Key Takeaways
- Under recent revisions to the DOJ’s Evaluation of Corporate Compliance Programs guidelines, prosecutors will assess corporate governance approaches to personal devices, communications platforms, and messaging applications in evaluating compliance programs and making corporate charging decisions.
- Companies should ensure that they maintain policies and procedures regarding data, devices, and the employees using both that are tailored to the company’s particular data assets and processing activities.
Background
In a March 3 speech at the ABA’s Annual National Institute on White Collar Crime, Kenneth Polite, chief of the DOJ’s Criminal Division, announced that the Criminal Division’s Evaluation of Corporate Compliance Programs (the ECCP), which prosecutors use to make corporate charging decisions, will now consider the effectiveness of a company’s policies and procedures governing the use of personal devices and electronic communications platforms, including third-party messaging applications.
Polite’s announcement was several months in the making. In a DOJ-wide memorandum issued on September 15 of last year, Deputy Attorney General Lisa Monaco stated that “[t]he ubiquity of personal smartphones, tablets, laptops, and other devices,” and the rise in the use of messaging platforms, including those that offer ephemeral and encrypted messaging, pose “significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices for misconduct and to recover relevant data from them during a subsequent investigation.” Monaco continued that how companies address the use of personal devices and third-party messaging platforms will now impact a prosecutor’s evaluation of the effectiveness of a company’s compliance program and assessment of its cooperation during a criminal investigation. She directed the Criminal Division to study “best corporate practices regarding use of personal devices and third-party messaging platforms” and incorporate the results of the study into the next edition of the ECCP.
ECCP Revisions Concerning Use of Personal Devices, Communications Platforms and Messaging Applications
At the ABA White Collar Crime conference, Polite announced the results of that study in the form of “significant” revisions to the ECCP. Now, prosecutors will assess whether a company’s policies and procedures governing personal devices, electronic communications platforms, and messaging applications are “tailored to the corporation’s risk profile and specific business needs” and whether “business-related electronic data and communications are accessible and amenable to preservation by the company.” Prosecutors will also assess the extent to which such policies and procedures have been communicated to employees and are enforced on a regular and consistent basis. In making their assessment, prosecutors will evaluate a company’s:
- “Communication Channels,” including what channels are used, or are authorized to be used, to conduct business, and the mechanisms the company uses to manage and preserve data within each of the channels.
- “Policy Environment,” including the policies and procedures that govern the company’s ability to (1) ensure security or monitor/access business-related communications, (2) preserve and access any corporate data and communications stored on personal devices—including within messaging platforms, and (3) review business communications on personal devices and/or messaging applications.
- “Risk Management,” including the consequences for employees who refuse the company access to company communications and whether the use of personal devices or messaging applications has impaired the company’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or regulators.
At last week’s Global Investigations Review Live Spring Conference in Washington, D.C., Polite zeroed in, in particular, on the access he expects prosecutors to have during an investigation to communications stored on third-party messaging applications. Polite stated that “prosecutors will not simply accept a company’s inability to produce messages from third-party applications without adequate explanation. That is because we have seen how criminals often use these communication platforms – which have become a staple in modern life – and therefore can be crucial evidence of criminality.”
Analysis
The new DOJ policies reinforce that organizations should be maintaining internal policies and related procedures regarding data, devices, and the employees (including those leveraging artificial intelligence) using both. Those policies should incorporate the reality of the organization’s operations and what its employees are actually doing. This may include a combination of policies directed towards Acceptable Use, Bring Your Own Device (BYOD), Corporate-Owned Assets, Remote Access, Mobile-device-management (MDM), Platform and Container use, and third-party records management.
Developing policies and practices often begins with data mapping an organization’s assets and activities. The process of developing the data map includes asking employees what they are doing with the organization’s data and double-checking that information against the organization’s current knowledge of its infrastructure. That combination of evaluating the organization’s assets (where data is stored and reviewed) and considering its processing activities (what the organization is then doing with the data) will lead to consideration of additional devices and technologies, including personal devices and third-party-provided applications (such as messaging apps).
Once the foundation is established through data mapping (with a future promise of “evergreening” or consistently updating the same), the organization can determine how it will govern the data and classify its records. The organization should keep external representations in mind, including filed statements, notices and contractual obligations that can travel in all directions. An articulation of the exceptions also matters, as, for example, a legal hold process can trump existing practices for discrete periods of time. Depending on the organization, internal notice and training often follow, and subsequent evaluations of employee compliance or lack thereof can lead to discipline or termination. These may be further supported by internal and/or external audit resources to monitor activity, training programs that address business norms, and internal “champions” that help answer questions and guide internal improvement.
While the DOJ’s guidance does not establish any new legal obligations in the context of the duty to preserve relevant information in litigation, it does present a unique challenge to companies whose employees may continue to communicate on personal devices and unsanctioned platforms despite efforts to clearly articulate and enforce company policy. To this end, defensible preservation and collection efforts are critical. Merely issuing a litigation hold and asking a few general questions about an employee’s communication practices may not be sufficient. Rather, companies should consider conducting robust and specific custodial interviews with key personnel to determine if relevant data exists on platforms outside of the company’s policy and potentially outside of its possession, custody and control, which is an inquiry that varies in different jurisdictions.
All of this provides value to companies beyond positioning them well to preserve data in connection with internal or governmental investigations and litigation and to demonstrate cooperation and mitigate risk in connection with DOJ expectations. Organizations with a better grasp of information in their custody should improve their security posture and can, in some instances, unlock the value inherent in such data. And undertaking these types of initiatives is not a chase towards perfection; incremental improvements still present rewards and incrementally improve operations as well as organizational explanations to regulators and other interested parties.