I always welcome any chance to use references to The Mandalorian series on Disney (or Ashoka for that matter) in the compliance arena. My take on the issue of electronic communications and ephemeral messaging is rooted in practical, risk-based strategies to avoid potential legal consequences that appear to be steadily growing as DOJ and courts deal with the issues.
So, “This is the Way,” at least from my perspective. The flow of issues proceeds as follows:
Does the company supply communications devices to its employees?
If the answer is “yes,” then the analysis is fairly straightforward. I am assuming that the company also maintains some type of internal communications system, such as Jabber, Slack, Teams or others, that can be used on the company-supplied communications devices.
To manage its electronics communications data, the company may include an ephemeral messaging application as a means to isolate less relevant communications. If the company adds such a system, the company must maintain and enforce policies and controls to minimize legal and compliance risks from use of the ephemeral messaging system.
As part of this process, employees should be prohibited from using ephemeral messaging for important business communications. In addition, companies should develop legal hold response procedures to prepare for potential litigation or regulatory activity.
In this circumstance, the company’s electronics communications policies (e.g. acceptable use or social media policies) should prohibit employees from using personal communications devices for business purposes and vice versa. And the company should prohibit employees from using any unauthorized communications application on its company-owned devices (which would typically be prohibited by restricting employee administrative rights to its communications devices and systems).
In addition, companies that supply communication devices to employees may install mobile device management or middleware software to preserve otherwise “ephemeral” messages.
If the answer to the above question is “no,” and the company relies on a BYOD Policy, then the issue becomes more complex.
Does the company maintain a Bring Your Own Device (“BYOD”) Policy to govern employee use of personal devices for work use?
As an initial step, if the company intends to rely on employees to use their personal devices for business, the company has to establish a comprehensive BYOD Policy that addresses all of the legal and compliance risk factors, including DOJ’s ECCP factor analysis, and comply with all applicable data privacy regimes.
Some companies have implemented a hybrid solution in the BYOD context where the company’s access to an employee’s personal device is segregated between personal and work applications. To the extent this occurs, the above-related set of issues described above with regard to company-supplied devices should be applied to the portion of the personal device walled off for business use.
A BYOD Policy has to ensure that a company can gain access to the employee’s business-related compliance data while preventing the company from accessing personal data.
A BYOD Policy should ensure that the employee recognizes that he/she has a continuing obligation to: (1) restrict use of the ephemeral messaging system for a specific authorized and defined business purpose (e.g. establishing and confirming meetings, participants and logistics); (2) maintain any preservation or deletion settings in accordance with the BYOD Policy; (3) notify relevant managers and compliance personnel if the employee discovers that he/she has not maintained BYOD-required preservation and deletion settings; and (4) agree to periodic audits/verifications of their communications devices, as requested by compliance and IT personnel, and transmittal of such data to a central storage system maintained by the company.
In either case — company-supplied or BYOD devices — a company has to establish practical steps to enforce its policies and procedures through periodic testing, audits and inspection of employee devices. While a company may have limited access to employees’ personal devices when it supplies devices to its employees, the company should regularly secure certifications by its employees that it has not used its personal device for work-related purposes (with emergency exceptions of course).
Similarly, companies have to develop testing protocols for its BYOD Policy and secure employee consent to examine its personal device limited solely to business data. To ensure trust and employee acceptance on this issue, companies should define an established policy for audit and examination of a personal device to prohibit any collection, analysis or review of personal communications data on a BYOD device. Such consent has to be carefully crafted in accordance with applicable data privacy laws and other regulations that govern such audits and consents.
Finally, whatever policies or procedures a company decides to follow, whether it allows ephemeral messaging or not, whether it supplies devices or not, training is key. Employees must fully understand and agree to abide by company policy. Training at the outset, during the onboarding process when employees are first given access to company systems and devices, is a natural place to start, and Legal and Compliance should work closely with IT and Human Resources in this respect. Continuous training and communications also are essential to ensure employees do not fall into bad habits during this digital age.