Helping law firms come to grips with self-destruct messaging
More and more individuals and corporate enterprises are using encrypted self-destruct messaging, also known as ephemeral messaging, through apps such as WhatsApp, Snapchat or Wickr. Ephemeral messaging is the transmission of encrypted messages that disappear from the recipient’s device, automatically or within a set period of time, after the message has been viewed. These apps are no longer used just between friends, but are also being used within the corporate world to prevent IP leaks and to keep confidential information from getting into the wrong hands.
In some cases, employees are using self-destruct messaging as a way of communicating between colleagues that goes under the radar of internal detection. Increasingly, companies are allowing the use of ephemeral messaging for incident response investigations where a trusted secure channel is often required to properly conduct the investigation in confidence while a determination of compromised assets is underway. Other examples include mergers and acquisitions information exchanges, sensitive internal investigations, attorney/client and board of director confidential communications.
Legitimise ephemeral messaging
However, ephemeral messaging by its nature can create legal complications for information governance and eDiscovery. A strong use policy is critical to staying out of trouble with this technology. It is important to recognise that data transmitted in ephemeral messaging may create legal headaches. The mere existence of any secret conversation in a corporate environment can often have the appearance that the parties are using it for ill intent or to circumvent litigation holds. Having a strong use policy will help demonstrate that the technology is being used responsibly and in good faith for legitimate reasons.
A basic information governance principle is that effective and secure collaboration and communication within corporate groups requires that information be properly controlled. Ideally, to mitigate risk and enforce record retention policies, document controls should be set at or before the time the information is created. Typical document controls used by enterprises include labelling the document by category, controlling how long the document can live within the enterprise (time-to-live, or TTL), or restricting access by user or geography. All of this can be relatively easy to achieve with a single corporate ephemeral messaging technology platform like Wickr.
Obligation to preserve data
In a pre-trial hearing ahead of a trade secrets case late last year, the use by two Uber employees of ephemeral messaging app Wickr came under scrutiny. Reuters reported that although Timothy Heaphy, a lawyer at Hunton & Williams and a former US Attorney in Virginia, said there is nothing inherently unlawful about instructing employees to use disappearing messaging apps, companies do have an obligation to preserve records that may be reasonably seen as relevant to litigation or that fall under data retention rules set by industry regulators [1].
There are measures companies can take to better manage ephemeral communications:
- Create an ephemeral communication use policy for authorised uses. Companies may have to preserve certain types of business-related documents to meet regulatory requirements in highly regulated industries such as finance, or for litigation holds. The legal department should provide clear guidance in the use policy on what is proper and what is not. Careful consideration should be given to any legal or regulatory restrictions that could affect so-called TTL messaging use in a particular scenario. That said, unless it has had notice of a governmental investigation, probable or pending litigation, or another source of a duty to preserve evidence, a company generally has the right to dispose of its own property, including documents, electronically stored information, or tangible things, without liability. The case law is clear – there is no spoliation issue where the corporate document retention policy provides for the routine deletion of data and there was no existing duty to preserve at the time the information was destroyed.
- Set up an acceptable use oversight team. This will require stakeholders like the CISO, CIO, CTO, and legal officers to determine acceptable uses of ephemeral messaging and add them to your acceptable use policy manual. The policy should include the specific rationale for each use scenario. Acceptable use examples include data breach investigations when the extent of a breach cannot be immediately determined, attorney/client communications within the enterprise where normal communication channels can possibly waive the privilege, internal investigations, sharing of sensitive corporate strategy or financials and any time that sensitive and confidential corporate information is transmitted outside the corporate firewall. The policy should include the default TTL for each acceptable use. The policy should also clearly spell out unacceptable uses – anything that violates company policy, compliance and regulatory requirements.
- Determine which employees will have permission to use the technology. All authorised users should be assigned identities by the administrator. The use policy should be distributed to all employees who will have access and permission to use the technology. Those employees will be required to sign off that they have read and fully understand the acceptable use policy and the consequences for violation of the policy.
- Provide training. Train authorised users in the acceptable use of the technology so there is a consistent understanding of it throughout the organisation.
- Audit the organisation’s usage of ephemeral messaging periodically to make sure it is being used for its intended purposes. There should be regular use evaluation, establishing the platforms and features employees are using, and how they are using them, and an update to the existing policy should follow if necessary.
With all the hacking going on these days and how easy it is to intercept electronic communications, ephemeral messaging is valuable where a trusted secure channel is required. It is a safe way of carrying out sensitive communications. However, as with all new technologies, the risk of misuse and the compliance implications require that it be governed by a strong data governance policy coupled with a proactive re-evaluation of the changing technology in use and its legal implications.
About the author
Albert Barsocchini is Director of Client Advisory Services, NightOwl Discovery.
Albert Barsocchini joined NightOwl Discovery in 2012 and is currently the director of client advisory services. Albert is an internationally recognized expert in the fields of privacy and protection, compliance, audit and corporate investigations. He has served on the Law Technology News editorial board, as chair of the California State Bar’s Law Practice Management & Technology Section, and as a court appointed special master. He writes and lectures frequently on industry issues.