Archiving vs. Privacy: The Mobile IM Disappearing Messages Dilemma

Almost every major instant messaging (IM) service has rolled out a version of the disappearing messages feature.

The ability to send communication that self-destructs after a pre-set period or after it is viewed has garnered widespread appreciation from privacy-focused consumers. But compliance teams, tasked with ensuring that all communication is preserved within a regulated firm, have found themselves in a tough spot.

Compliance officers have to walk a tightrope between retaining their employees’ business-related communication for compliance purposes and respecting individual privacy, and any slip-up with regard to either risks unleashing the wrath of regulators and judiciary alike.

The law is clear—archiving is non-negotiable

In January 2024, the topmost enforcement department of the US, the Department of Justice, along with the Federal Trade Commission, issued clear guidelines to preserve disappearing/ephemeral messages sent on platforms such as WhatsApp and Signal. While the guidance was mainly focused on investigations and litigation related to antitrust matters, it reinforces the precedent set by other watchdogs and regulators when it comes to the importance of communication compliance.

For instance, FINRA, which oversees over 624,000 brokers across the country, specifies in Regulatory Notice 17-18 that financial firms have to maintain records of their employees’ business-related communication through all messaging apps and chat services.

It is worth mentioning that regulators such as the U.S. Securities and Exchange Commission do not take kindly to employees bypassing their recordkeeping requirements, whether through new technology or through ways perceived to be loopholes. Case in point: the regulator has hit 11 firms with massive combined penalties worth $1.1 billion for their employees communicating through unapproved channels.

As Chair Gary Gensler puts it, “…. As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications. As part of our examinations and enforcement work, we will continue to ensure compliance with these laws.”

Along with the recordkeeping regulations and associated penalties, there are several possible drawbacks to disappearing messages that a compliant entity cannot ignore, including:

  • Lack of control over the retention period, which is a major pain point for compliance teams who are required to maintain employee messages for the duration required by the regulator.
  • Inability for regulated entities to hold employees accountable for potentially non-compliant or illegal activities, such as making unauthorized trades, insider trading, providing misleading information to investors, etc.
  • The possibility of unauthorized access to the messages before they disappear, for example by screenshotting sensitive messages.
  • The possibility of misunderstandings and internal conflict with no way to resolve them, because the disappearing messages leave context missing from the communication.
  • The inability to obtain evidence or key information for e-discovery procedures during trial.
  • Challenges in auditing and monitoring the firm’s compliance with regulations, such as WhatsApp recordkeeping requirements, when there is no way of knowing if the recorded conversations are complete.

Potential conflicts between archiving disappearing messages and privacy

While there are a host of reasons to capture employee communication, even when employees have decided to use disappearing messages, compliance teams still have to contend with potential conflicts with privacy-related regulations that also carry serious consequences for non-compliance.

For example, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) require employees who are citizens to give explicit consent before their personal data is gathered.

Other than regulations, compliance teams have to consider benefits that underscore the value of disappearing messages in workplace communication, including:

  • The private and secure transfer of sensitive information without having to worry about it being recorded or accessed by unauthorized individuals.
  • Enhanced access control, which stems from the fact that the messages are deleted when viewed and that IMs nowadays have measures in place to thwart screenshotting attempts, including notifying the sender when an attempt is made.
  • The facilitation of trust among coworkers and between clients and employees, given that the conversation will remain private.

Resolving Conflict: Best Practices for Capturing Disappearing IM Messages While Respecting Privacy

Disappearing messages can be a potent tool in your employees’ arsenal for communicating, as long as compliance teams follow best practices to balance the accompanying compliance and privacy challenges.

Notably, they are:

  • Getting the necessary consent from employees before implementing a recordkeeping mechanism to archive their communication.
  • Establishing strict communication guidelines on what can be said on channels earmarked for business conversations, the devices and applications employees are allowed to use, etc.
  • Implementing an automated, third-party mobile archiver that can capture messages instantaneously so they can be audited and monitored.
  • Putting in place stringent cybersecurity measures and access controls so the archived communication is secure and employee privacy is ensured.
  • Regularly auditing the communication policies, records, and access control mechanisms to ensure that there is no leakage of sensitive information and that the conversations are only accessed when necessary.
  • Training employees to report non-compliant behavior happening over disappearing messages.

Conclusion

While disappearing messages are intended to vanish from existence after the receiver has read them, operating in a regulated industry means that compliance officers have to painstakingly archive them without violating any privacy regulations.

As a leading mobile archiving solution, TeleMessage can help compliance officers by automatically capturing IM conversations before they disappear, creating a copy of the message in the archiving vendor of your choice. The communication goes through SOC-2-level encryption, so your messages are tamper-proof and free from the possibility of data breaches. Further, the communication is captured with all the relevant context, including sender and receiver info, such as name and phone number, so there is full transparency and accountability during audits. The messages can also be filtered by date for requirements such as e-discovery. Most importantly, the compliance team can set up mechanisms to flag conversations that contain certain phrases or keywords to identify violations at the beginning.

As a result, regulated entities can have their employees utilize disappearing messages to their full potential while still maintaining regulatory compliance.

To get started with TeleMessage or to learn more about its functionalities and use cases, contact us for a demo.

About TeleMessage

TeleMessage captures and retains mobile content, including mobile SMS messages, voice calls, WhatsApp, and WeChat conversations from corporate or BYOD mobile phones to ensure compliance with various data protection regulations. The messages are securely and reliably retained within TeleMessage servers or forwarded to your choice of archiving data storage vendor.

Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:
