Preserving Data from Personal Devices and Third-Party Messaging Platforms – What Companies Need to Know
Deputy Attorney General (DAG) Lisa Monaco’s September 15, 2022, memorandum on revisions to the Department of Justice’s (DOJ) Corporate Enforcement Policies (the Monaco Memo) reflects that preservation of business communications is a significant factor in DOJ’s evaluation of corporate compliance programs and resolutions of criminal liability. The modern workforce increasingly relies on personal devices and third-party messaging platforms for business communications, and companies need to develop and implement comprehensive policies and procedures that address where such communications are stored and ensure that the communications can be accessed and preserved appropriately.
Recent DOJ enforcement actions and policy speeches by DOJ leadership demonstrate DOJ’s concern that corporate employees may be using personal devices and third-party messaging applications to engage in misconduct. Such communications often are outside company control, making it difficult to prevent and detect any such misconduct. DOJ’s inclusion of a section on the use of personal devices and third-party applications in the Monaco Memo reflects that DOJ intends to scrutinize whether companies have ensured that data from personal devices and messaging platforms is preserved for compliance and investigations.
To evaluate a compliance program as part of a potential corporate criminal resolution, DOJ prosecutors are directed by the Monaco Memo to consider whether the company “has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.”[1] DOJ considers whether a company’s compliance program includes the following three fundamental elements: (1) “effective policies,” (2) “clear training to employees about such policies,” and (3) enforcement when policy violations are identified. The Monaco Memo further provides that, for a company to receive cooperation credit, its policies need to “ensure that [a company] will be able to collect and provide to the government all non-privileged responsive documents relevant to [an] investigation, including work-related communications (e.g., texts, e-messages, or chats), and data contained on phones, tablets, or other devices.”[2] It also directs DOJ’s Criminal Division to “further study best corporate practices” and “incorporate the product of that effort into the next addition of its Evaluation of Corporate Compliance Programs.”[3]
DOJ’s concern about corporate retention of business communications on personal devices and applications is not a new phenomenon. In November 2017, DOJ issued its Foreign Corrupt Practices Act (FCPA) corporate enforcement policy, which initially required companies to “prohibit[] employees from using software that generates but does not appropriately retain business records or communications” in order to receive full cooperation credit. In May 2018, the Chief of DOJ’s FCPA Unit informed companies not to “expect full cooperation [credit] if there are no records of the misconduct.” Following concern from the business and legal communities that the prohibition was unworkable, DOJ revised its stance in March 2019, amending the FCPA corporate enforcement policy to require that companies “implement[] appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.” The Monaco Memo expands on this more measured and nuanced approach.
The Monaco Memo’s focus on preserving business communications follows similar pronouncements from federal regulators. The Securities and Exchange Commission (SEC), for example, explicitly has stated that it will ask courts for adverse inferences or other relief against a company under investigation that failed to preserve evidence. The Commodity Futures Trading Commission (CFTC) likewise recently delivered “a zero-tolerance message” that CFTC would not allow financial institutions to undermine its enforcement efforts by obfuscating or deleting communications relating to trading activity.
Failure to implement sufficient policies and protocols could result in significant penalties. In September 2022, the SEC announced $1.1 billion in fines against 16 financial institutions to resolve investigations over employees’ use of third-party messaging applications to conduct business, in violation of SEC Rule 17a-4(b)(4), which requires preservation of written communications. The CFTC also announced settlements for related conduct that violated provisions of the Commodity Exchange Act. In these settlements, the CFTC found that those firms failed to supervise and stop employees from using off-channel business communications notwithstanding preservation requirements. Although both the SEC and CFTC resolutions were based on specific preservation requirements for regulated entities, the matters nevertheless reflect enforcement agency concerns that companies are not appropriately addressing new technologies that allow employees to communicate outside of the corporate environment.
In compliance with the Monaco Memo, companies need to implement policies governing personal devices and third-party messaging platforms for corporate communications, provide training to employees about such policies, and enforce the policies when violations are identified. The Monaco Memo also requires companies that seek cooperation credit to implement policies that allow them to collect and produce to the government work-related communications and other data contained on phones, tablets, or other devices that are used by employees for business purposes.
In view of the Monaco Memo, companies should revisit their personal device and messaging application policies and make necessary adjustments, including considering how to monitor employee compliance. To do so, companies should consider taking the following actions: (1) conduct a risk assessment, (2) consider enhancing policies and procedures in a manner that complies with regulatory requirements and reflects the realities of how employees communicate, (3) implement effective employee training, and (4) establish sufficient monitoring and enforcement.
To evaluate whether revisions to policies and procedures are warranted, companies should begin by conducting a risk assessment. The risk assessment should be designed to (1) evaluate how employees actually communicate in the course of their work, including whether employees are using ephemeral messaging platforms; (2) assess whether existing policies and procedures are responsive to the ways in which employees communicate; (3) identify any control gaps that must be addressed so that business data is preserved and can be collected; and (4) assess whether technological fixes are available to ensure retention of business communications (e.g., adopting enterprise versions of popular third-party messaging platforms, implementing tech solutions that give companies access to business interactions on a range of mobile messaging applications, or turning off auto-delete functionality).
An updated risk assessment is particularly important given the increased use of personal devices and messaging applications since the onset of the COVID-19 pandemic and the evolving communication patterns of employees in hybrid workplaces.
Based upon a risk assessment, companies should consider updating and enhancing their policies and procedures to meet applicable regulatory requirements and the realities of how employees communicate. There is no one-size-fits-all solution, and a company’s compliance program should be tailored to its business practices and applicable regulatory requirements. Companies should consider their ability to access employee personal devices, including via mobile device management (MDM) solutions, and reevaluate “bring your own device” (BYOD) policies to ensure effective compliance. As discussed above, they also need to consider ephemeral messaging applications that may complicate an organization’s ability to preserve communications.
Companies, such as financial institutions, that are subject to strict preservation requirements by regulators may decide to prohibit all business communications on personal devices and third-party messaging platforms. But, even companies that impose such prohibitions cannot ignore that employees may not abide by such prohibitions and that it may not be realistic to eliminate all business communications on personal devices and messaging applications. Instead, it is a better practice, as suggested in the Monaco Memo, to take appropriate and practical steps to access, monitor, and collect off-channel business communications. To do so, companies may wish to consider taking one or more of the following actions:
BYOD policies that permit employees to use their personal devices for work should be reevaluated and enhanced to meet DOJ’s and regulators’ express expectations. For example, companies should impose data retention requirements; specify which data the company may access, monitor, and retain; and provide a means to ensure employer access and retention. Companies should be thoughtful about the contours of BYOD policies and consider whether a BYOD policy may not be appropriate for certain categories of executives and other employees whose communications could draw regulatory or government scrutiny. As part of a BYOD policy, a company may decide to mandate, as a condition of using personal devices for work, that employees consent to the company’s collection of business-related data from those devices, subject to applicable privacy laws.
Under the Monaco Memo, companies need to train employees on the contours of corporate policies and procedures and regulatory requirements and instruct them on how to preserve business-related communications. Companies generally should train employees when they are onboarded and develop a risk-based approach to refresher training. Companies also should maintain detailed written training records, which can be of particular importance when discussing the sufficiency of the corporate compliance efforts with DOJ and other agencies.
The Monaco Memo states that companies should enforce violations of personal device and third-party messaging application policies when detected, but it does not explain how companies should detect such violations. DOJ’s position likely reflects its acknowledgment that corporate approaches to enforcement will vary based upon their business practices. For example, a company that does business in countries where third-party messaging applications are ubiquitous faces greater risk than a non-regulated company that does business in countries where the business community has not yet adopted such applications. In any event, although the Monaco Memo does not expressly discuss monitoring, companies should explore ways to monitor or audit off-channel communications and potential data loss to ensure effective enforcement, including by conducting “spot” audits of employees.
If a violation is detected, companies should take appropriate remedial steps, including employee discipline or more systemic responses such as those discussed above.
The Monaco Memo encourages companies to take a proactive approach to ensuring that personal devices and third-party applications are not used for inappropriate communications and that company data generated on such platforms is preserved, including for compliance and investigations. The touchstone for companies is to devise and implement a practical, good-faith program designed to reduce risk and ensure compliance. Failing to do so may draw enhanced government scrutiny as well as negatively impact a company’s ability to obtain cooperation credit from the federal government.
[1] https://www.justice.gov/opa/speech/file/1535301/download at 11.
[2] Ibid.
[3] Ibid.