Now is the time to upgrade your records retention and communications policies
The law, and law enforcement, tend to lag behind technology. Indeed, as businesses innovate, their use of technology may outpace even their own policies. For many companies, this imbalance is one more part of doing business.
But recent SEC enforcement actions and DOJ guidance signal that now is the time for businesses, especially those with operations around the globe, to take a hard look at their compliance, communications, and records retention policies. Companies should be ensuring that these policies:
- are consistent with the actual use of technology within their workforce
- are consistent with regulatory and Department of Justice policies governing record retention of communications, and
- put the company in the best position to cooperate with any law enforcement or regulatory inquiry and provide the communications necessary to qualify for such cooperation.
DOJ and SEC enforcement policy expectations
In 2017, the Department of Justice (DOJ) issued its FCPA Corporate Enforcement Policy setting forth the steps that any business organization must take in order to achieve full credit for cooperation and remediation during the course of an FCPA investigation.
The factors which the DOJ takes into consideration when deciding whether to charge a company in a bribery investigation include 1) timely self-reporting; 2) cooperating with investigations; and 3) implementing rigorous compliance programs.
At the time it was issued, the policy included, as a part of the timely and appropriate remediation factor, a requirement that a company must have a policy “prohibiting employees from using software that generates but does not appropriately retain business records or communications” in order to receive full remediation credit. USAM Insert 9-47.120 – FCPA Corporate Enforcement Policy (November 29, 2017). This arguably prohibited the use of personal and ephemeral messaging services, such as text messages, WhatsApp, WeChat, and other messaging platforms.
In 2019, DOJ relaxed the Policy slightly to require companies seeking cooperation credit to implement “appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company's ability to appropriately retain business records or communications or otherwise comply with the company's document retention policies or legal obligations.” JM 9-47.120(3)(c) – FCPA Corporate Enforcement Policy. This policy gave companies a new choice: either prohibit use of these communications platforms entirely as the 2017 Policy envisioned or allow use of personal and ephemeral messaging platforms among the workforce but create a policy which would ensure that these communications were retained as any other business record would be.
US regulators sharpen their focus
Since the 2019 amendment was issued, the availability of such records was no doubt considered by the SEC and DOJ in settling various investigations, but there had been no sign that law enforcement or regulatory authorities were treating the retention of these documents as an issue in and of itself. In the last year, however, things have changed. Regulators – particularly the SEC – have started to indicate that the retention of personal and ephemeral messages is an issue to which companies must pay close attention, and they have entered into various settlements reflecting the importance of maintaining adequate records, including records of personal and ephemeral messaging platforms.
Additionally, in September 2022, the DOJ issued a memo titled “Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group” (sometimes called the Monaco Memo). In this memo, the DOJ explicitly noted that “[a]s part of evaluating a corporation's policies and mechanisms for identifying, reporting, investigating, and remediating potential violations of law, prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.”
The Monaco Memo went on to say that corporations with robust compliance programs “should have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, should provide clear training to employees about such policies, and should enforce such policies when violations are identified.” Prosecutors were also instructed to consider such policies and effective retention when considering cooperation credit for companies. And, most recently, Acting Principal Deputy Assistant Attorney General Nicole Argentieri stated that the DOJ is considering issuing new guidance to prosecutors regarding how to evaluate businesses’ compensation structures and use of ephemeral messaging apps.
Companies that do not take steps to ensure that they have policies and procedures in place to maintain and preserve written communications regarding business matters – including communications made via text message, personal email accounts, and ephemeral messaging platforms – now risk heightened scrutiny, an inability to cooperate fully in criminal investigations, and substantial fines.
The SEC’s enforcement focus thus far has been on the obligations of financial institutions to preserve records under securities laws. But all global and public companies should see these settlements as signaling a new trend in enforcement, and companies should expect that the focus on the proper retention of personal and ephemeral messages will only increase over time. And the DOJ has now made it explicit that the retention of such records may impact a company’s ability to successfully navigate a criminal investigation.
This suggests that companies should see this enforcement trend as an opportunity to enhance their retention, communications and compliance policies.
Keep these factors in mind
- Compliance and policy considerations: Companies will need to take numerous concerns into account when amending their compliance policies to meet their recordkeeping obligations. Among them:
  - Types of messaging platforms allowed by company policy: Each company will need to determine what types of messaging it will permit its employees to use for business communications. This question may have practical and geographic elements. For example, employees in certain countries may tend to use WeChat, while employees in other countries are partial to WhatsApp. Additionally, companies need to be aware of what types of messaging platforms are already being used by their employees in order to capture these platforms in any policies. A comprehensive global compliance policy needs to account for these considerations and be tailored to the existing behavior of the workforce.
  - Vendor/agent compliance: As in companies’ other compliance policies (i.e., FCPA, AML, OFAC), companies will need to ensure that their vendors, agents and other third parties are contractually required to maintain records consistent with the expectations of US regulators. Also, consider including specific provisions in higher-risk third-party contracts that provide you with access to these records, whether through audit rights or similar provisions.
  - Training: Companies will need to devote time and resources to ensuring their employees are properly trained on new retention policies and that employees understand their obligations under these policies.
- Technological considerations: Companies need to make numerous technological decisions when deciding how best to retain messages sent between employees.
  - Company-issued cell phones vs. business use of personal phones: Most companies allow their employees to use their own personal devices for business purposes, and companies will often offer a stipend to employees toward their phone bills. While this model is efficient and places less stress on a company’s internal IT infrastructure, it also gives the company less control over its employees’ devices. The process of collecting or retaining business-related messages on employees’ personal devices can consume a lot of time and resources. Simply separating personal communications from business communications is resource intensive. To determine the most sensible approach for your company, weigh the costs and benefits of a bring-your-own-device model against the upgrades to your records retention and IT systems that such a model will necessitate.
  - Mechanisms to archive electronic communications: Determining the most effective ways to archive personal and ephemeral communications requires research and due diligence on your part. There are technology vendors who offer automated solutions for archiving and monitoring electronic communications, including encrypted communication platforms such as WhatsApp, WeChat, Telegram, and Signal. Companies must decide whether it would be better to employ such vendors or to build a retention policy into the existing IT system.
- Local law considerations: Companies need to ensure that any alterations they make to their policies with regard to the retention of personal and ephemeral communications are sufficient to satisfy the expectations of US authorities while remaining in compliance with the laws of the localities where they conduct business.
  - Data privacy laws: Various countries have developed data privacy laws which increasingly focus on limiting the amount of data that is processed and stored for individuals. When creating compliance policies for a global company, ensure that any such policy will abide by and apply to the local data privacy laws for all jurisdictions where the company has employees. Below are just two examples of data privacy laws companies with a global reach may have to consider:
    - General Data Protection Regulation: Under the European Union’s GDPR, employees gained additional rights to exert control over their personal data. The GDPR applies to the data of any person residing in the EU. Any policies regarding the retention and storage of employee data for employees located in the EU must account for the rights guaranteed by the GDPR. This means that any company with any employees (or contractors) in the EU has to consider the GDPR when processing or controlling data. The main principles relating to the processing of personal data under the GDPR are that data should be 1) processed lawfully and transparently; 2) collected for specified and legitimate purposes; 3) limited to what is necessary for processing; 4) accurate and updated frequently to ensure accuracy; 5) limited in the way it is stored; and 6) processed in a way that ensures security.
    - Brazilian Data Protection Law: The LGPD, like the GDPR, imposes strict requirements on data controllers and processors. It established rules for the collection, use, processing, and storage of data. Under the LGPD, employers have minimal access to employees’ personal communications and messaging.
  - Employment laws: Employment law and employee protections differ vastly across jurisdictions. To create a successful compliance policy which addresses the use and retention of personal and ephemeral messaging of employees, companies need to be aware of the limitations they may face under the employment laws of the jurisdictions where their employees sit. For example, certain countries may not allow a company to terminate an employee for cause if the employee refuses to turn over a personal device, or a local law may require that the company pay certain amounts of severance for terminations related to these issues. Companies will need to consider the best way to incorporate these local employment issues into a comprehensive global compliance policy.
Companies face a myriad of questions when creating and implementing a comprehensive compliance and technology policy which will appropriately police and retain personal and ephemeral messages sent among employees. Recent SEC settlement activity suggests that we are now at a critical inflection point. The SEC is signaling that the expectations of law enforcement and regulators regarding document retention for personal messaging systems are changing.
In order to avoid prosecution on this basis alone or to gain cooperation credit when facing government investigations on other grounds, companies must re-evaluate their approach to employee communications. Gone are the days when companies can ignore the likelihood that their employees are using text messages, WhatsApp messages, personal emails, and other messaging systems to conduct business. The time has come for companies to analyze their current policies and ensure that they no longer lag behind the technology which drives the global business world today.