The DOJ has long expressed concern about the impact of personal messaging – in particular of encrypted and ephemeral message apps – on its ability to effectively conduct investigations (and rely on the results of company investigations). Close on the heels of the well-publicized SEC enforcement sweeps of financial industry message retention practices, Deputy Attorney General Lisa Monaco recently issued a Corporate Crime Advisory Group Memo (the “Monaco Memo”) that articulates raised DOJ expectations for companies to retain and disclose employee personal device data. The DOJ’s expectations, however, may clash with practical limits on companies’ ability to control personal devices and with international data protection laws, and may increase companies’ preservation and disclosure risks in other proceedings.
Implementation of Personal Device and Third-Party Messaging Policies
In providing guidance to prosecutors on evaluating individual and corporate accountability, the Monaco Memo devotes an entire subsection to the “Use of Personal Devices and Third-Party Applications”. The Memo notes that the explosive growth in use for business purposes of personal smartphones, computers and other devices poses “significant corporate compliance risks” to a company’s and regulators’ ability to monitor misconduct and recover relevant data for an investigation. A similar risk is posed by third-party messaging platforms, which may feature ephemeral and encrypted messaging.
A primary factor in prosecutors’ assessments of compliance is whether the corporation has taken sufficient steps to “ensure” it can timely preserve, collect and disclose “all non-privileged responsive documents … including … data contained on phones, tablets, or other devices that are used by its employees for business purposes.” Compliance programs must consider how that may be accomplished “given the proliferation of personal devices and messaging platforms that can take key communications off-system in the blink of an eye.” Markers of a robust compliance program include meaningful personal use policies, clear training and effective enforcement.
Importance of Self-Disclosure
The DOJ wants to investigate and move to charging decisions quickly, and urges companies to structure their systems, processes and responses to this end. From the Miller Keynote: “Collectively, this new guidance should push prosecutors and corporate counsel alike to feel they are ‘on the clock’ to expedite investigations.… If a cooperating company discovers hot documents or evidence, its first reaction should be to notify the prosecutors”. Such “self-disclosure is often only possible when a company has a well-functioning Compliance Program that can serve as an early warning system and detect the misconduct early.” Ironically, the DOJ reportedly is simultaneously instructing prosecutors to “collect less evidence” because it purportedly is drowning in data. The DOJ seems to be looking to square this circle by increasing reliance on companies to review the expected torrent of personal device data that requires collection and assessment, and make rapid self-disclosures.
Impact of Foreign Data Privacy Laws
The Monaco Memo also makes clear that companies are expected to work hard to overcome any impediments to full disclosure posed by international and regional data privacy and protection laws. When faced with such conflicts, “the cooperating corporation bears the burden of establishing the existence of any restriction on production and of identifying reasonable alternatives to provide the requested facts and evidence, and is expected to work diligently to identify all available legal bases to preserve, collect, and produce such documents, data, and other evidence expeditiously.”
While not instructing companies to ignore foreign laws, the DOJ will credit companies that can successfully navigate such issues and produce relevant documents. Moreover, it cautions against any company that “actively seeks to capitalize on data privacy laws and similar statutes to shield misconduct inappropriately from detection and investigation by U.S. law enforcement,” noting that prosecutors may draw “an adverse inference as to the corporation’s cooperation … if such a corporation subsequently fails to produce foreign evidence.” Companies in this predicament are well advised to proactively consult with experienced cross-border data transfer counsel as to their obligations and options for response.
Does this mean companies have to be in control of their employees’ phones?
Companies revisiting their BYOD and compliance policies in light of the Monaco Memo will need to be alert for unintended consequences. There can be tension between expectations of aggressive corporate compliance measures and companies’ actual ability to control and access personal devices, as well as litigation risks and duties that may accompany such control. In some jurisdictions there may be no obligation to preserve and collect data from employee phones absent a “legal right” to obtain it (e.g., through contract or policy), while other courts hold that a company’s “practical ability” to obtain the data from the employee may suffice. See generally The Sedona Conference, Commentary on Rule 34 and Rule 45 “Possession, Custody, or Control,” 17 Sedona Conf. J. 467 (2016). For example, the court in In re Pork Antitrust Litig., No. 18-CV-1776 (JRT/HB), 2022 WL 972401 (D. Minn. Mar. 31, 2022) recently refused to compel a defendant to produce employee text messages because, inter alia, its BYOD policy did not expressly provide for company ownership of the texts or its right to access personal phones to obtain them. The court also reasoned that defendant “should not be compelled to terminate or threaten employees who refuse to turn over their devices for preservation or collection”. After the Monaco Memo, that is perhaps not the approach a prosecutor would take to a company looking for cooperation credit.
This wave of regulatory guidance and activity (more is forecast to be issued soon) reflects the DOJ’s emphasis on holding individuals accountable for corporate misconduct, and its need to fill off-channel gaps in the ability to perform such assessments. Cooperating corporations are expected to show sustained and comprehensive efforts to ensure that even occluded data sources like personal devices and messaging applications used for business are available for monitoring, review and disclosure. Companies should consider updating their policies to limit business communications to onboarded systems and platforms that are subject to retention; provide a process for spotting and reviewing business messages that nevertheless go through non-conforming channels; and provide enhanced training, auditing and enforcement. Compliance programs should be tested to confirm their effectiveness in the field, and not just on paper. To really motivate action, the DOJ is urging that executives have skin in the game – to tie compensation and promotion decisions to their fidelity to corporate use and retention policies. This would occasion a significant change in culture for many companies.