Government Agencies Send Mixed Messages on Ephemeral Messaging, Placing Regulated Entities in Apparent Double Bind

Officials with the FBI and the Cybersecurity and Infrastructure Security Agency (“CISA”) recently recommended that Americans use encrypted messaging apps in response to the Salt Typhoon cyberattack, which infiltrated at least eight U.S. telecommunications companies. In a news call addressing the Salt Typhoon attack, Jeff Greene, the executive assistant director for cybersecurity at CISA, stated, “Encryption is your friend,” and an FBI official added that “responsibly managed encryption” benefits users who wish to protect their mobile device communications. These statements acknowledge that ephemeral messaging, which generally refers to messaging applications that employ “end-to-end encryption” or auto-delete technology, minimizes the risk of falling victim to a cyberattack.

But these recommendations, which recognize the legitimate benefits of encrypted messaging apps in enhancing a cybersecurity posture, may appear inconsistent with other government statements disfavoring the use of such apps to conduct business.

For instance, in January 2024, the Federal Trade Commission (“FTC”) and the Department of Justice (“DOJ”) updated their document preservation requirements to require preservation of data from ephemeral messaging apps, with a DOJ official observing that these platforms are “designed to hide evidence.” In November 2024, the DOJ Antitrust Division updated its guidance on how it evaluates company compliance programs and included new information on the use and preservation of ephemeral messaging platforms. Now, in evaluating an antitrust compliance program, the Antitrust Division considers what “electronic communication channels” the company and its employees use for business purposes, how the company manages and preserves information contained within each of those channels, whether the company has clear guidelines regarding the use of “ephemeral messaging or noncompany methods of communication,” and what preservation or deletion settings are available and the company’s rationale for those settings.

The FTC and DOJ are not alone in discouraging ephemeral messaging—the U.S. Securities and Exchange Commission (“SEC”) touted obtaining more than $600 million in fines in 2024 for “recordkeeping cases,” which primarily focused on off-channel communications. In the press release announcing its annual enforcement results, the SEC observed that compliance with the recordkeeping requirements of the federal securities laws “is essential to investor protection and well-functioning markets.” The failure to preserve off-channel communications also “deprives the SEC of these communications in its investigations.”

Companies should not have to choose between following the government’s cybersecurity guidance on the one hand and complying with the government’s compliance guidance on the other. Companies should evaluate carefully how they can avoid such a dilemma when developing and implementing compliance programs that address the use of messaging apps, and how best to ensure that they are still able to leverage encryption.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.
