Regulatory scrutiny has intensified across industries following updates from the Department of Justice (DOJ) Antitrust Division and the Federal Trade Commission (FTC) regarding the preservation of data from collaboration tools and ephemeral messaging platforms. These developments can have profound implications and regulatory consequences and therefore require careful consideration on an organization’s behalf on how to think about managing communications across applications.

Onna recently hosted a  webinar to explore these issues with three experts:

• Jeaneen Kappell, Senior Counsel, Division of Enforcement, U.S. Securities and Exchange Commission (SEC)
• Tim Anderson, Senior Managing Director, FTI Consulting
• Tim Thames, Onna’s Strategic Solutions and Partnerships Manager

These speakers outlined recent developments in data preservation and offered practical steps for organizations to prepare for a regulatory compliance investigation. Here were their takeaways.

New data preservation guidelines

In January 2024, the FTC and DOJ updated parties’ preservation obligations for data from collaboration tools and ephemeral messaging platforms, in which messages are deleted automatically without custodian intervention. In a  joint press release, the agencies announced that the updates “reinforce longstanding obligations requiring companies to preserve materials during the pendency of government investigations and litigation.” In the release, Manish Kumar, Deputy Assistant Attorney General for Criminal Enforcement, DOJ Antitrust Division, noted, “These updates to our legal process will ensure that neither opposing counsel nor their clients can feign ignorance when their clients or companies choose to conduct business through ephemeral messages.”

Anderson explained, “We’re not talking about anything new here. Organizations have had these obligations, and they should already understand the duty to preserve. There may be new applications, technologies, and platforms, but the guidelines remain the same.”

Kappell agreed. She noted that the agencies “made it abundantly clear with the release of this guidance that all types of communication must be preserved. There’s an awareness across agencies that important business and relevant communications are happening on these types of platforms.” Moreover, she observed that the responsibilities outlined in the new guidance are not tied to any statutory framework; they plainly apply to standard preservation letters, specifications for all second requests, voluntary access letters, and compulsory legal processes, including grand jury subpoenas. Based on this guidance, parties need to do exactly what the preservation letter or subpoena asks.

The updated guidance also includes potential ramifications of noncompliance, including civil and criminal consequences. “That really reinforces that when you’re on the receiving end, [you should] take it seriously and immediately comply,” Kappell urged, suggesting that recipients reach out to the person issuing the subpoena or request to “talk through the parameters of what’s being requested.”

Anderson added that “agencies are willing to discuss and collaborate around some of the different approaches to ensure that the information that is being produced is relevant and responsive.”

The growth of collaborative app data

Thames observed that data sprawl is making it harder for organizations to figure out where data is and how it’s structured when they receive a preservation letter and need to establish a legal hold. “Thinking back 25 years, we were dealing with email,” he said. “Today, what we’re seeing is a growth in reliance on application data.”

On average, he explained, large enterprises use 231 apps, a 54% increase over the last five years. Of the data these apps create, 80% is unstructured, and 90% of that unstructured data is never analyzed. “It’s just sitting there,” Thames advised, and “if you don’t get your hands around it early on and make sure you’re preserving it, it can change the structure of litigation.”

Anderson commented that in addition to the volume and variety of data, the velocity of change also complicates preservation. Platforms are rapidly iterating and deploying new technologies to help organizations stay connected and collaborate more effectively. As a result, he observed, “What worked last week may not necessarily work this week.” Given the pace of change, he added, “Compliance, litigation readiness, and preservation are not always at the top of the priority list — so the functionality to control information is not always at the top of that priority list.”

Kappel advised that service providers and attorneys need to ask their clients “difficult and tedious questions, such as ‘Where is the relevant data?’ and ‘Where does data reside?’” She observed that few situations are as stressful as when an organization learns for the first time during investigation testimony that there may be application data — and that it hasn’t been produced to the agency yet. She recommended, “It pays everyone huge dividends to be proactive and to ask some of those questions of your clients.”

Regulators and courts are cracking down on failures to preserve evidence

In the last 10 years, courts have seen a 656% increase in the number of cases with eDiscovery issues, from 690 cases in 2014 to a whopping 5,216 in 2023. Parties need to be aware of eDiscovery issues since they are clearly important to judges.

Kappel observed, “Preservation obligations are front and center with the courts these days. That takes on any number of different flavors, from distributing legal holds to all relevant custodians to failing to preserve evidence.” She remarked that agencies may also bring subpoena enforcement actions if parties do not want to produce requested documents, which would transform an otherwise nonpublic investigation to a public hearing as the subpoena enforcement action is filed in federal district court.

Our speakers pointed out a few recent cases that involved data preservation issues:

• Dawson James Securities, Inc.: The Financial Industry Regulatory Authority (FINRA) alleged that for nearly a decade, the firm’s CEO had failed to preserve or review thousands of business-related texts sent or received by at least 27 people associated with the firm. The firm violated both the Securities Exchange Act and FINRA rules because its supervisory procedures weren’t reasonably designed to comply with its obligation to retain and review the messages. FINRA fined the firm $500,000, issued a censure, and required a third-party review of the firm’s compliance procedures. But it didn’t stop there: issuing a wake-up call for leaders, the agency also fined the CEO $10,000 and suspended him from associating with any FINRA member for one month.
• Senvest Management: Having policies and procedures does not guarantee compliance; those policies must also be enforced. In this case, the firm’s employees violated established policies and procedures by communicating about company business through personal texting platforms and other non-Senvest messaging applications. The firm failed to maintain or preserve these off-channel communications. In one instance, three senior employees used their personal devices to send off-channel communications that were set for automatic deletion after 30 days. Senvest admitted to compliance failures and agreed to pay a $6.5 million penalty and improve its policies and procedures.
• United States v. Bankman-Fried: In this order from a well-known case, the court ordered the founder of Futures Exchange (FTX) not to communicate with current or former FTX employees except in the presence of counsel and not to use any encrypted or ephemeral call or messaging apps. It did so after finding that the founder had, among other things, taken these steps:
  • Directed employees to conduct business on  Slack and Signal and to set those messages to automatically delete in no more than 30 days
  • Advised one executive that it would be more difficult for anyone to build a legal case against them if their communications weren’t preserved
  • Messaged at least one of the government’s prospective witnesses in an attempt to “reconnect” and “vet things with each other”
• In re Google Play Store Antitrust Litigation: In this multidistrict litigation, the court decided that it would sanction Google for intentionally failing to preserve evidence but withheld judgment on the precise sanctions to be imposed. Although Google properly preserved email evidence, its policy was to automatically delete Chat data within 24 hours. The court concluded that the company “fell strikingly short” on its obligations and that Chat evidence was “lost with the intent to prevent its use in litigation.”

As these cases make clear, organizations and their leaders need to first understand their information, then diligently preserve what’s necessary and find ways to extract value from it.

How to prepare your organization’s data for a regulatory investigation

Compliance is not easy, but an ounce of prevention is worth a pound of cure — not to mention thousands of dollars in fines. Taking proactive measures now can lower your risk, prevent organizational overwhelm, and avoid stress.

Here are some steps to take:

1. Regularly audit your organization’s collaboration tools and internal chat apps for data preservation capabilities. Verify that information from apps is available in a format that allows for legal review and production. Collaborate with legal, compliance, and IT to understand your organization’s current data landscape, including  mapping where the data from these apps lives.
2. Implement specific policies regarding anti-deletion settings.
3. Ensure that litigation holds and other document retention notices instruct employees to preserve all pertinent business communications, including those stored in off-network applications.
4. Maintain records regarding your organization’s data storage and
   retention policies and practices.
5. Partner with counsel and eDiscovery vendors that are experienced in  collecting and imaging materials from advanced technology platforms.
6. Regularly assess and enforce adherence to established policies. Monitor for changes in laws and regulations at the federal, state, and local levels. Offer training where needed, and consider implementing tabletop exercises or drills to test your policies.

To learn more about the implications of the new regulatory guidance on data preservation for your organization and get even more tips for how to prepare before investigations and litigation arise,  watch the replay of the webinar.