Baker & Hostetler LLP

10/15/2024 | Press release | Distributed by Public on 10/15/2024 15:07

Deeper Dive: Preserving Ephemeral Messaging – Capture Data Before Its Ghosts Haunt Your Compliance


Organizations whose mantra is "We just never delete anything" (i.e., organizations simply retaining all information indefinitely) are now facing headwinds, especially when the information contains personal information. As our 2024 DSIR Report makes evident, data incidents continue to plague businesses in all sectors of the economy, exposing information of no business value but with real business risk. Likewise, maintaining information containing sensitive personal information may require disclosures under the California Consumer Privacy Act. That said, indiscriminate deletion is not acceptable either, in part because of the risk of prematurely deleting information relevant to litigation or government investigations. This post considers how an organization might handle information generally, through the lens of a particularly troubling subset of information: ephemeral messages.

Federal Regulators Reemphasize Significance of Ephemeral Messaging

Although the way we communicate continues to change rapidly, U.S. regulatory agencies remain steadfast in their commitment to ensure all evidence relevant to their respective investigations is being preserved, and plaintiffs' counsel are not far behind. In March 2023, the U.S. Department of Justice (DOJ) reinforced its concerns about the loss of ephemeral messaging and issued comprehensive guidance instructing organizations to preserve all relevant business communications conducted on personal devices and messaging apps. While acknowledging the important role ephemeral messaging platforms could have in enabling business growth and prosperity, the DOJ also made clear that organizations should tailor policies and procedures to effectively pivot from deletion to preservation in the event of an investigation.

Such instruction has been reinforced in recent announcements by the DOJ and the Federal Trade Commission (FTC) concerning updates to their preservation letters that provide accommodation for the ubiquity of ephemeral messaging across all business sectors. This comes on the heels of aggressive enforcement by the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) of recordkeeping rules that apply to regulated entities with regard to properly preserving their electronic business communications. Notably, while the SEC and CFTC focus on regulated entities, the DOJ's guidance applies to all businesses.

Fines for Lackluster Off-Channel Communication Preservation

As we have shared before, the SEC and the CFTC have been keen on ensuring that their regulated organizations maintain books and records in accordance with a series of federal securities regulations.

On August 14, the SEC and the CFTC announced $390 million in fines. Specifically, the SEC stated:

Each of the SEC's investigations uncovered pervasive and longstanding use of unapproved communication methods, known as off-channel communications, at these firms. As described in the SEC's orders, the firms admitted that, during the relevant periods, their personnel sent and received off-channel communications that were records required to be maintained under the securities laws. The failure to maintain and preserve required records deprives the SEC of these communications in its investigations. The failures involved personnel at multiple levels of authority, including supervisors and senior managers.

This trend continued through September with even more multimillion-dollar fines. Note, however, that as part of its September slate of enforcement, the SEC appeared to express leniency for firms that self-report and take proactive measures to remediate the issues.

Some have questioned whether the old recordkeeping regulations at issue - such as SEC Rule 17-4(b)(4), which dates from 1948 - even capture these sorts of ephemeral messaging. Nevertheless, few organizations have challenged the law in court.

Developing Internal Information Governance Policies and Approaches

Even if you are not a broker-dealer subject to a strict set of regulations governing internal and customer communications, it behooves every organization to draft policies and procedures that acknowledge the current state of the organization's communications system and foster a secure and responsible environment that provides accommodation for instances when preservation is needed. These policies may include a Bring Your Own Device policy and a Records and Information Management policy, both of which are intended to set clear expectations about how certain communications are to be handled.

The critical things are to implement a consistent methodology for retaining ephemeral messages and to foster an infrastructure that enables your organization to quickly pivot from a policy of routine destruction to one of preservation in anticipation of litigation.