Users must be mindful of the requirements overseas for encrypted platforms like Whatsapp
Use of encrypted messaging platforms such as Telegram, Whatsapp, WeChat, Signal, or Messenger is becoming common practice for business matters. Users need to be mindful of the developing compliance requirements overseas and consider what is best practice, as it is only a matter of time before New Zealand adopts similar requirements. In short, overseas companies face penalties under criminal law if they do not have sufficiently enforced policies requiring employees to keep accessible business records when using personal devices and encrypted messaging platforms.
New Zealand regularly follows the rest of the world when it comes to compliance obligations. Anti-money laundering (AML) and due diligence obligations are commonplace in New Zealand now, but they were only established here 10 years ago. However, in overseas jurisdictions like the European Union, AML procedures were being refined several years before this. Similarly, we expect overseas compliance regimes controlling how business employees use encrypted messaging applications to be imported into New Zealand in the near future, so it pays to be prepared and understand the landscape before this happens.
Why control encrypted messaging platforms
Who knows what you have sent on an encrypted platform like Telegram? Only you and the recipient. This is an increasing problem because, unless you are the person using the application, it is difficult to obtain information about any business conducted through it. Several scenarios are described below where information held in such applications is pivotal, yet it might be impossible to even know the messages exist, let alone obtain a copy:
- Insider trading occurs when an employee takes a screenshot of an upcoming company financial report and sends it to a friend over Messenger.
- Health and safety incidents like near misses are discussed on a Whatsapp group chat but are not documented in formal incident reporting. Subsequently there is a related serious injury, and Worksafe prosecutes the company.
- An employee agrees over Signal that their company will use their friend’s company’s services in exchange for an undisclosed kickback or private benefit from the friend.
- A prospective employee agrees over Telegram to work for the company on the basis of a bonus package beyond what is in the employment agreement, but the employee then loses their phone and access to their Telegram account, and the bonus agreement was never added to the employment agreement.
- The Board of Directors discuss over Messenger that their plans to restructure the company are not for commercial reasons but solely to reduce tax, contradicting statements they have made elsewhere to the IRD.
- A director carrying out a performance review of an employee predetermines the outcome and informs HR using Telegram that the employee will be removed for unsatisfactory performance before any disciplinary process occurs.
- An agreement is made through messages in Messenger, but the disappearing chat feature is turned on and the agreement is subsequently lost.
- A contract is being negotiated between two companies and important parts of the negotiation occur over a Whatsapp chat which is subsequently deleted by one person prior to litigation.
- A lawyer chats to another lawyer in the same firm over WeChat, identifying that they think their client has lost mental capacity, but they deny ever believing this in a subsequent Law Society investigation.
- Employees working from home communicate highly confidential project information using various messaging apps, both on personal and work accounts.
These situations identify pitfalls when key information is contained in encrypted messaging applications. When nobody except the sender and recipient can access the messages, such messages might not be produced in civil or employment procedures like discovery (the requirement to provide all related hard and electronic copies of related communication and information). This creates a real temptation not to produce these messages, since other parties may never know they exist unless you tell them! Similarly, if the messages are subsequently deleted for everyone and you have not made a prior copy, there is not much you can do about it, potentially even with the cooperation of the messaging platform.
In criminal proceedings, section 130 of the Search and Surveillance Act 2012 allows the Police to require a person to provide the Police access to data held in a computer system or other data storage device where that data is subject to a search warrant. However, this is only useful for the Police once they have executed a search warrant, which presupposes they know the data exists in the first place. In situations where the Police do not know incriminating messages exist, why would they seek a search warrant? Searching every mobile phone of every person potentially connected to a criminal offence is a massive undertaking and is impractical. Therefore, it seems likely that for company criminal offences, the Police will seek to shift more of this burden off their shoulders and on to the shoulders of companies, which is a major driver for creating these compliance requirements.
Regulatory organisations like the IRD and Worksafe would benefit substantially from increased access to the records of messages sent on messaging platforms. Therefore, these regulators will likely push the government towards adopting compliance regulations which will require companies to keep records of messages sent on these platforms. This is a significant driver behind why we believe it is a matter of time until these compliance measures are adopted in New Zealand.
Developments in the US
In 2017, the US essentially required companies to stop employees using personal encrypted messaging applications which did not retain business records. The idea was that employees would default back to using emails to send messages which were captured internally. In practice, this proved unenforceable because of how common it was for people to use encrypted messaging applications for work activities. In 2019, this standard was relaxed to require companies to create policies which appropriately controlled employees using these encrypted messaging applications so business records were retained.
In 2022, the Department of Justice revised its corporate enforcement policy, focusing further on requiring companies to have “a robust compliance program” if employees used encrypted messaging platforms for business use. The Monaco Memo identified that the data from these applications needed to be collected and retained as part of these compliance programs. In general, when the Department of Justice makes inquiries of a firm in the US and asks for its business records, if the company does not provide substantial communications from third party messaging applications, this is a red flag triggering further investigation into its data retention practices.
The Monaco Memo also recommended that compliance programs encourage employees to comply with their requirements by creating serious personal consequences for employees who breach them. One particularly emphasised consequence was clawbacks: if the company is fined because employees breached the company policy, the company requires those employees to reimburse it. In fact, companies that use such clawback mechanisms may face reduced fines under the pilot scheme being implemented by the Department of Justice if employees breach their policies and the company is caught with insufficient business records.
Many high profile firms in the US have been caught out by these rules when they have not enforced their own policies controlling encrypted messaging applications. Ironically, the individuals responsible for developing and enforcing their company’s compliance policies were often themselves using those applications in breach of the rules! Substantial fines have been levied in relation to these breaches, showing the Department of Justice has been taking this issue very seriously. In 2022 there was $1.8 billion of fines issued against 16 financial services firms, with this number growing further in 2023.
Developments elsewhere
The US has been a pioneer regulating encrypted messaging application use for businesses, with the UK now starting to catch up. In 2023, an energy trading firm was fined £5.41 million for not keeping business records of messages sent using these applications despite having policies requiring employees to do so. The picture is similar in the European Union, meaning that there is increasing international alignment in requiring companies to regulate their employees to keep business records when they use encrypted messaging applications.
What should I do about this?
You should start thinking about sensible business practices to ensure you have a copy of all business records from messages sent on encrypted messaging platforms and private devices. There are many ways to set up these policies, but the overriding focus should be that they make sense in the context of your business circumstances and the regulatory environment. Another consideration if you trade internationally is aligning with overseas standards so there are no issues caused by differences in policies between your geographical locations. You also need to consider the right of privacy for your employees – just because you need to keep business records does not mean you should have access to information relating to their private lives.
One approach to creating these policies is to offer employees work devices with software like Smarsh or Proofpoint which make copies of all messages. Another might be requiring employees using applications for work to save a backup of all such messages periodically onto your computer servers. There are many possible options to ensure you retain all communications that are important business records, and the most appropriate option will depend on the particular circumstances of your business.
Once you have identified how you want to retain information from use of encrypted messaging applications, you need to work out how you will review employee activity to ensure it complies with these requirements and what you will do if they breach their obligations. These should form procedures that are integrated into business practice. It will be critical to demonstrate that you have provided clear guidance along with adequate upskilling of employees, and that processes are practical to follow and review.
If you need help creating or implementing business policies relating to use of personal devices and encrypted messaging platforms, please contact your regular adviser at K3 Legal. We work closely with K3 Human Resources to produce legally sound policies tailored to your circumstances, which are rolled out in the best way possible given your work culture.