What ephemeral and third-party messaging apps mean for eDiscovery

Explore the broader eDiscovery implications of third-party and ephemeral messaging apps in the course of investigations and litigation.

In brief

• The updated guidance on third-party and ephemeral messaging apps sets the tone on the importance of having protocols that address this emerging technology.
• Legal professionals want to implement proactive measures to support preservation needs and remediate reactive processes to support legal discovery processes.
• Does your organization have strategies in place to mitigate the risks associated to ephemeral messaging?

In the second installment of this three-part series, the EY Forensic & Integrity Services team explores the broader implications of third-party and ephemeral messaging applications to eDiscovery, including preservation, in the course of regulatory investigations and litigation.

Introduction on preservation obligations for third-party and ephemeral messaging applications

In January 2024, the Federal Trade Commission (FTC) and the Department of Justice (DOJ) issued a joint statement clarifying and emphasizing companies’ preservation obligations for third-party and ephemeral messaging applications. This comes nearly a year after the DOJ’s update to its Evaluation of Corporate Compliance Programs (ECCP) guidelines, which also called for enhanced controls around third-party and ephemeral messaging applications. Read the first article of this three-part series to see steps to take now, next and beyond to effectively address this guidance while laying the foundation for a broader information governance program.

Compliance and consequence: how effective policies shape litigation results

In an ideal world, companies would be in the position to revise policies to conform to regulations at the same pace as these evolving technologies are developed and released to users. Unfortunately, this is far from reality for many companies as they juggle resource constraints and shrinking budgets with complex regulatory environments and emerging technology risks.

The rise of third-party and ephemeral messaging applications presents significant eDiscovery challenges for companies, such as:

• Missing evidence — Ephemeral or “disappearing” messages, as well as text messages with short retention settings, are often unable to be preserved and collected as required in discovery for investigations and litigation.
• Spoliation risk — If not properly preserved, potential consequences include hefty fines, sanctions, loss of shareholder trust and costly reputational damage.
• Comingled data — Collecting data from third-party and ephemeral messaging apps on personal devices can raise data privacy concerns, particularly in many areas outside of the US.

To meet the expectations of courts and regulators, leaders find themselves needing to reassess and refine their policies and procedures more frequently to keep pace with evolving technology and compliance requirements. Effective policies and procedures regarding the use of third-party and ephemeral messaging applications, as well as the underlying management of data, proactively support the effective preservation of data during litigation and investigative matters.

Examples of this include:

1. Clear Acceptable Use Policies: Companies should clearly define the acceptable use of technology and systems, including the use of third-party and ephemeral applications, in their Acceptable Use Policy (AUP). The use of text messaging to support business processes should also be addressed in the AUP.
2. Corporate-issued device policies: Companies are increasingly adopting corporate-issued devices for high-risk or high-profile employees and in jurisdictions with strict data privacy laws, to enable effective retention of data to support compliance with record-keeping and preservation of data in response to discovery requests or regulatory inquiries, while mitigating complications associated with maintaining data privacy.
3. Legal hold policy, training and enforcement: Companies are implementing legal hold policies that prioritize notification, preservation and compliance monitoring to support employee understanding and adherence to legal requirements when using third-party and ephemeral messaging applications.

Leaders must continue to evaluate the effectiveness of their proactive measures and the efficacy of their reactive procedures in the context of litigation and investigations. There have been several recent examples where companies had taken proactive measures to support preservation from third-party and ephemeral messaging applications, including implementing litigation holds, but they failed to consistently enforce these holds and monitor compliance, resulting in evidence spoliation sanctions. This underscores the need for policy enhancements and continuous monitoring to support the preservation of third-party and ephemeral messaging data and compliance with legal and regulatory standards.

Strategic response to guidance: navigating eDiscovery

In light of the joint statement from the FTC and DOJ, consider these strategies to support eDiscovery needs when working with third-party and ephemeral messaging apps.

1. Investigate — Gather information to gain insights into the use of “off-channel” third-party and ephemeral messaging applications. Understand the context and extent of the communications to inform your eDiscovery strategy.
2. Prepare a discovery response plan — Outline procedures for responding to discovery requests where off-channel messages need to be preserved. These procedures should align with obligations for preservation and collection of electronically stored information (ESI) and should consider employee privacy. They should also identify digital forensic and eDiscovery professionals to support preservation and collection needs from third-party and ephemeral messaging applications.
3. Differentiate management strategies for bring your own device (BYOD) and corporate-issued devices — Establish clear policies and enablers that distinguish between BYOD and corporate-issued devices. This may include training, use of mobile device management (MDM) and clear communications about the preservation of business communications to employees.
4. Review and update litigation holds — Litigation hold memos and instructions should specifically highlight third-party and ephemeral messages as potentially relevant electronically stored information (ESI) to be preserved. Provide guidance or resources that will help custodians turn off, where possible, auto-delete and disappearing message settings. This may also be relevant for text messages as employees may have modified their phones’ retention settings. This helps to maintain ESI integrity and reduces the risk of spoliation.
5. Implement archiving platforms — Consider implementing an archiving platform that supports data capture from third-party and ephemeral messaging applications, as well as text messages, to enable effective preservation and collection. Depending on your industry and regulatory requirements and the use of BYOD or corporate-issued devices, this may be helpful in capturing information and managing employee communications in compliance with record-keeping requirements.
6. Continuously monitor — Checking once is not enough. Continuously monitor custodian compliance with company policies and litigation holds. Regular audits and reporting can help detect and prevent policy violations.

From challenge to effective eDiscovery management and compliance

The new guidelines make it clear that leaders must approach third-party and ephemeral messaging as an important component of risk management. Strategic, proactive compliance and reactive readiness play a critical role in managing third-party and ephemeral messaging within the eDiscovery landscape.

As technology — and the way we use it — continues to evolve, so do the challenges confronting today’s companies. The updated guidance on third-party and ephemeral messaging applications raises complex questions for companies that require careful consideration and involve a wide variety of stakeholders, including Compliance, Legal and IT professionals. The first step on a company’s road to transformation is a thorough assessment of its policies, processes and practices and technology use. The insights and knowledge gained will help to steer the organization toward effective eDiscovery management and compliance.

Sydney Soll also contributed to this article.