DOJ compliance vs. messaging reality: Why capturing off-channel communications is harder than ever
24th March 2026
The U.S. Department of Justice (DOJ) reaffirmed its scrutiny of corporate compliance programs, particularly as they relate to off-channel communications: messaging platforms outside the scope of formal IT oversight, such as iMessage, WhatsApp, Signal, WeChat, and Telegram.
The updated Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations guidance, released by the DOJ’s Antitrust Division in November 2024,[i] places renewed pressure on companies to prohibit unauthorized messaging apps, preserve communications, and demonstrate clear, rational, and enforceable policies governing employee communication, even on personal devices.
Concurrently, the U.S. Securities and Exchange Commission (SEC) recently highlighted its “off-channel communications” initiative, which has resulted in over $600 million in civil penalties in 2024 and $2 billion+ since 2021 for firms failing to monitor and preserve business-related messaging apps.[ii] In practice, communication-capture failures often stem not only from technical gaps but also from legal, process, or policy constraints, such as General Data Protection Regulation (GDPR) and California Privacy Rights Act (CPRA) implications, works council rules/unions, bring your own device (BYOD) ambiguity, or disappearing message settings. A governance-first approach that is anchored in approved channels, device monitoring, trigger-based holds, and documented rationale for deletion settings enables organizations to manage cross-jurisdictional risk while aligning with DOJ and SEC expectations for accountability, oversight, and defensibility.
However, here is the challenge: The tools that claim to capture these communications often fail to work.
The harsh truth: Most capture tools fail in the real world
Enterprise messaging capture platforms, including TeleMessage and SafeGuard Cyber, promise compliance-grade archiving of mobile communications. But in practice, they struggle to keep up with:
- Mobile operating system (OS) security updates (especially iOS)
- End-to-end encryption
- User-controlled deletion settings
- Growing fragmentation of messaging platforms across jurisdictions and languages
In fact, Cellebrite, one of the most respected names in digital forensics, announced it is moving away from remote collection toward full-file system extraction to align with industry changes.[iii] Although the company is developing a new remote full-device extraction tool, it is not yet production-ready and is unlikely to solve the problem for high-security, app-based messaging services such as Signal or Telegram.
A more practical path: MDM + legal hold + device preservation
Although seamless automated capture sounds appealing, a risk-based, defensible workflow is a more realistic and cost-effective approach. Here is what that looks like:
- Use mobile device management (MDM) to monitor, not capture. Deploy platforms like Microsoft Intune, VMware Workspace ONE, or Jamf Pro to:
  - Inventory apps installed on company-managed devices.
  - Flag high-risk chat applications (e.g., WhatsApp, iMessage, Signal).
  - Generate reports that track usage patterns over time.
This level of telemetry doesn’t provide message content, but it does offer sufficient awareness to trigger defensible preservation protocols the moment litigation or regulatory events arise. That visibility also helps maintain compliance with GDPR, CPRA, and collective bargaining restrictions, where overcollection can create privacy risk. Importantly, message-capture gaps aren’t always technical; they often stem from legal, process, or policy constraints such as jurisdictional limits, data residency rules, or works council approvals. A governance model built around awareness, documented decision-making, and timely preservation enables organizations to navigate these boundaries while still meeting DOJ expectations for accountability and control.
- When litigation hits, issue a legal hold. Use MDM reports to identify custodians using off-channel apps and immediately:
  - Issue a legal hold, including directives to preserve all personal devices used for work.
  - Ensure employees do not delete messages or uninstall apps.
  - Suspend auto-delete policies and disable disappearing messages or ephemeral chat settings within approved platforms.
  - Coordinate with IT and HR to preserve in place, ensuring data is retained without improper access or transfer.
- Preserve at the source by collecting the physical device. Once the hold is in place, send a loaner and collect the original device for forensic preservation. Only through physical access can forensic experts:
  - Extract decrypted content from messaging apps.
  - Preserve metadata and context.
  - Comply with evidentiary standards.
This method works across messaging apps and is the only reliable way to get to the truth.
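An added example (not from the article or from any MDM vendor) of the first two steps above: it reads periodic app-inventory reports, flags watchlisted messaging apps per user with first- and last-seen dates, and intersects the result with a matter's custodian list to show whose devices a hold should cover. The CSV column names, usernames and device IDs are constructed for illustration; real MDM exports differ by product.

```python
import csv
import io
from collections import defaultdict

# Watchlist keyed by iOS bundle ID / Android package name.
# iMessage is left out: the Messages app ships with every iPhone, so its
# presence in an inventory says nothing about use.
WATCHLIST = {
    "net.whatsapp.WhatsApp": "WhatsApp", "com.whatsapp": "WhatsApp",
    "org.whispersystems.signal": "Signal", "org.thoughtcrime.securesms": "Signal",
    "ph.telegra.Telegraph": "Telegram", "org.telegram.messenger": "Telegram",
    "com.tencent.xin": "WeChat", "com.tencent.mm": "WeChat",
}

# Constructed sample: two periodic inventory reports merged into one export.
# Column names are hypothetical, not any MDM product's schema.
SAMPLE_EXPORT = """report_date,user,device_id,app_id
2026-01-05,asmith,IOS-0017,net.whatsapp.WhatsApp
2026-01-05,asmith,IOS-0017,com.microsoft.skype.teams
2026-01-05,bjones,AND-0042,com.android.chrome
2026-02-02,asmith,IOS-0017,net.whatsapp.WhatsApp
2026-02-02,bjones,AND-0042,org.thoughtcrime.securesms
2026-02-02,clee,IOS-0023,ph.telegra.Telegraph
"""

def flag_off_channel(export_text):
    """Return {user: {app: {"first_seen", "last_seen", "devices"}}}."""
    findings = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(export_text)):
        app = WATCHLIST.get(row["app_id"].strip())
        if app is None:
            continue  # sanctioned or unrelated app
        date = row["report_date"]  # ISO dates compare correctly as strings
        rec = findings[row["user"]].setdefault(
            app, {"first_seen": date, "last_seen": date, "devices": set()})
        rec["first_seen"] = min(rec["first_seen"], date)
        rec["last_seen"] = max(rec["last_seen"], date)
        rec["devices"].add(row["device_id"])
    return dict(findings)

def hold_candidates(findings, custodians):
    """Custodians on the matter who have a watchlisted app, with devices to preserve."""
    out = []
    for user in sorted(set(custodians) & set(findings)):
        for app, rec in sorted(findings[user].items()):
            out.append((user, app, rec["first_seen"], rec["last_seen"],
                        sorted(rec["devices"])))
    return out
```

The output contains app identifiers and dates only, no message content, which matches the article's point that inventory telemetry is a trigger for preservation rather than a capture mechanism.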
Why this approach beats the capture vendors (financially and forensically)
Capture platforms often cost tens or hundreds of thousands of dollars per year, while still missing key data and failing under scrutiny. In contrast, the MDM + legal hold + device preservation workflow:
- Costs less
- Works across all apps
- Aligns with the DOJ’s expectations
- Is deployable as needed, with no expensive subscriptions
What the DOJ really wants: Risk-based, documented, and enforced programs
The DOJ is not asking anyone to perform the impossible. The Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations guidance makes it clear that what matters most is:
- Having written policies that prohibit unmonitored off-channel communications
- Implementing reasonable controls (e.g., MDM audits and access monitoring)
- Responding to risk with clear, timely, and defensible actions
- Training employees and preserving data when risk exists
Perfect capture is not expected, but proactive governance, monitoring, and legal response are non-negotiable.
Communications governance – Characteristics of success
✅ Approved channels list
- Current inventory of sanctioned communication tools
- Rationale for approval and a clear BYOD position
✅ Policy and training
- Written policy covering off-network and ephemeral apps
- Annual training and employee attestation confirming understanding
✅ Device management
- MDM enforcement on all managed devices
- Periodic application inventory reports to identify unauthorized tools
✅ Preservation triggers
- Defined legal hold activation workflow for chats and mobile data
- Disappearing messages disabled once preservation triggers are met
✅ Mobile collection playbook
- Documented process for user consent, loaner devices, and chain of custody
- Tested workflows for defensible extraction and documentation
✅ Cross-border compliance
- Integrated review for GDPR, CPRA, and works council implications
- Preapproved templates for data transfer risk assessments
✅ Audit trail and governance record
- Record of who decided what, when, and why
- Decision logs to demonstrate compliance program effectiveness
Final thought: Good compliance is about judgment, not technology
We are at an inflection point where tech solutions are overpromising and legal expectations are climbing. Smart organizations are shifting away from false promises of full automation and embracing policy-driven, human-informed approaches.
If your company has not reviewed its off-channel messaging posture recently, or if your compliance strategy still relies on apps that “archive” WhatsApp, it is time to rethink your approach.
HKA’s digital forensics teams help clients design MDM-integrated compliance protocols, draft defensible legal hold workflows, and perform forensically sound mobile collections across industries. To find out how we can assist you, contact one of our Digital Forensics & Investigations experts.
Geo Brown is a Partner at HKA specializing in digital forensics, compliance advisory, and defensible data governance. He leads multidisciplinary investigations at the intersection of law, technology, and risk.
[i] https://www.justice.gov/d9/2024-11/DOJ%20Antitrust%20Division%20ECCP%20-%20November%202024%20Updates%20-%20FINAL.pdf
[ii] SEC.gov | SEC Announces Enforcement Results for Fiscal Year 2024
[iii] Navigating the Future of Mobile Data Collection – Cellebrite
Trademark notice
All product names and brands mentioned, including TeleMessage, SafeGuard Cyber, Cellebrite, Microsoft Intune, VMware Workspace ONE, and Jamf Pro, are trademarks of their respective owners. Use of these names does not imply endorsement.
This article presents views, thoughts, or opinions that are provided for general information purposes only. It does not represent the views of, or constitute advice of any form (legal, professional or otherwise) from HKA or any of its affiliates. While HKA takes reasonable care to ensure the accuracy of its contents at the time of publication, the article does not deal with all aspects of the referenced subject matter and may not be relied upon as a substitute for professional judgment or independent analysis. Accordingly, neither HKA nor the author accepts liability for any use of, or reliance on, the information presented in the article. This article is protected by copyright © 2026 HKA Global, LLC/© 2026 HKA Global Ltd. All rights reserved.