Ephemeral and Off-Channel Communications – Are we missing the serious questions?

In the compliance and ethics field we regularly see waves of scandals and enforcement actions. Certainly, a newsworthy one has occurred in the highly regulated securities industry, where there are fences around participants’ conduct to protect those who are vulnerable to abuse by industry insiders.  In this specific industry there are requirements that participants keep records of their business activities. This allows management to control conduct and ensure that actions taken are consistent with the securities laws. 

The history – recordkeeping requirements in the securities industry.

If you are a broker-dealer, a practitioner in the investment advisory field, or a swaps dealer you know these recordkeeping  rules apply to you and you know what is required.  These firms must have compliance people responsible for making sure the rules are followed.  In reality the rules on record keeping did not match the practice. In part, the development of technology overtook the compliance efforts.  In this industry, participants found it easy to use ephemeral message apps, such as WhatsApp, We Chat, Signal and Slack, for business communications.  They could also communicate “off channel” for their business purposes, meaning they used communications vehicles that were outside of the company’s purview and control. All of this allowed them to conduct business with no records being made or retained – the very thing the rules were created to prevent.

The SEC, CFTC and DOJ, in conducting investigations, found their efforts hampered by the inability to access records that were legally required to be created and retained. The SEC, for example, found that executives were telling employees to take communications offline. Even senior managers used off-channel communications.  M. Sun, “SEC Top Cop Says Tougher Penalties Prove to Have ‘Deterrent Effect,’” Wall St. J. B9 (12/30-31/23). It was simply accepted practice to circumvent the rules.   

The result was as predictable as all the other scandals and waves of violations we have seen in the compliance field over the years:  serious enforcement actions, terrible publicity, and walloping fines in the billions of dollars.  Had the story ended at that point it would have been attention-getting the way other scandals have been.  But there was much more. 

Government agencies carry this a big step beyond one regulated industry.

The SEC’s head of enforcement, Gurbir Grewal, purported to apply this initiative generally to those subject more broadly to the SEC’s jurisdiction.  He warned all publicly traded companies, if, while litigation is anticipated or pending, they have not followed the law and maintained required communications or ignored subpoenas or litigation hold notices or deliberately used ephemeral technology that allows messages to disappear, “we may well conclude that spoliation of evidence has occurred and ask the court for adverse inferences or other appropriate relief.” He also said failure to preserve business-related text messages may “obstruct investigations, [and] raise broader accountability, integrity and spoliation issues.”  Gottschall, Newman & Roberts, “What to do about Business-Related Text and WhatsApp Messages” Compliance and Ethics Professional 52-53 (Oct. 2023).

DOJ’s Criminal Division also started using this base of regulatory activity to reach a much broader range of actors.  The Division generally provides guidance to compliance and ethics professionals to ensure that their compliance program activities are effective.  As part of this initiative the Division has offered a guide dealing with how its enforcement people will assess company compliance programs.  Only an effective program can gain a company significant benefits in the event of a criminal violation.  On the heels of the enforcement actions in the securities industry, this guide, the Evaluation of Corporate Compliance Programs (“ECCP”), has been revised to address the use of ephemeral communications. 

The ECCP now purports to tell companies how to treat this element of “risk.” There are, however, no statutes or regulations in this area, unlike the regulated securities area. Beyond the law as it has long applied to dealing with documents during litigation and government investigations, there was nothing that required those outside of the originally regulated securities industry to retain anything else nor was there any requirement that they deliberately take steps to retain records of any activities.

Compliance programs in this process.

 In the context of the ECCP’s new focus, we should consider the important role of compliance programs. They exist to prevent and detect misconduct.  They are not there to make government’s job easier or ensure employees create evidence the government can use. What we are seeing now is arguably a government agency using enforcement discretion to create new rules with no authorization from Congress. What is the purpose of these new moves?  They are not being put out there to prevent anything or to protect anyone.  Instead, their function is simply to create evidence for the government. This may not seem so bad in a tightly defined context within a highly regulated industry like securities.  But imagine applying these concepts to all organizations in all areas where there could be any kind of enforcement action.  The scope is unheralded.

What is the legitimate interest of enforcers? 

The law relating to records has not changed.  There are only limited legal requirements.  Companies must not obstruct justice in the handling of records. If the government arrives to conduct a search, disposing of records to avoid disclosure is illegal.  Similarly misprision of felony, which is not tied to any legal requirement to create documents, is prohibited.  However, these provisions do not apply in just any case where records cannot be produced.  In each criminal provision there is also an element of intent. 

Companies may already have policies to address this narrow range of improper and illegal actions designed to impede litigation and investigations.  There should be a system for litigation holds, and cooperation in investigations.  But is anything else really necessary or appropriate?

The evolution of business records.

Consider this in the historical context of corporate records.  At one time the corporate world was connected by paper.  These materials could be enormous in volume and difficult to sort and review. They could also be shredded and irretrievably lost. There was also the possibility of wire taps, which if legally justified provided important evidence.  Then came video recording.  No better example exists than the antitrust conspiracy case involving ADM.  The government had an insider who helped set up the conspirators.  For years, DOJ used and made available a video of the conspiracy in action.  One classic comment caught on tape was by a senior official at ADM, advising his coconspirators that “our customers are our enemies and our competitors are our friends.”

With the development of email the government had found an easy goldmine of records. Initially people were quite careless in what they wrote in email.  It seemed like everything was recorded and retained forever.  One could conclude that, in fact, the government had become completely spoiled and never wanted this source to end.

However, technology kept evolving and means of communication came onto the scene that did not retain the written records.  Companies found that “the way their employees talk to each other keeps changing.”  “Wall Street Faces Texting Dilemma,” WSJ B4, Nov. 1, 2023.  In a survey, 69% of Gen-Z indicated that they prefer communicating via messaging apps, rather than email or phone calls

With the pandemic, such tools as Zoom and Teams have proliferated and are also subject to whatever rules apply. So would these also have to be captured for regulators and prosecutors in their new, aggressive approach? Consider that in the ECCP DOJ’s Criminal Division says “to the greatest extent possible” companies must ensure that business-related data and communications are accessible and amenable to preservation by the company. If that means you only needed to hit the “record” button on Zoom, how could you justify not doing that?

What do we make of disappearing messages? 

If an app automatically disappears unless you intervene, how is that different from using Zoom where you elect not to record it?  See

Gottschall, Newman & Roberts, “What to do about Business-Related Text and WhatsApp Messages” CEP p. 52, 54  (Oct.2023). As the authors note, “[e]phemeral messaging applications continue to evolve rapidly.” It is also very important to note that while many may be making the serious mistake of assuming that this only applies to “ephemeral” messaging applications, the glaring fact, from reading the ECCP, is that there is no such limit in DOJ’s direction. 

How far does this go?

According to the ECCP, DOJ enforcers are not just talking about how you respond in litigation. They are talking about everything you do, every day, throughout your business.  They are talking about all forms of communication.  And unlike the provisions of the securities laws, there are no limits on all of this. Who does this “guidance” and the related threats apply to?  Unlike the securities laws, there are no limits on what industries are covered by this.  But outside of the SEC and looking at DOJ’s perspective, this goes well beyond publicly traded companies.

Where is the line?

There is an even more unnerving question in this.  Where, if at all, is the fire break? While the ECCP on its face applies to businesses, the origin of the scope of compliance is the USSGs.  The USSGs compliance program standards apply to all organizations, not just businesses. When it comes to DOJ’s position, there is no logical stopping point. 

Who else would DOJ’s threat apply to? 

Any organization that might use its compliance and ethics program to mitigate adverse treatment by DOJ.  In other words, all types of organizations.  This requires some thoughtful consideration.  This directive to take steps to preserve any evidence the government might someday want applies just as well to:

i. Unions

ii. Churches

iii. Universities & colleges

iv. The press

v. Political parties

Given the breadth and scope of US law, there is no organization that is without risk of breaking a law.  In such cases the organization’s efforts to be a good citizen by working to ensure compliance with the law would apply.  Thus, complying with this new regime being created by DOJ’s compliance program guidance would become necessary. Organizations whose focus is free speech, advocacy, and sometimes opposition to the government are now in this strange new environment where they can be effectively punished for not retaining records open to government examination. 

The unexamined harm to compliance programs.

There are direct and immediate adverse consequences of this new reach by DOJ. There can be little doubt that this power move by DOJ will result in weakening compliance programs and undercutting compliance professionals.  This profession will now be responsible for actively resisting the adoption of new communications technology. We will be the tech communications Luddites, charged with holding back the flood of new communications approaches. 

One could fairly ask if the government, in all its work in this area, has ever come across compliance and ethics professionals who complain about having too much time and resources and not enough to do?  Is this really where we should be devoting our efforts?  Or are we being thrown into a corporate fool’s mission.

Is the answer just writing a new policy?

At first glance, as bad as this is, it might just appear to require updating a policy or two. But even this step requires promulgating the new policies and then updating them regularly.  It cannot stop there, if we read carefully what DOJ says.  Policies are never enough.  We would be expected to treat this just like any compliance risk. That is very simple to say, but an enormous resource leech, devouring compliance program resources. 

DOJ, in the ECCP, has made it clear that merely having a policy that follows their directions, is not enough.  Here is some of the most directive language on this point:

The company is expected to “ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.” (emphasis added)   Prosecutors are also told to ask “whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.” “What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?” What policies and procedures “ensure that communications and other data is preserved from devices that are replaced?” “How have the company’s data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications?”  “Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications?” 

From DOJ’s perspective, these expansive data retention requirements are to be treated as if they were legal requirements, with all the efforts applied to implementation and enforcement that would apply in preventing serious criminal conduct.  But record creation and retention is conduct that companies are free to pursue as they think appropriate with no legal mandate beyond the narrow, specific requirements that are already part of the law.

For example, we would have to add training in this document creation and retention standard. Given the range of potential misconduct, the at-risk group is the entire employee body. No matter what your official policy on company devices might be, your employees almost all will have smart phones and access to apps.  And any employee anywhere could break some law, or witness someone in the company breaking a law.  Anything that might be on any employee’s communications device could be potential evidence. Unlike the securities field, where the scope is at least defined and limited, no such restriction applies to the logic of DOJ’s approach. 

Implementing this enormously broad, ambiguous and likely constantly evolving policy.

How else do we bring policies to life and ensure compliance?  This could mean attestations at onboarding, periodically thereafter, and on leaving the company, on this specific point. How could we not also cover this in exit interviews? How would this apply to third parties acting for the company in any way? This could not be met successfully by occasional diligence.  Every employee of every third party acting for the company may access all kinds of apps and discuss anything.  Unlike other compliance diligence this open-ended compliance scope calls for attention to the entire body of employees, agents and the agents’ agents and contractors.  They all communicate. 

Compliance and ethics also calls for auditing and monitoring, discipline when people do not follow these pervasive documentation rules, investigating any instance where someone used an unauthorized app, evaluating whether the efforts to squelch new technology were “effective,” and keeping up with current trends in suppressing this form of communications.

The resource cost to compliance professionals.

Each one of these steps to enforce these new rules means we are not doing the work to prevent actual crimes.  A day doing training on apps and “off channel communications” is a day not spent training on anti-bribery or price fixing or government contract fraud.  Every step like this has a cost and takes resources from other activities.  Given the government’s apparent view that this is one of every company’s risk areas, this would call for applying the full range of the compliance programs steps – e.g., everything in the USSGs, for this poorly defined and unrestrained purpose. All designed to prevent people from doing things that are perfectly legal and may actually serve legitimate purposes.

It is worth reading in detail this article, Gottschall, Newman & Roberts, “What to do about Business-Related Text and WhatsApp Messages” CEP p. 52 (Oct.2023), for a sense of the potentially enormous and enormously bureaucratic scope of this new de facto rule.

What about disciplining violators?  

One article notes that Morgan Stanley imposed fines on violators – in some cases really large amounts.  But this was not simply violating a company policy that was adopted on a “just-in-case” basis.  Morgan Stanley had a binding, enforceable legal obligation to retain records. This simply is not the case for the rest of the organizational world.

Conflicts with other laws and policies.

Nor is this the only issue with these messages from DOJ.  There is serious potential for conflicts with other laws.  There are state laws that protect access to employees’ personal records, online postings, etc.  Policing DOJ’s de facto omnibus records rules may lead to illegal snooping, conflicting with actual laws enacted by legislatures. 

Unlike laws applicable to securities firms, these new requirements apply to any organization to which an individual may be connected.  Are organizations supposed to be creating artificial barriers between different parts of people’s lives?  Suppose someone has more than one job?  And considering the logic of what DOJ is trying to do, how many people are members of different groups and organizations?  Are they supposed to have a different phone for each group they are in? If in an employee’s evenings she works in a political party’s office, is she supposed to use a different phone for that organization’s activities? If an employee works during the week in a law firm, but spends weekends working in a bookstore, is this employee supposed to have three phones, one for each activity and one for personal matters?  DOJ has clearly not thought out the logic of how their de facto new “rules” apply to all organizations.

To police this effectively means the company must have some way of checking what people are doing in their communications – accounting for their phones, other devices, Zoom, online posts, occasional access to various online communications media from their home computer, etc.  And all this for companies to serve as a stalking horse for the government. 

Legitimate reasons not to collect and retain more records.

Nor is this a clean and simple policy point that supports DOJ’s view.  There are serious reasons for not creating and retaining more records, just in case someday the government may want them as evidence.  There are reasons to minimize the amount of records created or retained.  It is not as if recording and retaining everything is a virtue in itself.  Retention of enormous amounts of data, “just in case” the government might want it, has real costs.  In the words I have heard from one businessperson, the amount of data generated now is staggering, and IT department budgets are buckling under the costs of retaining digital data. 

Privacy is a growing policy imperative around the world. 

The fewer records there are, the less exposure there is of personally identifiable information. Consider, for example, just how much personal information would be included in recordings of all the Zoom/Team calls, especially with so many done while people are at home. The company will be retaining video of the insides of employees’ houses.  Companies should only be keeping records of personal information as needed and justified for business purposes. 

One commentator, being sensitive to the government message, raises the question whether to engage in “surveillance of publicly facing social media for impermissible uses.”  Consider the privacy issues this raises and other types of legal risks (e.g., you discover an employee has a disease running in their family, and thereby risk violating GINA in any subsequent employment decisions.)  There are now various state laws protecting employee privacy.  And even if a privacy law has an exception for retention required by law, none of this is legally required – it has no legal basis whatsoever.    Gottschall, Newman & Roberts, “What to do about Business-Related Text and WhatsApp Messages” Compliance and Ethics Professional 52, 54 (Oct.2023).

There is also a strong policy issue in protecting records from malicious hacking. The less data and records there are, the less exposure to leaks and access to the data by bad actors.  Consider just the volume from recording all of a company’s Zoom and Teams calls. 

The First Amendment still applies.

There is also a serious First Amendment issue that seems to be completely absent from DOJ’s considerations.  We have the right, in a free society, to be critical of government and even shield what we are doing from the prying eyes of big brother. This applies for all the different kinds of organizations this DOJ initiative could apply to.  If a business wants to do something it knows the in-power political party does not like, why is that something the government has the right to access?  Why do we have to preserve that?  It is certainly about business – we don’t like the government’s policy that affects our business.  But where does government get the power to tell us we must record it and keep it?

Is this the atmosphere all organizations in America should be creating?

Consider, also, what atmosphere we want to create in companies and other organizations? Should we all be living as if any minute the government will be there challenging anything we ever say to anyone?  That our function when we are in any organization includes creating and preserving records just for the government to use in litigation? 

It is one thing for compliance and ethics professionals to be telling people they need to follow the law to protect all of us.  Environmental law protects our air and water.  Antitrust protects us from being cheated by conspiracies.  Anti-bribery law protects the integrity of government. What does this new push do?  Its purpose is to make it easier for government to know what we are doing and what we are saying to one another. 

How do we solve this dilemma? 

There is a narrow slice of business activity where the government has a legitimate interest, and the job of compliance and ethics includes ensuring that we follow the law.  We should, indeed, have a policy to protect records when they become legally relevant to litigation, and to prevent obstruction of justice. Except for highly regulated industries, that is all the law requires.

There is also genuine value in teaching our people how to communicate clearly, without exaggeration or the types of careless communications that can lead to mistakes. Text messages, for example, typically do not have room for the background or any explanation, and should be limited in their use for business purposes.  It is easy for spur of the moment text messages to be misinterpreted after the fact.  Eric M Baim, “Text Education: Being Responsible in a Digital World,” Compliance & Ethics Professional 42 (SCCE July 2023). Aside from the legal risks of unthinking and casual communications, there is significant cost to any business from generating confusing or ill-considered communications. 

DOJ may, of course, want more.  There is a way to do this.  DOJ should go to Congress for a debate about our First Amendment freedoms, the burdens this will put on all of us, and the many questions about controlling and recording our communications. For any scholar who would like to opine about this, it is worth remembering that DOJ’s approach applies just as much to universities and colleges as it does to companies.  For reporters commenting on this area, the same message applies to them. 

At some point it may also occur to members of Congress that these new standards apply as well to them, if they are a member of any organization or have any kind of business they are connected with. For example, it would certainly apply to all political parties.  They may not think so highly of the idea when they learn that their discussions with colleagues are expected to be recorded and retained.  

DOJ tried this type of back door path once before. 

Finally, I have to record a sense of Deja vu.  I lived through DOJ’s attempt to eviscerate attorney-client confidentiality by conditioning prosecutorial leniency on waiver of privilege protection. Oops.  Congress is full of lawyers.  The reaction was fast and furious. DOJ completely backed away. Time has passed and perhaps the lesson has been forgotten.  But each, in its own way, was an abuse of power.  And each deserves the same fate.  For a push this broad and intrusive, perhaps we need to let the people, through their elected representatives, decide what standard they want to apply.  We value our right to communicate in confidence with our legal counsel.  And we value the right to communicate how we want, whether to document how we communicate, and whether our job is to create and retain evidence for governments to use against us.