Don’t ‘Feign Ignorance’ When Regulatory Agencies Come for Your Communications

Recent FTC-DOJ guidance includes serious warnings about not ignoring data management for collaboration apps.

The Federal Trade Commission (FTC) and Department of Justice (DOJ), together, brought back preservation guidance on collaboration-app data in a new statement—this time, with a novel warning: “Feigning ignorance” on the matter won’t be tolerated.

Both agencies are in the process of updating the language “in their standard preservation letters and specifications for all second requests, voluntary access letters, and compulsory legal process, including grand jury subpoenas, to address the increased use of collaboration tools and ephemeral messaging platforms in the modern workplace,” according to the notice.

The revisions come in light of the proliferation of collaboration apps, and consequently, of the data types they generate.

E-discovery attorneys told Treasury & Risk sister publication Legaltech News that, while the regulatory agencies are reiterating preservation best practices that legal departments should already be well-versed in, the comments should be a wake-up call for the boom of artificial intelligence (AI) start-ups, as well as legacy companies that may not have looked over their policies since before the pandemic. Because many of their information governance structures from “before” may not be conducive to today.

What’s more, if companies were hoping to take the approach of “easier to ask for forgiveness than for permission” when it comes to chasing after collaboration-app data, the guidance should work as a full-stop prevention of that approach.

Beyond the Email Era

David Cohen,  a partner at Reed Smith and chair of the records and e-discovery (RED) group, said that many companies—even established ones with sound preservation policies—have spent so much time on building rules around email data that they haven’t been able to keep track of all the new modes of communication their employees are using.

“The reason for this timing really is that the world has moved in the last several years, from email being the predominant mode of business communication to these new platforms,” Cohen said. The big one is legal’s favorite, Microsoft Teams, followed by Slack. But Cohen noted that organizations should not discount “ephemeral messaging [apps] that automatically delete data after communications are made”—apps like Signal, Telegram, Wickr, and more.

Essentially, since Covid-19 precipitated a dramatic increase in the prevalence of remote work, employees have taken liberties to branch out to various “off-channel communication” platforms, Cohen said. And companies are not necessarily doing a great job of keeping track of, or cracking down on, these practices.

“The biggest takeaway” from the latest FTC–DOJ statement, he said, is that “companies need to maintain an inventory of the applications that are used [and] they need to prohibit employees from using  unapproved communications methods.”

Of course, the concept that “anything that’s written down and relevant to a litigation or investigation needs to be preserved and produced” in discovery is not new, he said. But “I think the DOJ and FTC … are tired of hearing from companies that they didn’t know,” which is the approach a handful of organizations take to these sanctions, Cohen said. “Everybody should know that this kind of information is discoverable even if it’s on messaging platforms or ephemeral platforms. Once litigation or an investigation is pending or anticipated, then a duty to preserve all of that kicks in.”

Old Reminders for New Companies

Of course, while these issues might exist for many start-ups, especially those born from the recent AI revolution, the threat of litigation and regulation from poor preservation practices may not even be on their radar.

Kassi Burns, senior attorney in King & Spalding’s e-discovery practice, said that the latest guidance may come as a reminder of older policies for these newer companies.

“I think a start-up doesn’t want to spend a lot of money on attorneys being proactive for potential litigation,” she said. “That’s kind of a buzzkill.”

Unlike privacy policies, which start-ups are known to “copy-paste” from other providers’ websites (which they shouldn’t do, by the way), preservation policies aren’t so easy to grab from competitors, Burns noted. Especially very tech-forward companies that are underpinned by AI technology can to be looser about letting their employees use apps like Notion and Airtable, Burns said, further creating new data types without a documented location.

“Sometimes start-ups don’t really have in-house counsel [or] a general counsel, [or] they have a very small in-house department,” in which case they should seek out outside counsel to develop the appropriate information governance structure for collaboration-app data, she said. “You have to be proactive on that front, [because] you don’t want to scramble after you’ve gotten a [civil investigative demand] dropped in your lap.”

Silos Can Lead to Blind Spots

A common issue between legacy organizations and start-ups, however, is the lack of communication between IT departments and legal teams, both Burns and Cohen noted. The siloes between IT and legal are no secret, but those “blind spots,” as Burns called them, have persevered—and are likely responsible for the holes in information governance structures that exist at many organizations.

“The IT departments are over here, the compliance departments over there, and the legal departments in the third area,” Cohen said. When adopting new technologies, “whether it’s the latest Microsoft Teams or Copilot or some of these new AI applications,” companies need to realize that they have ramifications on all these internal departments.

“They all need to be talking,” he added. Before beginning to offer employees guidance around which app is allowed for communication, questions like “For how long and how does this information get stored? Can you set up a retention system that fulfills our legal obligations? [Can it meet the] requirement to get rid of information?” need to be asked across the board, Cohen said.

These concerns extend beyond just the FTC and the DOJ, Cohen stressed, pointing to this month’s $81 million settlement with a group of broker-dealers for failure to record-keep effectively—this time, at the hands of the Securities and Exchange Commission (SEC).

If anything, he concluded, the latest guidance is a clarion call of regulatory interest in scrutinizing “this issue of companies communicating in ways that are difficult to preserve [or] not preserving information” at all.



From: Legaltech News