Unless a mobile device management (MDM) system or special software is in place, messages may not be retrievable without cooperation from custodians. Even with cooperation, old or deleted messages may be unobtainable.
As employees increasingly work remotely — with work and private data merging on various apps and devices — employers are facing a very challenging issue: work-related communications that may not be preserved and accessible in the event of an investigation.
Retrieving messages can present a tension between, on the one hand, data privacy and employment laws (which in many jurisdictions place restrictions on an employer’s ability to review employees’ messaging data) and on the other hand, the need to investigate (and certain authorities’ expectations regarding data preservation). The U.S. Department of Justice, for example, expects companies to ensure that messages sent over ephemeral instant messaging applications are retrievable in the event of an investigation. In the UK, the FCA’s recent market watch newsletter sets out its expectation that “if such apps are used for in-scope activities on business devices, they are recorded and auditable.”
Mobile data presents an issue for bribery investigations for three main reasons:
- Those involved in bribery will try to avoid detection by using personal mobiles or encrypted or ephemeral messaging applications.
- Bribery issues often take years to come to light. In that time, apps may have been deleted, and mobile devices may have been (innocently) reset, reassigned, or broken.
- Unavailable data on mobile phones may provide additional (and exculpatory) color and context (e.g., as to the reasons for payments/the services provided by third parties).
In this post, we set out four practical and legal challenges to be considered in seeking to obtain and review mobile phone data in bribery investigations and proactive steps companies can take to best preserve their ability to access and review this data in the event of an investigation.
Challenges faced (focusing on WhatsApp and iPhones)
Deleted WhatsApp / text messages: If the user deletes their WhatsApp messages (or app), it is unlikely that their employer can retrieve the messages unless specialist software has been installed on the phone or another party to the messages can provide them. Similarly, deleted text messages or iMessages may be gone forever – even on work phones. For companies to preserve and retrieve messages, WhatsApp for Business or Symphony or similar software would have to be used, or, in the cases of SMS / iMessages, the MDM system would have to be configured to back up the messages.
Custodian cooperation: Unlike email data, mobile phone data is not usually preserved or collectible centrally unless an MDM system is used, meaning that you need the cooperation of the custodian to physically hand over their phone and provide any passwords/account details. This presents a problem because custodians (particularly those working remotely) may then have an opportunity to delete messages and apps before handing over the phone.
Back-ups: iCloud back-ups are often of little use, particularly in relation to historic allegations, because they delete after 180 days. Users can back up phones to iTunes, and many other third-party tools can be used to back up data. However, these are not guaranteed to capture all data and are often unreliable as they can quickly become obsolete due to frequent Apple iOS updates. This means that unless an employer specifically backs up mobile data, there may not be any back-up available.
Data privacy and employment law issues: Concerns are likely to arise in many jurisdictions because there is often a mixture of work and sensitive personal data on an individual’s mobile device, especially within their WhatsApp and text messages. This is particularly a problem where companies have “BYOD” policies and employees use personal devices for work purposes. Even where messages can be accessed, care needs to be taken to minimize the review of personal data (which in many jurisdictions is defined broadly).
Steps companies can take to best preserve their ability to obtain and review data:
- Establish clear policies about the use of work devices and personal devices (including a prohibition where possible of non-business versions of WhatsApp and text messages for work communications, and guidance on deletion).
- Provide centrally hosted (and backed up) messaging systems for work communications (e.g., MS Teams or similar).
- Preservation where possible: MDM systems are becoming available, which enable employers to preserve data. In addition, WhatsApp can be provided in a more controlled way (for example, through the Symphony platform, which some banks have implemented to preserve and, in some cases, monitor employees’ WhatsApp messages).
- Establish clear policies about right of access for the firm to applications on mobile devices, and clear procedures for the investigation of data on mobile devices (for example, protocols to separate any personal and work-related communications ahead of any review). Particularly where monitoring will take place, advice should be sought on compliance with relevant data privacy and employment laws.
Andrew Reeves is a Partner based in Norton Rose Fulbright’s London office. He works on a range of major regulatory and criminal investigations and related litigation, focusing on bribery and corruption, fraud, financial crime and money laundering.
The authors would like to thank Claudia Culley who contributed to this post.