Why Enterprises Simply Can’t Take CISA and the FBI’s Guidance at Face Value.

After the Salt Typhoon breaches in telecom, both the FBI and CISA urged Americans—especially businesses—to use consumer end-to-end encrypted messaging apps for greater data security. However, other federal regulators (e.g., DOJ, SEC, FTC) have made it clear that ephemeral messaging can land corporations in hot water if key data is lost or destroyed. In other words, enterprises could unknowingly violate recordkeeping, discovery, and compliance obligations if they adopt ephemeral messengers (Signal, WhatsApp, iMessage, etc.) without implementing robust retention or governance. We’ll explore these conflicting signals and ask how companies can protect themselves.


  1. Conflicting Guidance on Data Security: Agencies like the FBI and CISA promote using end-to-end encrypted apps for security, while the DOJ, SEC, and FTC warn that failing to retain records from these tools can lead to compliance violations.
  2. Challenges of Ephemeral Messaging: Apps that auto-delete messages may enhance privacy but pose serious legal challenges for data retention, discovery, and regulatory audits.
  3. Shifting Regulatory Stance: Once skeptical of encryption, agencies now endorse it, but without clear rules on how businesses can reconcile security with retention obligations.
  4. Legal and Financial Exposure: Failing to preserve communications can lead to hefty fines and regulatory action, as seen in SEC enforcement cases.
  5. “Going Dark” Dangers: Without proper retention policies, encrypted messaging can make key data inaccessible, exposing companies to legal risk.
  6. Policy Recommendations: Legal teams and CISOs should implement clear policies for ephemeral messaging, balancing privacy with compliance and choosing secure tools that support recordkeeping.
  7. BYOD Policy Blind Spots: Outdated device policies often ignore modern apps and privacy concerns, creating gaps in control and visibility.
  8. Regulatory Uncertainty Ahead: Federal guidance remains inconsistent, but state attorneys general may step in with stricter enforcement using local laws.

A Personal Touch: Marisa closes by toasting with Barolo wine after major litigation wins—a lighthearted end to a serious conversation on cybersecurity and compliance.

[00:00:04–00:00:30]

Navroop Mitter:

Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, armortext.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.

[00:00:30–00:01:28]

Navroop Mitter:

I’m delighted to welcome Marisa T. Darden to our program.

Marisa Darden:

Well, good morning, and thanks for having me. I’m super excited to be here and talk to you about this, Navroop.

Navroop:

Marisa is a chair of the White Collar, Government Investigations, and Regulatory Compliance Practice Group at Benesch. Marisa is a former state and federal prosecutor who has successfully tried more than 15 complex criminal cases to verdict. She handles a range of investigations, including bribery, corruption, the Foreign Corrupt Practices Act, and high-stakes cybersecurity matters. Marisa regularly advises companies and individuals facing civil or criminal investigations, helping them navigate regulatory scrutiny and develop forward-looking compliance strategies. She’s recently authored client bulletins dissecting the so-called Salt Typhoon breaches and the conflicting or even contradictory stances taken by different US agencies on secure communications, especially ephemeral messaging.

[00:01:28–00:02:36]

Navroop:

Now, today, we’re going to be discussing why enterprises simply can’t take CISA and the FBI’s guidance at face value. After the Salt Typhoon breaches in telecom, both the FBI and CISA urged Americans, especially businesses, to use consumer end-to-end encrypted messaging apps for greater data security. However, other federal regulators—for example, the Department of Justice, Securities and Exchange Commission, and the Federal Trade Commission—have made it clear that ephemeral messaging can land corporations in hot water if key data is lost or destroyed.

In other words, enterprises could unknowingly violate recordkeeping, discovery, and compliance obligations if they adopt ephemeral messengers like Signal, WhatsApp, or iMessage without implementing robust retention or governance. We’ll explore these conflicting signals and ask how companies can protect themselves with our expert, Marisa. So, Marisa, were you surprised to see the FBI, an agency historically critical of strong encryption and supportive of backdoors, suddenly advocating for consumer end-to-end encrypted messengers?

[00:02:37–00:04:54]

Marisa:

In a nutshell, yes, I was very surprised. The interesting thing about ephemeral messaging lately is that, for years, the Department of Justice didn’t really focus on it, and other regulatory agencies, including the Securities and Exchange Commission, were a bit more front-loaded or heavy-handed about regulating their businesses and giving instruction about how to handle data as more and more people started using phones. And so, in 2023 and 2024, the Department of Justice, under the Biden administration, did come out and say for any criminal investigations that are corporate in nature, you will not get full cooperation under scrutiny from the agencies or from the organizations if you’re not providing text messages and other data that could be stored on your employees’ phones. They did not provide any sort of specific information about how to retain that information or the rights and responsibilities that would have to go with storing that type of data.

They really didn’t even talk about specifics related to the type of chats or messaging platforms one should use. But they made it very clear that you have to retain the data in order to provide it to the government, should they want to look at it. So for the FBI and other federal agencies to now come out and say, well, yeah, we recognize, in a modern world, everybody’s using text messaging and everyone’s using data—phone data—to communicate on a business channel.

But you can go ahead and use an end-to-end user-encrypted system to do so. And, in fact, we’re encouraging you to do that to protect your data, without also providing a piece that gave guidance about what the responsibilities and rights would be for a business to have access to its employees’ and end-user encrypted chats—or the type of sanctioned applications that would ensure retention of such data—seemed a little bit out of left field.

[00:04:55–00:07:01]

Navroop:

I couldn’t agree more. From your perspective, what’s driving the clash between law enforcement agencies encouraging encrypted apps and the other agencies demanding rigorous data retention? Surely, the left hand must know what the right hand is doing.

Marisa:

One would hope, Navroop, but I think, particularly in this political environment, we just can’t be sure that that’s accurate. I wonder if the main source of contention is access to technology and information.

The FBI and some of the other sort of three-legged agencies on the ground—they’re much more poised to have a better sense of what’s actually confronting the modern consumer. FBI agents are actually interacting with people on a regular basis. And the powers that be in the Department of Justice and the SEC can sometimes be a bit cerebral and slower to implement practical, pragmatic change and advice.

That’s very evident in the Department of Justice—I think was a great pick in many respects as the attorney general. But, colloquially, I think those of us who have been around the block have said, “Don’t put a federal judge in charge of an agency because federal judges are deliberate.” They often want to research every minutia opportunity.

And sometimes they sort of overthink things. And I think there was a lot of evidence in the department that the Garland administration was doing that, and making it really difficult to accept more pragmatic on-the-ground advice. Historically, the department hasn’t had good technology.

It’s four or five, eight years behind what’s going on on the ground, also. And so, it really is only recently that FBI has more modern technology that could even intercept or crack phones that had end-user encrypted services on it. They’re still not 100 percent able to real time get a lot of the information that people might be using or sending on Signal, or Kik, or WhatsApp, or even through Apple iMessage.

[00:07:01–00:11:48]

Navroop:

It’s interesting that, while the Department of Justice has historically been incredibly deliberate and slow moving to provide this type of modern guidance, that ultimately they did come to a balance point that said, “You are able to use these technologies so long as you ensure that you don’t run into these other legal and compliance pitfalls that we have.” Right? It appears that, at the moment, it’s the CISA and FBI who, in theory, should be more aware of how these technologies work and what the potential alternatives are, that are actually taking us a step backwards and potentially creating a situation where enterprises go dark by using certain end-to-end encrypted consumer apps. And so that brings me to my next question here, then, if an enterprise were to go dark, so to speak, what kinds of legal and compliance pitfalls could they face?

Marisa:

Yeah. And just so I’m clear on the term “going dark,” you’re saying if a business uses end-to-end encrypted consumer apps and they’re not able to retain that information or see it or control it, that’s what you mean by “going dark”?

Navroop:

Absolutely.

Marisa:

Okay. Yeah, it’s a problem in a nutshell. Even if FBI is going to shout from the rooftops that it’s okay to do it, that does not mean that law firms or lawyers are going to recommend that companies or businesses should. There have been a slew of examples, largely actually coming out of the SEC, more so than other industry regulatory agencies, that demonstrate that, if you don’t have access to your employees’ data or work that’s taking place either via text message or end-to-end encrypted user apps, you’re facing, at a minimum, regulatory intervention and, at maximum, civil and criminal penalties and fines. I think a lot of people are very aware of various Wall Street firms that were fined for failing to preserve electronic communications as required under federal law.

A bunch of agencies, organizations, and businesses were all fined after not being able to provide regulators the information that they requested pretty much on the spot. We’re not really sure in the Trump administration how that’s going to move, change, or be implemented or advised, I guess, whether the new SEC chair will take that as seriously. But you can imagine that, as technology continues to improve, this isn’t going to go away.

And so, we’re also looking at and sort of monitoring how state investigations and state attorneys general will sort of pick up the slack if the federal government’s not prepared to more fulsomely investigate cases where people might be using phones to do something illegal or nefarious. One of the other examples I know is a big enforcement priority for the department back in, I think, 2022, was a specific business that had a bribery and corruption investigation involving an allegation that their employees were bribing Egyptian consulates and Egyptian government employees to have favorable oil and gas contracts. And the parent company, which was a US company, found this information, was able to track that information by seizing the employee’s phone, and then gave that information cooperatively and willingly to the Department of Justice, which resulted in a very favorable outcome for the agency or the business.

They individually prosecuted the employee, who was eventually fired, but the business was able to pay a fine, and the government declined to prosecute them as a result. And if they had not had access to that individual’s phone, this would have been a very different outcome. So we’re counseling not only to companies to have a clear understanding of their ability to access this material, but to have policies and procedures in place that clearly outline and delineate the power that the business has to seize an individual employee’s phone.

Navroop:

That makes a lot of sense. With respect to the fines issued by the SEC and, I believe, the CFTC alone in the banking sector on failure to deliver the required business records that had been requested, I believe the fines now total approximately three and a half billion dollars. So not an insignificant amount.

Marisa:

That sounds about right.

[00:11:49–00:13:30]

Navroop:

Beyond, though, what you just said about the preliminary guidance you’re issuing to folks, I’m curious as to what advice you may have for CISOs or legal teams who feel stuck between the CISA and FBI guidance on encryption and their own regulatory obligations to maintain audit trails—the kinds of advice you were diving deep into in those client bulletins that we saw online from Benesch.

Marisa:

You actually are probably in a better place to answer that question, Navroop, because your technology, I think, solves a lot of the common problems that some of these businesses might be facing.

So, I guess I’ll push the question back on you. But, at a high level, we recognize and acknowledge the need for security in this environment and certainly want to prevent data from being leaked or otherwise making the business vulnerable in any sector—but want to make sure that that’s balanced very cleanly, clearly, and articulable in writing what the company plans to do in order to have some visibility and capture authority on the work that their employees are doing on any encrypted device.

Navroop:

From our perspective, only because you’ve pushed it back over here, we do think there’s a distinction between enterprise security and enterprise privacy applications. Both would provide things like user management and some degree of policy enforcement, but it is the former—the enterprise security applications—that have taken into account the regulatory, statutory, and legal obligations that an organization may have for things like business records retention or the maintenance of audit trails.

Marisa:

That makes sense.

[00:13:31–00:16:11]

Navroop:

Here’s another one for you, Marisa. Where do you see the biggest blind spots that executives miss in their incident response or communications playbooks, especially around ephemeral messaging?

Marisa:

That’s a great question. I think there are two blind spots.

One is 15 years ago, companies had a lot more control over what their employees were doing because they issued phones. I think, over time, businesses, particularly publicly traded companies, felt like that was too expensive or there wasn’t a need as people shifted to smartphones. And then there was a Bring Your Own Device policy.

Many corporations and businesses kind of left their technology there. The last sort of written piece of advice or written guidance or policy that they have in their arsenal or in their compliance regime is a Bring Your Own Device policy. They haven’t updated it to reflect apps or other modern technologies, and they haven’t really updated it to account for privacy concerns.

And that puts you in a host of hot water for a lot of reasons. And businesses have been loath to also give themselves, or deputize themselves, the authority to seize individual personal phones because they don’t want to turn into a quasi-state where they’re worried about privacy concerns of their individual employees. So, in a perfect world, we’ve asked a lot of our businesses to consider going back to giving out work devices or encouraging a financial stipend that would allow employees to have two phones.

As someone who had, as a government employee, who had two phones for 10 years, I can tell you it’s arduous, and it sort of sucks. But, at the same time, it allows the corporate entity to have much more visibility and control over how the clients, third-party vendors, subsidiaries, and other outside actors behave with their individual employees. So, we’re sort of encouraging that, but if that’s not possible, or you sort of can’t put your BYOD policy back in the can and start fresh, then we recommend drafting a very comprehensive ephemeral messaging and phone policy that helps create expectations for the employees up front about the type of information that they may be subject to turn over to their employer should an investigation become necessary.

[00:16:11–00:18:26]

Navroop:

Now, one of the challenges I see, though, is that, regardless of whether it’s a corporate-issued device or an employee’s BYOD device, using the wrong communications technologies could still hamper your ability to easily comply with a business records request that you are supposed to deliver against in a timely manner. It may still end up costing you the same level of extended effort in collecting and imaging devices and having to pull information and then prove that nothing had been tampered with prior to the point that the corporation started to do that imaging effort. So, I can see that even in those scenarios where it is a corporate-issue device, there’s probably a good reason to start to re-examine what kinds of technologies we use, even when we desire secure messaging.

Marisa:

Oh, absolutely. Absolutely. And also, have a retention policy that’s attached to your device policy. So how many weeks are you keeping your team’s chats? How long before your Slack channels are deleted? What settings are you going to put on either your BYOD device or your corporate device to make sure that text messages never get deleted, or Apple iMessages are always retained? And what kind of technologies even exist right now to make sure that your data is safe, but you can easily access and retain that information and turn it over? WhatsApp and Slack and, not Slack, but WhatsApp and Kik and some of these, and Signal, some of these—they’re really hard to pull data from and don’t always allow the corporation to provide that information in a fulsome way to the government.

And the government lacks the technology to celebrate or to extract full, comprehensive data. If, for example, your employee is talking to a sales vendor in a highly corrupt nation where you do business, and they’re FaceTiming each other or using some sort of chat mechanism that’s video, that information isn’t captured in most modern applications.

[00:18:27–00:19:32]

Navroop:

Absolutely. I could not agree more. I think there’s a need to especially start to loop the legal and general counsel functions into the requirements-building process. So, as these kinds of technologies are evaluated, a lot of these legal things are addressed up front rather than as an afterthought.

And we’ve seen some of that start to take place, especially in banking, but also in places like energy.

Marisa:

A hundred percent. Energy is a perfect example of that. And Ohio has had a lot of issues, in particular, with bribery and corruption recently in the sector. And phones were a big part of the exhibits, examples, and other sort of information that the Department of Justice used to indict and criminally investigate the regulatory industry, the regulators, and the individual executives in the energy systems. There’s another big case in Chicago that involved an energy company where phones played a crucial part in that as well.

[00:19:33–00:21:48]

Navroop:

Now, looking ahead, do you think we’ll see a regulatory shift or more explicit set of unified guidance from the federal government?

Marisa:

It would certainly be my hope that FBI’s guidance post-Salt Typhoon and the Department of Justice’s and the SEC’s guidance on ephemeral messaging could sort of get on one page and help our clients have a better understanding of what their obligations are to meet DOJ standards. It’s really hard to know. I think Pam Bondi, as the new attorney general, has sort of come in being very clear that FCPA enforcement is not their priority, for example.

But that doesn’t also mean that you’re not going to have an obligation as a corporation or business to answer to some regulatory agency if there are issues regarding the Foreign Corrupt Practices Act going on in your business. So, maybe you’re not going to spend $10 million on legal services trying to prevent that from happening. Maybe you’re only going to spend a million dollars.

I think that will be some of the shift, is like companies will start to do more of the bare minimum to make sure that they’re covering themselves, rather than responding in a more activist federal environment. And then we’re also—I think I mentioned this—we’re also looking to see whether state attorneys general are going to pick up some of the slack.

Not every state has federal—excuse me. Not every state has criminal laws that mirror the federal criminal regime. But a lot of states do.

For example, in Georgia, we’ve seen the Georgia—both local prosecutors and federal prosecutors, state as well—state attorneys general use the RICO statute to criminally indict groups of rappers. You would never have seen that 10 or 15 years ago coming out of a state investigation.

And, by the way, phones played a huge part in that case also. And so, we’re going to look and see whether these state attorneys general will really push to use their state laws to ask companies to give out more information and provide the type of review that we might normally expect to see the federal government handle.

[00:21:49–00:23:01]

Navroop:

Well, Marisa, I’ve been loving this conversation we’ve been having, and we’re nearing the end of our time today.

And while we’ve been discussing business, legal, cybersecurity, and all things ephemeral messaging, I’d actually love to end on a question that’s a little bit more about your personality and things that we love to know about our guests. So, if you’ve got time for one more question here.

Marisa:

Lay it on me.

Navroop:

All right. You’ve just wrapped up the biggest post-breach litigation of your career. What’s the libation you and your team are going to toast with?

Marisa:

Uh, what a great question. I mean, I’m drawn to a celebratory tequila, but I think if I’m sharing the win with my team, we’re going to open a very nice bottle of Barolo and treat ourselves to a dry Italian wine.

Navroop:

Well, in that case, the next time we meet up, Barolo on me.

Marisa:

I’m going to hold you to that.

Navroop:

Please do. All right. Well, this has been a great episode of The Lock & Key Lounge podcast with Marisa T. Darden of Benesch. Marisa, thank you for coming on.

Marisa:

Thank you for having me.

Narrator (Matt Calligan of ArmorText):

We really hope you enjoyed this episode of The Lock & Key Lounge.

If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at lounge@armortext.com or our website: armortext.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.
