In light of the DOJ's most recent guidance on the use of personal devices and third-party messaging applications by corporate personnel, this White Paper addresses issues and challenges that companies are facing in this area and offers guidance on whether, and how, to update relevant corporate policies, procedures, and systems. The ubiquitous use of mobile devices and messaging applications to conduct company business, and the DOJ's heightened focus on the preservation of and access to data from these sources, make it important to consider, among other things, potential technological solutions for increasing control over corporate data generated by use of messaging platforms and stored on mobile devices, related training, and effective preparation for possible data collection.

INTRODUCTION

Earlier this year, the U.S. Department of Justice's Criminal Division ("DOJ") released updated corporate compliance program guidance,[1] including enhanced guidance on the use of personal mobile devices and third-party messaging platforms by employees to conduct company business. DOJ's updates in this area are, in many ways, an unsurprising reaction to what has become a pervasive use of mobile devices and messaging applications (or "apps") to conduct business in the United States and around the world. Because of the frequency and informality with which these communication channels are used, they are often one of the first areas of focus for companies, as well as for DOJ and other enforcement agencies, when conducting investigations into suspected misconduct.

DOJ recognizes that these communications are often critical to a company's internal investigations or compliance reviews and, of course, to DOJ's own investigations. Thus, the goal, from DOJ's perspective, is that companies have effective policies and procedures in place to "ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company,"[2] even when the data and communications reside on an employee's personal device or in a third-party messaging app.

Companies face practical challenges to ensuring the preservation of these electronic communications, both from a policy and technological perspective. Notably, DOJ does not provide prescriptive guidance nor does it advocate a one-size-fits-all approach; instead, DOJ counsels that policies "should be tailored to the corporation's risk profile and specific business needs."[3] As a result, companies implementing the DOJ guidance should not merely adopt an off-the-shelf, generic policy, but should instead assess their own needs and risks, depending on their business model and activities, the industries in which they operate, and the jurisdictions where they do business.

This White Paper considers the issues and challenges that companies are facing in determining how to address the pervasive use of personal mobile devices and third-party messaging platforms to conduct company business, and offers perspectives on deciding whether, and how, to make relevant changes, particularly in light of the DOJ guidance. Following a review of the guidance and tips for assessing a company's current electronic communication landscape, this White Paper addresses the considerations surrounding corporate policy updates; potential technological solutions for increasing control over corporate data generated by use of messaging platforms and stored on mobile devices; related training; and preparation for possible data collection and review.

DOJ GUIDANCE AND RELEVANT ENFORCEMENT ACTIONS

History of DOJ Guidance on Personal Devices and Third-Party Messaging Apps

Reflecting the ever-changing realities of technology and mobile device use in the modern workplace, DOJ's guidance related to personal devices and messaging apps has evolved significantly in recent years—from encouraging outright prohibition of ephemeral messaging apps to offering a more nuanced and risk-based approach. 

In November 2017, DOJ announced a then-new FCPA Corporate Enforcement Policy requiring companies to prohibit their employees from "using software that generates but does not appropriately retain business records or communications" in order to obtain full remediation credit in FCPA matters.[4] But in March 2019, after pushback from the business community, DOJ modified the policy to remove the suggested ban on ephemeral communications. Instead, DOJ required companies seeking remediation credit to ensure the "[a]ppropriate retention of business records" and to implement "appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company's ability to appropriately retain business records or communications or otherwise comply with the company's document retention policies or legal obligations."[5]

In September 2022, DOJ extended its guidance addressing ephemeral messaging and electronic communications beyond the FCPA Corporate Enforcement Policy, announcing that "all corporations with robust compliance programs should have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, should provide clear training to employees about such policies, and should enforce such policies when violations are identified."[6] DOJ also emphasized that whether a corporation had instituted policies allowing it to collect and provide all relevant, non-privileged documents, including those stored on personal mobile devices used for business, would be an important factor in assessing a company's cooperation credit.[7]

Then, in March 2023, DOJ updated its Evaluation of Corporate Compliance Programs ("ECCP")[8] to include more detail regarding how prosecutors will evaluate whether a company has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms. DOJ emphasized that the policies and procedures should be tailored to the company's risk profile and outlined a number of factors to be considered, as detailed below.

Factors Used by DOJ to Assess Compliance Programs

Included in the ECCP[9] are the factors DOJ prosecutors are instructed to consider in assessing a company's compliance program in the context of any corporate investigation. Prosecutors are directed to use the ECCP in making informed decisions as to whether, and to what extent, the corporation's compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (i) form of any resolution; (ii) monetary penalty, if any; and (iii) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).[10] Regarding electronic communications, the guidance directs prosecutors to consider "a corporation's policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications" in determining whether to bring charges or in assessing an appropriate corporate resolution.[11] The guidance reflects DOJ's view that an effective compliance program is, in part, reliant on the corporation having mechanisms in place to allow for meaningful preservation, collection, and review of business communications for compliance-related purposes, regardless of whether those communications reside on company-owned devices or applications controlled by the company.

The factors that DOJ directs prosecutors to consider fall into three general categories—(i) the communication channels used by the company and its employees; (ii) the relevant policy environment; and (iii) risk-management considerations. In particular, the guidance suggests that a prosecutor's evaluation of these issues should include:

Communication Channels. What electronic communication channels do the company and its employees use, or allow to be used, to conduct business? How does that practice vary by jurisdiction and business function, and why? What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels? What preservation or deletion settings are available to each employee under each communication channel, and what do the company's policies require with respect to each? What is the rationale for the company's approach to determining which communication channels and settings are permitted?

Policy Environment. What policies and procedures are in place to ensure that communications and other data is preserved from devices that are replaced? What are the relevant code of conduct, privacy, security, and employment laws or policies that govern the organization's ability to ensure security or monitor/access business-related communications? If the company has a "bring your own device" ("BYOD") program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices—including data contained within messaging platforms—and what is the rationale behind those policies? How have the company's data retention and business conduct policies been applied and enforced with respect to personal devices and messaging applications? Do the organization's policies permit the company to review business communications on BYOD and/or messaging applications? What exceptions or limitations to these policies have been permitted by the organization? If the company has a policy regarding whether employees should transfer messages, data, and information from private phones or messaging applications onto company record-keeping systems in order to preserve and retain them, is it being followed in practice, and how is it enforced?

Risk Management. What are the consequences for employees who refuse the company access to company communications? Has the company ever exercised these rights? Has the company disciplined employees who fail to comply with the policy or the requirement that they give the company access to these communications? Has the use of personal devices or messaging applications—including ephemeral messaging applications—impaired in any way the organization's compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies? How does the organization manage security and exercise control over the communication channels used to conduct the organization's affairs? Is the organization's approach to permitting and managing communication channels, including BYOD and messaging applications, reasonable in the context of the company's business needs and risk profile?[12]

Footnotes

1. Jones Day, DOJ Updates Corporate Compliance Program Guidance and Announces New Policy Initiatives and Enforcement Resources (March 2023); U.S. Dep't of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (March 2023).

2. U.S. Dep't of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, 17 (March 2023).

3. Id.

4. U.S. Dep't of Justice, United States Attorneys' Manual § 9-47.120(3)(c) (2017).

5. U.S. Dep't of Justice, Justice Manual § 9-47.120(3)(c) (March 2019).

6. Lisa Monaco, U.S. Dep't of Justice, Memorandum, 11 (Sept. 15, 2022) [hereinafter "Monaco Memorandum"].

7. See Monaco Memorandum at 11; Marshall Miller, Principal Associate Deputy Attorney General, U.S. Dep't of Justice, Keynote Address at Global Investigations Review (Sept. 20, 2022).

8. U.S. Dep't of Justice, Evaluation of Corporate Compliance Programs, supra note 2.

9. Id.

10. Id. at 1.

11. Id. at 17.

12. Id. at 17-18.