table of contents
- New data retention guidelines
- Collaboration app data growth
- Regulators and courts are cracking down on failure to preserve evidence
- How to prepare your organization's data for regulatory investigation
Regulatory scrutiny is increasing across industries following updates from the Department of Justice (DOJ) Antitrust Division and the Federal Trade Commission (FTC) regarding the storage of data from collaboration tools and ephemeral messaging platforms . These developments can have significant ramifications and regulatory implications, so organizations should think carefully on how to think about managing communication between applications.
Recently, the woman webinar We explore these issues with three experts.
- Jeaneen Kappell, Senior Advisor, Enforcement Division, Securities and Exchange Commission (SEC)
- Tim Anderson, Senior Managing Director, FTI Consulting
- Tim Thames, Onna Village Strategic Solutions and Partnerships Manager
These speakers outlined recent developments in data retention and provided practical steps to help organizations prepare for regulatory compliance investigations. Here we will introduce their points.
New data retention guidelines
In January 2024, the FTC and Department of Justice updated parties' retention obligations for data from collaboration tools and ephemeral messaging platforms. With this obligation, messages are automatically deleted without administrator intervention.in joint press release, the agencies announced that the update “strengthens long-standing obligations requiring companies to preserve materials during pending government investigations and litigation.” “These updates to our legal process ensure that when customers and businesses choose to do business, they are more aware of the other party's Lawyers and their clients will no longer be able to feign ignorance.” temporary message. ”
Anderson explained: “We're not talking about anything new here. Organizations have these obligations, and they should already understand their obligations to preserve. New applications, technologies, and platforms may emerge. But the guidelines remain the same.”
Kappel agreed. She said the agency “has made abundantly clear with the release of this guidance that all types of communication must be maintained.” There is a recognition across government agencies that critical business and related communications take place on these types of platforms. ” Additionally, she said the responsibilities outlined in the new guidance are not bound by any legal framework. These clearly apply to mandatory legal proceedings, including standard preservation letters, all her second request specifications, voluntary access letters, and grand jury subpoenas. Based on this guidance, parties should do exactly what the preservation letter or subpoena requires.
The updated guidance also includes the potential consequences of non-compliance, including civil and criminal consequences. “It's when you're on the receiving end, [you should] Please take it seriously and respond immediately,” Kappel urged, suggesting that recipients contact the issuer of the subpoena or ask them to “discuss in detail what is being requested.”
Anderson added that “agencies are open to discussing and collaborating on different approaches to ensure that the information produced is relevant and responsive.”
Collaboration app data growth
Thames says data sprawl makes it difficult for organizations to know where their data is and how it is structured when they receive retention letters and need to establish legal holds. I observed that it was. “If you look back 25 years ago, we were dealing with email,” he said. “What we're seeing now is an increased reliance on application data.”
He said large companies use an average of 231 apps, a 54% increase over the past five years. 80% of the data these apps create is unstructured data, and 90% of that unstructured data is never analyzed. “It just sits there,” Thames advised. “If we don't address it early on and make sure it's preserved, it could change the structure of the case.”
Anderson commented that in addition to the volume and variety of data, the rate of change also makes preservation difficult. The platform is rapidly iterating and deploying new technologies to help organizations stay connected and collaborate more effectively. As a result, he observed, “what worked last week may not necessarily work this week.” Given the pace of change, “compliance, litigation response, and integrity are not always at the top of the priority list. Therefore, the ability to manage information is not always at the top of the priority list.” he added.
Kappel advised that service providers and lawyers need to ask their clients “difficult, boring questions like 'Where is the relevant data?'” She observed that few situations are more stressful than when an organization learns for the first time that application data may exist during investigative testimony and that it has not yet been submitted to a government agency. She recommended, “Being proactive and asking your clients some questions will greatly benefit everyone.”
Regulators and courts are cracking down on failure to preserve evidence
Over the past decade, courts have experienced: 656% increase in cases eDiscovery issuesThe number of cases increased from 690 in 2014 to a whopping 5,216 in 2023. Parties should be aware of e-discovery issues, as they are clearly important to judges.
Kappel said: “The duty of preservation is at the heart of courts these days. This has many aspects, from the distribution of legal preservation to all relevant administrators to the failure to preserve evidence,” he said. If a party is unwilling to produce the requested documents, authorities can also bring a subpoena enforcement action, he said, turning a closed-door investigation into a public hearing as subpoena enforcement actions are filed in federal district court. He said it would happen.
Speakers pointed to several recent cases related to data retention issues.
- Dawson James Securities Co., Ltd.: The Financial Industry Regulatory Authority (FINRA) alleged that the company's CEO failed to preserve or review thousands of business-related texts sent and received by at least 27 people associated with the company over nearly a decade. The company violated both securities laws and FINRA rules because its supervisory procedures were not reasonably designed to comply with message retention and review obligations. FINRA fined the company $500,000, imposed reprimands, and required an independent review of the company's compliance procedures. But the problems didn't end there, and in a warning to leaders, regulators fined the CEO $10,000 and suspended him from associating with FINRA members for a month.
- senbest management: Having policies and procedures does not guarantee compliance. Those policies must also be enforced. In this case, a company employee violated established policies and procedures by communicating about company business through personal text messaging platforms and other non-Senvest messaging applications. The company was unable to maintain or store these off-channel communications. In one example, three senior employees used personal devices to send off-channel communications that were set to be automatically deleted after 30 days. Senvest admitted to non-compliance, paid a $6.5 million penalty and agreed to improve its policies and procedures.
- United States vs. Bankman Freed: In this order from a high-profile case, the court ordered the founders of Futures Exchange (FTX) not to communicate with current or former employees of FTX except in the presence of an attorney, and to send encrypted temporary They were ordered not to use any calling or messaging apps. We took these steps after discovering that the Founders had, among other things:
- Directing employees to perform tasks slack Set Signal and these messages to automatically delete within 30 days
- One executive advised that if communications were not preserved, it would be more difficult for anyone to bring a case against them.
- Sent messages to at least one prospective government witness in an attempt to “repair relations” and “examine each other's circumstances.”
- Regarding Google Play Store antitrust lawsuit: In this multidistrict case, the court decided to sanction Google for willfully failing to preserve evidence, but deferred ruling on the precise sanctions to be imposed. Although Google properly preserved email evidence, its policy was to automatically delete chat data within 24 hours. The court concluded that the company was “seriously lacking” in that duty and that the chat evidence was “lost for the purpose of preventing its use in litigation.”
As these examples demonstrate, organizations and their leaders must first understand the information, then diligently store what they need and find ways to derive value from it.
How to prepare your organization's data for regulatory investigation
Compliance is not easy, but an ounce of prevention is worth a pound of cure, not to mention thousands of dollars in fines. By taking proactive steps now, you can reduce risk, prevent organizational disruption, and avoid stress.
Follow some steps below.
- Regularly audit the data storage capabilities of your organization's collaboration tools and internal chat apps. Ensure that information from your app is available in a format that can be legally reviewed and produced. Work with legal, compliance, and IT departments to understand your organization's current data landscape. Map where data for these apps resides.
- Implement specific policies regarding deletion protection settings.
- Ensure that any notices regarding legal holds and other document retention instruct employees to preserve all relevant business communications, including those stored in off-network applications.
- Maintain records about your organization data storage and
Retention policy And practice. - Partner with experienced attorneys and e-discovery vendors. collect Imaging materials from advanced technology platforms.
- Regularly assess and enforce compliance with established policies. Monitor changes in laws and regulations at the federal, state, and local levels. Provide training as needed and consider conducting tabletop exercises or drills to test your policies.