corruption Crime & Compliance

Electronics Communications Risks in the Era of Ephemeral Messaging



Ephemeral messaging applications like Snapchat, WhatsApp, and Telegram present a complex challenge for compliance professionals and legal counsel. On one hand, these technologies can reduce data storage and preservation costs, minimize breach exposure, and allow prioritization of communications data. On the other hand, they can create blind spots by deleting communications records and seriously obstruct internal investigations. How can companies balance the benefits of ephemeral messaging against the risk of undermining their compliance programs? In this week's episode of Corruption, Crime and Compliance, Michael Volkov discusses recent DOJ guidance regarding ephemeral messaging risks and outlines practical steps organizations can take to strike the right balance.


You’ll hear him discuss:

  • Ephemeral messaging can reduce data storage and preservation costs, which can be significant for companies facing litigation or investigations. It also reduces potential breach exposure by deleting data.
  • However, ephemeral messaging can obstruct internal investigations and create corporate blind spots by deleting communications records before they can be reviewed. This undermines compliance programs.
  • DOJ's guidance outlines several steps companies can take to allow ephemeral messaging while mitigating risks:
  •   Understand how the apps delete data and what types of data are stored;
  •   Tailor policies on use to your specific risk profile and business needs;
  •   Clearly communicate policies to employees and ensure regular enforcement;
  •   Examine how policies impact the ability to conduct investigations and respond to subpoenas;
  •   Evaluate the overall reasonableness of the risk mitigation strategy.
  • Practical steps to make ephemeral messaging safer include:
  •   Restricting use to specific authorized purposes like scheduling;
  •   Requiring employees to maintain deletion settings;
  •   Conducting periodic audits of devices;
  •   Requiring preservation and company access to work communications;
  •   Coordinating ephemeral messaging policies with broader data preservation policies.
  • If a company provides devices to employees, it has more control and ability to restrict apps and access data, but even then, steps need to be taken to mitigate risks.
  • BYOD policies are more complex since consent and privacy restrictions may limit what companies can do. However, a BYOD policy still needs to address comprehensively:
  •   Preserving data
  •   Allowing corporate audits and access
  •   Segregating work data where possible
  •   Outlining consequences for violations
  •   Respecting local privacy laws
  •   Getting employee consent
  • With the right policy framework, BYOD can potentially allow ephemeral messaging while protecting data availability.


KEY QUOTES

“Companies have a vested interest in preserving their internal communications for a variety of reasons, to hold internal actors accountable, or even outside actors sometimes, and to protect the organization from potential private and government claims or investigations that may have serious direct or collateral consequences.” - Michael Volkov


“If the government issues a grand jury subpoena as part of a criminal investigation and the company fails to preserve data generated by use of an ephemeral messaging system, a company could be held liable for failing to preserve data relevant to the criminal investigation. Such consequences can be significant...” - Michael Volkov


“While a company may have limited access to employees' personal devices when it supplies devices to its employees, the company should regularly secure certifications by its employees that has not used its personal device for work-related purposes, with emergency exceptions, of course. Similarly, companies have to develop testing protocols for its BYOD policy and secure employee consent to examine the personal device limited solely to business data.” - Michael Volkov


Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group


Corruption Crime & Compliance, by Michael Volkov
