For many companies, COVID-19 has upended long-established working environments and forced many to rethink how employees can best communicate and collaborate while working remotely. Communication platforms that may have seemed unfamiliar and futuristic have become essential tools virtually overnight. If employers were not equipped to support their employees' transition to working from home—or when the tools the company supported did not adequately meet staff's needs—many employees embraced communication platforms more rapidly than their employers, leaving behind their employers' retention and privacy policies.
Tension between new technologies and old corporate policies is not new, of course. Last month, for example, the Securities and Exchange Commission (SEC) announced it had settled charges against JonesTrading Institutional Services LLC (JonesTrading), a registered broker-dealer, for violating the record-keeping provisions of Section 17(a) of the Securities Exchange Act of 1934 (Exchange Act) and SEC Rule 17a-4(b)(4).[1] JonesTrading maintained standard records and communications retention policies and prohibited employees from conducting business-related communications over text message or on non-firm systems. However, after the SEC requested certain records from JonesTrading, the firm discovered that some responsive communications had not been retained. Why? Because certain JonesTrading employees had used text messages for business purposes and failed to preserve the messages. To compound the problem, certain JonesTrading senior management and compliance personnel knew that employees were sending and receiving business-related text messages—and were even doing so themselves. After being alerted to this issue, JonesTrading took remedial steps, but it was too late. The SEC censured and fined the company.
Months into the challenges posed by ongoing quarantines, companies must grapple with the technologies their employees are using to avoid JonesTrading's fate or worse. But no two communication tools are exactly alike, and various platforms have different retention and privacy features that may present varying types and levels of risk for employers, their employees and other stakeholders such as board members. Companies and their counsel should know what risks lurk in the default settings and user controls of common tools, and remain attuned to these differences to avoid loss of data, regulatory risk and legal liability.
This alert highlights for companies and their counsel a set of key issues to consider as we all continue to navigate these uncharted waters.
(1) How significant are the risks created by employees' use of communication tools not authorized by the company?
Employees may seek out communication tools not authorized by their employer in a good faith attempt to address real business needs. Some technologies are free, easy to use, and may be effective ways to communicate with non-US clients. Earlier this year, the Financial Industry Regulatory Authority (FINRA) sanctioned a broker-dealer employee who used WhatsApp Messenger to communicate with overseas customers on his personal phone and company computer.[2] Or employees may seek to use a tool that allows for efficient collaboration while working remotely. Many businesses use Google Docs, which permits simultaneous, live editing of and commenting on documents, rather than static Word documents that require employees to wait for one another to exit the file.
Although these new tools may confer many benefits in a remote working environment, companies should not underestimate the risks created by their unauthorized and unsupervised use. Unauthorized tools can limit a company's ability to control data retention or adjust privacy settings. While some tools may make retention features available, they also often permit users to control their own privacy settings, so when individual employees independently employ unauthorized tools, they may disable built-in retention functions and fail to preserve those communications and documents. This presents problems for regulated entities, such as JonesTrading, that are legally required to retain certain documents and communications. Even for companies not subject to those same regulations, loss of data and documents can be problematic. Companies may be required to preserve data as a result of a new investigation or a litigation hold. (This is further discussed immediately below and at Section 4, infra.) Loss of documents also reduces institutional memory, since records might not be preserved when an employee leaves the company. And use of unauthorized tools allows employees to create records that may not otherwise have been permitted to be created—for example, recording, even unwittingly, a sensitive internal meeting or presentation that was not intended to be recorded.
Unauthorized tools can also create unique problems if the company or an employee becomes involved in litigation or an investigation. If an employee used personal accounts for business activities, that employee's personal data could be subject to collection and review because the business use and personal use have become intertwined. Employees might be hesitant to turn over personal email, cloud, and cellphone accounts, which would be an issue both they and their employer would need to address. In addition, companies often have no knowledge of what documents are stored in unauthorized locations and by unauthorized platforms. The cost of document collection increases when a company must diligently seek documents from a variety of unauthorized platforms and custodians. And companies facing litigation in years to come may fail to collect and produce documents in response to discovery requests or government subpoenas because the documents are not located within the companies' systems.
Finally, unauthorized tools can frustrate efforts to prevent or halt employee wrongdoing. With limited ability to monitor communications, companies may be caught off guard as to their employees' illegal or negligent acts, yet still be liable under theories of vicarious liability. For entities with affirmative obligations to review employees' electronic communications, such as broker-dealers, companies may not be able to comply with their regulatory obligations.
(2) Will documents be retained and maintained securely? What controls must an employer know about and manage in order to appropriately retain and protect data?
Many communications tools, including videoconference, collaboration, and work management platforms, offer customers a range of subscription options that often determine the extent to which a customer can access or control the retention and privacy features built into the platform. Broadly speaking, the level of customization and control increases with the cost of the subscription.
a. Enterprise and Business subscriptions.
In Enterprise and Business subscriptions, the customer, usually an employer, designates an administrator account to manage retention and privacy features for individual employee use. This provides a greater degree of employer control over and consistency to these settings. As individual users of an Enterprise subscription, employees do not possess the same privileges as an administrator, and so cannot override the administrator's decisions or chosen privacy and retention settings. On Skype for Business or Webex, for example, if an employee wishes to delete all or part of her self-generated content, she usually cannot directly request deletion from the platform and must seek permission from the administrator.
b. Individual and Free subscriptions.
Fee-based Individual subscriptions as well as Free subscriptions may appeal to companies looking to save money because there is no need to invest in an Enterprise subscription. However, such subscriptions typically lack centralized control over privacy and retention settings, and carry attendant risks that companies should keep in mind.
On some platforms, Free subscriptions permit individual users to control the retention and privacy settings of their own user-generated content. On Skype or Slack, for example, a user can often unilaterally determine the scope of content sharing (e.g., sharing only the transcript of a recorded videoconference) or the length of a data retention period (e.g., designating files to be preserved by the platform for a month as opposed to a week).
For other platforms, Free subscriptions permit retention and privacy settings to be determined by any users in a room or chat. On WeChat, for example, a specific chat is retained and encrypted according to the highest levels of privacy setting established by any chat participant, trumping other participants' retention and encryption settings for that chat. To illustrate: If three people are in a chat and two participants have settings that save the chat to the cloud but one does not, the chat would not be saved to the cloud. Similarly, if one participant has a setting to encrypt the chat and the other two do not, the chat would be encrypted.
c. A note on data encryption and retention.
Regardless of subscription type, companies should focus on the encryption settings for their communication tools. Depending on the nature of the encryption, text message collection may not be possible, which would limit or prohibit the ability to retain that data. (Other encryption-related issues are discussed at Section 3, infra.) If the platform's encryption settings make text collection impossible, the company may need to consider alternative retention methods, such as capturing screenshots of text exchanges or video recording text chats.
(3) Is end-to-end encryption a necessary security feature, an organizational vulnerability or both?
End-to-end encryption typically prevents third-party intermediaries that help transmit (and often store) a communication from accessing that communication's content. Platforms offering end-to-end encryption now increasingly also prevent themselves, the provider of the communications service, from accessing a message's content.
While this feature provides heightened security for those transmitting communications, it can hinder a platform's ability to preserve or otherwise retain data. For example, some messengers' end-to-end encryption prevents them from accessing, and therefore retaining, the content of communications. As a result, the content is preserved only on the devices of the sender and the recipient of the message. Those platforms might still collect and retain metadata, however, including a device's unique Internet Protocol address and message time stamps. In contrast, other messengers do not collect either the content or the metadata associated with any messages, but the content remains accessible on the devices themselves, so long as the sender or recipient does not delete it.
Companies should be aware of the security and encryption settings of any communication platform their employees use, and consider whether additional software is needed to ensure sufficient data retention.
(4) How significant are the risks created by employees using personal devices for work?
As the JonesTrading matter illustrates, personal cellphones and personal computers have replaced company devices for many employees. While the use of personal devices is fairly common across industries, there are significant risks to consider for conducting business on personal devices.
One of the largest risks is that data might be unrecoverable by the company in the event of an investigation—for example, if the employee used a communication tool that permits the deletion of message content, such as Signal or Telegram, and deleted the communication. For employers in industries that require document retention, such as certain regulated financial institutions, failure to retain company communications transmitted over employees' personal devices can also result in violations of federal laws and regulations. As JonesTrading and others have discovered, employers can still be responsible for retaining relevant electronic information, even from employees' personal devices, and be held liable and subject to fines if such material is lost.[3]
In contrast, employer-provided devices or software provide better control of content, are clearly the property of the employer and assist with improved liability management. Consider whether a personal device policy or an employer-provided device policy best suits your business needs.
(5) What can I do to reduce our company's risk?
a. Review your current retention policies.
With more employees working remotely than ever before, your company's retention policies may need to be reviewed and updated.
For example, you may consider adjusting your company's data retention and deletion periods. The shift to remote working may have increased the volume of your employees' digital footprints, perhaps because in-person handling of data now takes too long or is no longer possible, or because data previously transferred on physical drives is now transferred by way of FTP/SFTP sites or shared network locations. As a result, it may take longer to run backups of your company data, or you may hit storage volume limits.
Now is also a good time to review the retention policies on software and cloud options your company uses and has available. Cloud services often update their service offerings, including security and retention. Even now, providers are modifying their offerings to meet new needs their clients are asking for in the post-COVID-19 environment.
b. Send a compliance reminder about which platforms your employees may use while working remotely.
Providing clear guidance for employees and reminders of the new communication policies may help reduce employee use of unauthorized tools. But as the JonesTrading matter shows, simply having policies is not enough if those policies are not followed. Therefore, in addition to providing copies of relevant compliance policies, taking the time to explain the security and legal risks of noncompliance may further incentivize employees to refrain from using unauthorized forms of communication.
Consider offering trainings on the policies, and create opportunities for employees to ask follow-up questions without fear of retaliation. For example, an employee may realize she needs to transfer a client relationship that had been maintained on an unauthorized platform—the client's preferred form of communication—to an authorized platform but be unsure how to do so; that same employee may also need help retaining any still-available prior communications from the unauthorized platform, whether on the new platform or otherwise.
c. Consider whether any SEC and FINRA retention policies make sense for your business.
Many industries are subject to retention requirements. For example, retention of broker-dealer books and records is governed by Exchange Act Section 17(a)(1), SEC Rules 17a-3 and 17a-4, and FINRA Rule 4511; for investment advisors, Rule 204-2 of the Investment Company Act of 1940 controls. While not all industries have such legally mandated retention policies, a review of regulatory guidance and industry best practices to ensure compliance with applicable and current data retention policies is recommended.
d. Communicate with your employees, and address gaps in the technology.
Keep open channels of communication with your employees to ensure they have the communication and internal collaboration tools required to meet client needs. The aphorism "the best offense is a good defense" applies. Identify gaps in technology before your employees need to figure out solutions for themselves. This will not only prevent individualized, and potentially conflicting, approaches, but also affirm your company's commitment to support your employees during this challenging period.
e. Be vigilant and respond to red flags.
Often, employees using unauthorized methods of communication are well-intentioned. They may refer to their use of unauthorized platforms ("Following up on my text...") or copy or forward unauthorized communications to other staff members or managers. Encourage your entire organization (and especially supervisors) to work together to identify when an employee is using an unauthorized medium and respond appropriately to correct the situation.
[1] See generally In re JonesTrading Institutional Servs. LLC, Exchange Act Release No. 89975, SEC Admin. Proceeding File No. 3-20050 (Sept. 23, 2020), https://www.sec.gov/litigation/admin/2020/34-89975.pdf.
[2] In re Paul A. Falcon, FINRA Letter of Acceptance, Waiver, and Consent No. 2018059746001 (Feb. 24, 2020), https://www.finra.org/sites/default/files/fda_documents/2018059746001 Paul A. Falcon CRD 2464566 AWC sl.pdf.
[3] See, e.g., Alter v. Rocky Point Sch. Dist., No. 13-cv-1100 (JS) (AKT), 2014 WL 4966119, at *10, *12 (E.D.N.Y. Sept. 30, 2014) (rejecting defendants' claim that "they were not obliged to preserve work-related ESI which employees . . . utilized on their personal computers" because "the information should have been preserved on whatever devices contained the information (e.g., laptops, cellphones, and any personal digital devices capable of ESI storage)" and imposing a fine).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.