In January 2024, the U.S. Department of Justice updated its 2023 guidelines clamping down on the use of personal devices and third-party messaging apps in business to address companies’ increased use of collaboration and information sharing tools and ad-hoc messaging platforms. Businesses are scrambling to comply with the new compliance code without losing critical communication channels that facilitate valuable customer interactions.
For decades, employees have come to work, conducted the majority of their work on a monitored, employer-owned phone, and left with no other means of contacting clients, only to resume work the next day under their employer’s surveillance.
Eventually, that primary communication channel changed to email, with employees conducting business with customers from email addresses owned and monitored by their employer, usually on company-owned computers.
The days of email were perhaps the most peaceful times for businesses in terms of communications compliance and risk management, especially those in highly regulated industries such as financial services, pharmaceuticals, and energy.
These were likely simpler times when employers only had to monitor and maintain one centralized communication channel to scan for violations and ensure compliance, and when the Department of Justice and other regulators only had to parse one centralized written record to find wrongdoing when conducting investigations.
But the rapid adoption of mobile devices into all areas of business complicated the situation, especially when work conversations began to spill over to ephemeral encrypted messaging apps on personal devices, like iMessage, RCS (Google’s version of iMessage), WhatsApp, and Signal.
Fragmented Communications and a “Look No Where You Go” Strategy
Today’s enterprise communications environment is more fragmented than ever, spread across a variety of devices (including personal devices), platforms, apps and services, which has two simultaneous and important consequences:
Because much of corporate messaging occurs outside of regulated channels, fragmentation makes it difficult for the Department of Justice to regulate communications, conduct investigations, and take effective action against illegal business activity. Fragmentation also makes it difficult for companies to develop and enforce effective policies regarding corporate communications.
DOJ regulations have been slow to catch up with modern communications practices, especially when it comes to messaging on personal devices and ephemeral apps; historically, investigators have only obtained evidence from telephone calls, emails, and internal company messaging platforms.
As a result, corporate compliance programs have also lagged, turning a blind eye to conversations that take place outside of regulated channels, on ephemeral messaging apps and personal devices. After all, the only penalty so far has been a light one: small fines for employers that failed to turn over those messages.
In the past, it was easier for companies to say they “didn’t know” employees were using those apps on their personal devices to get work done and therefore “had no way” to monitor those channels or store data, rather than go through the resource-intensive task of proactively enforcing personal device policies – especially when there was no incentive to do so from regulators.
Expanded guidelines from the Justice Department
But now regulators are finally encouraging companies to take action.
In 2021, JPMorgan paid $125 million to the SEC for widespread use of unauthorized communications methods and deficient record-keeping.
In 2022, the SEC fined 16 Wall Street firms a total of $1.1 billion for “the companies’ widespread and long-standing failures to maintain and secure electronic communications.”
Wells Fargo paid $125 million to the SEC last year for illegally using private messaging to conduct business, one of many Wall Street fines over WhatsApp use that could total more than $2.5 billion in 2023.
The SEC’s 2023 investigation into corporate messaging comes in the wake of DOJ guidance regulating the use of personal devices and third-party messaging applications, which was first introduced in 2022 under a memorandum that recommended all companies in highly regulated industries “develop policies regulating the use of personal devices and third-party messaging platforms for corporate communications.”
On March 3, 2023, the Department of Justice expanded its initial memorandum to provide clearer details about the agencies’ expectations for compliant corporate communications, particularly with respect to the use of ephemeral messaging applications on personal devices.
In January 2024, the DOJ and FTC jointly issued updated guidance strengthening the parties’ retention obligations regarding collaboration tools and ephemeral messages.
Now, with this new language and documentation in the background, regulators are expected to crack down even harder.
Who owns the data?
The latest update from the Department of Justice has caused companies to reexamine their compliance programs related to message retention and archiving, sparking an interesting discussion about personal devices, privacy, and the workplace.
Most notably, under the new regulations, if a company has a “Bring Your Own Device” (BYOD) program, prosecutors will now investigate:
The policies governing the storage and access of corporate data and communications stored on personal devices, including data contained in temporary messaging platforms, the rationale for the policies, application and enforcement of the policies, and any exceptions to the policies.
Organizations must consider how to capture, review, and retain relevant data from enterprise platforms and third-party applications. In most companies, much of that data is stored on personal devices and is commingled with a wealth of personal data. For organizations with BYOD programs, there seems to be no clear way to implement such capture without raising privacy concerns.
Think about it: Would you want a company scraping your phone for business-related communications on an app while you’re texting your spouse?
This whole situation raises the question: When corporate communications are conducted on personal devices, who owns the data? The company or the employee?
By comparison, under the EU’s GDPR, all activity on personal devices, including company-related messaging, is personal property, but the new DOJ guidelines clarify that in the US, the data belongs to the company, regardless of which device the business is conducted on.
The challenge for American companies in 2024 is to answer the question: “How do we separate corporate-owned data from personal data on personal devices?”
To solve this problem, some companies have implemented strict no-BYOD policies, forcing messaging only on corporate-issued devices with strict app restrictions, while others allow BYOD but ban certain apps entirely.
However, these solutions are impractical because clients often have different communication preferences than businesses. In fact, in a recent survey of over 200 compliance leaders in the financial services industry about the current state of mobile communications compliance, 66% of respondents cited clients as the primary initiator of mobile messaging conversations.
The reality is that mobile communications, including conversations on apps like iMessage, are now crucial to sales and customer relationships, and businesses that block these channels to facilitate compliance are missing out on potential revenue.
Additionally, the most common solution for monitoring app activity in BYOD is Mobile Device Management (MDM), which allows employers to periodically back up employee phones to check for prohibited apps being used. Even if an employee removes a prohibited app before inspection time, the MDM will show that removal, which is valuable information in itself (allowing the business to take action against that employee, mitigating risk and promoting compliance).
However, with DOJ guidelines placing special emphasis on corporate data stored on employee devices, this approach also falls short: MDM does not give BYOD companies access to message content in a way that fully meets compliance regulations; it only provides a way to marginally mitigate risk by identifying at-risk employees.
A framework for enhancing decision-making (and compliance)
That’s why recent years have seen a proliferation of new software designed to capture corporate data from personal devices for evidentiary, compliance, and investigative purposes. And thankfully, the technology is only getting better.
In 2024, companies in financial services, pharmaceuticals, oil & gas, and other highly regulated industries should focus on finding smartphone data discovery solutions that help them pull precisely scoped data from individuals’ phones. Rather than scraping entire phones, they should look for software that prioritizes privacy by filtering personal data like photos, notes, and emails out of their reports. This low-touch precision not only helps manage employee privacy concerns and compliance, but also reduces the technology burden (and the associated cloud storage limitations and costs).
To find the right smartphone data discovery product, you first need a comprehensive, enterprise-specific framework for managing your business-related app data.
Thankfully, the Department of Justice recognizes that there is no one-size-fits-all solution to this policy, specifically noting that “policies governing such applications must be tailored to an enterprise’s risk profile and specific needs.”
This framework should include information about how often mobile data is collected, what type of data is collected (and through what channels), where and how the data is stored, and how the company will handle employees who refuse to comply, broken down by jurisdictional requirements (such as California, which has strict privacy laws) and industry-specific requirements.
Internally, the Data Privacy Officer (DPO), General Counsel, and IT department are responsible for creating this data retention framework.
The DPO is responsible for data classification (what to do with Signal, email, SMS) and event triage (how to access that data). The GC ensures that the policy, and the data collection that follows from it, meets compliance regulations and is defensible with respect to privacy laws. Finally, IT uses these data classification workflows and compliance guardrails to source the appropriate data discovery technologies.
To prepare for a future of increased compliance scrutiny, having the “right” products in place will enable companies to respond quickly and defensibly to requests.
Looking to the Future: A Proactive, Agile Approach to Communications Compliance
Companies that proactively embrace, rather than fear, the changes outlined by the DOJ will be able to mitigate long-term compliance risk and gain an advantage over their competitors. By setting up the right framework for data retention and selecting the right smartphone data discovery tools (with the right scoping mechanisms) today, companies can do just that.
Larger companies in highly regulated industries should also consider hiring someone to manage this program full-time. After all, new chat apps are released frequently, compliance regulations are constantly changing, and privacy laws continue to evolve. Smart, forward-thinking organizations will hire in-house experts or external consultants to monitor these changes, ultimately increasing business agility, ensuring compliance, and reducing risk.
Matt Rasmussen is the founder and CEO of ModeOne Technologies. After becoming frustrated with the difficulty of collecting data from Apple and Android mobile devices for litigation, compliance and investigation purposes during his role at O’Melveny & Myers, Matt developed and patented ModeOne’s SaaS framework. Matt is based in Southern California.