In today’s fast-paced digital environment, messaging apps like Signal, WhatsApp, and Telegram have become indispensable tools for communication. Their convenience, however, comes with a significant risk—especially when organizations fail to implement robust records retention policies. For records and information management (RIM) professionals, the stakes are even higher when these platforms include features like auto-deletion and end-to-end encryption.

The Legal Landscape: What’s Required?

In the United States, federal and state laws impose strict requirements on records retention, particularly for public entities and regulated industries. The Federal Records Act mandates that government agencies preserve records that document the organization, functions, policies, decisions, and essential transactions of the agency. Similarly, the Freedom of Information Act (FOIA) and state-level open records laws require that certain communications be accessible to the public.

For private-sector organizations, regulations like the Sarbanes-Oxley Act, HIPAA, and SEC Rule 17a-4 impose retention requirements that can span years. These laws apply to all communication mediums (email, text, or encrypted messaging), requiring organizations to retain any qualifying business record.

Messaging Apps and Auto-Deletion: A Risky Combination

Apps like Signal and Telegram offer auto-delete features that can erase messages after a set period, sometimes in as little as 30 seconds. While these features enhance privacy, they can also undermine compliance if not properly managed. Without a clear Records Retention and Disposition Schedule (RRS), organizations risk losing critical data, incurring legal penalties, and damaging public trust.

Case in Point: Denver’s “Strike Force”

In early 2025, Denver Mayor Mike Johnston and 14 senior staff members formed a group dubbed “Strike Force” to coordinate the city’s response to the migrant crisis. They used Signal, an encrypted messaging app, and enabled auto-deletion for their communications. This decision came just weeks after legal watchdogs filed open records requests related to the city’s handling of the crisis.

Critics, including the Colorado Freedom of Information Coalition, argued that this was a deliberate attempt to circumvent transparency laws. Although the mayor’s office later adjusted the auto-delete settings and eventually disabled them, the damage to public trust was already done.

Lessons for RIM Professionals

This incident underscores the importance of proactive records management policies. Here are key takeaways:

  • Audit Messaging Tools: Know and regulate which platforms your employees use, and know whether those platforms support auto-deletion or encryption. Ensure disposition practices align with policies and procedures.
  • Update Your RRS & RIM Policy: Ensure your retention schedule and records and information management policy account for records and non-records in all communication channels, including ephemeral messaging apps.
  • Train Staff: Employees must understand that convenience should never override compliance.
  • Implement Governance Tools: Use enterprise-grade solutions that integrate with messaging platforms to archive and manage records automatically.

Zasio Can Help

At Zasio, we specialize in helping organizations navigate the complexities of modern records management. Our solutions are designed to ensure compliance across all communication platforms, including those with auto-delete features. Whether you’re updating your RRS or conducting a compliance audit, Zasio provides the tools and expertise to keep your organization protected.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.