Most companies have policies requiring the preservation and storage of work-related communications to comply with various legal requirements, to produce to management for various purposes and to respond to regulators if needs be. Implementation of these policies has proven complicated with the use of personal devices and the advent of new technologies that go beyond typical email and texting, especially messaging apps such as WhatsApp, Facebook Messenger, Signal and Telegram.
The U.S. Department of Justice (DOJ) has raised concerns about companies that fail to properly preserve business-related communications. These include communications on personal devices, encrypted messages and "ephemeral" messages – messages designed to go poof.
DOJ recently issued guidance on the topic. Personal devices raise "corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation." The same goes for "third-party messaging platforms, including the use of ephemeral and encrypted messaging applications." When prosecutors evaluate a corporation's compliance program, they "should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved."
Compliance with communication-preservation requirements will become even more complicated in the metaverse. After all, 20 minutes in the metaverse generates 2 million (albeit nonverbal) data points – 6 million per hour. Most legal requirements for preservation of records, and most government subpoenas for them, define terms such as "communications," "records" and "information" exceedingly broadly. So there seems little reason they would not apply to employee communications in the metaverse.
Here are some questions companies should be considering for employee communications in the metaverse:
- How are our employees communicating in the metaverse?
- What policies do we have in place, and what policies do we need to have in place, to make sure we are appropriately preserving employee communications in the metaverse?
- What technological solutions, if any, do we need to implement to match our preservation policies in the metaverse?
- What training do we have in place for proper channels of metaverse communications?
- Are our metaverse communication policies compliant with government recordkeeping requirements?
- Are employee communications stored in a jurisdiction and in such a manner that we have legal possession, custody or control over them?
- Are employee communications stored in a jurisdiction and in such a manner that we have the practical, real-world ability to review and produce them for compliance purposes, employee evaluations, internal or government investigations, or litigation?
- Are employee communications or related data blockchain-based? If so, do we need, and can we get, related employee-held private keys to, for instance, ascertain a transaction participant's identity?
- Are our employees using private devices, including virtual-reality headsets, to do company business in the metaverse?
- What data is on those (and our) headsets and other metaverse hardware, does it need to be preserved, and is it preserved and producible?
- How can we implement all the foregoing without violating domestic or foreign privacy laws?
These questions will pose challenges in the months and years ahead as more work shifts to the metaverse – and with it, litigation and regulatory scrutiny.