Updated DOJ Guidance on Devices and Ephemeral Messaging
On March 3, 2023, the Department of Justice (“DOJ”) issued long-awaited guidelines on how it will evaluate whether companies have implemented appropriate guidance and controls on the use of personal devices and third-party and ephemeral messaging platforms. That guidance allows for a fact-specific analysis rather than hard and fast rules — a welcome approach in this ubiquitous and ever-changing field. Yet the DOJ’s advice comes with a warning.
In recent public remarks, Assistant Attorney General (“AAG”) Kenneth A. Polite, Jr. forewarned that when the DOJ requests business communications from a company under investigation, it means all business communications, including those conducted outside official email channels, and “[the] company’s answers — or lack of answers — may very well affect the offer it receives to resolve criminal liability. So when crisis hits, let this be top of mind.”
In 2017, as ephemeral messaging applications grew in popularity, the DOJ revised its Foreign Corrupt Practices Act (“FCPA”) Corporate Enforcement Policy to provide that companies seeking “full credit for timely and appropriate remediation” would need to “prohibit employees from using software that generates but does not appropriately retain business records or communications.”
Two years later, following continued growth in the use of these platforms, the DOJ stepped back from that hardline stance. Rather than requiring a blanket prohibition on the use of third-party and ephemeral messaging applications, the DOJ’s 2019 revisions to its “Justice Manual” provided that companies should “implement appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms.” Similarly, in 2022, Deputy Attorney General Lisa O. Monaco issued a memorandum directing prosecutors evaluating “a corporation’s policies and mechanisms for identifying, reporting, investigating, and remediating potential violations of law” to consider “whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.” A company’s failure to prohibit ephemeral messaging would not be dispositive; instead, the Justice Manual would look to a company’s efforts to preserve the necessary data. Both in 2019 and 2022, however, the DOJ neglected to provide any guidance on how corporate compliance would be evaluated.
That guidance has now arrived. In a March 2023 keynote speech at the American Bar Association’s 38th Annual National Institute on White Collar Crime, AAG Polite introduced updates to the DOJ Criminal Division’s Evaluation of Corporate Compliance Programs (“ECCP”), including three factors that call for the evaluation of a company’s (1) communication channels, (2) policy environment, and (3) risk management protocols.
The DOJ has provided examples of the types of inquiries that will guide prosecutors in the evaluation of each factor:
(1) Electronic Communication Channels (“ECCs”). When a company permits the use of ECCs, how were its decisions affected by applicable laws and business functions? Has the company implemented mechanisms to preserve information within each ECC? Has the company implemented preservation or deletion settings in accordance with its policies for each type of employee? What rationale underlies each of those decisions?
(2) Policy Environment. Has the company implemented policies and procedures to preserve communications and data when devices are replaced? How is the company’s ability to secure, monitor, or access business communications affected by applicable laws or policies? If the company allows the use of personal devices, what are its access and preservation policies for corporate data and communications on those devices — including data in messaging platforms?
(3) Risk Management. Does a company’s policy provide disciplinary consequences for employees who refuse to follow company data retention and preservation policies or to provide access to business communications? Has the company ever exercised those rights? Is the company’s approach to ECCs, including permitting and managing the use of personal devices and messaging applications, reasonable, given its business needs and risk profile?
Notably, on three separate occasions, Polite emphasized that these factors would be used to make “individualized determination[s].” He explicitly disavowed the use of “any one formula to assess the effectiveness of corporate compliance programs,” or any “box-checking” exercises, and recognized that “each company’s risk profile and solutions to reduce its risks warrant particularized evaluation.” Accordingly, one of the DOJ’s central inquiries will be whether a company’s “[p]olicies governing [such] applications [are] tailored to [its] risk profile and specific business needs.”
This guidance stands in contrast to the approach of other agencies, like the SEC, which have maintained a hardline stance against the use of ephemeral messaging.[1] Their stance is rooted in the perception that such applications interfere with government investigations by preventing the preservation and retention of communications that may provide the only direct evidence of fraud and illegality. The DOJ instead recognizes that “the use of these services is ubiquitous,” and that it must “adapt to the realities of modern life” and “update [its] policies and practices accordingly.”
But the DOJ’s approach may not amount to leniency. The DOJ emphasizes that a company’s failure to produce communications from ephemeral messaging applications will not be “accept[ed] . . . at face value.” Instead, prosecutors will ask about the “company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things.”
Although it is unclear exactly how the DOJ will make this assessment within the novel field of data retention and preservation, some clues can be drawn from other “risk- and industry-tailored” compliance regimes. For instance, as to FCPA compliance, the DOJ has previously indicated it will give “meaningful credit” to companies that implement in good faith a “comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.”[2] As an illustration, the DOJ has suggested that companies should be more concerned with a “$50 million contract with a government agency in a high-risk country” than “modest and routine gifts and entertainment.” Future enforcement actions will offer insight into what the DOJ considers to be sufficient data retention for a given industry.
There is likely to be some cross-over in the factors to be considered when implementing a risk-based FCPA compliance program and those that apply to a regime of data retention and preservation compliance. For instance, when constructing a business-specific risk profile, companies should consider the specific “countr[ies]” they operate within, which subjects them to a patchwork of laws and policies that could affect their ability to control, access, preserve, and retain data. Companies should also consider any risks inherent to their “industry sector,” as well as the degree of “government regulation and oversight” they are likely to face.
It remains to be seen how other agencies will adapt their guidelines (or strict rules) relating to the use of ephemeral messaging for business communications. But one thing is certain: messaging apps are here to stay in many lines of business, and oftentimes it is the clients and customers who initiate communications in that form. Despite the SEC’s continued hardline stance, companies would serve themselves and their stakeholders well by making honest inquiries into how their employees and customers communicate and by developing document retention and search capabilities that take those realities into account. At the end of the day, the SEC, DOJ, and other agencies have all made it clear that whatever form business communications take, companies have an obligation to monitor and preserve them.
[1] Rebecca Fike, Jake Beach, and Jacob Mathew, Don’t Forget the G: After Years of “Environmental” and “Social” Regulations and Enforcement, the SEC’s Recent Priorities Demonstrate a Focus on “Governance,” Vinson & Elkins (Nov. 4, 2022), https://bit.ly/3jRwY8D.
[2] A Resource Guide to the U.S. Foreign Corrupt Practices Act (2d ed.), Dep’t of Just. & Sec. and Exch. Comm’n (July 2020), https://bit.ly/3J5jDCm.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.