by David Craig, Michael Koenig, and Mark Rosman

In the not-too-distant past, professionals used email as their primary, if not their only, means of electronic communication. Texting was a futuristic novelty but also clumsy endeavor requiring between one and four button pushes on a small keypad to produce a single letter on an even smaller screen. It goes without saying, text messaging was ill-suited for rapid and substantive business communications. While a company’s employees occasionally sent work-related text messages for scheduling purposes, clear dividing lines generally existed between personal and professional communication. This made litigation holds and discovery relatively straight forward: discoverable business-related communications were in one bucket and non-discoverable personal communications were in another.

While it is difficult to pinpoint exactly when things shifted, the rise of ephemeral messaging platforms fueled by the rapid adoption of bring-your-own-device (BYOD) policies have created a situation in which the traditional approach to preservation and discovery is no longer sufficient. Indeed, over the last several years the DOJ, FTC, SEC have expressed their increasing frustration with parties under investigation that were unable or unwilling to retain and produce important communications from off-channel and ephemeral messaging platforms, to the point where, the DOJ’s Antitrust Division issued a public warning that “[f]ailure to produce such documents may result in obstruction of justice charges.”[1]

In this article, we review at a high level the evolution that led to the current state where ephemeral messaging and BYOD have upended preservation and discovery methods of the past, we offer our perspective on how to define the problem, and finally we outline a risk-based investigative discovery approach that may help to avoid pitfalls that have recently led to governmental frustration and scrutiny.

The Road to Today’s Compliance Complexities

The issue is not new and dates to the early 2000s when preserving, reviewing and producing email became a major consideration in investigations and litigation. At that time, companies struggled to evolve paper-based processes and compliance policies to electronic communications.

One case in particular, Coleman Holdings v. Morgan Stanley, underlined these risks when a Florida judge issued a partial directed judgement against Morgan Stanley for failing to produce responsive emails. The judge went on to eviscerate counsel for not taking reasonable steps to preserve evidence.[2] Over time, companies improved and normalized internal compliance practices and eDiscovery capabilities, aimed primarily at email collection, lulling them into some level of complacency.

The SEC’s 2022 Off-Channel Communications (OCC) sweeps, however, illustrated how difficult things have become. The first SEC OCC settlement with JPMorgan Chase was announced in December of 2021 on the heels of COVID. At first blush, compliance failures were thought to be triggered by work from home practices imposed by the pandemic. However, digging a little deeper into the settlement, the SEC discovered that “from at least January 2018 through November 2020, [JPMorgan’s] employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp, and personal email accounts.”  The SEC staff highlighted the pervasive use of non-approved applications, even by senior executives and those responsible for recordkeeping compliance enforcement.[3] As the sweeps extended to the rest of the large global financial institutions, it became clear that this was an industry-wide problem.

Although the OCC settlements focused on compliance failures, the conversation quickly pivoted to antitrust and other DOJ/FTC enforcement actions. In 2022, Deputy Attorney General Lisa Monaco instructed DOJ prosecutors that when weighing corporate cooperation, they “should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.”[4]

As a result, so-called “ephemeral” messages now affect charging decisions and that seems to have energized authorities to pursue spoliation and sanction remedies in such cases, all under the looming threat of obstruction:

• In 2023, in the Google Search monopolization case, the DOJ sought sanctions and spoliation against Google, alleging that the company made “history off” chats available to employees—and, indeed, trained employees how to use that feature—thus allowing the daily deletion of such chats.[5]
• In 2024, in the FTC’s monopolization case against Amazon, the Commission pursued a spoliation remedy against the company on the basis that senior executives, despite being made aware of their retention obligations and the inherent risks of Signal, not only continued to use the app but also regularly turned on and off the “disappearing message” feature for conversations regarding competition matters.[6]
• Later in 2024, the FTC again sought a spoliation remedy in its challenge to the Kroger-Albertson’s merger because a key executive’s text messages were not preserved, possibly “because of settings on the iPhone that automatically delete files after a period of time.”[7]

Those ephemeral messaging cases evince varying levels of culpability—from a nefarious-sounding “disappearing” message to a possibly unwitting auto-delete setting—but nevertheless led down similar troubling roads.

Defining “Ephemeral”

A key question to be answered is what, in the context of litigation and government investigations, is an “ephemeral” message?

The answer is informed, in some part,  by acknowledging the increased likelihood that even the most diligent corporate citizens communicate about business matters on platforms and devices outside of the purview of corporate IT.[8] The use of personal devices not only makes it more difficult to identify and retrieve relevant communications in response to a discovery request, but also makes it extremely risky to rely on corporate IT understanding its users’ communications behavior. The proliferation of tools that offer messaging and chat functionality, coupled with corporate IT’s limited ability to control application usage on personal devices make it increasingly likely that individual and non-compliant workgroup communications can go undetected, sometimes for years, in a typical organization.

Furthermore, the blurring of the lines between our personal and professional lives makes it increasingly more difficult to cull business records for the purposes of retention in a BYOD environment. Platforms such as WhatsApp and WeChat have evolved in some geographic regions from being a personal tool to becoming a de facto standard corporate electronic correspondence platform. To make matters worse, most of these platforms do not have the capability to selectively retain individual messages or threads.

In the present era of BYOD, it has thus become clear that an organization cannot proactively enforce preservation, as they may have done in the past, for corporate email, IM or even traditional SMS messaging, which can be archived by the carrier, without the involvement of end users. Apple’s ubiquitous iMessage, for example, is a proprietary peer-to-peer messaging platform that offers auto-deletion functionality like that of Signal and Telegraph and does not currently provide a preservation mechanism other than the forensic collection of the device.  In fact, some of the firm’s impacted by the SEC OCC sweeps have scrapped BYOD, provided employees mobile phone numbers and devices, and disabled iMessage to enforce carrier-based SMS archiving and comply with their regulatory obligations.[9] That is not only an impractical and burdensome solution, but it may also encourage individuals to use their personal devices in violation of corporate policy.

Such issues further underscore the importance of defining “ephemeral” from a preservation perspective beyond tools like Signal and Telegraph that were specifically designed from the outset to “delete after reading.” We therefore suggest “ephemeral” should be defined as any messaging system where a company cannot systematically enforce a litigation hold without end-user involvement.

Our definition, while admittedly broad, is supported by both the realities of BYOD and, importantly, by Judge Amit Mehta’s admonition in Google Search: “Any company that puts the onus on its employees to identify and preserve relevant evidence does so at its own peril.”[10]   

Investigative Discovery

The breadth and seeming intractability of the ephemeral messaging problem may be daunting, but it is not going away. And the after-the-fact narrative in the recent cases offers a cautionary tale of the consequences of uncovering key facts after months or years of discovery. This, in many ways, is reflective of the linear approach to discovery that has been ingrained over the years as the standard approach to investigations: identify a list of custodians and collect massive amounts of data and frequently hand over that data to a third-party team for relevance review that is an arm’s-length removed from the fact team conducting the investigation. Typically, the review team is not trained nor expected to look for discovery gaps or clues in the data that suggest additional sources of relevant information. In the case of ephemeral and off-channel electronic communications, by the time those gaps are identified, it is often too late.

The problem is that, although the reasonable-and-defensible standard that has historically guided discovery remains, what may have been reasonable and defensible in the past is no longer so in the BYOD era. We thus offer suggestions for a risk-based approach toward investigative discovery.

First, at the very outset, consider deploying a small team of tech-savvy and legally informed investigators to conduct—overtly or covertly—an on-the-ground risk assessment of the communication habits of employees in positions with the most exposure to civil or criminal liability. Such an assessment (which may involve interviews, coordination with IT, limited collection, etc.) allows counsel to obtain a more fulsome understanding of the facts and, importantly, to prove to a government agency or a court that meaningful preservation efforts were undertaken if/when discovery disputes arise.

Second, when implementing a litigation hold at the outset of an investigation, the guiding principle for counsel should be Trust but Verify. Few organizations have a clear understanding of where responsive material exists, and instead rely on out-of-date and inaccurate data maps and retention schedules. When the stakes are high, counsel should maintain a skeptical posture and validate a client’s underlying assumptions about what may have been retained and what is readily accessible.

Additionally, we have found that although an increasing number of companies have adopted specific policies that forbid or limit the use of certain messaging platforms, those policies rarely coincide with a compliance framework or audit process that confirms adherence. One of the lasting lessons learned from the SEC OCC sweeps was the stark difference between the very explicit policies and the staff’s actual findings. In one settlement, the SEC identified “widespread and longstanding failure of Goldman Sachs employees throughout the firm, including at senior levels, to adhere to certain of these essential requirements and the firm’s own policies.”[11] Although best practices require the discovery and review of compliance policies regarding potentially responsive data repositories at the outset of an investigation, that should be coupled with verification of actual practices.

Third, when issuing preliminary hold notices, counsel should build and reflect upon what has been learned through the preliminary analysis of user behavior. For example, if it is discovered that key individuals regularly use a workgroup chat or IM tool to communicate about relevant business topics outside of the company’s purview and does not have a mechanism to mitigate the risks of user deletion, hold notices should explicitly call out that platform. In some cases, such as grand jury investigations, counsel should even consider, especially for volatile sources like personal phones that run the risk of message auto-deletion,[12] mitigating the risk of spoliation or obstruction by taking a proactive approach to forensic collection and preservation for critical individuals.

In most cases when the adherence to litigation hold is expected and individuals are asked to retain relevant and responsive messages, counsel and the company should weigh how that can be accomplished against the potential burden on the individual. This can be complicated by a number of factors, including:

• the limited to non-existent archiving capabilities of leading messaging platforms;
• the potential for inadvertent deletion of messages stored on a personal device; and
• the lack of integration with corporate records management and eDiscovery tools.

Litigation hold notices should reflect these real-life risks and provide some practical guidance as to how a reasonable level of compliance can be achieved. Is it reasonable to expect an individual to screenshot every text message they send? What should they do with their screen shots? What happens if they lose their phone?

Fact-driven investigative discovery can frequently shed light on electronic communications behavior. In Google Search, the DOJ cited dozens of emails—that were systemically retained—suggesting employees’ knowledge of the ephemeral nature of chat and a desire to move sensitive conversations to that platform. The collection and cursory review of readily available and searchable emails of a few key individuals at the outset might have given the clues necessary to take preemptive action to preserve the relevant chat threads and avoid the spoliation claims.

Investigative discovery should also be run in parallel with a more comprehensive discovery plan. Modern search and data analytics tools can easily crawl through and index vast amounts of unstructured data in a very short period. If combined with basic Artificial Intelligence (AI) and machine-learning techniques, an investigations team can create a reasonable and defensible electronic communications roadmap.

************

Returning to a point in this BYOD world where a company has control over the myriad forms of ephemeral communications, and where there is a clear line between personal and professional communications, seems remote if not a fantasy. In fact, it is quite likely that things will get worse as new social media and collaboration platforms emerge and are adopted by business users. In this “new normal,” counsel’s toolkit should always include investigative methods and the requisite technology to determine, to the best of their ability, their client’s electronic communications culture and have at the ready the processes in place to minimize the risk of spoliation, sanctions, or obstruction.

Footnotes

[1] Joint Press Release, Antitrust Div. of the U.S. Dep’t of Justice & Fed. Trade Comm’n (Jan. 26, 2024), https://www.justice.gov/opa/pr/justice-department-and-ftc-update-guidance-reinforces-parties-preservation-obligations.

[2] Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., No. CA 03-5045 AI, 2005 WL 674885 (Fla. Cir. Ct. 2005), https://app.ediscoveryassistant.com/case_law/28141-coleman-parent-holdings-inc-v-morgan-stanley-co.

[3] Press Release, U.S. Sec. and Exch. Comm’n (Dec. 17, 2021), https://www.sec.gov/newsroom/press-releases/2021-262.

[4] Memorandum from Lisa Monaco, Deputy Attorney General, U.S. Dep’t of Justice, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group, at 11 (Sept. 15, 2022), https://www.justice.gov/d9/pages/attachments/2022/09/15/2022.09.15_ccag_memo.pdf.

[5] United States’ Mot. for Sanctions at 1-3, United States, et al., v. Google, Inc., No. 20-3010 (D.D.C. Feb. 23, 2023), ECF No. 512 (redacted version).

[6] Pls.’ Mot. to Compel at 11-12, Fed. Trade Comm’n, et al., v. Amazon.com, Inc., No. 23-cv-1495 (W.D. Wash. Apr. 25, 2024), ECF No. 198.

[7] Pls.’ Mot. In Limine for an Adverse Inference at 2, Fed. Trade Comm’n, et al., v. The Kroger Co., et al., No. 24-cv-347 (D. Ore. Aug. 16, 2024), ECF No. 268 (redacted version).

[8] Even before the pandemic, over 95% of organizations allowed some form or another of BYOD, https://www.nist.gov/news-events/news/2022/12/spotlight-cybersecurity-and-privacy-byod-bring-your-own-device (Dec. 1, 2022), and that number seems unlikely to decrease in the foreseeable future.

[9] Although some companies have required individuals implement mobile device management (MDM) tools on their own devices to facilitate some organizational control over and insight into messaging application usage, that is the exception, not the rule, and has been met with user reluctance amid privacy concerns.

[10] Mem. Op. at 276, United States, et al., v. Google, Inc., No. 20-3010 (D.D.C. Aug. 5, 2024), ECF No. 1033 (redacted version).

[11] Exchange Act Release No. 95922, at ¶ 2 (Sept. 27, 2022), https://www.sec.gov/files/litigation/admin/2022/34-95922.pdf.

[12] Auto-deletion refers to not only the “disappearing message” features of tools like Signal and iMessage, but also the inherent risks of data loss resulting from device operating system or application updates or physical device damage.

David Craig and Michael Koenig are Managing Directors at Secretariat. Mark Rosman is a Partner at Proskauer Rose.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).