2/14/2021 - By Stephen Reyes, CISA, CISSP
The conversations we have with others over the phone, by the water cooler or in someone's office are all ephemeral. There's typically no trace of those conversations. Someone might attest to the fact that it happened, but unless it was recorded, it's gone. Some messaging apps for mobile devices offer features similar to the transient, in-person conversation. Those messages are encrypted and last for a short period of time (hence the term "ephemeral"). To update the old saying, "here today, gone in 30 seconds."
While messaging apps like Signal, Wickr, Confide and Telegram have increased in popularity due in part to offering self-deleting messages, they have also created a quagmire amongst lawyers and judges as to whether there is a duty to preserve. The ability to forensically retrieve said messages is virtually impossible as the messages both disappear and were never on company servers. In short, it creates an information governance firestorm.
There are two prevailing arguments regarding ephemeral messaging. The first argument holds that it is data that is created in the normal course of business, and therefore there is a duty to preserve it. The argument sounds something like this: "If a conversation about the relevant matter is made in writing because the custodians chose to converse in writing, it is therefore no different than e-mail or traditional text messaging in the duty to preserve." The second argument is that ephemeral messaging is no different than a telephone conversation or a colleague stepping into your office to have a conversation. The argument goes something like this: "If there's no duty to record water cooler talk, why should there be a duty to preserve ephemeral messaging?"
Before assessing these conflicting arguments, it is important to explain why we need to understand what ephemeral messaging is in the first place. Next, we'll review facts and trends to illustrate the importance of ephemeral messaging. Then, we'll argue our points leveraging recent case law on the topic.
Facebook CEO Mark Zuckerberg has cited some of the reasons why ephemeral apps are becoming increasingly popular, stating, "People are more cautious of having a permanent record of what they've shared." However, this does not always work well inside the four walls of an organization.
Many might presuppose that data that is knowingly sent by an employee of an organization in the ordinary course of business on an ephemeral app to another employee might indicate some nefarious scheme at play. However, an article by the law firm Faegre Drinker Biddle & Reath ("The Rise of Ephemeral Messaging Apps in the Business World") states, "There are many legitimate reasons for a company to allow its employees to use ephemeral messaging apps. Today's businesses generate so much data that any effort to reduce duplicative or unnecessary data is a compelling benefit."
Besides the fact that these apps contradict essentially all corporate data retention and destruction policies, they also raise issues tied to e-discovery. A recent article highlights these issues, saying, in part, "ephemeral messaging has become a battleground in e-discovery disputes because potentially key communications often disappear by design—causing some judges to conclude that companies may be using the apps to hide potentially damaging behavior or actions."
Among lawyers, there is an express understanding that we are competent when representing our clients. It seems rather odd that the ABA Model Rules of Responsibility needed to codify such an obvious statement, but alas, it is the fundamental foundation upon which we build our practice. In fact, in 2012, the ABA revised Comment 8 to state that to remain competent, a lawyer must understand "relevant technology." What does that mean exactly?
The ambiguity of the phrase "relevant technology" matches its explicit intent that a lawyer shall understand everything from cybersecurity and data protection controls to technology-assisted review to the potential dangers in ephemeral messaging. In fact, under Rule 1.6, we must protect the client's confidential information. To satisfy that duty, we must be competent in relevant technologies to understand whether or not ephemeral messaging may pose a duty that would expose a client's data. Without having the appropriate level of knowledge as to the technology, it is difficult to comprehend the impacts.
While there are some cases about ephemeral messaging, there are two that are most notable. In the first, Herzig v. Arkansas Foundation for Medical Care, Inc., 2013 WL 2870106 (W.D. Ark. July 3, 2019), the Court found that the plaintiffs were nefariously using ephemeral applications to conceal pertinent communications tied to the litigation. In Waymo LLC v. Uber Technologies Inc., 2018 WL 646701 (N.D. Cal. Jan. 30, 2018), the Court found that there was a legitimate business use for employees leveraging ephemeral apps in the ordinary course of business. The key here was that the parties were able to show legitimate business purposes that were not malicious or nefarious.
It is standard knowledge that the duty to preserve is triggered once a party knows or reasonably should know of anticipated litigation. Even in a slip and fall case where the fact pattern typically rises to the level of any complexity, if the defendant company's employees then move from e-mail to ephemeral messaging apps, a reasonable person could easily deduce that the justification is to avoid preservation.
However, as noted above, there may be enterprise-level ephemeral messaging apps that look to instill confidence in the continued use of ephemeral apps that increase data protection and data privacy, don't take up data storage capacity and don't increase overall costs. To ensure a level of confidence as well as defensibility, repeatability and an auditable policy trail, organizational compliance around these apps should be included within updated document retention policies. As noted in Law360: "If a company is unable to capture data from a particular messaging service, the company might consider implementing a formal policy requiring individuals using that messaging service to back up their own communications."