On Friday, March 3, 2023, the DOJ released its updated Evaluation of Corporate Compliance Programs, which included new guidance on ephemeral messaging platforms and other issues. This new guidance was released contemporaneously with Assistant Attorney General Kenneth A. Polite, Jr.’s (‘Polite”) speech at the American Bar Association’s (“ABA”) 38th Annual National Institute on White Collar Crime.[1] DOJ acknowledged the value of ephemeral messaging platforms to businesses, consistent with their evolution on these and other matters involving technology and technological advances in the workplace. Going forward, Companies will be expected to tailor policies to their risk profiles and specific business needs. They are also expected to ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation, even as it relates to communications made by third party vendors and other agents of the company.
The Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) have recently shown increased interest in this area by launching probes retention of employee communications made via ephemeral messaging platforms at large financial institutions. Several institutions reached settlements to pay approximately $1.8 billion in civil penalties in late 2022. Another agreed to pay $200 million in 2021.
In recent years, DOJ has relaxed its prior stance outright prohibiting use of ephemeral messaging platforms, but it had not previously offered concrete guidelines for their use. DOJ’s Justice Manual only mentions implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms as requirements for receiving cooperation credit in FCPA matters.[2]
Similarly, in her September 15, 2022 memorandum concerning revisions to DOJ’s corporate criminal enforcement policies, Deputy Attorney General Lisa Monaco (“Monaco”) reiterated a general rule that all corporations with robust compliance programs should:
- have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications;
- provide clear training to employees about such policies; and
- enforce such policies when violations are identified.[3]
The spirit of this rule (and the most helpful guidance for companies at that time) was highlighted in Monaco’s instructions to prosecutors to consider whether a corporation seeking cooperation credit has instituted policies to ensure it will be able to collect and provide to the government all non-privileged responsive documents relevant to the investigation, including work-related communications (e.g. , texts, e-messages, or chats), and data contained on phones, tablets, or other devices that are used by its employees for business purposes.
Monaco announced then that she asked the Criminal Division to further study best corporate practices regarding use of personal devices and third-party messaging platforms for the next edition of DOJ’s Evaluation of Corporate Compliance Programs (last updated in June 2020). In the second half of 2022, DOJ hired two former in-house compliance attorneys to top positions within the DOJ’s fraud section.[4] Glenn Leon was hired as the head of the fraud section, after previously serving as the chief compliance officer at Hewlett Packard Enterprise Company. Matt Galvin, former global compliance chief at Anheuser-Busch InBev SA, was also hired to be the fraud section’s resident expert on compliance and data, specifically to advise federal prosecutors on corporate compliance policies. These hires demonstrated a marked shift in DOJ’s focus in this area, and further evidence that data analytics and modern technological advances would be meaningfully integrated into DOJ’s investigation techniques.
Prosecutors are now directed to “consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications,” when evaluating corporate compliance programs. Prosecutors should also consider how policies are communicated to employees, and whether the company regularly and consistently enforces them. In conducting their evaluations, prosecutors will evaluate compliance with the following factors:
- Communication channels – This includes the communication methods used or allowed to be used by the company and its employees, as well as how those vary for different jurisdictions and business functions. Companies are expected to have in place mechanisms and policies to preserve information existing in all communication channels. Companies should consider appropriate deletion settings and have a strong rationale for the policies and settings they choose.
- Policy environment – This includes policies regarding device replacement and data retention, as well as codes of conduct and other security-related policies. In particular, companies with a bring your own device (“BYOD”) policy should implement and have a strong rationale for effective policies governing preservation of and company access to data on employee-owned devices or transfer of such data to company-owned systems. Prosecutors will also expect consistent enforcement of those policies.
- Risk management – Perhaps most importantly, a company’s approach to managing communications must be reasonable in the context of the company’s risk profile and business needs. Companies must discipline employees who refuse to provide required access or who otherwise violate policies. Companies must ensure that use of personal devices or ephemeral messaging does not compromise compliance programs or the ability to conduct internal investigations or respond to regulatory or enforcement inquiries.
While the exact standard that companies must meet remains unclear and will likely continue to evolve, the DOJ’s new guidance clearly recognizes there is no one size fits all solution for preserving communications, and it provides companies and compliance counsel with many helpful factors to consider in implementing and enforcing policies governing ephemeral messaging. Ultimately, companies should take a risk-based approach to implementing and enforcing strong, well-reasoned policies to ensure that relevant communications and information are preserved and can be produced in the event of a regulatory or enforcement inquiry.
[1] https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-keynote-aba-s-38th-annual-national.
[2] JM 9-47.120 (3)(c).
[3] Memorandum from Lisa Monaco, Deputy Attorney General, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group (Sep. 15, 2022) (available at https://www.justice.gov/opa/speech/file/1535301/download).
[4] https://www.wsj.com/articles/justice-department-recruits-ab-inbev-data-expert-to-white-collar-crime-force-11662659234.