Now You See Me, Now You Don’t: Ephemeral Messaging Challenges
The emergence of ephemeral messaging applications to communicate with friends, family, and coworkers quickly, securely, and effortlessly has boomed over the past decade. In that time, users of ephemeral messaging apps have risen significantly, from millions to billions of active users!
These new sources of data have many advantages, but also present new and unique issues for companies. Ephemeral messaging data, and the rapidly expanding use of these apps, have quickly changed the landscape of what may be discoverable and what companies must be aware of when a litigation hold comes across their desk, and more prudently, long before they must consider whether the data these ephemeral messaging applications create is discoverable.
What is ephemeral messaging?
A leading authority on E-Discovery issues, The Sedona Conference Journal, describes ephemeral messaging as “secure, written communications between one or more parties that are generally considered dynamic, nonstatic, and ’lasting a very short time.’”[i] In general terms, ephemeral messaging allows a user to have end-to-end encryption, ensuring that their communications are secure, while also having built-in automatic deletion or expiration of those messages after a set period. One example of this kind of system is WhatsApp that enables messages that send encrypted files from user to user that expire and are automatically deleted after the message is read. This type of system, obviously, causes a major issue in collection of data in anticipation of litigation. Where emails are typically stored on backups or in the cloud, ephemeral messages are specifically designed to not be stored.
Why use ephemeral messaging?
Ephemeral messaging is increasingly prevalent in both work and personal life. Its benefits are numerous, and its usage is sure to continue to accelerate in the future. Ephemeral messaging enhances information governance best practices, deleting non-essential information after a set period, rather than storing everything indefinitely. This deletion not only reduces the dollars spent to archive data the business retains but further protects exposure of information that is no longer relevant to the business through data breaches.
Deletion of ephemeral messages also enhances a company’s legal compliance with regulations intended to protect personal data, ensuring that data breaches do not expose all the personal data that would otherwise be stored using traditional messaging systems. This is especially important with the increase in data protection legislation, such as the GDPR.
Ephemeral messaging essentially promotes privacy by design, meaning the application is designed to optimize the user’s private and confidential data to prevent unauthorized access and enhance data security. Coupled with the user-to-user encryption protections, ephemeral messaging is evolving into a highly beneficial tool for legal risk mitigation.
Issues with ephemeral messaging
As with any emerging technology, ephemeral messaging comes with its own set of issues. Regulatory agencies have generally emphasized the importance of long-term access to data. These agencies tend to require companies and individuals to store massive amounts of information to remain compliant with agency standards that assist in their respective investigations. However, agencies are progressing towards allowing some usage of ephemeral messaging, albeit only in certain circumstances. These agencies remain hesitant in allowing companies to use ephemeral messaging without first creating detailed policies and procedures for its use that are complaint with agency standards.
The looming challenge to the acceptance of ephemeral messaging in the corporate and legal sectors comes via court-imposed retention requirements that occur regularly during a legal dispute. The duty to preserve information relevant to a reasonably anticipated or pending litigation in the United States presents a new set of issues when dealing with ephemeral messaging data.
In response to this challenge, companies must get ahead of potential litigation that involves ephemeral messaging and implement retention and usage policies and procedures to satisfy the courts. These policies and procedures should enable companies to suspend or disable the use of ephemeral messaging for custodians once the preservation obligation arises, circumventing the issue of automatic deletion of data.
Companies have a responsibility to not only be aware of the ephemeral messaging apps that its employees use, both on company and personal devices, but also to understand what the uses of each app are. It is essential that these companies take proactive steps to limit the types and uses of ephemeral messaging apps to avoid losing relevant data and suffering consequences in legal proceedings. Despite the initial design of automatically deleting data, most ephemeral messaging apps have evolved to allow for data to be preserved if the user opts into that. Companies must take the crucial step to create policies and procedures to manage the date ephemeral messaging applications create to address the preservation issue before it is too late.
Consequences for failing to adopt preservation polices for ephemeral messaging may include court sanctions. There are increasingly more instances of courts issuing sanctions to companies that fail to properly preserve ephemeral messaging data. Despite a decline of 8% in the number of civil cases filed, 2023 saw a 10% increase in the number of E-Discovery decisions in U.S. District Courts.[ii] The majority of these decisions were related to the failure to preserve data and the consequences of that failure.[iii]
Conclusion
Ephemeral messaging is an integral and evolving part of both individual and company communications with advantages and challenges impacting companies and the legal industry. Companies must consider the ramifications of their employees' use of ephemeral messaging and adopt policies and procedures to best protect themselves and comply with requirements relating to litigation and regulation. Courts have already begun addressing the failure to preserve relevant ephemeral messages and have been issuing sanctions in a myriad of legal challenges. Ephemeral messaging is here to stay, and companies, courts, and attorneys must understand and adapt to evolve with this emerging technology.
DISCLAIMER: The information contained in this blog is not intended as legal advice or as an opinion on specific facts. For more information about these issues, please contact the author(s) of this blog or your existing LitSmart contact. The invitation to contact the author is not to be construed as a solicitation for legal work. Any new attorney/client relationship will be confirmed in writing.
[i] See The Sedona Conference Journal, The Sedona Conference Commentary on Ephemeral Messaging, 22 Sedona Conf. J. 435 at 446 (July 2021).
[ii] See eDiscovery Case Law Year in Review 2023 at 6, eDiscovery Assistant, available at https://www.ediscoveryassistant.com/2023-ediscovery-case-law-year-in-review-report/.
[iii] See also DR Distribs., LLC v. 21 Century Smoking, Inc., 513 F. Supp. 3d 839 (N.D. Ill. 2021); Fed. Trade Comm’n v. Noland, 2021 WL 3857413, (D. Ariz. Aug. 30, 2021); Franklin v. Howard Brown Health Ctr., 2018 WL 4784668, (N.D. Ill. Oct. 4, 2018); Freeman v. Giuliani, 2023 WL 5600316 (D.D.C. 2023); FTC v. Am. Future Sys., Inc., 2023 WL 3559319 (E.D. Pa. 2023); Herzig v. Arkansas Found. for Med. Care, Inc., 2019 WL 2870106 (W.D. Ark. July 3, 2019); Hunters Capital, LLC v. City of Seattle, 2023 WL 184208 (W.D. Wash. 2023); and In re Skanska USA Civil Se. Inc., 340 F.R.D. 180 (N.D. Fla. 2021).
