DOJ Outlines Compliance Expectations Relating to Preservation of Data from Messaging Applications (Part III of III)
The Justice Department finally released its new policy to improve corporate preservation of data generated by executives and employees. In this new technology era, companies have had significant gaps in collecting and reviewing data generated by messaging applications, texting systems and emails. While many employees have been using personal devices for business purposes, a large number of companies have failed to apply strict BYOD policies to preserve communications data. As a result, DOJ has experienced recurring gaps in evidence in criminal investigations. This frustration has bubbled up now to DOJ’s push to ensure that companies preserve communications data, whether on personal or business devices.
DOJ’s new Evaluation of Corporate Compliance Programs includes specific requirements to address the increasing gap in access to corporate communications information. In evaluating a company’s system for identifying, reporting, investigating and remediating potential misconduct, DOJ focuses on whether the company maintains policies and procedures governing the use of personal devices, communications platforms and messaging applications. In reviewing these policies, DOJ is demanding that companies tailor communications data policies to the specific risk profile and needs of its business, and seek to the maximum extent possible, to preserve business-related electronic data and communications. Beyond the existence of such policies and procedures, companies will be required to demonstrate that they have communicated and enforced these policies and procedures.
DOJ mandates that companies consider: (1) the communications channels available for use by the business and what specific channels have been authorized; (2) the policies and procedures that apply to preserve communications data, including the company’s code of conduct, privacy, security and employment policies that govern access to and preservation of company communications; and (3) risk management for employees that violate the company communications and data preservation policies, the impact that such non-compliance has had (or could have) on a company’s ability to conduct a thorough investigation of potential misconduct, and the overall risk-profile for the company given the company’s business communications needs and practices and its overall risks..
With respect to each available communications channel, the company has to document how it will manage and preserve information on that channel, what preservation or deletion settings have been implemented, and the reasons for each applicable setting.
As to the company’s policies and procedures, DOJ expects companies to address data preservation requirements, especially with respect to a BYOD program. Given the increasing use of BYOD programs for business communications purposes, the company has to ensure adequate attention to data preservation and company access to such communications data. Companies have to enforce these provisions, preserve access to the data to review when necessary, and maintain business data generated by employees. If the company requires employees to transfer the data to company record-keeping systems, companies have to regularly conduct such transfers consistent with its stated policies and requirements. Any restriction or exception to the data preservation policy has to be stated and the justification for such an exception has to be documented and explained.
Finally, with respect to risk management, companies have to ensure that there are appropriate consequences to executives and employees who fail to comply with communications and data preservation requirements. In this respect, companies have to discipline executives and employees consistently for failures to comply with applicable policies and procedures. In assessing the risk, the company has to determine if any existing gaps in communications data and preservation have hindered the company’s ability to complete an internal investigation of potential misconduct.