On March 8, 2019, the Department of Justice (DOJ) announced welcome revisions to its November 2017 Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy, now incorporated as Justice Manual (JM) 9-47.120. The 2017 Policy had introduced a rebuttable presumption that the DOJ would decline to prosecute companies that voluntarily self-disclose, fully cooperate, and timely and appropriately remediate in FCPA matters. To obtain full remediation credit, however, the 2017 Policy required companies to “prohibit employees from using software that generates but does not appropriately retain business records or communications.”
This requirement was understood as a blanket prohibition against employee use of “ephemeral messaging” platforms allowing automatic destruction of messages or other communication channels resistant to record retention or third-party access. The business and legal communities expressed concerns that the 2017 Policy was out of touch with the reality of a fast-evolving global business environment, where employees ubiquitously rely on ephemeral messaging apps for business and personal communications, not least for reasons of information security and data privacy protection.
Perhaps in self-corrective response to such concerns, the DOJ’s March 8, 2019 revisions to the Policy, in relevant part, moved away from a categorical prohibition of ephemeral communications to a more flexible approach. Under the 2019 Policy, companies seeking remediation credit must “implement appropriate guidance and controls on the use of personal communication and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.”
This was welcome news to the business community. However, now the onus is on the company to ensure that business records and communications are appropriately retained if employees are using ephemeral messaging platforms. This raises a whole new set of questions. What constitutes appropriate guidance and controls? What communications and messaging platforms may undermine a company’s ability to appropriately retain business records? How do we ensure that employees are not using ephemeral messaging platforms to generate communications that are business records? One way may be to simply ban ephemeral messaging platforms—but to what end? Will this just drive the use of such messaging underground? How should companies address this issue in a way that is consistent with the realities of how employees communicate, but also mitigates risk? There are no one-size-fits-all answers to these questions. However, there are some key questions and considerations that will help legal teams wrap their arms around this seemingly daunting task.
The overall concern is whether employees are generating business records on text messaging platforms and, if so, what the company is doing to ensure those business records are being maintained and preserved. Unlike email communications that will be retained on a company’s servers, text messages that exist on an individual employee’s device may not be preserved centrally. On top of that, text messages that disappear upon receipt or after a short time period present added challenges to maintaining comprehensive and appropriate business records. Here are some basic questions that can assist companies as they formulate appropriate guidance and controls on employee use of ephemeral messaging platforms.
- Which Messaging & Communications Platforms Are Employees Using?
People speak of “ephemeral messaging apps” as if they are all created equal. In reality, many messaging platforms that are thought of as ephemeral are not actually ephemeral, or do not have to be (preserving communications is an option). Some are encrypted and others are not. Some are even screenshot-proof. Are they used in jurisdictions where their use is perceived as necessary or essential? Is the ephemeral nature of the messaging platform crucial to its functionality or to why employees use it? Has your organization adopted instant business messaging software or applications? If so, have you adjusted the default retention settings? Should you, considering your organization and how these are used? Understanding which messaging platforms employees are using and where, and knowing the characteristics of those platforms, will help you decide what to do.
- Who Is Using Messaging Platforms, and What Are They Using Them For?
In order to craft appropriate guidelines for the use of ephemeral messaging platforms, it is important to understand who is using them, where, and for what purposes. The ultimate question is whether business records are being generated on these platforms and, if so, what the company is doing to make sure that they are retained. Whether these texts make up business records depends on who is sending them and why. Are senior executives using them to communicate? Or is this primarily a tool used by R&D teams in India? Are they used for substantive communications? Or primarily for logistical discussions and meeting scheduling? In order to develop an approach that will work, and guidelines that will be followed, it is important to have answers to these practical questions.
- What Legal Restrictions Are Relevant to Your Ability to Access and Retain Communications, and Do You Already Have Policies Addressing Them?
The issue of access to and retention of employee communications on messaging platforms raises questions about individuals’ rights to privacy in their communications. Employers’ ability to access communications on messaging platforms can implicate issues related to personal communications on company devices, as well as business communications on personal devices. Understanding the applicable legal frameworks that impact decision making over use and retention of employees’ communications through messaging apps is essential to avoid creating a whole new set of problems in an attempt to solve one.
Many companies have already addressed these issues in other company policies, including technology use policies, BYOD policies, and document retention policies. If this is the case, these policies can often be adjusted to take into account new text messaging platforms.
Ultimately, the trickiest questions relate to the fundamental question of whether or not to permit communications on messaging platforms that are truly ephemeral (where subsequent access and retention are not options). While the 2019 Policy allows companies a higher degree of choice in designing procedures and controls tailored to their business needs, technological preferences, and compliance priorities, these choices do not necessarily lend themselves to easy solutions.
While many companies have not yet figured out their own solution, companies that have are taking varying approaches. Some companies, for example, may choose to prohibit use of ephemeral messaging apps in certain types of business communications (e.g., permitting them for scheduling and logistics but not substantive communications). Other companies may permit their use only by certain personnel (e.g., R&D may use them, but not sales, and not senior executives). Another option is to permit only messaging apps that have a retention option. There is no one right answer.
At the end of the day, companies need to figure out what works for their organization (and will not drive behavior underground). There is a need to strike a thoughtful balance between current business practices and business realities, and compliance with the DOJ’s 2019 Policy’s aims of deterring misconduct and preserving evidence.
About the Authors:
Jina Choi is a 16-year veteran of the Securities and Exchange Commission (SEC), where she ultimately served as the Director of the San Francisco Regional Office of the SEC. There she helped to enforce many of the laws that govern the public and pre-IPO companies she now represents. While many of Jina’s achievements as an SEC enforcement lawyer and federal prosecutor are public record, her current work in private practice is equally impressive. She brings a formidable dedication to the rule of law and client advocacy. She represents and counsels companies on government and internal investigations, enforcement-related litigation, whistleblower complaints, and compliance programs.
Stacey Sprenkel is the head of the Litigation Department in Morrison & Foerster’s San Francisco office and is a member of the firm’s global anti-corruption and compliance team. She has extensive experience conducting corporate internal investigations on a broad range of issues both domestically and internationally, and she regularly assists clients with conducting global risk assessments, and with developing compliance programs, including reviewing and implementing anti-corruption and other compliance policies, controls, and training programs. She conducts anti-corruption due diligence in connection with M&A and private equity transactions, and provides counseling on a broad range of compliance issues.