On December 17, 2021, a financial institution agreed to pay the Securities and Exchange Commission and the Commodity Futures Trading Commission a $200 million fine for allowing employees to discuss business on their personal devices without preserving these communications. The financial institution was accused of failing to maintain and properly implement controls over the use of personal communications and messaging platforms, in violation of the record keeping and oversight requirements of the Securities Exchange Act and the Commodity Exchange Act, as well as related rules and regulations.
Businesses should seize this enforcement action as an opportunity to assess whether and how their corporate compliance programs ensure proper retention of personal communications and ephemeral messages.
Work-from-home arrangements have exploded during the pandemic and are likely here to stay. Employee use of personal devices and messaging apps to conduct or discuss business is common, but it can be difficult for companies to preserve employee emails and personal messages sent via SMS, WhatsApp and other third-party messaging platforms. In addition, some third-party messaging platforms, including WhatsApp, allow “ephemeral” messaging, automatically deleting messages after a certain period of time.1 Ephemeral messages can prevent businesses from retroactively collecting messages if they receive a subpoena or cooperate with a government investigation.
Having “appropriate guidance and controls over the use of personal communications and ephemeral messaging platforms” in place becomes particularly important if a business discovers wrongdoing. The law enforcement policy on corrupt practices abroad (CEP),2 which now extends to all white-collar cases handled by the Criminal Division of the United States Department of Justice, provides advice on steps businesses can take to mitigate criminal penalties if they discover wrongdoing. The CEP further notes that there is a presumption that a company will receive a declination3 if, except in aggravating circumstances,4 it (1) willfully discloses the misconduct, (2) fully cooperates and (3) remediates in a timely and appropriate manner.
Under the CEP, “timely and appropriate remediation” by the business must include “the proper retention of business records and the prohibition of the destruction or improper deletion of business records”. As part of this element, the initial version of the CEP, published in November 2017, required companies to prohibit the use of “software that generates but does not properly maintain documents or commercial communications”. This effectively worked as a blanket ban on the use of ephemeral messaging apps, as retaining those communications was difficult, if not impossible.
In March 2019, the CEP was revised to include softer language, allowing businesses to qualify for full remediation credit if they have implemented “appropriate guidance and controls over the use of personal communications and ephemeral messaging platforms that compromise the company’s ability to properly maintain business records or communications or otherwise comply with corporate document retention policies or the company’s legal obligations.” In other words, a business seeking to qualify for a declination or reduction of fine based on timely and appropriate corrective action may still qualify if it allows personal communications and ephemeral messages, provided the company’s corporate compliance program has been designed to address and mitigate the risks associated with their use.
Implementing guidelines and controls for personal communications and ephemeral messaging platforms could also be key in convincing the government that the company has “fully cooperated.” To assess whether a company has fully cooperated with an investigation, prosecutors will examine whether there has been “the timely retention, collection and disclosure of relevant documents and information.” Companies that are unable to produce the requested information, causing a delay in the investigation or the expenditure of additional resources, are unlikely to be able to claim full cooperation credit, thus disqualifying them from a declination or a reduction in the fine.
As permanent work from home grows in popularity, continued use of personal devices and third-party messaging apps is inevitable. These regulations should remind companies to ensure their compliance programs include guidance and controls for the retention of business documents and communications, including text messages, personal emails, and communications on messaging platforms.
Total bans on the use of personal devices or third-party messaging apps are unlikely to be enforceable (or practical). However, there are steps companies can take to develop and implement appropriate guidelines and controls, including the following:
- Businesses should consider implementing enterprise versions of messaging platforms (that is, versions specifically designed for business use). Enterprise versions can allow businesses to customize features, such as security and data retention settings, for users within the organization and can help businesses maintain control over communications.
- Businesses should implement policies and guidelines detailing bans and/or limitations on the use of personal devices and messaging platforms.
- Once a business solidifies its stance on the use of personal devices and messaging platforms, the business needs to clearly communicate expectations to employees (for example, by incorporating bans and limitations into training).
Companies operating in states that have legally established privacy rights for employees using personal digital assistants should carefully navigate potential competing public policy issues when designing and implementing guidelines, policies and controls related to personal communications.
1 In 2020, WhatsApp launched a feature called “Disappearing Messages”, which allows users to automatically delete messages after seven days. The feature also deletes messages from the other party’s phone. In December 2021, WhatsApp updated the options to allow automatic deletion as early as 24 hours after sending messages. By default, the feature is disabled, but all users can enable it.
3 A declination is a matter that would have been prosecuted or resolved criminally without the voluntary disclosure, full cooperation, remediation and payment of restitution, confiscation and/or restitution by the company.
4 Examples of aggravating factors that may justify a criminal resolution include the involvement of the top management of the company in the misconduct, the pervasiveness of the misconduct, and the significant profit to the company from the misconduct.