Discovery Ephemeral Messages
Discovery of Ephemeral Messaging
June 11, 2019
Challenges Of Cross-Border Data Protection Laws
Recent Cases Spotlight the Challenges of Cross-Border Data Protection Laws in eDiscovery
June 20, 2019

Retention of Ephemeral Messages

Retention Ephemeral Messages

An oft-heard argument is that one form of a recorded communication channel (e.g., Instant Messaging) is more akin to an unrecorded telephone call than another (e.g., email), and the former should thus not be subject to any regulatory or legal retention obligation.  Similarly, some have questioned whether a recorded communication needs to be retained for regulatory purposes or preserved for legal hold if the same communication could have just as easily been made over the phone or in person and had never been recorded.  Yet, as noted in a prior post, the law does not appear to concern itself with such hypotheticals when it comes to the discovery of ephemeral messaging.  As addressed below, there is no such distinction when it comes to the retention of records for regulatory compliance.

Communications: Recorded or Unrecorded Dichotomy

There is a natural dichotomy between recorded communications, which are subject to specific retention obligations, and unrecorded communications. Without regard to the limited functions of human memory -- unrecorded conversations truly last no longer than it takes for the spoken word to dissipate.  They are, by their true nature, ephemeral.  However, records of communications, be they writings or audio/visual recordings in analog or digital form, last until destroyed or rendered unreadable.  This makes recorded communications naturally amenable to retention requirements.

The term “ephemeral” is an adjective that reflects the choice, or accident, in the permanence of the form of a recorded communication.  It does not modify the status of the communication itself: to wit, a recorded communication, be it written on paper, or digital zeros and ones on electronic media, does not become unrecorded by automated disposition at the end of an intentional short retention period.

Only a few industries have affirmative requirements to record communications related to parts of their business across multiple platforms, such as broker-dealers and traders in the financial services sector.[1]  In the absence of such an affirmative legal requirement to record communications, individuals and organizations are free to choose to communicate through recorded or unrecorded means. 

Retention and Preservation Obligations are Based on Content, Not Platform

It was common 20 years ago for “email” to be listed as a records category in a retention schedule, in the same way “memorandum” was once classified its own records category.  But it is now broadly accepted that when classifying information for retention we should focus primarily on the content of a document, rather than the method or platform used to create, transmit, deliver or store that information.[2] 

Similarly, when it comes to the retention of ESI to meet the common law duty to preserve potential evidence for the legal process, identification of what information needs to be preserved should be based on whether the content of a document falls within the scope of discovery for known or reasonably anticipated litigation.

When to Retain or Preserve Ephemeral Messaging Data

The U.S. Supreme Court has declared that in the absence of superseding legal or regulatory obligation, decisions related to standard retention periods for business information is reasonably left to the enterprise.[3]  Accordingly, a company certainly may decide to use one or more ephemeral messaging apps (e.g., Confide, Signal or Wickr) in the ordinary course of business to meet legitimate information governance and data protection objectives, such as privacy by design and data minimization. Under such circumstances, retention for communications using these apps could, arguably, be set to a nominal time period: even as low as one second for ephemeral messaging apps, or one day for emails.[4]

However, if a regulatory retention obligation applies to the content of a message, or if the legal duty to preserve any of these messages has been triggered, absent few specific exclusions, a company must take reasonable efforts to fulfill its retention and preservation obligations.  It is well-established that such preservation obligations include suspending the routine destruction of ESI created during the ordinary course of business.[5]  There is presently no accepted statutory, regulatory, or common law exception for a messaging app labeled by the developer’s marketing team as “ephemeral.”

For the purposes of discovery, one can thus presume, absent fact-specific legal opinion to the contrary, that any recorded communication that falls within the scope of discovery must be preserved and retained for the duration of a legal hold obligation, provided that the preservation and production of such information is proportional to the needs of the case.[6]

Similarly, recorded communications that are subject to a defined minimum time period established by regulation based on the content of the communication should be retained in accordance with a standard records retention schedule.

Addressing Ephemeral Messaging in Information Governance Policies

The topic of establishing and maintaining an effective records retention program was recently addressed in the U.S. Department of Justice (“DOJ”) updated guidance regarding self-reporting under the Foreign Corrupt Practices Act (“FCPA”).  In addressing the factors considered by the DOJ for credit given to corporations for timely and appropriate remediation of violations, the DOJ states:

Implementation of an effective compliance and ethics program … may include:

  • Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.[7]

Conclusion and Takeaways

Companies are not required to deploy systems to record communications in the absence of existing legal requirement.[8] Similarly, other than in select industry sectors, individuals are not required to use recorded communication channels.  People are generally free to pick up the phone or meet up in person to avoid creating a physical, analog or digital record of their communications.  But choosing to communicate using ephemeral messaging apps does not include a legal derogation to the duty to preserve or retain electronically stored information.

Thus, when considering the official use of messaging apps, counsel may wish to consider the following:

  • Does our information governance program include established policies on what communication systems, including ephemeral messaging apps, can be used, and under what conditions?
  • Do we designate required communication channels for specific information or subject matter?
  • Do we prohibit the use of specific messaging apps or other communication channels for discussing the defined subject matter or while legal holds are in effect?
  • Do we have the ability to audit and correct user behavior?
  • Are there efficient administrative enforcement mechanisms for willful policy violations?

[1] See e.g., 17 CFR § 240.17a-4(b)(4).

[2] This is not to say that it would be unreasonable to classify all information in a specific platform under the same records category. For example, all of the information in a database containing only payroll data could be uniformly classified.  However, such mass designation would be based on the homogeneous contents of those records, not the platform containing that information.

[3] See Arthur Andersen LLP v. United States, 544 U.S. 696 (2005).

[4] To be clear, Driven does not recommend such restrictive retention periods, particularly for email systems.  Rather, this argument is consistent with the apparent permissible legal authority for an organization to select restrictive retention periods for legitimate business purposes in the absence of superseding legal or regulatory obligation.

[5] See e.g., Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 218 (“Zubulake IV”) (“Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”)

[6] See Fed. R. Civ. P. 26(b)(1).

[7] FCPA Corporate Enforcement Policy, Justice Manual 9-41.120(3)(c), U.S. Dept. of Justice (2019), available at: https://www.justice.gov/jm/jm-9-47000-foreign-corrupt-practices-act-1977.

[8] See, e.g., Convolve, Inc. v. Compaq Computer Corp., 223 F.R.D. 162 (S.D.N.Y 2004) (company not required to record and photograph testing where it does not do so in the ordinary course of business); Malletier v. Dooney & Bourke, Inc. No. 04 Civ. 5316,2006 WL 3851151 (S.D.N.Y. Dec. 22, 2006) (party not required to record chat room discussions proactively).

Eric P. Mandel
Eric P. Mandel
Eric is an attorney, legal technologist, and privacy professional who has spent the past 13 years focused on solving complex problems at the intersection of law and technology. He has served in senior leadership roles in several U.S.-based trade associations, including The Sedona Conference, the EDRM Institute, the Legal Technology Professionals Institute, and the Association of Certified E-Discovery Specialists, and is a frequent speaker on a broad range of topics relating to electronic discovery, information governance, data regulatory compliance, and data privacy and data protection. Additionally, Eric has worked on numerous leading publications, including The Sedona Principles, Third Edition.
X