Words exchanged on ephemeral messaging apps are naturally fleeting. But companies that misuse the apps can face long-lasting consequences.

Now that the Justice Department has eased its stance on the use of ephemeral messaging apps, corporate legal departments need to ensure that employees are relying on the apps in the right scenarios and are documenting business communications that vanish into the ether.

Up until last month, companies that wanted credit for cooperating with DOJ enforcement actions under the Foreign Corrupt Practices Act essentially had to prohibit employees from using Snapchat, Telegram Messenger, Wickr and a number of other ubiquitous apps that automatically erase messages.

That changed March 8, when the DOJ issued a revised policy that lifted what had been seen as a prohibition on ephemeral apps—but with a relatively vague caveat. Companies seeking cooperation credit have to implement “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms.”

What types of guidance and controls? That's not entirely clear, according to former federal prosecutor Mitch Mitchelson, now a partner at Alston & Bird in Atlanta who represents companies facing government investigations.

He asserted that the “DOJ provided no concrete guidance on when use of ephemeral messages would be consistent with self-reporting.” But he and fellow Atlanta-based law partner Paul Monnin, also a former federal prosecutor who specializes in white-collar criminal defense, said in an interview Tuesday that there are steps companies can take to minimize risks.

First, employees should be using the apps in question only when it's necessary, such as when they're working in corrupt or hostile foreign jurisdictions and are concerned about being spied on through compromised communications networks. Companies need to have strict guidance in place regarding employees' use of ephemeral communication, otherwise the apps could be abused, which raises compliance risks.  

“Let's say you're a tech company operating in China or Russia. You're in an insecure environment and take it from there,” Monnin said.

Mitchelson added, “So you communicate using an ephemeral messaging platform. But the important aspect of the deal that you're discussing needs to be recorded in some fashion. It's incumbent upon the person on the receiving end to make a memo to the file that reflects the substance of the conversation.”

The second compliance key is proper record keeping. The DOJ is not only going to want to know that the use of the app was necessary but also that the company took steps to document the communication in its records, according to Mitchelson and Monnin.

They stressed that the DOJ's revised cooperation credit policy is “forward-looking,” meaning that companies that want to benefit from the policy when a possible FCPA violation comes to light need to prepare now by counseling employees and enacting policies and procedures through risk-based analysis.

“The DOJ is going to be asking self-reported entities, 'Are you doing business in potentially corrupt jurisdictions?'” Monnin said. “And if you are, what are you telling your personnel, including your distributors and third parties, in terms of how they conduct their business and what type of digital or paper audit trail exists there?”

Read More: