E-Discovery and Ephemeral Application Data

It seems like every other day there’s a new messaging application that individuals may use to communicate. Applications like WhatsApp, Confidence, CoverMe, Dust, Hash, Signal, Snapchat, Telegram, and Viper all use encryption and/or provide for the permanent erasure of messages.

This is probably fine for personal or family communications. However, when it comes to business communication, users of these applications, and perhaps more importantly counsel who work for or who represent businesses that allow the use of these applications, need to be cognizant of the legal and ethical implications that flow from their use.

No Data Source Is Exempt from E-Discovery Obligations

As technology continues to develop programs that create data sources limited only by the technological imaginations of developers and innovators, it is clear there will be new sources of electronically stored information (ESI) or data.

For anyone who does not follow these developments, it is also clear that few, if any, sources of ESI are exempt from discovery requirements.

The standard, in almost every jurisdiction of the world, is one of relevance or materiality. If data is created and it is somehow relevant or material to a claim or defense in litigation, or to an investigation or regulatory inquiry, then arguably that data is subject to discovery obligations—that is, the need to preserve, collect, review, and produce the ESI.

The Disappearing Data Conundrum

But what’s a practitioner to do if the relevant data has disappeared?

Ephemeral messaging data is data that is stored only temporarily; that is, data that disappears or is automatically erased or deleted. There are many forms of ephemeral data in computer systems, in email systems, etc. Some of them overwrite data; others delete the data. But perhaps the thorniest applications are messaging apps on mobile devices where the data does not reside on the device and the data disappears after a short period of time.

The issue is how a practitioner preserves and collects data that’s no longer there. Obviously, a lawyer’s legal and ethical obligation to preserve relevant information is not extinguished under these circumstances. Ignorance and naïveté are likely not valid excuses either.

The Consequences Are Real

The consequences for failure to preserve ESI are well-documented. A few years ago, JP Morgan Chase & Co. paid a $125 million fine to the U.S. Securities and Exchange Commission (SEC) when they ran afoul of the books-and-records obligations of broker-dealers for failure to preserve messaging data communicated within the brokerage. Earlier this year, Goldman Sachs terminated several high-level employees for communicating about firm business on non-approved messaging channels.

Counsel for the government and both the plaintiff and defense bar are becoming more sophisticated about the various data types. They know or are learning about all the sources of potentially relevant ESI, and they know what data sources to seek in discovery.

How To Manage Ephemeral Data

Yet, organizations appear to continue allowing the use of these applications.

Organizations that allow the use of ephemeral data applications should rethink their use. Many organizations, like J.P. Morgan Chase and Goldman, referenced above, prohibit the use of ephemeral data applications when conducting company business. But many organizations may not even know that employees are using these applications.

What should be done?

Well, first of all, organizations need to revise their data and information governance policies. It would be prudent to inform employees that it is not acceptable to use an ephemeral data application to communicate company or firm business information. Prohibit their use as a condition of employment.

Second, conduct training to educate employees about the reasons not to use these applications. Most will likely not use them for business if so instructed and trained. But there’s always likely to be a rogue outlier. Make sure the consequences to the individual employee are significant enough to deter this or any other reckless conduct.

And finally, if an organization is permitting use of ephemeral data applications, business leaders and IT professionals need to ensure that company data retention policies are adhered to. It’s okay to have a data retention policy that results in the deletion of data, provided that there is no legal reason or need to retain that data.

Conclusion

Ephemeral data applications create a very real conundrum for legal practitioners. The reality is that for most of these applications the data does in fact disappear within a short time after a communication is sent. Some applications allow users to adjust the settings, but generally, short of grabbing a screenshot of a message in real-time, the data is permanently erased and is not retrievable. Accordingly, organizations using or permitting the use of these ephemeral data applications need to analyze whether they should continue to use them.

The standard is for a company to have developed clear policies that define business communications and prohibit (or at least discourage) employees from using ephemeral messaging apps for business communications. Strong IT capabilities that support compliance, data governance, and data retention are the best actions an organization can take to ensure the enterprise has minimal risk with regard to ephemeral communications.

Mike Quartararo
Mike Quartararo is the President of the Association of Certified E-Discovery Specialists (ACEDS), the world’s leading organization providing training and certification in e-discovery to law firms, corporate legal departments and the broader legal community. He is also the author of the 2016 book Project Management in Electronic Discovery and has been successfully consulting in information governance, e-discovery, project management and legal technology for two decades, including 10-year stints at both Skadden Arps and Stroock. A graduate of the State University of New York, he is a certified Project Management Professional (PMP) and a Certified E-Discovery Specialist (CEDS). He frequently writes and speaks on e-discovery, legal operations, project management and technology topics. Reach him via email at [email protected] or on Twitter @mikequartararo.
