Schedule a Demo

Why the DOJ Says Messaging Apps & Collaboration Platforms Are a Major Compliance Problem

The Department of Justice (DOJ) has updated their Evaluation of Corporate Compliance Programs policy with special attention paid to messaging platforms when detecting and investigating potential misconduct and law violations. Moving forward, they will now consider whether corporate policies ensure communications from these apps are accessible and amenable to preservation.

All Posts

Why the DOJ Says Messaging Apps & Collaboration Platforms Are a Major Compliance Problem

The Department of Justice (DOJ) has updated their Evaluation of Corporate Compliance Programs policy with special attention paid to messaging platforms when detecting and investigating potential misconduct and law violations. Moving forward, they will now consider whether corporate policies ensure communications from these apps are accessible and amenable to preservation. 

The update comes on the heels of an increasing number of high-profile organizations getting into hot water over recordkeeping missteps related to business-related messaging apps.

In 2021, J.P. Morgan Securities (JPMS) agreed to pay $200 million to resolve charges from the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC), and in 2022, several Wall Street firms paid the SEC over $1 billion in fines. Both of these major fines were for failing to preserve and produce records of communications on corporate messaging platforms.

DOJ Now Requires Messaging Platform Records

Team collaboration apps like Microsoft Teams and Slack, as well as unsanctioned usage of apps like Whatsapp, have replaced email as the primary communications channel within many organizations. It's the ubiquitous nature of these platforms that’s precisely why the DOJ and other regulatory bodies now require messaging platform content to be made readily available for legal and compliance matters. 

In March 2023, Assistant Attorney General Kenneth A. Polite, Jr stated the following during the American Bar Association’s 38th Annual National Institute on White Collar Crime:

“…if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things. A company’s answers—or lack of answers—may very well affect the offer it receives to resolve criminal liability.”

Why Are Messaging Platforms an Area of Concern?

The DOJ updated its policy after investigations revealed companies weren’t treating messaging platforms with the same level of preservation and compliance consideration as other online data sources. For example, in JPMS’ case, the SEC found that “none of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm.”

This kind of negligence is exactly what the DOJ hopes its updated policy will curb, especially since the landscape of corporate communications has changed. Employees now rely heavily on messaging apps to collaborate and get work done. As more conversations and media are shared in these apps, it’s vital that organizations update their compliance policies and recordkeeping processes to include messaging platforms. Otherwise, as history has shown, the price they pay could be very high. 

Recordkeeping Implications of the DOJ’s Updated Policy

With so much at stake, companies need to be more diligent and proactive in how they preserve messaging app content. But this is easier said than done. Unlike email, messaging platforms produce a huge volume of content every second and can be permanently edited or deleted by users on the fly. 

Take a popular app like Microsoft Teams, for instance. It reported over 270 million users in 2022 and continues to grow in adoption thanks to its bundling in the Microsoft Office suite. With the average employee sending a thousand messages per month, recordkeeping and finding the relevant information to demonstrate compliance is an operational challenge. 

The ability to edit or delete messages is a very popular feature in collaboration apps, but one that causes recordkeeping headaches. To the greatest extent possible, the DOJ policy recommends organizations ensure their “business-related electronic data and communications are accessible and amenable to preservation by the company”—which includes deleted messages. 

To further prove that exported chats haven’t been manipulated in any way, organizations should consider collecting metadata, digital signatures, and timestamps with every record.

In the case of Microsoft Teams chats, leveraging Microsoft Purview is one way to retrieve and preserve manipulated or deleted messages, but this feature is part of a top-tier license that not all organizations may have the need or budget for. Furthermore, even with full access, searching through Teams chats is complex and requires users to specify the drive or cloud location for search. Also PDF exports of Teams chats—a popular format for legal and compliance workflows—aren’t available as an option. As such, while Purview is a robust method for automatically capturing Teams content, finding and extracting the captured content requires highly specialized skills. 

Fortunately, there are third-party tools like Pagefreezer that help legal and compliance departments preserve and manage content from Microsoft Teams and other messaging platforms—all presented in a user-friendly UI. 

How to Produce Reliable and Defensible Messaging Platform Records

At a high level, there are four steps to compliant recordkeeping (and we support compliance departments in accurately handling each one -- read more on this in our comprehensive guide to archiving online data here):

1. Capture: Ensure that all new content is in some way being captured, such as through an API on your team collaboration platforms. Make sure your tools can also capture messages and posts that have been edited or deleted.

2. Search: Months and years worth of archived records can be overwhelming to sort through. You need a way to effectively search your archives so that you can actually find what you need when you need it. In the example image below, you can see how easy it the dashboard makes it to search all of your messaging platforms for keywords in public and private channels, as well as direct conversations.

Advanced-Search

3. Collect: You also need to be able to collect the records you’ve identified. Make sure you have a case management tool for adding relevant records to a specific case folder for easy organization. Look for tools where you can leave notes for yourself, or other reviewers, as you collect and add each record.

MS-Teams-Cases

4. Export: Once you have what you need for an audit, you need to be able to to export records in defensible formats, like PDFs—complete with a digital signature and timestamp that proves authenticity.

MS-Teams-Export

Ensuring Compliance Requires More Than Good Recordkeeping

The DOJ’s messaging app policy may seem like it’s meant to only curb intentional misdeeds around recordkeeping—such as Sam Bankman-Fried, the former FTX chief executive, and his team’s use of encrypted messaging platforms and auto-delete policies at his organization—but this isn’t the case. 

Archiving messaging platform communications is an essential part of protecting your organization in legal and compliance matters. Apps like Microsoft Teams also serve as a centralized hub for legal and compliance professionals to access critical information, such as legal documents, policies, and regulations. This collaboration helps your team minimize the risk of errors and omissions.

And while updating corporate policies for stricter preservation of messaging app data should be the new norm, it’s not the only thing that companies can do in order to improve their compliance.

“Resourcing a compliance department is not enough,” said Lisa Monaco, the Deputy U.S. Attorney General, in a September 2022 memorandum. “It must also be backed by, and integrated into, a corporate culture that rejects wrongdoing for the sake of profit, and companies can foster that culture through their leadership and the choices they make.” 

This means corporations need to implement policies and programs that ensure employees use only authorized messaging platforms for their business communications. When compliance departments don’t have to guess where conversations are happening, it makes the task of keeping records—and staying compliant—a lot less tricky and expensive.

Want to learn more? Read our guide, The Complete Microsoft Teams Field Guide for Legal & Compliance Teams. Simply click the button below.

New call-to-action
Miranda Pang
Miranda Pang
Miranda Pang is the Director of Marketing at Pagefreezer

Understanding WORM Compliance: What is WORM Storage & Why Do You Need It?

WORM storage, or "write once, read many" (WORM) compliant storage, is a regulatory necessity in industries like finance, healthcare, and government.

How to Archive a Website for Legal and Compliance

If you're searching for how to archive a website and have found yourself here, it’s likely because you’ve already tried to archive your website and realized that relying on screenshots, open source and manual software, or CMS backups is not going to work.