DOJ Releases Guidance on Corporate Practices Concerning Employees’ Use of Personal Devices, Communications Platforms, and Messaging Applications

On March 3, the DOJ continued its recent streak of notable policy changes related to corporate crime and compliance (as noted in our prior alerts on the DOJ’s announcements of new policies on clawbacks and voluntary self-disclosure) with a revised Evaluation of Corporate Compliance Programs policy (ECCP). As part of the revised ECCP, the DOJ has provided additional guidance on how it will consider corporate practices surrounding the use of personal devices, messaging applications (including “ephemeral” messaging) and communications platforms in the workplace. When evaluating a company’s compliance program, prosecutors are now required to evaluate a company’s “policies and procedures governing the use of personal devices, communication platforms, and messaging applications.” Companies are expected “to update their policies and practices accordingly.” Those choosing not to heed this advice could jeopardize a favorable resolution.

‘Top of Mind’

As Assistant Attorney General Kenneth Polite noted in his remarks at the American Bar Association’s (ABA) annual National Institute on White Collar Crime, when content from personal devices or non-company-provided messaging applications has not been produced during an investigation, prosecutors will no longer “accept that at face value” and will instead demand information regarding the company’s preservation and deletion policies and ability to access personal devices. Ultimately, whether a company has preserved and produced communications from messaging applications and personal devices “may well affect the offer it receives to resolve criminal liability” and should therefore “be top of mind” as companies refine existing policies.

The revised ECCP contains detailed questions prosecutors should address when evaluating a company’s policies. For example, prosecutors are now directed to determine whether a company’s policies permit the company to review business communications on personal devices and messaging applications, and whether employees are required to transfer messages from messaging applications to company recordkeeping systems to preserve and retain them. Similarly, prosecutors should evaluate whether there are consequences for employees who refuse to provide access to business-related information stored on personal devices, and whether any employees have been disciplined for not providing such access.

Policy Communication and Enforcement

Prosecutors are required to consider how these policies and procedures have been communicated to employees and whether they are enforced “on a regular and consistent basis.” Companies should also be prepared to articulate their rationale for choosing which messaging platforms and settings are allowed. Such policies should be “tailored to the corporation’s risk profile and specific business needs” and ensure that business-related communications are accessible and preserved “to the greatest extent possible.” 

Companies should review the revised ECCP and take steps to critically assess their compliance programs to help prepare for and align with the DOJ’s new expectations for effective compliance programs. For example, it would be prudent to evaluate existing policies regarding the permissible use of mobile devices and third-party messaging applications, including the company’s retention and preservation policies, to ensure alignment with the revised ECCP. Companies should also ensure that their employees are receiving periodic training on their permissible-use policies and should conduct regular monitoring of communications to ensure compliance with those policies. As AAG Polite noted in his ABA remarks, “use of these services is [now] ubiquitous,” and the DOJ expects corporations to both “adapt to the realities of modern life and update their policies and practices accordingly[.]”

Conclusion

The DOJ’s update to the ECCP should be a clarion call for companies to begin updating their policies and procedures related to business-related communications. Companies should take these steps now to ensure more favorable resolutions in the event of a DOJ investigation. Ballard Spahr attorneys in the White Collar/Internal Investigations Group have deep experience in assisting individuals and entities in navigating federal criminal laws and the DOJ's policy, including the development and oversight of effective compliance programs and document collection and preservation practices. Please contact us for more information.

Copyright © 2024 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.