The Situation: Most companies have faced challenges in finding the right balance between their information governance programs and their employees' use of technologies that do not permit retention of communications. Government enforcement authorities too have struggled with these technologies in assessing regulatory compliance and corporate cooperation.
What Happened: The U.S. Department of Justice revised its Foreign Corrupt Practices Act Corporate Enforcement Policy and loosened the prohibition on ephemeral communications in the context of assessing corporate cooperation. However, SEC staff has not changed its view with respect to regulatory compliance.
Looking Ahead: Notwithstanding DOJ's policy revision, ephemeral communications remain a challenging subject for businesses.
On November 29, 2017, the U.S. Department of Justice ("DOJ") released a revised FCPA Corporate Enforcement Policy in order to "provide guidance and greater certainty for companies struggling with the question of whether to make voluntary disclosures of wrongdoing." The guidance included examples of items "required for a company to receive full credit for timely and appropriate remediation," one of which was "[a]ppropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications."
The software identified by DOJ is colloquially referred to as "ephemeral messaging" apps—messaging that is often mobile device-only, is not archived or searchable, and is automatically deleted after a short period of time that the user can often designate. Consistent with then-DOJ policy, on May 8, 2018, Daniel Kahn, Chief of the DOJ's Foreign Corrupt Practices Act ("FCPA") unit, warned companies: "Don't expect full cooperation if there are no records of the misconduct." Nevertheless, there are legitimate reasons to incorporate ephemeral messaging into a business environment, including information security and the facilitation of internal creativity and openness.
On March 11, 2019, DOJ revised its policy to loosen the prohibition on ephemeral communications, now indicating that timely and appropriate remediation includes: "Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company's ability to appropriately retain business records or communications or otherwise comply with the company's document retention policies or legal obligations."
However, on December 14, 2018, the U.S. Securities and Exchange Commission ("SEC") National Exam Program continued to inform its registered broker-dealers and investment advisers that "practices that the staff believes may assist advisers in meeting their record retention obligations" include "[s]pecifically prohibiting business use of apps and other technologies that can be readily misused by allowing an employee to send messages or otherwise communicate anonymously, allowing for automatic destruction of messages, or prohibiting third-party viewing or back-up."
SEC-registered broker-dealers and investment advisers should continue to use extreme caution with respect to the use of ephemeral communications. While the revised FCPA guidance restores an element of business judgment to multinational entities that are not registered with the SEC, DOJ still appears to take a pejorative view of ephemeral communications by noting that they "undermine the company's ability to appropriately retain business records."
As such, companies would be well advised to take the following steps with respect to ephemeral communications:
- Ensuring there is a specific business justification for use of ephemeral messaging, based on a full understanding of the business's litigation and regulatory risks.
- Adopting written policies governing the use, maintenance, and retention of ephemeral messaging that specifically address the business's litigation and regulatory responsibilities, including clear guidance as to when use of ephemeral messaging is appropriate and when it is not.
- Providing regular, documented training about the appropriate use of ephemeral messaging.
- Periodically testing and auditing the use of ephemeral messaging.
- Imposing appropriate and recorded discipline for instances in which employee misconduct occurs in violation of company policies related to ephemeral messaging.
Two Key Takeaways
- The DOJ has revised a previous policy and loosened the prohibition on ephemeral communications. But companies should take certain steps with respect to these communications, including ensuring there is a specific business justification for their use based on full knowledge of the potential risks.
- The SEC, however, has not altered its policies with regard to ephemeral communications, and multinational registered broker-dealers and investment advisers subject to SEC registration should continue to use extreme caution with respect to their use.