The U.S. Department of Justice (DOJ) recently announced updates to guidance related to corporate compliance programs. This expanded guidance instructs prosecutors to consider how compensation structures can drive compliance, including the use of financial penalties such as compensation clawback provisions to disincentivize non-compliance. The updated guidance further details how prosecutors should evaluate a company’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.
The DOJ’s March 2023 updated guidance on the Evaluation of Corporate Compliance Programs has generated significant attention, in part because of its focus on how companies oversee communications, with a particular emphasis on employees’ personal devices, such as mobile phones, and ephemeral messaging applications, in which communications may effectively “self-destruct.” As stated in the guidance:
“In evaluating…policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law, prosecutors should consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications. Policies governing such applications should…ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company. Prosecutors…should consider how the policies and procedures have been communicated to employees, and whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”
The guidance raises several considerations, including:
- If a company has a “bring your own device” program, what are its policies governing preservation of and access to corporate data and communications stored on personal devices?
- Is the company’s approach to personal devices consistent with any privacy regulations to which the company is subject?
- How are the company’s data retention and business conduct policies applied and enforced as to personal devices and messaging applications?
- Do those policies permit the company to review communications on personal devices and/or applications?
- Does the company have a policy as to whether messages and other information must be transferred from private phones or applications to company record-keeping systems? If so, is the policy followed? How is it enforced?
- Has company personnel’s use of ephemeral and other messaging applications impaired the company’s compliance program or its ability to conduct internal investigations or respond to requests from regulatory agencies?
Given the post-pandemic surge in remote work, considerations regarding personal device communications and ephemeral messaging applications continue to be significant, as many employees default to communicating across a variety of platforms and devices. Additional concerns may arise for companies with nonemployee directors, who in many cases use their own devices – and frequently their personal email accounts – to receive corporate communications.
Now, more than ever, companies should evaluate their Information Governance policies and related monitoring and enforcement activities to ensure compliance with this new DOJ guidance and best practices.
Gunster’s Information Governance, Electronic Discovery and SEC/Corporate Governance teams are well-positioned to provide counsel on this front by reviewing existing policies, guiding internal audits, assessing the preservation capabilities of messaging platforms your company uses, or evaluating your company compliance program altogether. In addition, we welcome the opportunity to provide an overview presentation regarding Information Governance and related topics to clients and friends of the firm that want to learn more.
This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.
Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 13 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Naples, Orlando, Palm Beach, Stuart, Tallahassee, Tampa Bayshore, Tampa Downtown, Vero Beach, and its headquarters in West Palm Beach. With more than 260 attorneys and consultants, and over 270 committed professional staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at www.gunster.com.