Published on Jun 17, 2019 An oft-heard argument is that one form of a recorded communication channel (e.g., Instant Messaging) is more akin to an unrecorded telephone call than another (e.g., email), and the former should thus not be subject to any regulatory or legal retention obligation. Similarly, some have questioned whether a recorded communication needs to be retained for regulatory purposes or preserved for legal hold if the same communication could have just as easily been made over the phone or in person and had never been recorded. Yet, as noted in a prior post, the law does not appear to concern itself with such hypotheticals when it comes to the discovery of ephemeral messaging. As addressed below, there is no such distinction when it comes to the retention of records for regulatory compliance.
Communications: Recorded or Unrecorded Dichotomy
There is a natural dichotomy between recorded communications, which are subject to specific retention obligations, and unrecorded communications. Without regard to the limited functions of human memory — unrecorded conversations truly last no longer than it takes for the spoken word to dissipate. They are, by their true nature, ephemeral. However, records of communications, be they writings or audio/visual recordings in analog or digital form, last until destroyed or rendered unreadable. This makes recorded communications naturally amenable to retention requirements.
The term “ephemeral” is an adjective that reflects the choice, or accident, in the permanence of the form of a recorded communication. It does not modify the status of the communication itself: to wit, a recorded communication, be it written on paper, or digital zeros and ones on electronic media, does not become unrecorded by automated disposition at the end of an intentional short retention period.
Only a few industries have affirmative requirements to record communications related to parts of their business across multiple platforms, such as broker-dealers and traders in the financial services sector.[1] In the absence of such an affirmative legal requirement to record communications, individuals and organizations are free to choose to communicate through recorded or unrecorded means.
Retention and Preservation Obligations are Based on Content, Not Platform
It was common 20 years ago for “email” to be listed as a records category in a retention schedule, in the same way “memorandum” was once classified its own records category. But it is now broadly accepted that when classifying information for retention we should focus primarily on the content of a document, rather than the method or platform used to create, transmit, deliver or store that information.[2]
Similarly, when it comes to the retention of ESI to meet the common law duty to preserve potential evidence for the legal process, identification of what information needs to be preserved should be based on whether the content of a document falls within the scope of discovery for known or reasonably anticipated litigation.
When to Retain or Preserve Ephemeral Messaging Data
The U.S. Supreme Court has declared that in the absence of superseding legal or regulatory obligation, decisions related to standard retention periods for business information is reasonably left to the enterprise.[3] Accordingly, a company certainly may decide to use one or more ephemeral messaging apps (e.g., Confide, Signal or Wickr) in the ordinary course of business to meet legitimate information governance and data protection objectives, such as privacy by design and data minimization. Under such circumstances, retention for communications using these apps could, arguably, be set to a nominal time period: even as low as one second for ephemeral messaging apps, or one day for emails.[4]
However, if a regulatory retention obligation applies to the content of a message, or if the legal duty to preserve any of these messages has been triggered, absent few specific exclusions, a company must take reasonable efforts to fulfill its retention and preservation obligations. It is well-established that such preservation obligations include suspending the routine destruction of ESI created during the ordinary course of business.[5] There is presently no accepted statutory, regulatory, or common law exception for a messaging app labeled by the developer’s marketing team as “ephemeral.”
For the purposes of discovery, one can thus presume, absent fact-specific legal opinion to the contrary, that any recorded communication that falls within the scope of discovery must be preserved and retained for the duration of a legal hold obligation, provided that the preservation and production of such information is proportional to the needs of the case.[6]
Similarly, recorded communications that are subject to a defined minimum time period established by regulation based on the content of the communication should be retained in accordance with a standard records retention schedule.
Addressing Ephemeral Messaging in Information Governance Policies
The topic of establishing and maintaining an effective records retention program was recently addressed in the U.S. Department of Justice (“DOJ”) updated guidance regarding self-reporting under the Foreign Corrupt Practices Act (“FCPA”). In addressing the factors considered by the DOJ for credit given to corporations for timely and appropriate remediation of violations, the DOJ states:
Implementation of an effective compliance and ethics program … may include:
Conclusion and Takeaways
Companies are not required to deploy systems to record communications in the absence of existing legal requirement.[8] Similarly, other than in select industry sectors, individuals are not required to use recorded communication channels. People are generally free to pick up the phone or meet up in person to avoid creating a physical, analog or digital record of their communications. But choosing to communicate using ephemeral messaging apps does not include a legal derogation to the duty to preserve or retain electronically stored information.
Thus, when considering the official use of messaging apps, counsel may wish to consider the following:
[1] See e.g., 17 CFR § 240.17a-4(b)(4).
[2] This is not to say that it would be unreasonable to classify all information in a specific platform under the same records category. For example, all of the information in a database containing only payroll data could be uniformly classified. However, such mass designation would be based on the homogeneous contents of those records, not the platform containing that information.
[3] See Arthur Andersen LLP v. United States, 544 U.S. 696 (2005).
[4] To be clear, Driven does not recommend such restrictive retention periods, particularly for email systems. Rather, this argument is consistent with the apparent permissible legal authority for an organization to select restrictive retention periods for legitimate business purposes in the absence of superseding legal or regulatory obligation.
[5] See e.g., Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 218 (“Zubulake IV”) (“Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”)
[6] See Fed. R. Civ. P. 26(b)(1).
[7] FCPA Corporate Enforcement Policy, Justice Manual 9-41.120(3)(c), U.S. Dept. of Justice (2019), available at: https://www.justice.gov/jm/jm-9-47000-foreign-corrupt-practices-act-1977.
[8] See, e.g., Convolve, Inc. v. Compaq Computer Corp., 223 F.R.D. 162 (S.D.N.Y 2004) (company not required to record and photograph testing where it does not do so in the ordinary course of business); Malletier v. Dooney & Bourke, Inc. No. 04 Civ. 5316,2006 WL 3851151 (S.D.N.Y. Dec. 22, 2006) (party not required to record chat room discussions proactively).
