A company’s use of so-called ephemeral messaging platforms—where messages disappear after viewing or can be erased within a time window—sits at the intersection of its compliance interests and its employees’ privacy rights. Popular applications such as Snapchat, Telegram, Signal, and Wire grant individuals and teams the ability to communicate confidential or proprietary information in environments where verbal communications might be unwieldy or indiscreet. But ephemeral messages present obvious problems for corporate compliance and self-reporting. A company cannot record and report what it cannot capture. Corporate oversight of employee use of these applications, whether the use occurs over a company network or on mobile devices paid for by an employer, can be both impractical and an infringement of individual privacy rights, particularly abroad. Recognition of the ubiquity of ephemeral messaging—and the inherent difficulty in regulating and monitoring its use—has led the U.S. Department of Justice (DOJ) to alter its requirement that companies completely prohibit ephemeral messaging applications in order to receive full credit under its FCPA Corporate Enforcement Policy.
The initial version of the policy, adopted in 2017, established a presumption in favor of declination of criminal enforcement for companies that (1) voluntarily self-disclose potential violations; (2) fully cooperate with the government’s investigation; and (3) timely remedy the identified problems. To qualify for remediation credit, the policy provided that, among other things, a company must implement procedures ensuring “[a]ppropriate retention of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications.” Under the plain language of the policy, companies had little choice: either prohibit use of these popular messaging platforms or lose the benefit of the policy.
As revised, the policy nominally relaxes the DOJ’s stance on ephemeral messages—but offers no concrete guidance on when use of ephemeral messages would be consistent with full self-reporting. The March 9, 2019 revision provides that a company may receive full credit for timely remediation if it adopts procedures ensuring “[a]ppropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.”
So the question is whether this largely semantic change—i.e., an outright prohibition versus the implementation of guidance and controls—should affect a company’s compliance plans for document retention and use of ephemeral messages for business purposes. The answer: probably not. The touchstone of the policy remains complete and well-documented self-disclosure. Under the new ephemeral messaging guidance, employee use of ephemeral messaging for business purposes is not an absolute bar to declination. But the spirit of the policy remains not only that companies should counsel their employees to avoid use of ephemeral messaging in the business context, but also that business discussions should fundamentally occur via traditional platforms that archive communications for compliance purposes in accessible and searchable formats.
In sum, while the DOJ’s stance on ephemeral messaging has relaxed in recognition of prevailing practicality and privacy concerns (especially internationally), this hardly means that the prevalent use of ephemeral messaging platforms to facilitate business communications—particularly following a self-disclosure in which corruption was furthered through the use of such platforms—will go unnoticed or unchecked. Companies are well advised to adopt policies stressing the importance of using permanent messaging platforms for business purposes, specifically including through privacy waivers (where available and enforceable) and through the use of networked applications that store business communications and facilitate their ready retrieval.