On October 10, 2023, we hosted a round table discussion led by Timothy Heaphy, Co-Chair of Compliance, Investigations & Enforcement Practice, and Laura Jehl, Partner and Co-chair of the Cybersecurity and Privacy Group, both from Willkie Farr & Gallagher LLP.

The session, moderated by Scott Windfelder, Chief Revenue Officer at SafeGuard Cyber, convened experts from the tech industry, regulatory bodies, and legal sectors to explore the complexities of ephemeral messaging. If you missed the live discussion, we have created this article that summarizes the main insights from that discussion, enhanced with direct quotes from the experts themselves.

The central theme revolved around the challenges of merging emerging communication technologies, like ephemeral messaging, with the long-standing guidelines of regulatory bodies such as the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ).

Understanding the Complexities of Ephemeral Messaging

Ephemeral messaging, which is characterized by its short-lived messages, has become increasingly popular across various industries. The primary appeal of this communication method is its ability to offer users enhanced privacy, as messages are automatically deleted after being viewed.

"Ephemeral means lasting only for a short time... It refers broadly to the software that automatically erases or deletes a conversation between the sender and receiver," Laura Jehl said. "These apps are intended to keep communications confidential... They're cheaper for communications from international communications in Asia, they're widespread," highlighting the global adoption and economic benefits of these technologies.

Yet, this unique feature also brings about challenges, particularly in the context of regulatory compliance. Regulatory frameworks often emphasize the importance of maintaining permanent records for accountability and transparency. In such an environment, the transient nature of ephemeral messaging can pose difficulties for organizations trying to adhere to these standards while also benefiting from the privacy advantages of such messaging platforms.

Adapting to Regulatory Realities

For firms interested in utilizing ephemeral messaging, understanding and adhering to the SEC's Rule 17a-4(b) is essential. This rule, which emphasizes strict record-keeping, appears to conflict with the temporary nature of ephemeral messaging. The discussion highlighted the importance for firms to not only grasp the rule but to actively adjust their practices. It's not just about meeting regulatory standards; it's about using current communication methods without neglecting these standards.

"The SEC... has actual rules in place for including investment advisors... They've since then engaged in pretty robust enforcement activity," Laura Jehl remarked, emphasizing the SEC's active role in ensuring compliance.

"Our ability to provide your organization with unified visibility... is our ability to use contextual AI... We leverage natural language understanding so we're able to look at the conversations and based upon policies that your organization sets," explained Scott Windfelder, showcasing how SafeGuard Cyber's solutions can aid in compliance.

To address the challenge, the panelists provided several recommendations:

  • Policy Adaptation: Firms should develop and regularly update policies regarding ephemeral messaging use. These policies need to clearly define what can be communicated and how essential messages should be archived for compliance. The panelists also discussed the importance of having robust policies in place to ensure compliance in a Bring Your Own Device (BYOD) environment.
  • Technology Utilization: It's important for firms to adopt technological solutions that can merge the benefits of ephemeral messaging with compliance needs. This could include tools that archive necessary messages without affecting the user's experience. Safeguard Cyber was highlighted for its capabilities to monitor and preserve such communications, ensuring that firms can maintain compliance while utilizing modern communication methods.
  • Training and Awareness: Ensuring that the workforce is knowledgeable about the advantages and challenges of ephemeral messaging is key. Continuous training can help in this regard, as well as fostering a culture of compliance that permeates every level of the organization.
  • Regular Reviews: Given that compliance requirements can change, firms should consistently review and adjust their communication practices to stay aligned with any updates. The panelists emphasized the dynamic nature of the regulatory landscape, both domestically and internationally, with specific references to recent developments in the UK and Germany.
  • Open Communication with Regulators: Engaging with regulatory authorities can provide firms with crucial insights, allowing them to foresee and tackle potential compliance issues. The panelists underscored the expectation of forthcoming DOJ resolutions that may sanction companies for failing to capture information on ephemeral messaging platforms.

Compliance as a Continuous Process

The panelists agreed that when it comes to ephemeral messaging, compliance isn't just a single event but a continuous process. Setting up strong policies is an initial step, but these policies must be adaptable and updated as needed.

Reflecting on the evolving legal landscape, Timothy Heaphy noted, "The policy at Justice... has evolved... now if you're going to use them, you have to have appropriate guidance and controls," underscoring the importance of adapting to regulatory changes.

Furthermore, creating a culture that prioritizes compliance is essential. This means it's not just about directives from leadership. It's equally important to have ground-level training sessions. Every employee, regardless of their position, should be aware of and appreciate the significance of compliance in their daily operations.

Transparency in the Digital Context

Given the increasing incidents of data breaches in our current digital environment, the panelists emphasized the critical role of transparency. Ephemeral messaging, while providing a heightened level of privacy, introduces its own set of challenges. It's essential to ensure that the security and control it offers users don't overshadow the overarching need for transparency.

The panelists were in agreement: if companies want to maximize the benefits of ephemeral messaging, they need to prioritize open communication with all involved parties. This involves making sure that all communications, even if they are temporary, are available when needed. Additionally, managing these records should consistently align with ethical standards and regulatory requirements.

The Role of People in Compliance

When it comes to compliance, particularly in the context of ephemeral messaging, it's not just about automated systems doing the heavy lifting. It requires active involvement and decision-making from humans. While technology plays a crucial role in capturing and storing communications to meet regulatory needs, it doesn't solve everything. The panelists stressed that the heart of compliance is the collective effort of people in an organization. Leadership needs to set clear ethical expectations, making sure that following these standards is a core part of the decision-making process. It's also essential to provide ongoing training to ensure everyone understands not only how to comply but why it's important. An open environment where individuals can express concerns without backlash is also key.

This collaboration, built on trust, emphasizes that while technology supports compliance, it's the human commitment to ethics and doing the right thing that truly establishes a culture of compliance.

Future Directions: Integrating Innovation with Regulation

The conversation highlighted the need for careful integration of new communication technologies within the boundaries of current regulations. As we navigate the evolving digital landscape, the objective is straightforward: use technology as a tool that aligns innovative possibilities with compliance requirements. Moving forward, there will be challenges, but it's essential to continue the conversation. As the panelists noted, discussions around the intersection of digital communication and regulation are ongoing, and the insights from this webinar contribute to that vital dialogue.

See our compliance solution for yourself!

Take a Product Tour