FCPA Blog Daily News

Thursday, Dec 14, 2017

Lankford and Hussain: New DOJ enforcement policy takes aim at messaging apps

FCPA investigators routinely face obstacles to gathering data from non-company email and messaging apps. In particular, such communications are often not stored on company devices, and where files exist, they may be encrypted or otherwise difficult to open.  

Outside messaging apps, such as Snapchat and Wickr, may automatically delete messages after a few seconds or days precisely so that users can keep their communications confidential.

Outside email accounts are also difficult to access and present obvious data privacy issues. These circumstances have long posed challenges for FCPA investigators, but now, the use of outside email and messaging apps also threatens to disqualify companies from receiving substantial benefits under the DOJ’s new FCPA Corporate Enforcement Policy.

Specifically, under the new DOJ policy, for a company to receive full credit -- e.g., the presumption of a declination -- for timely and appropriate remediation in the context of cooperating with a government investigation, the company must meet the following criteria (among others):

Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications [emphasis added].

This language is unprecedented in prior DOJ guidance on FCPA enforcement, and shows a significant evolution in the DOJ’s expectations for data controls.
 
In particular, the new Policy signals that the DOJ now expects companies to clearly instruct employees not to communicate about business matters using any type of email or messaging software that doesn’t properly store the relevant data. If a company fails to do so, it may not qualify for a declination or certain other benefits under the new DOJ Policy -- even if the company has an otherwise state-of-the-art compliance program and satisfies all other requirements for cooperation under the DOJ Policy.
 
From a practical perspective, the new Policy suggests that the DOJ expects companies to:

  • Maintain appropriate written standards for data controls, which clearly define the types of communication software that are permissible to use for business matters. The new Policy suggests that acceptable software should include only programs that create and store business-related emails and messages in a form that is reasonably accessible to the company (e.g., to preserve and collect in an investigation), and consistent with the company’s document retention rules.
  • Effectively implement data controls through means such as training, automated checks (e.g., potentially blocking installation of unauthorized apps), obtaining employee consents (to facilitate data processing), routinely testing compliance (e.g., through audits), and enforcement through discipline where appropriate.

Many companies have already made substantial efforts to implement effective data controls, recognizing their importance to safeguard against a broad range of corporate risks. In light of the DOJ’s new Policy, corporate attention to this area will likely intensify.

For compliance professionals, it is important to first understand the perspectives and work habits of business personnel. For example, if company email servers are slow, employees may use personal Gmail accounts to get through more quickly. If the company doesn't offer an internal messaging app, employees may use Skype to chat with a workmate down the hall rather than individually sending, opening, and deleting hundreds of short emails.

Employees may find it more reliable to reach customers and business partners through Viber if the business partners find it more economical, user-friendly, or compatible with their personal smartphones. Employees may prefer the functionality of WhatsApp in sending photos, accessing contacts, or chatting with project teams.

With a solid understanding of such factors, one can more effectively develop practical data controls that help companies address risk and position themselves to qualify for substantial benefits under the DOJ’s new enforcement Policy, with minimal disruption to legitimate business processes.

_____

Nate Lankford, pictured above, is a member at Miller & Chevalier in Washington, D.C. He focuses his practice on matters involving the Foreign Corrupt Practices Act, business and human rights and other areas of international corporate compliance. He has conducted investigations and created tailored compliance programs for U.S. and international companies in several industries and advised companies on all areas of compliance program implementation.

Aiysha Hussain, pictured above, is a senior associate at Miller & Chevalier. She specializes in internal and government investigations. She has played a significant role in the execution of numerous internal investigations involving fraud, violations of the Foreign Corrupt Practices Act, and the False Claims Act.

Reader Comments (2)

Are you literally indicating that Skype conversations put a company at risk of non-compliance with DOJ guidelines, because they aren't recorded and retrievable? Such an assumption would say that business could no longer be conducted over the telephone as well.
December 14, 2017 | Unregistered Commenter DS

I’m almost certain they are referring to the “text” communication via Skype, not the voice calls. Also, this is a requirement that has taken too long to get traction. I mentioned it 3 times since May of 2016 to the SEC. It was clear that the company executives, legal team and auditors were using encrypted messaging apps to have conversations that they didn’t want stored on the company “encrypted” email server. There is absolutely no reason to use external, non-company, messaging services. Those using external messaging services to “chat” about business are doing so in order to hide something. And, unfortunately, that something is usually illegal.
December 15, 2017 | Unregistered Commenter Messaging