Getting the Message: What to Do (and Worry About) With Ephemeral Messaging Apps and Personal Devices
For companies and their counsel who conduct internal investigations or respond to government requests for documents, dealing with employee communications on non-company platforms, such as personal email and messaging applications like WhatsApp or WeChat, is a persistent challenge. Communications on these platforms can be a blind spot for investigators, as they may be ephemeral, encrypted, or accessible only on an employee’s device.
This has been an area of significant focus for regulators recently. The U.S. Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) have issued fines totaling more than $2 billion to more than 50 financial institutions for failing to preserve off-channel communications, contrary to their recordkeeping obligations under the federal securities laws. The issue has also been top of mind for the Department of Justice (DOJ). After initially taking an unrealistic stance in its 2017 FCPA Corporate Enforcement Policy—that companies should prohibit employees from using ephemeral messaging apps—the DOJ has backtracked. Now, the DOJ expects that companies will have policies and procedures governing the use of personal devices, communications platforms, and messaging apps, including ephemeral messaging apps, that are “reasonable in the context of the company’s business needs and risk profile.”
This may sound simple, but it is far from it. “Reasonable” is in the eye of the beholder. A prosecutor who feels blocked by an inability to obtain communications among company employees may take a jaundiced view of whether a company has acted reasonably. Companies that find themselves under regulatory scrutiny will need to demonstrate not only that they have a policy but also that they have effectively communicated it to employees and have consistently enforced it.
The challenges are manifold: How do you know if employees are communicating off-channel? In many places it is simply unrealistic to ban outright apps that are the predominant form of communication; trying to do so may simply drive the behavior underground. Although companies can purchase “enterprise versions” of some apps, they are expensive and have limited capabilities. And who knows if the popular app of today will be a digital dinosaur in a year. Where employee consent is required to collect and view communications, the needs of companies and regulators frequently collide head-on with ever-stricter local privacy laws.
To be sure, this is an issue where regulators’ expectations may not align with the realities of doing business globally in a world of ever-changing communication technologies. Nevertheless, companies fail to act at their own peril. Before implementing a policy, companies should take steps to understand how their employees communicate as well as the nature of their business, privacy, security, and legal needs and constraints. After implementing a policy, companies must train employees so they understand what is and is not permitted. Finally, companies should monitor compliance with the policy and ensure that there are consequences for non-compliance. There is no “right” answer to this issue, and companies may struggle to balance the many competing considerations. But it is important to engage in a thoughtful, risk-based process to design, implement, and enforce a policy. Doing so will help protect the company in the long run.
Partner, Cadwalader, Wickersham & Taft LLP