The Legal Ramifications of Use of Non-Company Approved Communication Apps

It would be difficult within the last month to avoid reading some kind of headline regarding the Trump staff's use of Signal and the inadvertent disclosure to a journalist from The Atlantic. Debate over the use of Signal spread throughout the media. The issue presents a real concern for company officers and a reason to curtail employee use of non-company-approved communication platforms. Such use can raise serious cybersecurity and regulatory concerns.

There is a natural order in the business world in which employees will always use the simplest means to finish their tasks. Cybersecurity policies and procedures just get in the way of this goal. “We see this pattern all the time, where users just want to get their job done and their view is that somebody else should be worrying about the security part,” Lorrie Cranor, director and professor in security and privacy technologies at Carnegie Mellon, told The Wall Street Journal. Companies must take this into account, not only within their bylaws and training, but also in their regular supervision of employees, to make sure devices are used properly for work purposes.

Two regulatory concerns raised by this practice are the protection of user personal data under state and international privacy acts and discovery requirements against spoliation.

Data privacy laws are becoming ever more stringent about keeping data secure. The California Consumer Privacy Act (CCPA), for example, requires that businesses use reasonable security in the context of personal information collected or processed for specific purposes. This is a fact-specific determination, often updated by today’s best practices derived from yesterday’s breaches. The State Attorney General recommends various frameworks, such as CIS Controls, ISO 27001, and the NIST Cybersecurity Framework, as examples of reasonable security. Applicable to the present topic, CIS recommends using company-managed devices, known as fully managed devices, whenever possible. The benefit is that the company can whitelist apps and the software they use and prevent the installation of unwanted ones on employee devices. Private (unmanaged) devices make it more difficult to ensure that properly vetted apps are used, to identify discrete software vulnerabilities in third-party mobile libraries, and to guard against the installation of malware. Any app on a private device can lead to a breach of the user's device, leading to unauthorized access to messages sent on a commercial messaging app and placing the company in legal jeopardy under the CCPA. Use of unmanaged devices does not necessarily mean a breach of reasonable security under the CCPA; however, unmanaged use combined with other factors, such as poor training regimes, a lack of employee cyber testing, and a history of breaches, would likely show cause for a lack of reasonable security.

Specific to Signal and other apps that delete messages, investigations by regulators and law enforcement may require information contained in apps to be recorded for possible investigative use. Immediate and irretrievable destruction of communications and documents is allowed and, as in the case of Signal, automatically enabled. Documents and communications created by these technologies can be, and have been, covered by FTC and DOJ document requests. The failure to preserve these documents has accounted for successful motions by FTC and DOJ agencies for civil spoliation sanctions, as in the case of Federal Trade Commission v. Noland, Jr., et al. (9th Cir. 2021). The use of self-deleting apps can run afoul of sound recordkeeping systems and cause issues with probable discoverable documents in potential litigation. Companies should take care with employees’ use of these apps to limit such a risk.

It is always a good idea to regularly train, supervise, and test employees on good cybersecurity practice. To prevent violations of Federal, State, and international law, proper use of personal devices and communications between employees on personal devices should be a point of emphasis.
