How to save Records Management from Self Destructing Messages
Every month more than four billion people send 560 billion SMS text messages worldwide—a 7,700% monthly increase over the past decade. Instant message (IM) traffic on apps such as Facebook Messenger, WeChat, WhatsApp, Viber, and Line tops 60 billion messages daily.(1) As of 2018, the cloud-based collaboration tool Slack says it has eight million daily active users and three million paid users.(2)
According to one recent survey, nearly 78% of people would like to have a text conversation with a business, and 80% of professionals currently use texting for business purposes. Interestingly, more than half of professionals claim that they cannot stand even 10 minutes without responding to a text.(3)
Alongside the rise of messaging generally are self-destructing messaging services beyond the popular Snapchat and Telegram platforms, such as Bleep, Confide, Cover MeHash, Signal, SpeakOn, VaporStream, Wickr, and a host of others. Unmanaged use of these messaging apps means there may, in fact, be no “record” in any sense that can be captured by any actor or institution subject to regulatory oversight or compliance obligations. Although, admittedly, such applications are less prevalent among business people than among the under-18 set, they nevertheless are available to any interested party as a means of conducting business—for time-saving efficiency by many, and for possibly dubious “off-the-books” uses by some.
In 2017, a Washington, D.C.-based public interest group filed a lawsuit against the current White House, alleging that presidential staff were using communications platforms that allow for self-deletion, such as WhatsApp, Confide, and Signal, while failing to put into place an adequate archiving scheme for the capture of such messages (either by automated means or by staff copying messages manually).(4) The lawsuit was dismissed on the grounds that, under existing precedent, the court did not consider itself to have jurisdiction to interfere with presidential records management practices. But on the merits, the allegations in the complaint painted a picture of potentially widespread noncompliance with recordkeeping policies that simply are not keeping up with the pace of technological change.
And so, at the end of the second decade of the 21st century, we face what might be considered an existential threat to recordkeeping as we know it. The threat grows to the extent that business-related communications are increasingly conducted by employees of enterprises via these types of messaging channels, on either company-owned or employee-owned devices. Shall we give up? Shall we try to rigidly enforce prohibitions on the use of these services? Or, as an intermediate position, shall we ask what data controls are reasonable to contemplate as a matter of governance, compliance, and oversight? The question is urgent, given the accelerating proliferation and use of such applications.
Taking a step back, it may first be best to review the bidding on how we got here, including key milestones and earlier warning signals along the way. Armed with that knowledge, we can take a stab at sketching out a path to better compliance from both the perspective of technology and information governance policy.
In 1986, employees of the National Security Council were informed in a White House guidance manual that e-mail should not be used to convey official records information. That written policy prohibition went unheeded by Lt. Col. Oliver North, John Poindexter, and others, who sent each other thousands of e-mails (in the form of “PROFS notes”) about high-level, sensitive matters of government, including matters pertaining to the infamous Iran-Contra affair. Such messages were seized as part of an Independent Counsel investigation, and subsequently were caught up in decade-long litigation over the record status of e-mail messages residing on backup tapes. The government eventually lost the argument that only e-mail communications that had been printed out were true government records. Subsequently, the Clinton White House agreed to restore e-mails from backup tapes, including certain metadata, for placement in government archives, and also agreed to put into place a system for e-mail archiving going forward.(5)
In the intervening decades, e-mail became the lingua franca of office communications, and virtually all public and private organizations comprising more than a few employees have instituted e-mail as a communications channel, at least in-house. As history repeatedly has shown, however, institutional policies that give end-users access to new types of communications technologies (as e-mail was in the 1980s), coupled at the same time with policy guidance informing those users that they should not use the technology for “official” or “business” communications, have proven to be a recipe for failure from a compliance perspective.
In 1995, the introduction of the Netscape browser led to a period of information inflation, in which the number of websites grew from less than a hundred to over 100,000 in very short order.(6) This, in turn, ushered in an era where end-users could, in theory, access a world of online connections from their workplace desktops. That said, it was only in the post-2000 era that the world of communications technologies really started to take off, with the introduction of the Google search engine, coupled with platforms represented by Gmail, Yahoo, and other providers. For the first time, employees had realistic, easy-to-use alternatives to sole reliance on corporate e-mail networks, which in many cases have been subject to slow-downs, connection issues, and glitches of all types. In this same period, there was an explosion of laptops, mobile devices, personal digital assistants, and most of all, smartphones, capable not only of accessing e-mail networks (corporate and private), but also of downloading a wide variety of apps.
It was therefore entirely foreseeable that employees, including some of the most senior-level officials, would gravitate to using alternative means to communicate in the course of carrying out various types of business activities. Just as inevitably, in the last half decade or so, controversies over the use of commercial networks and apps to communicate about official business have blossomed. The controversy over Secretary of State Hillary Clinton’s use of a private e-mail server is the most prominent example of this phenomenon, but she by no means has been alone: many high-level state and federal officials, as well as political leaders in such countries as Australia and Canada, also have used private communications channels to discuss government business.
From a lawmaking perspective, the federal government has been out in front by enacting into law in 2014 provisions that require officials who conduct government business by means of “electronic messaging” on a private commercial network to take reasonable steps to forward or copy the messages into an official recordkeeping system (with a “.gov” address).(7) Notably, the statute does not prohibit the use of commercial services, but instead provides conditions on use. The statute also includes a provision for agencies initiating disciplinary measures against employees who fail to adhere to these legal requirements.
More recently, the Department of Justice (DOJ) has focused on ephemeral messaging in connection with its corporate enforcement policy under the Federal Corrupt Practices Act (FCPA). To that end, under its recent Corporate Enforcement Policy (USAM 9-47-120), as amended in March 2019, DOJ has put into place a presumption that companies will receive a “declination,” i.e., full remediation credit toward what otherwise would be a substantial monetary sanction, only if the company satisfies certain conditions, one of which involves “prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications. . . .” Thus, companies must carefully consider the effectiveness of their corporate compliance programs as they relate to such messaging apps before any FCPA investigation arises.
At a minimum, it is now in the interest of C-suite executives in enterprises that might be affected by FCPA considerations to perform a risk analysis of the pros and cons of continuing to allow ephemeral messaging as a matter of corporate policy. Arguably, there are substantial financial benefits in mitigating potential exposure to fines through clear corporate guidance controlling the use of ephemeral messaging apps for the conduct of corporate business. On the other hand, ephemeral messaging decreases overall corporate risk in at least three ways: first, by reducing the volume of retained messages that may be exposed to cybersecurity threats; second, by controlling over-retention and the corresponding litigation exposure that arises when messages are retained inadvertently or by default, with negative consequences; and third, as a matter of compliance with emerging General Data Protection Regulation (GDPR) policies aimed at reducing long-term preservation of records containing personal data on individuals, including sensitive personal data. This same balancing of risk factors ideally should be considered by all companies, not just those affected by FCPA policies.
Corporate policies prohibiting employee use of applications are certainly more easily enforceable on company-owned devices, although some kind of software auditing program, automated or manual, would still need to be put into place. However, a substantial portion of the corporate world has adopted some form of BYOD (bring your own device) policy, allowing employees to opt to carry out corporate business on their personally owned devices. In such cases, although there are ways to embed software auditing for particular devices and apps on a voluntary basis, there would appear to be wide-open compliance issues, given the ease with which individual employees may install messaging apps that can essentially go undetected by their employers for some period of time.
In view of the fast-changing world of ephemeral and self-destructing messaging, here are some practical steps company officers should consider taking as part of a robust information governance program.
First, C-suite executives should make every effort to understand the IT environment that exists in their workplace, including on corporate devices as well as on devices owned by employees but used for company business. What kinds of communications apps are being used, by whom, and for what purposes? Executives should consider taking reasonable steps to control communications, such as investing in archiving tools for social media that capture communications on designated apps. As necessary or desirable, companies may consider deploying software that blocks the use of certain well-known apps to restrain employees from engaging in ephemeral communications. A caveat is in order here, however: such efforts may only encourage users to find less well-known workarounds, especially on their personally owned devices.
Second, corporate record retention policies and device use policies should be updated to explicitly recognize that business records may be created on messaging applications, and that such messages need to be managed. While there is no iron-clad, general duty to preserve all business-related communications, under certain circumstances legal holds may need to be put into effect that cover relevant communications on ephemeral apps. Accordingly, employees should be encouraged in the first instance to use stable forms of communication (as defined under corporate policies) that reasonably comply with existing record retention practices and allow for legal holds to be put into effect. Absent an outright prohibition of ephemeral messaging, companies should at a minimum make clear what is permissible and what is expected of employees using either corporate or personal devices, and should provide notice if the company wishes to perform some kind of audit of those devices.
And third, as a matter of setting expectations in a given corporate culture, if senior officials show that they are adhering to using more traditional channels for communication, mid-level supervisors and their employees may be more ready to toe the line. The counter example of the head of an enterprise being known to use private channels as a means to communicate about company business only incentivizes more widespread noncompliance with corporate policies.
The genie is out of the bottle: there is a seemingly endless number of easy ways that we as individuals are now able to communicate with each other. New forms of technology pop into existence with each passing year. A corporate strategy that embraces change by acknowledging these new ways of doing business, while providing clear, up-to-date guidance (and notice) to everyone on staff about what is and is not permissible, is a sensible path forward in the brave new workplace of our future.