Electronic Communications Risks — DOJ Enters the Fray in March 2023 (Part II of III)
Just to play devil’s advocate (or perhaps to push my agenda), I have conflicting views on corporate use of ephemeral messaging applications. On the one hand, I understand the importance of managing electronic communications data, prioritizing the preservation of relevant data, and reducing attendant costs from managing ever-growing amounts of electronic data.
On the other hand, as a former prosecutor and now defense counsel, I would find it difficult to explain to corporate leaders and prosecutors at DOJ or a regulatory agency why the company did not maintain electronic data that was relevant to an internal investigation. The potential impact of a blind investigation can carry significant consequences for a company.
Given the need to develop a more cost-effective balance in maintaining electronic data, it is clear why DOJ did not want to stand in the way. DOJ investigations have become more difficult and time-consuming as a direct result of the growth in electronic data. DOJ investigations require more intensive review and sorting of large amounts of data to reach a conclusion.
DOJ’s revised approach, as reflected in its Evaluation of Corporate Compliance Programs (“ECCP”) released in March 2023, reflects this fundamental re-balancing of equities.
As an initial step, a company that authorizes use of ephemeral messaging needs to understand exactly how the application is programmed to delete messages and data, the precise nature of the data that gets stored, and the types of communications that employees are sending and receiving via the platform.
In 2019, DOJ initially directed that companies prohibit the use of ephemeral messaging applications. It backed away from this position and has instead provided a framework that companies can apply to implement appropriate guidance and controls on devices used in the workplace.
DOJ’s ECCP identifies three significant areas for consideration: employee use of personal devices, availability of communications platforms (e.g. Jabber, Slack, Teams, Google, Zoom), and messaging applications, including ephemeral messaging. DOJ’s ECCP noted that a company’s policies governing messaging applications “should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.”
When evaluating a company’s policies on these issues, the ECCP directs that prosecutors should examine how the policies and procedures have been communicated to employees, and whether the company has enforced the policies and procedures on a regular and consistent basis in practice.
The ECCP identified the following factors:
- Communications Channels: The existing electronic communications channels used by employees to conduct business, the geographic jurisdictions where such uses are permitted, the specific business functions using each channel, the steps taken to preserve or delete such communications, and the policies applicable to such communications channels and uses.
- Policy Environment: The company’s policies and procedures in place to ensure that communications and other data are preserved, including its code of conduct, privacy, security and employment laws or policies governing the company’s access and ability to ensure security or monitor/access business-related communications.
- BYOD: If a company has a “bring your own device” program, the policies and procedures must preserve and ensure access to corporate data and communications stored on personal devices, including data contained in messaging platforms, and such policies and procedures should be enforced to permit the company to collect, store and review business communications on BYOD and messaging applications.
- Risk Management: The consequences meted out to employees who violate existing communications policies or fail to provide access to business-related communications. In addition, the impact of the company’s communications policies on its ability to conduct internal investigations or respond to government subpoenas or inquiries. The overall reasonableness of the company’s risk mitigation strategy as reflected in its electronic communications policies.
Similarly, DOJ’s Criminal Division Corporate Enforcement and Voluntary Self-Disclosure Policy (9-47.120; previously known as the FCPA Corporate Enforcement Policy) provides that, in order to receive full credit for timely and appropriate remediation beyond the credit available under the U.S. Sentencing Guidelines, the company must, among other things, demonstrate:
Appropriate retention of business records, and a prohibition against the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and messaging applications, including ephemeral messaging platforms, that may undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.
DOJ’s policy and practices considerations listed above permit companies to use ephemeral messaging systems. However, DOJ has deftly established a set of issues to weigh, applicable risks, and other potential consequences that must be addressed; it is difficult to imagine when and how companies can mitigate the attendant risks sufficiently to offset the countervailing legal and compliance risks.
In other words, it is hard to imagine when a company would balance the risks from ephemeral messaging systems against the potential benefits from such messaging systems and authorize employees to use such messaging systems.