Lankford and Hussain: New DOJ enforcement policy takes aim at messaging apps
Thursday, December 14, 2017 at 7:28AM
Nate Lankford and Aiysha Hussain in Cooperation, Pilot Program

FCPA investigators routinely face obstacles to gathering data from non-company email and messaging apps. In particular, such communications are often not stored on company devices, and where files exist, they may be encrypted or otherwise difficult to open.  

Outside messaging apps, such as Snapchat and Wickr may automatically delete messages after a few seconds or days precisely so that users can keep their communications confidential. 

Outside email accounts are also difficult to access and present obvious data privacy issues. These circumstances have long posed challenges for FCPA investigators, but now, the use of outside email and messaging apps also threatens to disqualify companies from receiving substantial benefits under the DOJ’s new FCPA Corporate Enforcement Policy

Specifically, under the new DOJ policy, for a company to receive full credit -- e.g., the presumption of a declination -- for timely and appropriate remediation in the context of cooperating with a government investigation, the company must meet the following criteria (among others):

Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications [emphasis added].

This language is unprecedented in prior DOJ guidance on FCPA enforcement, and shows a significant evolution in the DOJ’s expectations for data controls.
 
In particular, the new Policy signals that the DOJ now expects companies to clearly instruct employees not to communicate about business matters using any type of email or messaging software that doesn’t properly store the relevant data. If a company fails to do so, it may not qualify for a declination or certain other benefits under the new DOJ Policy -- even if the company has an otherwise state-of-the-art compliance program and satisfies all other requirements for cooperation under the DOJ Policy.
 
From a practical perspective, the new Policy suggests that the DOJ expects companies to:

Many companies have already made substantial efforts to implement effective data controls, recognizing their importance to safeguard against a broad range of corporate risks. In light of the DOJ’s new Policy, corporate attention to this area will likely intensify.

For compliance professionals, it is important to first understand the perspectives and work habits of business personnel. For example, if company email servers are slow, employees may use personal Gmail accounts to get through more quickly. If the company doesn't offer an internal messaging app, employees may use Skype to chat with a workmate down the hall rather than individually sending, opening, and deleting hundreds of short emails.

Employees may find it more reliable to reach customers and business partners through Viber if the business partners find it more economical, user-friendly, or compatible with their personal smartphones. Employees may prefer the functionality of WhatsApp in sending photos, accessing contacts, or chatting with project teams.

With a solid understanding of such factors, one can more effectively develop practical data controls that help companies address risk and position themselves to qualify for substantial benefits under the DOJ’s new enforcement Policy, with minimal disruption to legitimate business processes.

_____

Nate Lankford, pictured above, is a member at Miller & Chevalier in Washington, D.C. He focuses his practice on matters involving the Foreign Corrupt Practices Act, business and human rights and other areas of international corporate compliance. He has conducted investigations and created tailored compliance programs for U.S. and international companies in several industries and advised companies on all areas of compliance program implementation.

Aiysha Hussain, pictured above, is a senior associate at Miller & Chevalier. She specializes in internal and government investigations. She has played a significant role in the execution of numerous internal investigations involving fraud, violations of the Foreign Corrupt Practices Act, and the False Claims Act.

Article originally appeared on The FCPA Blog (http://www.fcpablog.com/).
See website for complete article licensing information.