O’Melveny Worldwide
  • Insights
  • Alerts & Publications
  • Messages Disappear, Obligations Don’t: FTC and DOJ Update Guidance on Preservation of Ephemeral Messages and Corporate Collaboration Tools

Messages Disappear, Obligations Don’t: FTC and DOJ Update Guidance on Preservation of Ephemeral Messages and Corporate Collaboration Tools

February 6, 2024

As Slack, Microsoft Teams, Signal, and other messaging and collaboration tools become standard in corporate offices, federal regulators are taking an increasingly aggressive approach to making sure companies preserve and produce documents and data from these platforms. The latest salvo: On January 26, 2024, the U.S. Federal Trade Commission and the Department of Justice’s Antitrust Division jointly announced updated guidance about document-preservation and production obligations, specifically for data from these tools. In their press releases, both agencies detailed updates aimed at addressing “the increased use of collaboration tools and ephemeral messaging platforms in the modern workplace.” These announcements are yet another sign that regulatory authorities continue to scrutinize employees’ use of ephemeral communications platforms. And they emphasize the risk that companies and their executives take if they fail to take meaningful steps to preserve ephemeral communications and produce them when appropriate. Both the FTC and DOJ’s announcements warn in no uncertain terms that the failure “to produce such documents may result in obstruction of justice charges.”

According to the press releases, the agencies will be updating their preservation letters, document requests, and subpoenas so that they will—for the first time—explicitly cover data from ephemeral messaging platforms and collaborative tools. The FTC has already released an updated model second request—an inquiry sent when the agency plans to scrutinize a potential merger or acquisition—confirming just how expansively the government views companies’ document-preservation obligations. The updated model now explicitly states that a request for documents includes data from “Messaging applications,” broadly defined to include ephemeral and non-ephemeral communications sent or received on company-owned and employee-owned devices. The updated model also includes requests for information about “Collaborative Work Environments,” defined as a “platform used to edit, review, approve, store, organize, share, and access documents and information by and among authorized users, potentially in diverse locations and with different devices.” Although DOJ has not previewed the language it will use, we expect it will likewise focus on ensuring that data from ephemeral messaging platforms and collaboration tools is properly preserved and produced.

The updated guidance comes as companies and their employees have been increasingly turning to collaborative tools and ephemeral messaging platforms—like Slack, Microsoft Teams, Signal, Telegram, Google Docs, and Google Chat—to increase efficiency and facilitate communication in the workplace. The near-ubiquitous adoption of these and similar tools shows how critical they have become. This presents a challenge for regulators. Though many of these platforms enable the automatic deletion of communications or other data—including in their default settings—regulators now demand that the data generated on these platforms be treated the same as hard-copy documents for purposes of a company’s retention, preservation, and production obligations. 

In their recent press releases, the FTC and DOJ noted that “companies have not always properly retained these types of documents during government investigations and litigation.” Indeed, regulators believe that failures to preserve data from collaboration and ephemeral messaging tools have frustrated investigations. In response, regulators have issued repeated announcements underscoring how organizations must implement appropriate retention policies for ephemeral messages as part of their standard compliance programs—and not only when faced with litigation or an investigation. In September 2022, for example, Deputy Attorney General Lisa Monaco issued a memo discussing revisions to DOJ’s Corporate Enforcement Policy, in which she noted the challenge posed by “the use of third-party messaging platforms, including the use of ephemeral and encrypted messaging applications.” Her memo directed prosecutors to “consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.” 

And in December 2022, Acting Principal Deputy Assistant Attorney General Nicole Argentieri acknowledged that although “there may be legitimate reasons for the use of these applications, such as reliability and enhanced security through end-to-end encryption,” they nevertheless “present significant challenges for companies’ ability to ensure they have a well-functioning compliance program and ability to access such communications when necessary.” 

These concerns were ultimately incorporated into DOJ’s March 2023 updated guidance on the evaluation of corporate compliance programs—which specifically emphasized the need for prosecutors to consider employees’ use of ephemeral messaging platforms and how well a company’s policies and procedures address those platforms. Assistant Attorney General Kenneth A. Polite, Jr., explained at the time that DOJ “will consider how policies governing these messaging applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate, business-related electronic data and communications can be preserved and accessed. Our prosecutors will also consider how companies communicate the policies to employees, and whether they enforce them on a consistent basis.”

The Consequences for Noncompliance Can Be Severe

The consequences to companies and executives for failing to preserve ephemeral messages can be severe. The FTC and DOJ announcements both warn that “obstruction of justice charges” may be possible. And just last year, a federal district judge in California sanctioned a company because employees who received a document retention notice nevertheless failed to turn off the default auto-delete setting on their ephemeral messaging program. Plaintiffs in antitrust civil cases have looked for opportunities to make preservation efforts an issue and they will continue to do so. Although that sanction ruling came in civil litigation, DOJ officials echoed it with stern warnings of their own. In March 2023, for example, Assistant Attorney General Polite cautioned that if companies failed to produce communications from third-party messaging platforms in an investigation, “prosecutors will not accept that at face value.” And Leslie Wulff, Chief of the DOJ Antitrust Division’s San Francisco Office, recently warned that her office will “scrutinize every decision along the path that led to the deletion of relevant material, regardless of who made the decision and whether or not they hold a law degree.” 

Key Considerations for Effective Compliance

To meet regulators’ heightened expectations, companies must not only account for ephemeral messaging platforms in their compliance programs, but they must also react quickly and aggressively when litigation or an investigation is anticipated. The company should issue a document retention notice to relevant employees, but it will likely need to take additional steps:

  • If company messaging and collaboration platforms permit retention without requiring custodians to take individual action—for example, turning auto-delete off on a per-custodian level—these steps may be straightforward.
  • But where platforms leave individual employees responsible for preserving their own data, companies should follow up with individual custodians to ensure they are abiding by their preservation responsibilities.
  • Companies should also consider monitoring or auditing employee compliance with retention notices.

To navigate the complex regulatory framework governing data retention, companies must also consider additional factors:

  • Privacy laws: International and state privacy laws may limit data retention or, in some circumstances, require deletion. But if a company is under investigation, it will have to ensure its retention or deletion policies do not run afoul of DOJ and FTC guidance.
  • Platform selection: Ephemeral messaging platforms and collaborative tools often provide business efficiencies, but they do not all present the same compliance risk. For example, some more easily permit company IT or legal personal to retain relevant data than others. Companies should evaluate the risks associated with using various platforms, consider whether those platforms are an essential component of their particular industry, and whether using a different platform would cause a substantial competitive disadvantage.
  • Compliance policies: Company policies and procedures should be regularly reevaluated to address the tools employees are using to communicate and collaborate and mitigate their compliance risk. For instance, organizations may consider requiring employees to use corporate-issued devices for business communications or limiting the pool of ephemeral messaging platforms employees are permitted to use. Given DOJ’s persistent focus on this issue, compliance officers should ensure that these policies become a pillar of a company’s compliance program.

*     *    *    *

The updated guidance from the FTC and DOJ serves as yet another reminder to organizations that they must continually evaluate their communications and collaboration platforms for retention capabilities; review their data retention policies and guidance to employees; and take aggressive steps to preserve data as soon as litigation or an investigation is reasonably anticipated. 

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Pete Herrick, an O'Melveny partner licensed to practice law in New York and the District of Columbia, Anna T. Pletcher, an O'Melveny partner licensed to practice law in California, Damali A. Taylor, an O'Melveny partner licensed to practice law in California and New York, James K. Rothstein, an O'Melveny counsel licensed to practice law in California, Mark A. Racanelli, an O'Melveny partner licensed to practice law in New York, Julia Schiller, an O'Melveny partner licensed to practice law in the District of Columbia, New Jersey, and New York, Michael Tubach, an O'Melveny partner licensed to practice law in California and the District of Columbia, and Elizabeth Kimbrough, an O'Melveny associate licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2024 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.

Related Professionals

Pete Herrick
Partner
D: +1 212 326 2145
Anna T. Pletcher
Partner
D: +1 415 984 8994
Damali A. Taylor
Partner
D: +1 415 984 8928
James K. Rothstein
Counsel
D: +1 415 984 8852
Mark A. Racanelli
Partner
D: +1 212 326 4403
Julia Schiller
Partner
D: +1 202 383 5412
Michael Tubach
Partner
D: +1 415 984 8876
Related Practices
Antitrust & Competition
White Collar Defense & Government Investigations
Corporate Investigations
Antitrust Counseling & Compliance
Merger Clearance
Data Strategy, Security & Privacy
Electronic Discovery & Document Retention