Business Texts on Personal Phones: The Growing Compliance and Enforcement Risk and What to Do About It (Part II of II)

by Margaret W. Meyers, Rachel S. Mechanic, Daniel C. Zinman, David B. Massey, and Shari A. Brandt

This is Part II of a two-part post. Part I discusses recent enforcement actions related to employees’ use of personal devices, and the challenges that such use poses for compliance with books and records and communication supervision rules.

Incomplete Responses to Subpoenas and Information Requests

Employees’ use of unapproved messaging platforms for business-related communications—and their employers’ failure to monitor and preserve such communications, even if inadvertent—may also cause employers to provide incomplete responses to subpoenas or requests for information issued by prosecutors, enforcement staff, or private civil parties.  To the extent a firm is not aware that its employees are engaging in such behavior, it might fail to draft document preservation notices in response to a subpoena or anticipated litigation broadly enough to encompass responsive messages on personal devices or unapproved messaging applications.  Moreover, even if the firm does issue a broadly drafted preservation notice, it is nearly impossible for the firm to ensure compliance with such notices by its employees.  And, if the firm does not have systems or practices in place reasonably designed to identify, capture, and preserve business-related communications sent or received on unapproved messaging platforms, the firm cannot be confident that its document productions in response to subpoenas or requests are complete.    

To the extent a firm knows, or reasonably should know, that its employees may have responsive communications on their personal devices that are not captured by the firm’s systems—and thus not included in the firm’s response to subpoenas or requests for documents—the firm risks actions for recordkeeping violations, false statements, and even obstruction of justice.  Similarly, individual employees who either lie to a regulator about their compliance with a preservation notice or, worse, delete business-related messages that are relevant to an investigation, may find themselves the target of enforcement actions for false statements, obstruction, and spoliation.

How Firms and Employees Should Navigate These Challenges

Although financial services and other firms may not be able to prevent employees from using unapproved mobile text messaging platforms for business purposes, they can and should take certain reasonable steps to obtain custody and control over those communications.

  • Maintain Clear Policies. Firms should ensure their written policies clearly require employees to keep personal and business communications separate and to preserve all business communications, no matter the platform used.  The policies should proscribe the use of unapproved messaging applications for business purposes and should prohibit altogether the use of truly ephemeral messaging applications, where messages are automatically deleted after a short time, if the firm’s systems cannot otherwise capture them before deletion.  The policies should define “business” broadly to include discussions about ancillary matters such as scheduling, personnel changes, compensation, and general market color.  Finally, the policies should make clear that if employees choose to use unauthorized devices or applications for business purposes, the firm will have the right to access that data, and the employee may face employment consequences.
  • Enhance Employee Training. Firms should provide employees with specific training on the relevant policies regarding electronic business communications, and should require employees to sign an annual certification confirming compliance with those policies.  Employees should be trained that if a client insists on using unapproved messaging applications to discuss business, the employee should (1) forward the communication to the firm system that preserves business communication; (2) request that the conversation be moved to an appropriate business platform; and (3) flag the issue to his or her supervisor and/or compliance personnel.  Employees also should be instructed to retain all messages in response to document retention requests, regardless of where they are stored.  Employees should be reminded that, when in doubt, they should ask compliance staff.  
  • Provide Meaningful Alternatives. While prohibiting employees from using unapproved messaging applications for business communications is ideal, often it is not a practical solution—especially when clients insist on using those applications.  Where firms realistically know their employees are going to communicate with colleagues and clients over text messaging applications, the next best solution is to find a way to do so in compliance with firm policies.  Specifically, firms should offer employees meaningful alternatives to unauthorized text applications that will allow them to meet their clients’ expectations of convenience and responsiveness while enabling the firm to maintain custody and control of the communications.  One option is to give employees company-issued cell phones loaded with text functionality that the firm can monitor, preserve, and otherwise control, as with business email.  Another solution is to require employees to install firm-sponsored text applications on their personal cell phones that the firm can use to capture business-related text messages as part of their document retention policies, instead of needing to collect and image employees’ entire personal devices—including all personal communications, photographs, search history, and the like.  The technology in this area is constantly evolving, and firms should follow developments so they can remain ahead of them.
  • Monitor Use and Respond Appropriately. As part of routine compliance, firms should monitor their employees’ company-sponsored platforms for references to unauthorized devices and applications.  In particular, firms should search for phrases such as “call me,” “text me,” and the names of well-known unauthorized applications.  Where violations are discovered, firms must establish a record of taking remedial action—ranging from written warnings to termination, depending on the frequency and circumstances.  In particular, firms should ensure that senior management and supervisors are compliant; if firm policies are seen merely as window dressing and not adhered to—even by managers—regulators will be especially critical.
  • Ensure Broad Retention. Firms should draft document hold notices broadly to include personal cell phones and all messaging applications.  Along with such notices, firms should give employees clear instructions on how to suspend auto-deletion for text messaging applications if there is any possibility their personal devices contain business communications, and require written confirmation that the employee has received and reviewed the hold notice that includes those instructions.  If firms become aware that specific employees who fall within a hold notice may have been using their personal devices for business communications, the firms may wish to encourage employees to back up to a cloud-based network or even image their cell phones as a proactive measure so they are not later accused of deleting messages that were stored only on their cell phones.  Finally, to ensure a reasonable search is done while also protecting employees’ privacy, firms should consider bringing in outside counsel who can retain a forensic services firm under the privilege to back up and image employees’ phones, review the contents, and produce only what is truly business-related.

Margaret W. Meyers, Daniel C. Zinman, David B. Massey, and Shari A. Brandt are partners, and Rachel S. Mechanic is counsel, at Perkins Coie LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.