Messaging Applications - Can You Hear Me Now?
In its revised Evaluation of Corporate Compliance Programs, issued in March 2023 and meant to promote compliance, the Department of Justice (“DOJ”) includes specific requirements to close the gap in the preservation and availability of information within messaging applications (e.g., text messages and third-party instant messaging applications such as Teams, Slack, WhatsApp, and more).
The DOJ's interest in messaging apps was first stated in a September 2022 memorandum on Corporate Criminal Enforcement Policies penned by Deputy Attorney General Lisa Monaco.
Today the DOJ is focusing on whether the company maintains policies and procedures governing personal devices, communications platforms, and messaging applications. Chiefly, is the information preserved and available for review?
Remember, the Securities and Exchange Commission (“SEC”) has long prohibited the use of messaging applications by certain securities dealers. Still, the DOJ has lacked a formal policy regarding companies’ use of such applications.
In reviewing these policies, the DOJ is demanding that companies tailor their communications data policies to the specific risk profile and needs of the business, then manage and preserve the information contained within each electronic communication channel.
Beyond such policies and procedures, companies must demonstrate that they have communicated and enforced them.
Companies must consider the following:
The communications channels available for use by the business and what specific channels have been authorized;
The policies and procedures that apply to preserve communications data, including the company’s code of conduct, privacy, security, and employment policies that govern access to and preservation of company communications; and,
The consequences for employees who violate the company communications and data preservation policies, the impact that such non-compliance has had (or could have) on a company’s ability to conduct a thorough investigation of potential misconduct, and the overall risk profile for the company given the company’s business communications needs and practices and its overall risks.
For each available communications channel, the company has to document how it will manage and preserve information on that channel, what preservation or deletion settings have been implemented, and the reasons for each applicable setting.
As to the company’s policies and procedures, the DOJ expects companies to address data preservation requirements, especially for any BYOD program.
Given the popularity of BYOD and messaging programs for business communications purposes, the company has to ensure adequate attention to data preservation and access to such communications data. Companies must enforce these provisions, preserve access to the data to review when necessary, and maintain business data generated by employees.
If the company requires employees to transfer the data to a record-keeping system, such transfers must be conducted regularly, consistent with its stated policies and requirements. Any restriction or exception to the data preservation policy has to be stated, and the justification for such an exception has to be documented and explained.
Can you hear me now? Well, if not, remember that, in evaluating a corporation’s policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law, prosecutors will be considering the corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications. So be prepared, because the “improper destruction or deletion of business records” is more than likely going to be problematic.
Always feel free to reach out to me for help with any of your governance, risk, or compliance concerns.
Source: DOJ ECCP March 2023