What the Signal IG Report Teaches Enterprises About Communications Risk

This episode touches on a topic we initially covered in Episode #2, where we discussed the Signal/Atlantic group chat with Marisa Darden of Benesch Law. The latest DoD IG report has brought the privacy-vs-compliance conflict back to the front page. So, today we’re going to translate those findings for the enterprise.

  1. Encryption alone isn’t enough. “Secure” tools without retention, legal hold, and privilege workflows aren’t defensible in investigations or litigation.
  2. Policy noncompliance is systemic, not episodic. Treat off-channel/consumer app use as a program problem—fix with policy, training, and controls (not scapegoats).
  3. Consumer apps create governance risk. Even if E2EE, they lack enterprise controls (access, lifecycle, and audit). Expect negative inferences and reduced cooperation credit when data is missing.
  4. Legal hold > convenience. When a preservation duty is triggered, turn off auto-delete, stop using personal/consumer apps, and capture communications in an official system.
  5. BYOD is a discovery trap. Personal devices mix private data with business records; implement MDM with containerization (work/personal segregation), or forbid high-risk work off corporate channels.
  6. Boards need “private yet producible.” Keep board/executive comms separate from day-to-day ops, counsel-directed, and retained in a way that can be produced if required.
  7. Know when to go out-of-band. If primary channels (email/IdP/chat) are untrusted in an incident, shift sensitive comms to enterprise-grade OOB that supports:
    • E2EE + role scoping
    • Immutable, end-to-end-encrypted archives (content not exposed in admin systems)
    • Rapid onboarding of externals under counsel direction
  8. Privilege is a workflow, not a label. Bring outside counsel in early; ensure activities are in furtherance of legal advice (not ordinary business ops).
  9. Design for preservation from minute one. Lock logs, document the chain of custody, make vendor/MSP retention explicit, and separate what’s joint vs. firm-only work.
  10. Avoid “records-avoidance” optics. Policies that rely on auto-delete or off-channel habits invite regulatory skepticism; fix incentives and train to the policy.
  11. Practical do’s/don’ts:
    • Do: publish and train on comms policy; pre-approve an OOB channel; maintain board-only workflows; measure time-to-preservation and time-to-OOB-pivot.
    • Don’t: use Signal/WhatsApp/iMessage for business during holds; let auto-delete run; rely on BYOD for sensitive work; assume encryption satisfies regulators.

Navroop Mitter:

[00.00.03.23–00.00.17.21]

Hello, and welcome to The Lock & Key Lounge podcast. I am Navroop Mitter, your host for today, and I am delighted to welcome back Amy Mushahwar, along with two of her colleagues from Lowenstein Sandler, Kathleen McGee and Rachel Maimin, to our program.

Amy Mushahwar:

[00.00.18.01–00.00.20.22]

Thanks for inviting us. We’re excited to be on.

Rachel Maimin:

[00.00.21.00–00.00.23.01]

Yes, we really appreciate it. Thank you.

Navroop:

[00.00.23.04–00.00.47.18]

All right. On this episode, we’ll be touching on a topic we initially covered in episode number two of The Lock & Key Lounge, where we discussed the Signal/Atlantic group chat with Marisa Darden of Benesch Law. The latest DoD IG report has brought the privacy-versus-compliance conflict back to the front page. So, today we’re going to translate those findings for an enterprise audience.

[00.00.47.20–00.01.14.17]

But before we get into all of that, a bit more about each of our guests. First up, Amy Mushahwar. Amy is one of the rare lawyers who has actually built security programs and not just advised on them. A former CISO and technical consultant, Amy now serves as Chair of Lowenstein Sandler’s Privacy, Data Security, and Data Management Practice. She has led hundreds of major cybersecurity and data incidents, many that impacted millions of individuals.

[00.01.14.19–00.01.41.20]

And she’s routinely brought in when legal risk and technical reality collide. With nearly two decades at the intersection of engineering, privacy, and compliance, Amy brings a practitioner’s lens to questions of governance, retention, and executive communications. Next up, we’ve got Rachel. Rachel Maimin is a partner at Lowenstein Sandler focusing on white collar defense, government investigations, and complex commercial litigation.

[00.01.41.22–00.02.12.21]

As a former Assistant United States Attorney in the Southern District of New York, she regularly advises companies and executives navigating high-stakes investigations where communications, intent, and records preservation quickly become central issues. Rachel’s work sits squarely at the intersection of legal exposure, executive behavior, and defensible decision-making, making her perspective especially relevant as enterprises rethink how sensitive communications hold up under scrutiny.

[00.02.12.23–00.02.50.22]

And finally, and last but not least, Kathleen McGee. Kathleen leverages her extensive government experience representing clients before federal, state, and local regulators on criminal and civil investigations, including by the SEC, DOJ, FTC, state AGs, and many others, and in commercial disputes and advisory matters involving technology, cybersecurity, privacy, consumer protection, AI, and data governance. Her nuanced understanding of how the administrative code affects business provides a rather unique perspective on commerce and law, giving her an edge in advising on regulatory issues.

[00.02.51.02–00.03.13.03]

And with that, I’m actually going to do something that we typically keep as a very quick, short topic overview here. I’m actually going to go back and take a look at what brought us to this point in a little bit more in depth than we would normally do. So, in March of 2025, a Signal/Atlantic Group chat put a spotlight on a problem that enterprises quietly wrestle with every day.

[00.03.13.05–00.03.38.07]

What happens when leaders default to consumer-grade encrypted apps for urgent, high-sensitivity coordination? The immediate controversy stemmed from senior U.S. officials using a Signal group chat to discuss details surrounding U.S. military operations against the Houthis in Yemen and, critically, a journalist from The Atlantic was inadvertently included in that Signal thread. However, this isn’t a red or blue issue.

[00.03.38.07–00.04.03.20]

Really, it’s a purple one, and it’s something that has existed with every administration. This ephemeral messaging issue didn’t introduce a new problem. It exposed a familiar one. For years, across multiple administrations, members of the intelligence and defense communities have acknowledged relying on consumer‑encrypted apps like Signal or early versions of Wickr for “official‑adjacent” coordination when sanctioned tools lagged real‑world needs.

[00.04.03.22–00.04.33.13]

The same tension exists inside enterprises today. When approved systems don’t meet operational demands and users choose to route around them, often with good intentions, real governance has consequences. What makes this story newly current again is the Pentagon Inspector General’s follow‑on review, which resurfaced core issues—not whether end‑to‑end encryption exists, but whether the channel is authorized, governed, and retained in a way that reduces operational and legal risk.

[00.04.33.15–00.05.00.00]

Reporting on the IG’s conclusions indicates that the watchdog found the use of Signal and related handling of sensitive operational details via personal and unauthorized means posed risk and potentially violated policy expectations, even as public defenses emphasized that Signal is encrypted and that no classified leak took place. Their report serves to provide additional context that we think deserves considerable consideration.

[00.05.00.05–00.05.26.16]

In parallel, the intervening months reinforced why this is not just a government problem. Across sectors, incidents and regulators’ expectations have continued to converge on a familiar enterprise reality. End-to-end encryption alone is not a compliance strategy.

[00.05.26.18–00.05.55.02]

Retention duties, supervision, access controls, defensible audit trails, legal hold readiness, and policy enforcement determine whether communications hold up under scrutiny, especially when executives are moving fast, stakes are high, and you must later explain who knew what, when, and why. This episode uses the IG report as a catalyst to pivot from the politics of ephemeral comms to the enterprise lesson: when privacy collides with compliance, consumer apps create avoidable governance and litigation exposure.

[00.05.55.04–00.06.15.21]

And that is exactly where enterprise-grade out-of-band comms earn their keep. And with that, I’d love to dive right in. And Amy, I’m going to direct this initial question towards you. But I would really love for Rachel and Kathleen to chime in as well, because given their backgrounds, I think they’re going to have a lot to say on this topic.

[00.06.15.23–00.06.40.03]

Right. The IG says the Secretary’s use of ephemeral comms violated policy but declines a specific recommendation because the problem is broader. And really, when I take a look at this scenario, what I see is that it’s not just about something that would occur in government or in government contracting, or in government‑adjacent defense or intelligence‑related businesses.

[00.06.40.05–00.06.52.12]

But really, there are broader takeaways for the enterprise. And so the question for you is, what’s the enterprise takeaway when violations are systemic and symptomatic rather than idiosyncratic?

Amy:

[00.06.52.16–00.07.26.21]

Absolutely. I think at base it’s a compliance issue. And let’s take it from the perspective of government contractors, because in our private practice, that’s where we end up in our enterprises and then also commercial industry. On the government contracting side, even if this issue was a simple government contractor issue and someone using an application that they weren’t supposed to, you have security obligations and enterprise system requirements with regard to classified data, which is confidential, secret, and top secret.

[00.07.26.23–00.08.04.10]

You also have security and enterprise obligations with regard to unclassified data that you have access to, which can just be sensitive information or that label CUI or confidential but unclassified information. Typically, you have NIST and/or CMMC obligations with regard to that data outside of the government contracting obligation. So that data, if you are a government contractor and it is subject and it is allocated in one of those classifications, you have obligations to it.

[00.08.04.10–00.08.43.07]

You must use enterprise systems. You must not have unapproved systems creep. Or you could be in violation with the security standards that you are representing to as a government contractor in most enterprises. Outside of the government contracting issue, this is an issue of the fact that you must use enterprise applications for conducting business, and both Rachel and Kathleen can do an excellent job of describing what that means—not just for me, for the privacy compliance systems integration perspective.

[00.08.43.09–00.08.58.02]

But what does this mean in a real‑world investigation where the DOJ may be breathing down your neck, where you might have inquiries from State AGs and the Federal Trade Commission? And I’d love, Rachel and Kathleen, for you guys to chime in on that private perspective.

Rachel:

[00.08.58.07–00.09.37.09]

Sure. So, the question of ephemeral messaging has, as we all know, been top of mind for all government regulators, including the Department of Justice, for several years now. I think there was a time period when people thought that they could use ephemeral messaging and have that not count in connection with document retention requirements, those regulatory requirements, or in connection with the regular investigation.

[00.09.37.11–00.10.10.06]

And the DOJ, SEC, and others came out very clearly explaining that these ephemeral messaging apps should be discouraged because, unless you’re able to actually control what is maintained—which is very difficult since these apps usually exist on people’s personal devices—unless you can really control it, it’s very hard to give a complete response to a government subpoena or a government inquiry.

[00.10.10.08–00.10.39.02]

And you’re going to be dinged by the government in many possible ways, including, for example, if you are trying to get cooperation credit with the government and you are saying that you voluntarily produced documents, but ephemeral messaging isn’t included and you simply say, well, it’s not included because we don’t have it because it was deleted.

[00.10.39.04–00.10.43.10]

You are much less likely to get the cooperation credit that you’re seeking.

Kathleen McGee:

[00.10.43.13–00.11.37.06]

I will jump in off that great point and underscore Rachel’s comments there and say that, irrespective of whether we’re talking about a criminal or a civil investigation, when investigators and regulators see that ephemeral messaging was used, it does arouse a suspicion, and understandably so from the regulator and investigators’ perspective. So just understanding that initially, when an enterprise, when a company, has staff that are starting to use ephemeral messaging, you are already putting yourself in a position that is disadvantageous to the regulator in the event that they initiate something.

Amy:

[00.11.37.08–00.12.15.17]

And might I add, from the technologist perspective, you are likely using an insecure set of communications that’s not enterprise‑grade. SMS—there’s a difference between SMS, I mentioned, iMessage, and Signal. And typically, when we have folks using ephemeral communications, they don’t have enough discipline to understand the true security of the applications in which they’re operating. We want to make sure, from the regulator perspective, they understand that this disadvantages them, potentially in the context of an investigation.

[00.12.15.19–00.12.30.16]

But more importantly, we care about the security of the messages themselves. And if you are communicating company business or perhaps personally identifiable information, you don’t want to be using these apps. Use enterprise‑grade apps for your enterprise‑grade security.

Rachel:

[00.12.30.20–00.13.02.15]

It’s particularly, I think, concerning both from the perspective that you’re discussing, Amy, but also from the government’s perspective. I gather when there are appropriate means of communication for someone to opt against them and use ephemeral messaging, as Kathleen said, it creates the question of why wouldn’t you simply use something just as easy, which is iMessage or Slack?

[00.13.02.15–00.13.32.16]

I mean, there’s so many ways for people to communicate in a secure way. But it necessarily raises the question about why did you switch? And that’s a question that’s arisen in litigation. And people have been able to use—the use of ephemeral messaging to their advantage—the use by opposing parties in various ways.

[00.13.32.18–00.14.23.22]

I’m aware, for example, of a civil litigation earlier this year regarding an employment law issue, and the three defendants in the case—this is a civil case—switched all of a sudden one day from their regular email to an ephemeral messaging app. And the—while the messages themselves were not recoverable, the fact that they were using that app itself was evidence that was presented to the judge who’s presiding over the bench trial. And I assume that the purpose—and I think it is effective—is to show that the people didn’t want anyone to know what they were talking about.

[00.14.24.00–00.14.29.00]

And if you don’t want someone to know what you’re talking about, then you’re probably up to no good.

Kathleen:

[00.14.29.03–00.14.54.10]

There is such a circumstantial inference of intent that goes behind these ephemeral messaging tools that can be very problematic for our clients. I know Rachel and I have both seen that, and I think it’s a reflection of what is the purpose for our clients in using these apps. And they really can be either completely unintentional.

[00.14.54.10–00.15.17.13]

It is a—can be a very convenient way to communicate on a platform that people think is relatively agnostic to the institution. So, for example, if you’re a member of a board, you may want to try to find a way to communicate that’s easy and doesn’t involve implicating your personal phone number and SMS systems.

[00.15.17.13–00.15.42.23]

But I think that the other plausible reason is, as Rachel’s pointed out, sometimes we have, and we’ve seen it before time and time again, individuals who believe that instant message now, see if there are any repercussions later. But the inferences are not positive for them when it comes to a government investigation.

Navroop:

[00.15.43.01–00.16.11.15]

Now, Amy, you and I come out of a space that’s a little bit different than Kathleen and Rachel, in which folks would probably rightfully point and say, well, wait a minute, while you—well, Kathleen and Rachel are talking about things that should be addressed by enterprise policy and training and in mitigating controls—that those policies would probably have to allow for an exception for when official channels are either unavailable or unreliable, like during a breach, right, or Microsoft Teams.

[00.16.11.15–00.16.37.04]

Your Outlook, your email, or other communication systems in general are likely to be surveilled by an adversary during a breach or potentially brought down, or your access cut off. And so, in an enterprise crisis, how should legal and security teams think about exceptional moments that are break‑glass comms at that point? Or are the consumer apps like Signal or WhatsApp okay as is in those moments?

[00.16.37.06–00.16.40.12]

And what would make an out-of-band option defensible at that time?

Amy:

[00.16.40.14–00.17.22.13]

Oh, absolutely. I want to tie off just the last bit of what Kathleen was saying because we shouldn’t—we need to continue to do on the plain vanilla communications, the plain business communications. We need to do a continued good job of educating our user base to make sure that they’re not just communicating haphazardly and sloppily by default, especially given what Rachel emphasized, which is in the event that you are communicating sloppily, you could have the inference that your sloppiness is malfeasance intent.

[00.17.22.13–00.17.54.10]

And you don’t want that, because I truly think that many enterprises are quite often dealing with the fact that we are all on planes, trains, and automobiles, and trying to communicate in the fastest way that we can to get business done in order to make it home to our families. Now, transitioning to the incident response context, I think the ringing truth that we have to communicate as incident response professionals is think ahead, think ahead, think ahead.

[00.17.54.14–00.18.20.19]

You will have a breach in which there will be a moment where you do not know if your Slack channels are secure, if your Microsoft Teams channels are secure, if, for example, your VoIP system is secure. So you have to plan ahead with an enterprise out‑of‑band solution, or you will be left with the circumstance that you are trying to open SMS, text people, to get them onto a bridge where you will have insecure communications going on by default, which is necessary because everything might be bricked and encrypted.

[00.18.20.19–00.19.10.01]

And as we think about out‑of‑band communications, not all out‑of‑band communications are created equal. First of all, in the vast majority of circumstances where we walk into enterprises, they haven’t given out‑of‑band communications a good systematic thought and often think that applications that are already tied to your Active Directory are quite often what they would consider as the out‑of‑band communications that they would use just in—if Teams or Outlook might be compromised.

[00.19.10.01–00.19.39.20]

That’s not good enough, because if you’re using, for example, a Mimecast that technically is still linked to your AD, but it’s not on your enterprise immediately, an attacker might still have access to it. So there’s still the identity component where you need to sever and make an out‑of‑band communication platform truly out‑of‑band. Navroop, the platform that you are CEO of.

[00.19.39.22–00.20.37.16]

We know other platforms, but agnostic to the technology, you need to have identity separate from your domain. Identity needs to be quality control. The communications themselves must be logged, and the platform itself has to be robust enough to work from all of the different geographies that folks are working from and have effective workflows. So even though you don’t have email, you might not have Slack, you might not have other enterprise‑grade communications, you have a platform that you can work in, have appropriate workflow, have thought through, and have, for example, your IR plan loaded in there, your vendor plans, your appropriate vendors loaded in there, so you are not rushing and racing for what you need to do outside of that comms platform.

[00.20.38.02–00.20.51.01]

And to Kathleen and Rachel’s concern, if there ever is a governmental investigation as a result of your activities, you’ve got a platform in which it is the—we’ve got the communications preserved.

[00.20.51.03–00.21.21.07]

So we have a very good log of the difficult decisions that you need to make in the first few hours of investigating a breach, all throughout the end of the investigation, triage, and remediation process. It’s super important, and we wish that most of—many more of the enterprises that we walked into had a more conservative—concerted thought of do I have a real out‑of‑band communication solution?

[00.21.21.09–00.21.37.18]

Does it have the data in the workflows I need loaded on top of it? And is it robust enough for me to actually do what I need to do to get internal comms organized and vendors hired? And, by the way, to do this all under privilege.

Navroop:

[00.21.37.20–00.22.07.01]

The only thing I’d add there is that you’d likely need to address the topic of security of those communications. Those communications likely need to be more secure than the other day‑to‑day tools you’re using. Because if they’re not, the channels you’re relying on to be resilient enough, in that scenario, are likely going to succumb to the same kinds of attacks launched against the rest of your day‑to‑day platforms, and so that upleveling to end‑to‑end encryption is likely going to be pretty critical in that moment.

[00.22.07.03–00.22.25.07]

But, yeah, Amy, I agree wholeheartedly. In fact, I’d love to have you and Audrey Wade, who’s from one of our banking clients, come back on to actually talk about all the kinds of things you would preload into the system to help facilitate that workflow. Shifting gears, though, back to the preservation side of the house.

[00.22.25.07–00.23.07.01]

And this may be more of a Rachel and Kathleen question, but Amy, certainly as well too, when it comes to preservation, it’s one of the key issues that we keep coming back to on consumer apps. Right. And so the IG piece cites that there’s a Federal Records Act that requires a 20‑day forwarding requirement. Right. And concludes that auto‑deleted, wiped messages—sorry, auto‑deleted, wiped messages—in this case prior to that preservation. And so, from an enterprise context—may I just report an aside for a second—how should they translate that into their own retention and legal hold obligations if, for example, they are using one of these consumer‑grade apps that wasn’t really built for enterprise requirements?

Rachel:

[00.23.07.04–00.23.46.13]

Well, I think that in an ideal world, they would be able to switch to an app that makes it as easy as possible to collect documents, because when you receive a government subpoena, or you’re in the middle of an SEC exam, or even a subpoena in a civil litigation, you don’t want to have to go to every single person’s personal device and make a forensic copy of whatever messages happen to still be on that app.

[00.23.46.18–00.24.26.16]

It’s extremely expensive. It’s almost certainly more expensive to do that than to invest in an application that’s going to be more secure, and you’re going to be contending with the potential adverse inference that I mentioned before. That being said, I am—sometimes I work with international startup companies, and they’re using WhatsApp. I advise them not to do that, but I certainly advise them to turn off the auto‑delete feature to the extent that can be turned off.

[00.24.26.21–00.24.47.01]

You’re at least in a situation where you’re not going to be dealing with the adverse inference. You’ll still have to deal with the expense of collection that is increased by using WhatsApp. But you won’t—you’ll be able to show that you were acting in good faith.

Kathleen:

[00.24.47.01–00.25.22.21]

I wanted to sort of close the gap between what Amy and Rachel said by adding that fairly regularly, when Amy and I are initially engaged for the client who’s going through a threat actor experience of a data security incident of some sort, and they don’t already have, as part of a tabletop IR plan, a messaging communication strategy, they are resorting to creating burner email accounts on personal devices.

[00.25.22.22–00.25.46.05]

This is something that is probably just as bad for a whole host of reasons. First and foremost, as Rachel already mentioned, what we don’t want is for our clients and the individuals working at those companies to have personal invasions of privacy. And yet that is going to happen regularly, and those devices have to be preserved.

[00.25.46.06–00.26.19.16]

Now, those other accounts have to be preserved. And it really creates an unfortunate intrusion and conflagration of privacy issues for personal and work devices.

Amy:

[00.26.19.18–00.26.43.01]

But let me be a bit more pointed, having been the attorney who was the CISO who’s had to go through folks’ browser history and other things that you capture when you capture a device or a home computer of someone sloppy. Please don’t—please put your HR team and your security office in a better position than, in my past life, what was subjected to me. You don’t want someone to have to look at your personal browsing history, your personal files on the Files application—the file share of your iPhone.

[00.26.43.01–00.27.19.15]

And that’s going up into the iCloud. There are just some things that you really do want to keep professional communications and personal communications completely separate. And Kathleen’s trying to very delicately say this—and maybe I will just say it not so delicately—to the extent that we really can drive enterprise users to enterprise‑grade applications, it protects their privacy, it helps with ESI and retention issues, and it helps us avoid a negative inference when you are in the middle of an investigation.

[00.27.19.15–00.27.58.22]

So it’s just good business all across the board. But to motivate personnel, I would certainly use the privacy issues that Kathleen so delicately raised, because nobody wants someone going through your personal information as we’re trying to pull out information that was related to conducting business, and specifically in the context of a breach, there are so many initial decisions and discussions that have to occur that you have to search broadly.

[00.27.59.00–00.28.25.23]

So we can’t help, as investigators and as IR professionals, to preserve broadly ‘cause it’s often necessary in the context to understand what truly happened. And we do want to promote business communications and understand what did happen, but also protect the privacy of employees where we can do so. And we can show good separation between those sets of communications.

[00.28.26.01–00.29.19.06]

And Kathleen, really great point to emphasize, ‘cause we want to protect employees, and most of the time, employees are doing the right thing and trying the hardest that they can under very difficult situations. And we don’t need more mess in that process.

Kathleen:

[00.29.19.08–00.29.54.08]

Yeah. And I think the other thing we can take from that is even any non‑emergent situation—for example, the traditional business of being on a board when a board is constituted of two individuals who work for separate institutions—those other organizations do not want their servers subject to a subpoena in the event that there’s, for example, a shareholder dispute that implicates the board. And having an enterprise solution that allows board members to easily communicate on board matters in a way that doesn’t implicate their individual companies’ servers is a problem looking for a solution. So it doesn’t always have to be a personal matter. It can certainly be the integrity of other companies that are investor companies, all the time, are looking for solutions for ease of communication with their portfolio companies in a way that doesn’t intrude on their own institutional integrity.

Navroop:

[00.29.54.13–00.30.06.01]

So I’m doing my best not to think about all the things that Amy had to see as a CISO and an attorney along the way, ‘cause, God, I can only imagine what was in that browsing history, but…

Amy:

[00.30.06.03–00.30.09.23]

Oh yeah, you don’t want to—look, we’ll just move on, man.

Navroop:

[00.30.10.01–00.30.48.00]

We’re going to move on from that one. That’s a topic for the bar one day. But, Kathleen, I think that’s actually a really great point. Right. So boards and executives are probably acutely aware of the fact, or at least I imagine they would be, that if they’re using their home company’s email or personal email for their communications related to their work and efforts on the board of another company, and/or many companies, that that likely means that all of that could get swept up at some point and become problematic for more than just one entity.

[00.30.48.02–00.31.22.15]

So given that, why might executives and boards actually bypass—I guess that explained why boards and executives might bypass enterprise tools like their normal day‑to‑day email for your shadow IT—but how then should their oversight teams and counsel be responding to that? Should they then be actively looking for those kinds of solutions, like you’re mentioning, something that allows them to cordon off that particular board‑specific way, their communications into its own capability that’s secure? What should oversight teams and counsel be responding with?

Kathleen:

[00.31.22.18–00.31.59.08]

I think that in the first instance, a general counsel and IT for companies that have sophisticated boards should be thinking about ways to streamline communication and make it as easy for their board members to communicate board‑sensitive material in a way that makes it easy for those board members. The reality is that if you are an investor sitting on a company’s board, you have a lot on your plate every day, and the last thing you want is to have to have yet another email account to address.

[00.31.59.10–00.32.26.14]

Email has become the logjam of our day, irrespective of what your job is. So coming up with a system like an enterprise communication system that is really easy to use and is designated explicitly for board conversation, and has a facility of use that comes naturally. We are all now used to text messages. We are all now used to, for example, the Zoom chat at work—whatever it is.

[00.32.26.16–00.32.49.12]

And those have become the go‑tos, at least in my day. Email is the last thing that I’m dealing with every day. And there’s a backlog. So I think that from larger enterprises, when they’re thinking about how to address board communications and how to facilitate ease of communication in a way that’s controlled and maintained, these enterprise solutions are a real potential solution for that.

Amy:

[00.32.49.14–00.33.22.08]

Yeah. And I would add to that, even if you don’t have the problem of being on board for company Y and using email Z for company Z ’cause that is a problem. That is potentially archiving business communications from another company in the context of your board role. Or, if you don’t have an out‑of‑band solution or a platform, you don’t have workflow.

[00.33.22.10–00.34.03.03]

And to just emphasize something that Kathleen mentioned as an administrative point. But all of us are grounding in email, and we want to make sure that for e‑discovery, for federal communications, for all the good litigation reasons, you keep appropriate business communications of your board versus primary business communications separate. But to truly make sure that tasks are tracked and board communications are actioned appropriately, and people actually get their task list done—wow, does workflow make that much more efficient.

Navroop:

[00.34.03.06–00.34.31.15]

So I’m going to jump ahead to something else. We’ve kind of already been talking—we’ve already talked about investigations and sanctions exposure and cooperation credits. I think Rachel touched upon that earlier. Rachel also mentioned having to use WhatsApp with some of her foreign startups that she’s worked with, and I’m assuming a lot of them probably still leave on those privacy‑by‑default or disappearance‑by‑default settings on these various applications.

[00.34.31.16–00.34.51.11]

But if and when a litigation hold or regulatory inquiry does attach at that moment, what are the changes that they need to introduce? Is that when, Rachel, you would suddenly say, hey guys, I know we’re using disappearing messages now, but we’ve received the following. Here’s the changes you need to make. At what point does privacy become a spoliation risk?

Rachel:

[00.34.51.16–00.35.24.13]

Well, the moment that the obligation to preserve material arises—which is when there’s a reasonable expectation of litigation, or when you receive a subpoena, or essentially any government inquiry—if you want to be conservative and careful about it, you certainly want to turn off, on every possible device that messaging or response material may exist on, you want to turn off auto‑delete.

[00.35.24.15–00.35.51.06]

So let’s say you already were doing an auto‑delete. You have to turn it off, as a matter of law, when you have an obligation to preserve—because then you’re looking at spoliation of evidence, which is something that can lead to negative inferences in front of a jury or a judge and can actually make or break a case.

[00.35.51.08–00.36.48.20]

And as we’ve discussed, sometimes people are using these ephemeral messaging systems in a totally innocent way. But the moment that preservation obligation comes into play, it’s absolutely critical that nothing be deleted. So, however that can get accomplished, it should be. Typically I tell everyone—my clients—to ensure that auto‑delete is turned off, and if they have been using text messages to conduct, for example, their work, which is very common, we’ll make an immediate—as immediate as possible—forensic image of that phone, trying to avoid the personal stuff.

[00.36.48.20–00.37.03.07]

But thoroughness is more important than privacy at that point, in terms of the balance, because you certainly don’t want to run afoul of the law in an effort to protect an employee’s privacy.

Navroop:

[00.37.03.10–00.37.28.07]

So it wouldn’t be enough to just say, sorry. Judge, mea culpa, we had the disappearing messages on by default for the past two years prior to there ever being a real preservation requirement, and we forgot to just turn it off when this litigation hold, or financial subpoena, or whatever it is suddenly came. It wouldn’t be just enough to say, mea culpa, this was just the long‑standing practice. We forgot to address this.

Rachel:

[00.37.28.09–00.37.56.14]

No, I mean, the Department of Justice and other—and regulators have specifically stated that they will not accept the excuse, oh, well, we would produce it to you. We’d love to produce these messages to you. We just don’t have them because we were automatically deleting them. We weren’t doing anything on purpose. We were just automatically deleting them.

[00.37.56.16–00.38.45.02]

That excuse is no longer acceptable to the extent it ever was. And so you absolutely cannot rely on a good‑faith, innocent use of ephemeral messaging—which, of course, as we discussed, does exist—to avoid your document preservation obligations, which, whether it’s a government inquiry or a civil case or whatever it happens to be, means that nothing gets destroyed that’s potentially responsive. And when you’re at the very beginning of an investigation, you’re still figuring out what’s responsive.

[00.38.45.03–00.38.57.05]

It’s best to turn off all auto‑delete. You can’t really start picking and choosing until you have more information, and you have to immediately begin preserving.

Kathleen:

[00.38.57.07–00.39.24.06]

I did want to jump on one thing that has come to mind as Rachel’s been talking. Very often we are counseling clients in non‑emergency situations—just regular vanilla counseling—on document retention periods and helping them to establish appropriate data retention relative to the use of data and the type of industry in which they—the company—slots in.

[00.39.24.10–00.40.05.15]

And ephemeral messaging as a communication device would certainly qualify. And so I’m not—I am certainly not—trying to come up with a workaround, but what I am saying is, in regulatory inquiry, they’re going to want to know about all forms of communication, as Rachel’s rightly pointing out. And if you go into your traditional document retention policy and establish why it was reasonable for you to set a cadence on certain types of communications, that is somewhat defensible.

[00.40.05.15–00.40.28.20]

It is certainly not defensible to say we use Signal or WhatsApp or any of the other ephemeral messaging to avoid our document retention schedules. But this is just to say that is another tool that investigators are going to be looking at. Do you have a document retention schedule? Can we take a look at where this slots in?

[00.40.28.22–00.40.56.16]

And if you haven’t gone through that document retention schedule and put a hold on those documents relative to whether or not they exist in a certain period of time, that’s going to be a problem.

Amy:

[00.40.56.18–00.41.33.12]

Yeah. Can I loop back to—and just, Navroop—to the original question, ‘cause I think it’s also the dynamic of can we justify use of these communications because of employee privacy? The macro policy stance, too, within your organization also needs to be that you need to check your employee acceptable‑use policies and BYOD policies, and make sure that you have sufficiently disclaimed the right to employee privacy over, of course, enterprise‑grade applications, but also where you are, anywhere you’re conducting business communications. So Kathleen and Rachel can loop back and get the information that they need to get and preserve in the event that they are helping defend a company in the middle of an investigation.

[00.41.33.14–00.41.58.04]

So ephemeral communications demand for us to look at our retention schedules to make sure they’re justifiable, and that we have—where we have—these enterprise platforms, where appropriately both defining them and subjecting them to the legal‑hold process. So we don’t have a role of a communication issue, but also that our policies are sound.

[00.41.58.06–00.42.23.14]

So we have the ability where employee communications may fall between the cracks and go on to non‑enterprise‑grade communications, that we’ve sufficiently looked at our employee policies and made them as strong as we can with regard to the company’s right to reach and preserve the communications that it needs to defend itself in the event of an investigation.

Navroop:

[00.42.23.19–00.42.53.14]

So as Rachel and Kathleen were speaking, I was reminded of something that’s come up on multiple of our other podcast episodes, particularly when lawyers are on. We’ve often spoken about the fact that the SEC and the CFTC ended up issuing—what, roughly 3.4 billion‑plus in fines now—to some of the major financial institutions. I think it’s somewhere around 40‑ish or so that those fines were across at this point, and it wasn’t for necessarily doing anything wrong.

[00.42.53.14–00.43.18.16]

It was really just about not having met their business‑records retention obligations when they couldn’t produce a copy of what was said over a Signal or WhatsApp thread or some other consumer‑grade messenger. And so it sounds like that failure to be able to produce records can result in very real fines. But Amy, on this last point, you’re talking about policies, and we think about policies.

[00.43.18.18–00.43.46.18]

A lot of what leads to problems in and around policy really comes down to training. Right? And I think the IG report specifically highlights missing comprehensive mobile or application policy, uneven controls, and, very importantly, inadequate training. Right. That may have contributed to this loss or the deletion of messages inadvertently. So what should robust corporate policy—but also, very specifically, the training—include?

Amy:

[00.43.46.23–00.44.33.08]

Oh, absolutely. So, policy—we need to disclaim the right to employee privacy over any corporate device, over any corporate platform that may be put onto a personal device, most commonly email, Slack, and other enterprise‑grade applications. And also, to the extent that someone is communicating over personal channels, over a personal device, making sure that they are aware that, if they are using that device for those communications, there is the possibility that that device must be preserved in order for a company to defend itself.

[00.44.33.10–00.45.21.06]

That needs to be echoed in your acceptable‑use policy, in your BYOD policy, and your general statements with regard to employee conduct. So often what we will see is that if you don’t have a strong disclaimer of the right to privacy, you ought to have gaps in what you can preserve, so that creates almost like problem one when you’re going through an investigation. On the training side, all too often the security—annual security awareness training—is very focused on phishing, as it should be, very focused on deepfakes and social engineering, as it should be.

[00.45.21.08–00.45.48.22]

But oh boy, does it also need a section on how to communicate securely, and that you need to keep communications over company‑grade apps. List what is acceptable. Identify these are corporate‑supported apps, these are not corporate‑supported apps, and may subject your personal device to being seized in the event that we need a—that we need—the company needs to defend itself within the context of an investigation.

[00.45.49.00–00.46.31.02]

Doesn’t take very long to do, can take—and can be—a five‑minute conversation. It can be a chart in a PowerPoint. But as a company, you want something that you can point to to say, I, as an enterprise, have done a reasonable job of trying to train my team, and even better, A‑plus Gold Star goes to the companies who also have those IT reminders of the months and occasional emails regarding, “Hey, this is how we want our employees to communicate,” because we want to signal this in training and then reinforce it with culture, because that’s how you make meaningful change happen.

Navroop:

[00.46.31.04–00.47.06.10]

And it sounds like a lot of that needs to be done situationally, right? Because your communications needs during business continuity or disaster recovery or incident response, or even based on your role. Right? Say you’re an executive for the board, and you almost want a classified tier of communications, kind of separated away from IT insight. It almost sounds, either based on the role or situations, that there may need to be different examples provided then in that chart or that PowerPoint slide—whatever it is—on how to appropriately communicate for those circumstances.

Amy:

[00.47.06.12–00.47.41.05]

Yeah, this is a big question, but I can answer it really succinctly. You are, Navroop, 100% right that training needs to be specialized for the occasion in which you’re dealing with. For everyday business communications, annual security awareness and reminders are important. For additional government contractor—I’m going to say government contractor—in heavily regulated communications. So, financial services, HIPAA, you name the U.S. sector‑specific regulation, you have specialty training for that.

[00.47.41.07–00.48.03.05]

When it comes to true incident response and/or board communications, you also need training for that. That’s the reason why we tabletop and crisis‑comms tabletop. And so, as we are looking at training as an animal, it is not a one‑size‑fits‑all operation. And you need to think of, what do everyday users need?

[00.48.03.07–00.48.30.15]

What do boards need? What do I need for my highly regulated communications that might be subject to additional security standards? And then you divvy up process. But also, as we’re talking about out‑of‑band communications platforms, you make sure that the process identifies what enterprise platform should be being used for the circumstances under which that employee is dealing with.

Navroop:

[00.48.30.17–00.48.51.18]

We’re going to hit pause here. I want to say thank you for spending time with us on this conversation. As we were recording, it became clear this was one of those conversations that deserved more space than a single episode would allow. So this is part one of our discussion with Amy, Kathleen, and Rachel.

[00.48.51.20–00.49.18.17]

In part two dropping in mid-January, we’ll pick up right where we left off and continue unpacking what these issues mean for enterprises that are navigating privacy, compliance, and executive communications. We didn’t want to rush a great conversation, and I’m grateful you’re along for both parts. If you enjoyed this episode of The Lock & Key Lounge, or if you have a unique perspective, a question we should tackle, or a guest you think we should bring into the lounge, we’d love to hear from you.

[00.49.18.19–00.49.40.11]

You can reach us at lounge@armortext.com. Also, be sure to visit armortext.com/podcast to catch up on other episodes of The Lock & Key Lounge. These are also available on Apple Podcasts and Spotify. Until next time, keep your communication secure, compliant, and intentional.
