WhatsApp / Signal / Messenger: New Compliance Obligations Coming to New Zealand – Messaging Platforms
Edwin Morrison, Andrew Coffin
Use of encrypted messaging platforms such as Telegram, WhatsApp, WeChat, Signal, or Messenger is becoming more common practice for business matters.
Users need to be mindful of the developing compliance requirements overseas and consider what is best practice, as it is only a matter of time before New Zealand adopts similar requirements. In short, overseas companies face penalties under criminal law if they do not have sufficiently enforced policies requiring employees to keep accessible business records when using personal devices and encrypted messaging platforms.
Why control encrypted messaging platforms
On an encrypted platform like Telegram, only two people know what has been sent - you and the recipient. This is an increasing problem because information about any business conducted using these applications is difficult to obtain unless you are the person using them. Several scenarios are described below where information on such applications is pivotal, yet it might be impossible to even know the messages exist, let alone obtain a copy:
1. Insider trading occurs when an employee sends a screenshot of an upcoming company financial report to their friend over Messenger.
2. Health and safety incidents like near misses are discussed on a WhatsApp group chat but are not documented in formal incident reporting. Subsequently there is a related serious injury and WorkSafe prosecutes the company.
3. An employee agrees over Signal that their company will use their friend’s company’s services in exchange for a private kickback from their friend, which they do not disclose.
4. A prospective employee agrees over Telegram to work for the company if they receive a bonus package beyond what is in the employment agreement, but the employee loses their phone and access to their Telegram account, and this bonus agreement was never added to the employment agreement.
5. The Board of Directors discuss over Messenger that their plans to restructure the company are not for commercial reasons but solely to reduce tax, contradicting statements they have made elsewhere to the IRD.
6. A director carrying out a performance review of an employee predetermines the outcome and informs HR using Telegram that the employee will be removed for unsatisfactory performance before any disciplinary process occurs.
7. An agreement is made through messages within Messenger but the disappearing chat feature was turned on and the agreement was subsequently lost.
8. A contract is being negotiated between two companies and important parts of the negotiation occur over a WhatsApp chat which is subsequently deleted by one person prior to litigation.
9. A lawyer chats to another lawyer in the same firm over WeChat identifying that they think their client has lost mental capacity, but they deny ever believing this in a subsequent law society investigation.
10. Employees working from home communicate highly confidential project information using various messaging apps, both on personal and work accounts.
Regulatory organisations like the IRD and WorkSafe would benefit substantially from increased access to the records of messages sent on messaging platforms. Therefore, these regulators will likely push the government towards adopting compliance regulations which will require companies to keep records of messages sent on these platforms. This is a significant driver behind why we believe it is a matter of time until these compliance measures are adopted in New Zealand.
What should I do about this?
You should start thinking about sensible business practices to ensure you have a copy of all business records from messages sent on encrypted messaging platforms and private devices. There are many ways to set up these policies, but the overriding focus should be that they make sense in the context of your business circumstances and the regulatory environment. Another consideration if you trade internationally is aligning with overseas standards so there are no issues caused by differences in policies between your geographical locations. You also need to consider the right of privacy for your employees – just because you need to keep business records does not mean you should have access to information relating to their private lives.
One approach to creating these policies is to offer employees work devices with software like Smarsh or Proofpoint, which makes copies of all messages. Another might be requiring employees using applications for work to save a backup of all such messages periodically onto your computer servers. There are many possible options to ensure you retain all communications that are important business records, and the most appropriate option will depend on the particular circumstances of your business.
Once you have identified how you want to retain information from use of encrypted messaging applications, you need to work out how you will review employee activity to ensure it complies with these requirements and what you will do if they breach their obligations. These should form procedures that are integrated into business practice. It will be critical to demonstrate that you have provided clear guidance along with adequate upskilling of employees, and that processes are practical to follow and review.
If you need help creating or implementing business policies relating to use of personal devices and encrypted messaging platforms, please contact your regular adviser at K3 Legal. We work closely with K3 Human Resources to produce legally sound policies tailored to your circumstances, which are rolled out in the best way possible given your work culture.