For decades, electronic communications such as e-mail have played a central role in e-commerce and, correspondingly, in criminal corporate investigations. As technology has evolved, however, employees are increasingly making use—with or without approval by their employers—of third-party messaging applications, some of which offer “ephemeral messaging” whereby certain communications are permanently deleted after a period of time. Some examples include Snapchat, Telegram, WhatsApp, and Signal. Importantly, unlike employee use of e-mail, which normally operates on an enterprise system controlled by the company, employees using these applications use them individually and on personal devices that they are permitted to use for work.
These apps pose a serious challenge to prosecutors investigating corporate misconduct. The DOJ—seeking to update its policies to adapt to these evolving technologies and the challenges they pose to investigations—has issued proposed revised guidance to its Evaluation of Corporate Compliance Programs (ECCP). This revised guidance requires federal prosecutors to “consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications” in determining whether a corporation should be criminally charged for conduct of its employees or agents. During remarks at the ABA’s Annual National Institute on White Collar Crime in March 2023, Assistant Attorney General Kenneth A. Polite made the stakes explicit for companies whose employees are using third-party messaging apps:
During [any] investigation, if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things.
A company’s answers—or lack of answers—may very well affect the offer it receives to resolve criminal liability.
Both Polite’s statement and the revised policy make it abundantly clear that corporations will be expected to have explicit policies in place on message retention which are (1) communicated clearly to employees and (2) enforced on a consistent basis. Additionally, if asked by federal law enforcement officials, corporations should be prepared to share the contours of their policies. Notably, unlike policies on records retention and message archiving common in the financial and securities industry, these guidelines apply to any corporation or similar organization, regardless of whether it is publicly traded or closely held, and regardless of its size or headcount. The guidance lays out three factors that prosecutors will consider in evaluating the effectiveness of a corporation’s compliance program in this area:
- Communication Channels: A prosecutor may consider which electronic communication channels a company uses, which channels employees are permitted to use, and whether those channels vary by jurisdiction or business function. What mechanisms the company has put in place to preserve information and the rationale for doing so will also be subject to review.
- Policy Environment: A prosecutor will consider what policies—including retention policies, codes of conduct, and “bring your own device” (BYOD) policies—have been developed and implemented by the corporation. Here, a company will need to give serious thought to policies and procedures for the preservation of and access to corporate data and communications stored on personal devices, including data stored in third-party applications. These policies should permit the company to conduct a thorough internal investigation to identify evidence related to any employee misconduct.
- Risk Management: A company must assess whether the use of personal devices and third-party messaging apps, including ephemeral messaging apps, risks impairing the company’s internal compliance program, its ability to conduct internal investigations, or its ability to respond to inquiries from prosecutors or civil enforcement agencies. As with any compliance program enforcement, prosecutors will also want to know whether there are any consequences for employees who violate company policies and the company’s history of discipline.
Meeting DOJ’s expectations in this area will be a significant compliance challenge for many companies. Aside from crafting the required policies and conducting periodic assessments to identify any compliance gaps across a range of technologies, devices, and use cases, companies may very well encounter employees who are resistant to certain operational changes and the prospect of having their personal devices examined in the event of an internal investigation. Notwithstanding these challenges, the message to companies from DOJ is clear: Failure to effectively manage third-party apps and personal devices may come at a huge cost when it comes time for a prosecutor to assess a corporation’s criminal liability. Companies should also expect that other federal and state agencies with civil enforcement authority will be looking at the very same issues and updating their policies accordingly. Against this backdrop, it is incumbent upon corporations to analyze and assess their policies (or lack thereof) surrounding employee messaging apps and how data is preserved, stored, and accessed using those tools.
Note from the Editor: The Federalist Society takes no positions on particular legal and public policy matters. Any expressions of opinion are those of the author. We welcome responses to the views presented here. To join the debate, please email us at [email protected].